The kernel can be configured to require kexec kernel images and kernel
modules are signed. An IMA policy can be specified on the boot command
line or a custom IMA policy loaded requiring the kexec kernel image and
kernel modules be signed. In addition, systems booted in secure boot
mode with the IMA architecture specific policy enabled, require validly
signed kexec kernel images and kernel modules.
In addition to two methods of signing kernel images and two methods of
signing kernel modules, there are two syscalls for each.
kernel image: PE signature, IMA signature
kexec syscalls: kexec_load, kexec_file_load
Both the PE and IMA kernel image signature can only be verified when
loaded via the kexec_file_load syscall.
kernel moodule: appended signature, IMA signature
kernel module syscalls: init_module, finit_module
The appended kernel module signature can be verified when the kernel
module is loaded via either syscall. The IMA kernel module signature
can only be verified when the kernel module is loaded via the
finit_module syscall.
The selftests in this patch set verify that only signed kernel images
and kernel modules are loaded as required, based on the kernel config,
the secure boot mode, and the IMA runtime policy.
Loading a kernel image or kernel module requires root privileges. To
run just the IMA selftests: sudo make TARGETS=ima kselftest
Changelog:
- Updated tests based on Petr's review, including the defining a common
test to check for root privileges.
- Modified config, removing the CONFIG_KEXEC_VERIFY_SIG requirement.
- Updated the SPDX license to GPL-2.0 based on Shuah's review.
- Updated the secureboot mode test to check the SetupMode as well, based
on David Young's review.
Mimi Zohar (6):
selftests/ima: cleanup the kexec selftest
selftests/ima: define a set of common functions
selftests/ima: define common logging functions
kselftest/ima: define "require_root_privileges"
selftests/ima: kexec_file_load syscall test
selftests/ima: loading kernel modules
Petr Vorel (1):
selftests/ima: Add missing '=y' to config options
tools/testing/selftests/ima/Makefile | 3 +-
tools/testing/selftests/ima/config | 7 +-
tools/testing/selftests/ima/ima_common_lib.sh | 173 +++++++++++++++++++
tools/testing/selftests/ima/test_kernel_module.sh | 93 ++++++++++
.../testing/selftests/ima/test_kexec_file_load.sh | 190 +++++++++++++++++++++
tools/testing/selftests/ima/test_kexec_load.sh | 53 ++----
6 files changed, 476 insertions(+), 43 deletions(-)
create mode 100755 tools/testing/selftests/ima/ima_common_lib.sh
create mode 100755 tools/testing/selftests/ima/test_kernel_module.sh
create mode 100755 tools/testing/selftests/ima/test_kexec_file_load.sh
--
2.7.5
The kmod.sh script breaks because an array is passed as input
instead of a single element input.This patch takes elements
one at a time and passed as input to the condition statement
which in turn fixes the error.There was an issue which had
the need for passing a single digit to the condition statement
which is fixed using regular expression.
Distribution: Debian GNU/Linux buster/sid
Bash Version: 5.0.0(1)-release
Signed-off-by: Jeffrin Jose T <jeffrin(a)rajagiritech.edu.in>
---
tools/testing/selftests/kmod/kmod.sh | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/tools/testing/selftests/kmod/kmod.sh b/tools/testing/selftests/kmod/kmod.sh
index 0a76314b4414..49b273c3646e 100755
--- a/tools/testing/selftests/kmod/kmod.sh
+++ b/tools/testing/selftests/kmod/kmod.sh
@@ -526,9 +526,12 @@ function run_all_tests()
TEST_ID=${i%:*:*}
ENABLED=$(get_test_enabled $TEST_ID)
TEST_COUNT=$(get_test_count $TEST_ID)
- if [[ $ENABLED -eq "1" ]]; then
- test_case $TEST_ID $TEST_COUNT
- fi
+ for j in $ENABLED ; do
+ CHECK=${j#*:*:}
+ if [[ $CHECK -eq "1" ]]; then
+ test_case $TEST_ID $TEST_COUNT
+ fi
+ done
done
}
--
2.20.1
From: Thadeu Lima de Souza Cascardo <cascardo(a)canonical.com>
[ Upstream commit af548a27b158d548d41e56255e6eaca1658cc3be ]
Just like commit e2ba732a1681 ("selftests: fib_tests: sleep after
changing carrier"), wait one second to allow linkwatch to propagate the
carrier change to the stack.
There are two sets of carrier tests. The first slept after the carrier
was set to off, and when the second set ran, it was likely that the
linkwatch would be able to run again without much delay, reducing the
likelihood of a race. However, if you run 'fib_tests.sh -t carrier' on a
loop, you will quickly notice the failures.
