Capture and display evmctl error messages and pass --v3 to evmctl when necessary

tests/kernel/creds_check.test

@@ -173,7 +173,7 @@ fi
 [ "$VERBOSE" -ge 2 ] && echo "INFO: loop device for $g_image is $g_dev"
 
 [ "$VERBOSE" -ge 1 ] && echo "INFO: formatting $g_dev with ext4 and UUID $IMA_UUID"
-if ! mkfs.ext4 -U "$IMA_UUID" -b 4096 "$g_dev" &> /dev/null; then
+if ! mkfs.ext4 -U "$IMA_UUID" -b 8192 "$g_dev" &> /dev/null; then
 	echo "${RED}Cannot format $g_dev${NORM}"
 	exit "$FAIL"
 fi

tests/kernel/functions_kernel.sh

@@ -32,11 +32,21 @@ get_xattr() {
 				 print v}'
 }
 
+# Determine whether the given key requires --v3 to be passed to evmctl
+keyalgo_opt_v3() {
+	local key_path=$1
+
+	if openssl pkey -in "$key_path" -noout -text | grep -q ML-DSA; then
+		echo "--v3"
+	fi
+}
+
 check_load_ima_rule() {
 	local result new_policy color
 	local new_rule="$1"
 	local key_path="$2"
 	local mountpoint="$3"
+	local opt_v3
 
 	echo -e "$new_rule\n$(cat /sys/kernel/security/ima/policy)" | ima_policy_check.awk
 	result=$?
@@ -68,8 +78,11 @@ check_load_ima_rule() {
 	fi
 
 	echo "$new_rule" > "$new_policy"
-	if ! evmctl sign -o -a sha256 --imasig --key "$key_path" "$new_policy" &> /dev/null; then
+	opt_v3=$(keyalgo_opt_v3 "$key_path")
+	if ! err=$(evmctl sign -o -a sha256 --imasig \
+			--key "$key_path" "$new_policy" ${opt_v3:+${opt_v3}} 2>&1); then
 		echo "${RED}Failed to sign IMA policy${NORM}"
+		echo "${RED}${err}${NORM}"
 		return "$FAIL"
 	fi
 

tests/kernel/mmap_check.test

@@ -142,7 +142,7 @@ check_mmap() {
 check_deny() {
 	local hook="$1"
 	local arg="$2"
-	local test_file fowner rule result
+	local test_file fowner rule result err opt_v3
 
 	echo -e "\nTest: ${FUNCNAME[0]} (hook=\"$hook\", test_mmap arg: \"$arg\")"
 
@@ -156,8 +156,11 @@ check_deny() {
 		return "$FAIL"
 	fi
 
-	if ! evmctl ima_sign -a sha256 --key "$g_key_path" "$test_file" &> /dev/null; then
+	opt_v3=$(keyalgo_opt_v3 "$g_key_path")
+	if ! err=$(evmctl ima_sign -a sha256 \
+			--key "$g_key_path" ${opt_v3:+${opt_v3}} "$test_file" 2>&1); then
 		echo "${RED}Cannot sign $test_file${NORM}"
+		echo "${RED}${err}${NORM}"
 		return "$HARDFAIL"
 	fi
 
@@ -288,7 +291,7 @@ if [ -z "$g_dev" ]; then
 	exit "$FAIL"
 fi
 
-if ! mkfs.ext4 -U "$IMA_UUID" -b 4096 "$g_dev" &> /dev/null; then
+if ! mkfs.ext4 -U "$IMA_UUID" -b 8192 "$g_dev" &> /dev/null; then
 	echo "${RED}Cannot format $g_dev${NORM}"
 	exit "$FAIL"
 fi

tests/kernel/non_action_rule_flags.test

@@ -157,7 +157,7 @@ fi
 [ "$VERBOSE" -ge 2 ] && echo "INFO: loop device for $g_image is $g_dev"
 
 [ "$VERBOSE" -ge 1 ] && echo "INFO: formatting $g_dev with ext4 and UUID $IMA_UUID"
-if ! mkfs.ext4 -U "$IMA_UUID" -b 4096 "$g_dev" &> /dev/null; then
+if ! mkfs.ext4 -U "$IMA_UUID" -b 8192 "$g_dev" &> /dev/null; then
 	echo "${RED}Cannot format $g_dev${NORM}"
 	exit "$FAIL"
 fi

tests/kernel/portable_signatures.test

@@ -71,7 +71,7 @@ METADATA_CHANGE_FOWNER_2=3002
 # requirement to be satisfied by EVM portable signatures' didn't break the
 # current behavior (IMA signatures still satisfy the imasig requirement).
 check_ima_sig_appraisal() {
-	local result
+	local result err opt_v3
 
 	echo "Test: ${FUNCNAME[0]} (evm_value: $evm_value)"
 
@@ -85,8 +85,11 @@ check_ima_sig_appraisal() {
 		return "$FAIL"
 	fi
 
-	if ! evmctl ima_sign -a sha256 --key "$g_key_path" test-file &> /dev/null; then
+	opt_v3=$(keyalgo_opt_v3 "$g_key_path")
+	if ! err=$(evmctl ima_sign -a sha256 \
+			--key "$g_key_path" ${opt_v3:+${opt_v3}} test-file 2>&1); then
 		echo "${RED}Cannot sign test-file${NORM}"
+		echo "${RED}${err}${NORM}"
 		return "$FAIL"
 	fi
 
