1 These testcases test the Integrity Measurement Architecture(IMA). 2 3 Requirements 4 ------------ 5 6 A kernel with IMA configured, mount with i_version support, openssl 7 and openssl-devel packages, and auditd, if enabled, with the integrity 8 patch, are required to build and run the IMA testsuite. 9 10 - Enabling IMA in .config will also enable CRYPTO, SECURITYFS, TCG_TPM, 11 and TPM_TIS. 12 13 CONFIG_IMA=y 14 CONFIG_IMA_MEASURE_PCR_IDX=10 15 CONFIG_IMA_AUDIT=y 16 CONFIG_IMA_LSM_RULES=y 17 18 - Both sysfs and securityfs if not mounted, will be mounted. 19 20 - The testsuite must be executed with root priveleges so that it 21 can access securityfs files, such as: security/ima/policy and 22 security/ima/ascii_runtime_measurement. 23 24 - Both openssl and openssl-devel must be installed, to build the 25 testsuite. At runtime, if openssl is not installed, many of the 26 tests will skipped. 27 28 - auditd, if enabled, requires the integrity patch, which is available 29 from https://www.redhat.com/archives/linux-audit/2009-March/msg00016.html. 30 31 - In order to re-measure a file after it changes, the file system must 32 be mounted with i_version support(Bugzilla 471593). 33 [util-linux-ng-2.14.2-2.fc11.src.rpm] 34 35 Add 'iversion' in /etc/fstab as: 36 dev/hdb1 /home ext2 defaults,iversion 1 2 37 38 To mount the root partition with i_version support, 'iversion' must 39 be added on the remount line in /etc/rc.sysinit: 40 # Remount the root filesystem read-write. 41 update_boot_stage RCmountfs 42 if remount_needed ; then 43 action $"Remounting root filesystem in read-write mode: " mount -n -o remount,rw,iversion / 44 fi 45 46 47 Dependency 48 ---------- 49 The testsuite is dependent on the default TCB policy being enabled, which 50 measures all executables, all files mmapped for execute and all files 51 open for read by root. For kernels 2.6.31 and greater, enable the 52 trusted computing base(TCB) policy using the ima_tcb=1 boot parameter. 53 If the TCB policy has been replaced, loading another measurement 54 policy will fail, as the policy may only be replaced once per boot. 55 Some of the policy dependency tests might also fail as well. 56 57 ima_tpm.sh: test02, verifying the PCR-10 value, requires a hard reboot. 58 [On Ubuntu, before running the ltp tests, disable /etc/init.d/kexec-load 59 and reboot.] 60 61 Run tests 62 --------- 63 After doing 'make' and 'make install' from the top-level, 64 - execute './ltp-full-<version>/runltp -f ima' to run the entire testsuite. 65 - To run individual tests, cd into the IMA directory, and add testcases/bin 66 to PATH: 67 ./ltp-full-<version>/testcases/kernel/security/integrity/ima/tests/ 68 and execute the individual scripts. 69 70 System State after running the Testsuite 71 ---------------------------------------- 72 After running the testsuite, the default measurement policy has been 73 replaced with an identical policy. If you want to install a different 74 policy, such as an LSM specific one, a reboot is required. 75 76 More Info to look at 77 -------------------- 78 http://linux-ima.sourceforge.net/ is a good place to start. 79 There's also IMA mailing lists 80 http://sourceforge.net/projects/linux-ima 81 -- 82