Sleeping on the second set of tests make the failures go away.
Cc: David Ahern <dsahern(a)gmail.com>
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo(a)canonical.com>
Reviewed-by: David Ahern <dsahern(a)gmail.com>
Signed-off-by: David S. Miller <davem(a)davemloft.net>
Signed-off-by: Sasha Levin <sashal(a)kernel.org>
---
tools/testing/selftests/net/fib_tests.sh | 1 +
1 file changed, 1 insertion(+)
diff --git a/tools/testing/selftests/net/fib_tests.sh b/tools/testing/selftests/net/fib_tests.sh
index 0f45633bd634..a4ccde0e473b 100755
--- a/tools/testing/selftests/net/fib_tests.sh
+++ b/tools/testing/selftests/net/fib_tests.sh
@@ -385,6 +385,7 @@ fib_carrier_unicast_test()
set -e
$IP link set dev dummy0 carrier off
+ sleep 1
set +e
echo " Carrier down"
--
2.19.1
From: Thadeu Lima de Souza Cascardo <cascardo(a)canonical.com>
[ Upstream commit af548a27b158d548d41e56255e6eaca1658cc3be ]
Just like commit e2ba732a1681 ("selftests: fib_tests: sleep after
changing carrier"), wait one second to allow linkwatch to propagate the
carrier change to the stack.
There are two sets of carrier tests. The first slept after the carrier
was set to off, and when the second set ran, it was likely that the
linkwatch would be able to run again without much delay, reducing the
likelihood of a race. However, if you run 'fib_tests.sh -t carrier' on a
loop, you will quickly notice the failures.
Sleeping on the second set of tests make the failures go away.
Cc: David Ahern <dsahern(a)gmail.com>
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo(a)canonical.com>
Reviewed-by: David Ahern <dsahern(a)gmail.com>
Signed-off-by: David S. Miller <davem(a)davemloft.net>
Signed-off-by: Sasha Levin <sashal(a)kernel.org>
---
tools/testing/selftests/net/fib_tests.sh | 1 +
1 file changed, 1 insertion(+)
diff --git a/tools/testing/selftests/net/fib_tests.sh b/tools/testing/selftests/net/fib_tests.sh
index 802b4af18729..1080ff55a788 100755
--- a/tools/testing/selftests/net/fib_tests.sh
+++ b/tools/testing/selftests/net/fib_tests.sh
@@ -388,6 +388,7 @@ fib_carrier_unicast_test()
set -e
$IP link set dev dummy0 carrier off
+ sleep 1
set +e
echo " Carrier down"
--
2.19.1
Note: this version will likely trivially conflict with some cleanup
patches I sent to Bjorn. So this is meant for review purposes only.
If there are no objections, I'd like to look at getting it merged in
the next cycle through the NTB tree.
--
Changes in v2:
* Cleaned up the changes in intel_irq_remapping.c to make them
less confusing and add a comment. (Per discussion with Jacob and
Joerg)
* Fixed a nit from Bjorn and collected his Ack
* Added a Kconfig dependancy on CONFIG_PCI_MSI for CONFIG_NTB_MSI
as the Kbuild robot hit a random config that didn't build
without it.
* Worked in a callback for when the MSI descriptor changes so that
the clients can resend the new address and data values to the peer.
On my test system this was never necessary, but there may be
other platforms where this can occur. I tested this by hacking
in a path to rewrite the MSI descriptor when I change the cpu
affinity of an IRQ. There's a bit of uncertainty over the latency
of the change, but without hardware this can acctually occur on
we can't test this. This was the result of a discussion with Dave.
--
This patch series adds optional support for using MSI interrupts instead
of NTB doorbells in ntb_transport. This is desirable seeing doorbells on
current hardware are quite slow and therefore switching to MSI interrupts
provides a significant performance gain. On switchtec hardware, a simple
apples-to-apples comparison shows ntb_netdev/iperf numbers going from
3.88Gb/s to 14.1Gb/s when switching to MSI interrupts.
To do this, a couple changes are required outside of the NTB tree:
1) The IOMMU must know to accept MSI requests from aliased bused numbers
seeing NTB hardware typically sends proxied request IDs through
additional requester IDs. The first patch in this series adds support
for the Intel IOMMU. A quirk to add these aliases for switchtec hardware
was already accepted. See commit ad281ecf1c7d ("PCI: Add DMA alias quirk
for Microsemi Switchtec NTB") for a description of NTB proxy IDs and why
this is necessary.