@@ -127,9 +130,7 @@ cleanup_ima_sig_appraisal() {
 # field evmsig and write to field sig as fallback' still allows IMA signatures
 # to be displayed in the measurement list.
 check_ima_sig_ima_measurement_list() {
-	local result
-	local ima_sig_fs
-	local ima_sig_list
+	local result ima_sig_fs ima_sig_list err opt_v3
 
 	echo "Test: ${FUNCNAME[0]} (evm_value: $evm_value)"
 
@@ -138,8 +139,11 @@ check_ima_sig_ima_measurement_list() {
 		return "$FAIL"
 	fi
 
-	if ! evmctl ima_sign -a sha256 --imasig --key "$g_key_path" test-file &> /dev/null; then
+	opt_v3=$(keyalgo_opt_v3 "$g_key_path")
+	if ! err=$(evmctl ima_sign -a sha256 --imasig \
+			--key "$g_key_path" ${opt_v3:+${opt_v3}} test-file 2>&1); then
 		echo "${RED}Cannot sign test-file${NORM}"
+		echo "${RED}${err}${NORM}"
 		return "$FAIL"
 	fi
 
@@ -220,6 +224,8 @@ cleanup_create_file() {
 # metadata to copied one by one, even if the portable signature verification
 # temporarily fails until the copy is completed.
 check_cp_preserve_xattrs() {
+	local err opt_v3
+
 	echo "Test: ${FUNCNAME[0]} (evm_value: $evm_value)"
 
 	if [ "$evm_value" -ne "$EVM_INIT_X509" ]; then
@@ -232,8 +238,11 @@ check_cp_preserve_xattrs() {
 		return "$FAIL"
 	fi
 
-	if ! evmctl sign -o -a sha256 --imahash --key "$g_key_path" test-file &> /dev/null; then
+	opt_v3=$(keyalgo_opt_v3 "$g_key_path")
+	if ! err=$(evmctl sign -o -a sha256 --imahash \
+			--key "$g_key_path" ${opt_v3:+${opt_v3}} test-file 2>&1); then
 		echo "${RED}Cannot sign test-file${NORM}"
+		echo "${RED}${err}${NORM}"
 		return "$FAIL"
 	fi
 
@@ -262,6 +271,8 @@ cleanup_cp_preserve_xattrs() {
 # incrementally test the patches without 'evm: Allow setxattr() and setattr()
 # for unmodified metadata'.
 check_tar_extract_xattrs_different_owner() {
+	local err opt_v3
+
 	echo "Test: ${FUNCNAME[0]} (evm_value: $evm_value)"
 
 	if [ "$evm_value" -ne "$EVM_INIT_X509" ]; then
@@ -289,8 +300,11 @@ check_tar_extract_xattrs_different_owner() {
 		return "$FAIL"
 	fi
 
-	if ! evmctl sign -o -a sha256 --imahash --key "$g_key_path" in/test-file &> /dev/null; then
+	opt_v3=$(keyalgo_opt_v3 "$g_key_path")
+	if ! err=$(evmctl sign -o -a sha256 --imahash \
+			--key "$g_key_path" ${opt_v3:+${opt_v3}} in/test-file 2>&1); then
 		echo "${RED}Cannot sign test-file${NORM}"
+		echo "${RED}${err}${NORM}"
 		return "$FAIL"
 	fi
 
@@ -330,6 +344,8 @@ cleanup_tar_extract_xattrs_different_owner() {
 # the same owner as the current one. Thus, this test requires 'evm: Allow
 # setxattr() and setattr() for unmodified metadata'.
 check_tar_extract_xattrs_same_owner() {
+	local err opt_v3
+
 	echo "Test: ${FUNCNAME[0]} (evm_value: $evm_value)"
 
 	if [ "$evm_value" -ne "$EVM_INIT_X509" ]; then
@@ -347,8 +363,11 @@ check_tar_extract_xattrs_same_owner() {
 		return "$FAIL"
 	fi
 
-	if ! evmctl sign -o -a sha256 --imahash --key "$g_key_path" in/test-file &> /dev/null; then
+	opt_v3=$(keyalgo_opt_v3 "$g_key_path")
+	if ! err=$(evmctl sign -o -a sha256 --imahash \
+			--key "$g_key_path" ${opt_v3:+${opt_v3}} in/test-file 2>&1); then
 		echo "${RED}Cannot sign test-file${NORM}"
+		echo "${RED}${err}${NORM}"
 		return "$FAIL"
 	fi
 
@@ -389,10 +408,7 @@ cleanup_tar_extract_xattrs_same_owner() {
 # commands to set the same or different metadata. Setting the same metadata
 # should be allowed, setting different metadata should be denied.
 check_metadata_change() {
-	local ima_xattr
-	local label
-	local last_char
-	local msg
+	local ima_xattr label last_char msg err opt_v3
 
 	echo "Test: ${FUNCNAME[0]} (evm_value: $evm_value)"
 
