action #81346
closed[sle][security][sle15sp3] test fails in ima_appraisal_digital_signatures
100%
Description
Observation¶
openQA test in scenario sle-15-SP3-Online-x86_64-ima_appraisal@uefi fails in
ima_appraisal_digital_signatures
Test suite description¶
Maintainer: llzhao@suse.com
Setup and test for IMA appraisal functions.
Reproducible¶
Fails since (at least) Build 14.2
Expected result¶
Last good: (unknown) (or more recent)
Further details¶
Always latest result in this scenario: latest
Updated by rfan1 over 3 years ago
- Priority changed from Normal to High
- Estimated time set to 8.00 h
There are some OS booting issue mentioned in https://bugzilla.suse.com/show_bug.cgi?id=1155890
however, there was an new issue introduced, it impacted the test logic (due to output change), please refer to https://progress.opensuse.org/issues/73159
I will take some time to check if the output is expected, and then try to fix it.
Updated by rfan1 over 3 years ago
- Status changed from New to In Progress
From the output of the command below, we can see the output:
#/usr/bin/find / -fstype ext4 -type f -executable -uid 0 -exec evmctl -a sha256 ima_sign -psuse -k /root/certs/key.asc '{}' \;
hash(sha256): 0a62fc7210492a9931dfaac40cdfdf725f6a34f53dd2b0425d4e6bfe5d2868cc
evm/ima signature: 264 bytes
0302043f73a5f80100888cbab50d99e865202b6bfc899977f7415bb1647801ec07a27fd0fa1f4fa7d0270cf9a360d5dd2d3767892fcf52078805adf3da0989954888ee9160ec01eb6c76465722a98fa8b950f118328a2a8102ddf46f33eae346d4eddb0ef1f3c8ca742d23a24a171fd82738404b35fb9db6c924c26bbc81065581d410d45559f3448560f27a36dd79c6a05d985cd3a2f59925a649173b6c9b59b2380f488ba23f37967a880d7a4928151b52ab8c7395b1d5cfdd73a10143ec1a9af54e447db15b5fe28831646983135701144c775bf158697488dbc43621925c131ed0b02038707a97d719e2c609bbfbc4f616d51bf701fb154ef1d74e8f5d6a1158c46a68ed4e91df
hash(sha256): bea52b8a24f599d914ee53e8f6c9f963fa98e3e0f5ad9f6ce6aaf75ee95a0edc
evm/ima signature: 264 bytes
0302043f73a5f80100393eea699a893ae07f865707a79a4c1d16d26187160639b9f1fc31b0bdf651964b2d3beddd57dbc4bb5e9f7b3d97202e4e0188ede73c572f080802369c48a231601ee355a43389d359d1a1acc8452856457adcd74e813fdb420288ec879df4af5872b513ee19b0a65e8831e1efa8fc84fc8ada615edf1389991d7cf403f7ccc3ccaa692e088479897dfc167e78bb129040cc30781cd3c9c56ea493d95c843a4aff2da04486de93dda6a68a5b16cc8fa8a514822a2ed53e3fe708ff6ada92a35db082bf4dff45d1f6ecef53bcd12658fea8293e40071f4bb484547e8d3bbbfef5a82f4f5ce853e80082cdc8fe2abc762160c48ddd2887966df5233525fbe33689
hash(sha256): 007df10ebda8cfa33c836c0c38a297593f52d8fd4f876cf85f149b86ca8ea337
evm/ima signature: 264 bytes
Based on the man page/l
evmctl ima_sign [...]: IMA appraisal with digital signatures. Uses the configured private RSA key to create a signature of the hash digest of the selected files and stores it in individual security.ima extended attributes
I do think it is a expect result, we ca see the sign and hash.
So, let me enhance the test logic here
$_ =~ m/\/proc\/.*No such file/ or die "Failed to create security.ima for $_" foreach (@finds);
to
$_ =~ m/\/proc\/.*No such file|evm\/ima signature|hash\(sha256\)|^\w{530}$/ or die "Failed to create security.ima for $_" foreach (@finds)
Just like we do at https://progress.opensuse.org/issues/73159
Updated by rfan1 over 3 years ago
http://openqa.suse.de/tests/5220113#step/ima_appraisal_digital_signatures/64
Based on the tests, the issue is not seen any more. please omit the later failure, it is caused by bug https://bugzilla.suse.com/show_bug.cgi?id=1155890
Updated by rfan1 over 3 years ago
- % Done changed from 20 to 80
Updated by rfan1 over 3 years ago
- Status changed from In Progress to Feedback
- % Done changed from 80 to 90
PR Merged, wait for next openqa run