Hi Mimi,

[ Cc Li, although I have no idea if Fedora even runs LTP IMA tests ]

> On Fri, 2025-09-12 at 09:32 +0200, Petr Vorel wrote:
> > Since kernel 6.6, the policy needs to be signed when UEFI secure boot is
> > enabled. Skip testing in that case.

> > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=56dc986a6b20b

> > This fixes errors:

> >     ima_policy 2 TINFO: verify that policy file is not opened concurrently and able to loaded multiple times
> >     ima_policy 2 TFAIL: problem loading or extending policy (may require policy to be signed)
> >     https://openqa.suse.de/tests/18723792#step/ima_conditionals/6

> >     ima_conditionals 1 TINFO: verify measuring user files when requested via uid
> >     echo: write error: Permission denied
> >     ima_conditionals 1 TBROK: echo measure uid=65534 > /sys/kernel/security/ima/policy failed

> > Ideally there would be a test which checks that an unsigned policy cannot be
> > written.

> > Signed-off-by: Petr Vorel <pvo...@suse.cz>

> Thanks, Petr.

> Reviewed-by: Mimi Zohar <zo...@linux.ibm.com>

Thanks for your review, merged!

> At some point, consider adding support for signing policy rules, if the
> private/public keypair is provided.

I'm not against it, but I'm not sure if I'll find time for this (as usual,
patches are welcome). If I understand the docs [1] [2] correctly, it depends on
CONFIG_SYSTEM_TRUSTED_KEYS, right?

Fedora builds with CONFIG_SYSTEM_TRUSTED_KEYS="certs/rhel.pem", but ships the
config with CONFIG_SYSTEM_TRUSTED_KEYS="" ("We are resetting this value to
facilitate local builds" - makes perfect sense); other distros (at least openSUSE
Tumbleweed and Debian) build with CONFIG_SYSTEM_TRUSTED_KEYS="".

I doubt that the Fedora private key will be exposed for testing. Therefore this
feature is IMHO useful for mainline testing, but not for distro testing, right?
But again, I'm not against merging the patch (if anybody is willing to implement
it).

Kind regards,
Petr

[1] https://ima-doc.readthedocs.io/en/latest/ima-utilities.html#build-kernel-with-ima-ca-key-on-keyring
[2] https://ima-doc.readthedocs.io/en/latest/ima-utilities.html#ima-ca-key-and-certificate

> Mimi
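As an added illustration of the skip condition the patch describes (this is not code from the LTP patch or from anyone in the thread): a POSIX shell check for "kernel >= 6.6 and UEFI Secure Boot enabled", reading the SecureBoot variable from efivarfs, where each file carries 4 bytes of variable attributes followed by the data. The function names and the `/sys/firmware/efi/efivars/SecureBoot-*` glob are my assumptions, not LTP's API.

```shell
#!/bin/sh
# Added example, not part of the LTP patch. Decide whether loading an
# unsigned IMA policy should be skipped: kernel >= 6.6 with UEFI Secure
# Boot enabled, the combination that makes the kernel require a signed policy.

# kver_ge MAJOR MINOR KVER: return 0 when KVER (e.g. "6.6.12-1-default")
# is at least MAJOR.MINOR. Versions without a minor part are treated as .0.
kver_ge() {
    want_major=$1; want_minor=$2; kver=$3
    case $kver in *.*) ;; *) kver="$kver.0" ;; esac
    major=${kver%%.*}
    rest=${kver#*.}
    minor=${rest%%[!0-9]*}
    [ "$major" -gt "$want_major" ] && return 0
    [ "$major" -eq "$want_major" ] && [ "$minor" -ge "$want_minor" ]
}

# secureboot_enabled EFIVAR_FILE: an efivarfs file is 4 bytes of attributes
# followed by the variable data; SecureBoot's data is one byte, 1 = enabled.
# Returns 1 when the file is missing (no EFI boot or no efivarfs mounted).
secureboot_enabled() {
    efivar=$1
    [ -r "$efivar" ] || return 1
    state=$(od -An -t u1 -j 4 -N 1 "$efivar" | tr -d ' ')
    [ "$state" = "1" ]
}

# ima_policy_needs_signing KVER EFIVAR_FILE: combine both conditions.
ima_policy_needs_signing() {
    kver_ge 6 6 "$1" && secureboot_enabled "$2"
}

# Stand-alone use: probe the running system (assumed efivarfs glob).
main() {
    efivar=$(ls /sys/firmware/efi/efivars/SecureBoot-* 2>/dev/null | head -n 1)
    if ima_policy_needs_signing "$(uname -r)" "$efivar"; then
        echo "TCONF: kernel >= 6.6 with UEFI Secure Boot, IMA policy must be signed"
    else
        echo "unsigned IMA policy can be loaded on this system"
    fi
}
main
```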
