From patchwork Tue May 2 11:06:56 2023
X-Patchwork-Submitter: Armin Kuster
X-Patchwork-Id: 23248
From: Armin Kuster
To: yocto@lists.yoctoproject.org
Subject: [meta-security][PATCH 1/2] oeqa: fix hash test to match new changes
Date: Tue, 2 May 2023 07:06:56 -0400
Message-Id: <20230502110657.2496963-1-akuster808@gmail.com>
X-Mailer: git-send-email 2.25.1
X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto/message/59835

Signed-off-by: Armin Kuster
Reviewed-by: Stefan Berger
---
 meta-integrity/lib/oeqa/runtime/cases/ima.py | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/meta-integrity/lib/oeqa/runtime/cases/ima.py b/meta-integrity/lib/oeqa/runtime/cases/ima.py
index 0c8617a..6b361ca 100644
--- a/meta-integrity/lib/oeqa/runtime/cases/ima.py
+++ b/meta-integrity/lib/oeqa/runtime/cases/ima.py
@@ -58,21 +58,19 @@ class IMACheck(OERuntimeTestCase): @OETestDepends(['ima.IMACheck.test_ima_enabled']) def test_ima_hash(self): ''' Test if IMA stores correct file hash ''' - filename = "/etc/filetest" + filename = "/etc/ld.so.cache" ima_measure_file = "/sys/kernel/security/ima/ascii_runtime_measurements" - status, output = self.target.run("echo test > %s" % filename) - self.assertEqual(status, 0, "Cannot create file %s on target" % filename) # wait for the IMA system to update the entry - maximum_tries = 30 + maximum_tries = 3 tries = 0 - status, output = self.target.run("sha1sum %s" %filename) + status, output = self.target.run("sha256sum %s" %filename) sleep(2) current_hash = output.split()[0] ima_hash = "" while tries < maximum_tries: - status, output = self.target.run("cat %s | grep %s" \ + status, output = self.target.run("cat %s | grep -e '%s'" \ % (ima_measure_file, filename)) # get last entry, 4th field if status == 0:

From patchwork Tue May 2 11:06:57 2023
X-Patchwork-Submitter: Armin Kuster
X-Patchwork-Id: 23249
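Review bot: Hardcoding sha256sum in test_ima_hash couples the test to whichever hash algorithm the kernel's IMA was booted with; if the image runs with a different ima_hash= setting, the comparison against the 4th field of the measurement entry fails for a reason the assertion message will not name. Consider reading the algorithm recorded in the measurement entry instead of assuming sha256, or asserting the expected algorithm explicitly with a clear message. Two smaller points on the same hunk: grep -e '%s' still treats the path as a regular expression, so the dots in /etc/ld.so.cache match any character, and grep -F -e '%s' would give the intended literal match; and now that the echo test > file step is gone, the comment '# wait for the IMA system to update the entry' and the maximum_tries retry loop are waiting for a file that is already measured at boot, so either the comment should say why a retry is still needed or the loop can go. The drop from 30 to 3 tries is also not explained in the commit message.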
From: Armin Kuster
To: yocto@lists.yoctoproject.org
Subject: [meta-security][PATCH 2/2] integrity-image-minimal: adapt QEMU cmdline to new changes
Date: Tue, 2 May 2023 07:06:57 -0400
Message-Id: <20230502110657.2496963-2-akuster808@gmail.com>
X-Mailer: git-send-email 2.25.1
In-Reply-To: <20230502110657.2496963-1-akuster808@gmail.com>
References: <20230502110657.2496963-1-akuster808@gmail.com>
X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto/message/59836

Signed-off-by: Armin Kuster
Reviewed-by: Stefan Berger
---
 meta-integrity/recipes-core/images/integrity-image-minimal.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta-integrity/recipes-core/images/integrity-image-minimal.bb b/meta-integrity/recipes-core/images/integrity-image-minimal.bb
index f40e867..5022170 100644
--- a/meta-integrity/recipes-core/images/integrity-image-minimal.bb
+++ b/meta-integrity/recipes-core/images/integrity-image-minimal.bb
@@ -18,4 +18,4 @@ export IMAGE_BASENAME = "integrity-image-minimal" INHERIT += "ima-evm-rootfs" -QB_KERNEL_CMDLINE_APPEND:append = " ima_appraise=fix ima_policy=tcb ima_policy=appraise_tcb" +QB_KERNEL_CMDLINE_APPEND:append = " ima_policy=tcb ima_appraise=fix"
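Review bot: Dropping ima_policy=appraise_tcb from QB_KERNEL_CMDLINE_APPEND removes the only appraisal rules on the kernel command line, so with just ima_policy=tcb ima_appraise=fix the kernel measures files but has no rule selecting anything for appraisal, and fix mode will not write security.ima xattrs for any file unless a policy with appraise rules is loaded from userspace later, which this patch does not show. The commit message says only "adapt QEMU cmdline to new changes"; please name the change (for example, which policy now supplies the appraise rules) so that the loss of appraise_tcb reads as intentional rather than as an accidental deletion. Reordering ima_policy=tcb before ima_appraise=fix has no functional effect and needs no comment.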