@@ -421,8 +437,11 @@ check_metadata_change() {
 		return "$FAIL"
 	fi
 
-	if ! evmctl sign -o -a sha256 --imahash --key "$g_key_path" test-file &> /dev/null; then
+	opt_v3=$(keyalgo_opt_v3 "$g_key_path")
+	if ! err=$(evmctl sign -o -a sha256 --imahash \
+			--key "$g_key_path" ${opt_v3:+${opt_v3}} test-file 2>&1); then
 		echo "${RED}Cannot sign test-file${NORM}"
+		echo "${RED}${err}${NORM}"
 		return "$FAIL"
 	fi
 
@@ -552,14 +571,7 @@ cleanup_metadata_change() {
 # verifies that IMA grants access again to the file after restoring the correct
 # metadata.
 check_evm_revalidate() {
-	local result
-	local ima_xattr
-	local ima_xattr_new
-	local evm_xattr
-	local evm_xattr_new
-	local label
-	local last_char
-	local msg
+	local result ima_xattr ima_xattr_new evm_xattr evm_xattr_new label last_char msg err opt_v3
 
 	echo "Test: ${FUNCNAME[0]} (evm_value: $evm_value)"
 
@@ -581,8 +593,11 @@ check_evm_revalidate() {
 	# We need to defer setting the correct owner, as there could be
 	# already an IMA policy rule preventing evmctl from reading the
 	# file to calculate the digest.
-	if ! evmctl sign -o -a sha256 --imahash --uid "$APPRAISE_FOWNER" --key "$g_key_path" test-file &> /dev/null; then
+	opt_v3=$(keyalgo_opt_v3 "$g_key_path")
+	if ! err=$(evmctl sign -o -a sha256 --imahash --uid "$APPRAISE_FOWNER" \
+			--key "$g_key_path" ${opt_v3:+${opt_v3}} test-file 2>&1); then
 		echo "${RED}Cannot sign test-file${NORM}"
+		echo "${RED}${err}${NORM}"
 		return "$FAIL"
 	fi
 
@@ -762,11 +777,7 @@ cleanup_evm_revalidate() {
 # written to new files after adding the signature and files can be accessed
 # when the imasig requirement is specified in the IMA policy.
 check_evm_portable_sig_ima_appraisal() {
-	local result
-	local xattr_orig
-	local xattr
-	local mode
-	local owner
+	local result xattr_orig xattr mode owner err opt_v3
 
 	echo "Test: ${FUNCNAME[0]} (evm_value: $evm_value)"
 
@@ -788,8 +799,11 @@ check_evm_portable_sig_ima_appraisal() {
 	# We need to defer setting the correct owner, as there could be
 	# already an IMA policy rule preventing evmctl from reading the
 	# file to calculate the digest.
-	if ! evmctl sign -o -a sha256 --imahash --uid "$APPRAISE_DIGSIG_FOWNER" --key "$g_key_path" test-file &> /dev/null; then
+	opt_v3=$(keyalgo_opt_v3 "$g_key_path")
+	if ! err=$(evmctl sign -o -a sha256 --imahash --uid "$APPRAISE_DIGSIG_FOWNER" \
+			--key "$g_key_path" ${opt_v3:+${opt_v3}} test-file 2>&1); then
 		echo "${RED}Cannot sign test-file${NORM}"
+		echo "${RED}${err}${NORM}"
 		return "$FAIL"
 	fi
 
@@ -884,9 +898,7 @@ cleanup_evm_portable_sig_ima_appraisal() {
 # The purpose of this test is to verify that the EVM portable signature is
 # displayed in the measurement list.
 check_evm_portable_sig_ima_measurement_list() {
-	local result
-	local evm_sig_fs
-	local evm_sig_list
+	local result evm_sig_fs evm_sig_list err opt_v3
 
 	echo "Test: ${FUNCNAME[0]} (evm_value: $evm_value)"
 
@@ -900,8 +912,11 @@ check_evm_portable_sig_ima_measurement_list() {
 		return "$FAIL"
 	fi
 
-	if ! evmctl sign -o -a sha256 --imahash --key "$g_key_path" test-file &> /dev/null; then
+	opt_v3=$(keyalgo_opt_v3 "$g_key_path")
+	if ! err=$(evmctl sign -o -a sha256 --imahash \
+			--key "$g_key_path" ${opt_v3:+${opt_v3}} test-file 2>&1); then
 		echo "${RED}Cannot sign test-file${NORM}"
+		echo "${RED}${err}${NORM}"
 		return "$FAIL"
 	fi
 
@@ -1005,7 +1020,7 @@ if [ -z "$g_dev" ]; then
 	exit "$FAIL"
 fi
 
-if ! mkfs.ext4 -U "$IMA_UUID" -b 4096 "$g_dev" &> /dev/null; then
+if ! mkfs.ext4 -U "$IMA_UUID" -b 8192 "$g_dev" &> /dev/null; then
 	echo "${RED}Cannot format $g_dev${NORM}"
 	exit "$FAIL"
 fi