2) NTB transport (and other clients) may often need more MSI interrupts
than the NTB hardware actually advertises support for. However, seeing
these interrupts will not be triggered by the hardware but through an
NTB memory window, the hardware does not actually need support or need
to know about them. Therefore we add the concept of Virtual MSI
interrupts which are allocated just like any other MSI interrupt but
are not programmed into the hardware's MSI table. This is done in
Patch 2 and then made use of in Patch 3.
The remaining patches in this series add a library for dealing with MSI
interrupts, a test client and finally support in ntb_transport.
The series is based off of v5.0-rc4 and I've tested it on top of a
of the patches I've already sent to the NTB tree (though they are
independent changes). A git repo is available here:
https://github.com/sbates130272/linux-p2pmem/ ntb_transport_msi_v2
Thanks,
Logan
--
Logan Gunthorpe (12):
iommu/vt-d: Implement dma_[un]map_resource()
NTB: ntb_transport: Ensure the destination buffer is mapped for TX DMA
iommu/vt-d: Add helper to set an IRTE to verify only the bus number
iommu/vt-d: Allow interrupts from the entire bus for aliased devices
PCI/MSI: Support allocating virtual MSI interrupts
PCI/switchtec: Add module parameter to request more interrupts
NTB: Introduce functions to calculate multi-port resource index
NTB: Rename ntb.c to support multiple source files in the module
NTB: Introduce MSI library
NTB: Introduce NTB MSI Test Client
NTB: Add ntb_msi_test support to ntb_test
NTB: Add MSI interrupt support to ntb_transport
drivers/iommu/intel-iommu.c | 23 +-
drivers/iommu/intel_irq_remapping.c | 32 +-
drivers/ntb/Kconfig | 11 +
drivers/ntb/Makefile | 3 +
drivers/ntb/{ntb.c => core.c} | 0
drivers/ntb/msi.c | 415 +++++++++++++++++++++++
drivers/ntb/ntb_transport.c | 197 ++++++++++-
drivers/ntb/test/Kconfig | 9 +
drivers/ntb/test/Makefile | 1 +
drivers/ntb/test/ntb_msi_test.c | 433 ++++++++++++++++++++++++
drivers/pci/msi.c | 55 ++-
drivers/pci/switch/switchtec.c | 12 +-
include/linux/msi.h | 8 +
include/linux/ntb.h | 143 ++++++++
include/linux/pci.h | 9 +
tools/testing/selftests/ntb/ntb_test.sh | 54 ++-
16 files changed, 1379 insertions(+), 26 deletions(-)
rename drivers/ntb/{ntb.c => core.c} (100%)
create mode 100644 drivers/ntb/msi.c
create mode 100644 drivers/ntb/test/ntb_msi_test.c
--
2.19.0
When the CONFIG_HOTPLUG_CPU is not set, there won't be a "hotplug"
directory in /sys/devices/system/cpu/. Make use of this fact to check
if we need to skip this test.
Signed-off-by: Po-Hsu Lin <po-hsu.lin(a)canonical.com>
---
tools/testing/selftests/cpu-hotplug/cpu-on-off-test.sh | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/tools/testing/selftests/cpu-hotplug/cpu-on-off-test.sh b/tools/testing/selftests/cpu-hotplug/cpu-on-off-test.sh
index 0d26b5e..27275a1 100755
--- a/tools/testing/selftests/cpu-hotplug/cpu-on-off-test.sh
+++ b/tools/testing/selftests/cpu-hotplug/cpu-on-off-test.sh
@@ -23,6 +23,11 @@ prerequisite()
exit $ksft_skip
fi
+ if [ ! -d $SYSFS/devices/system/cpu/hotplug/ ]; then
+ echo $msg CONFIG_HOTPLUG_CPU needs to be enabled >&2
+ exit $ksft_skip
+ fi
+
if ! ls $SYSFS/devices/system/cpu/cpu* > /dev/null 2>&1; then
echo $msg cpu hotplug is not supported >&2
exit $ksft_skip
--
2.7.4
The kernel can be configured to require kexec kernel images and kernel
modules are signed. An IMA policy can be specified on the boot command
line or a custom IMA policy loaded requiring the kexec kernel image and
kernel modules be signed. In addition, systems booted in secure boot
mode with the IMA architecture specific policy enabled, require validly
signed kexec kernel images and kernel modules.
There are two methods of signing kernel images and two methods of
signing kernel modules. In addition, there are two syscalls for each.
kernel image: PE signature, IMA signature
kexec syscalls: kexec_load, kexec_file_load
Both the PE and IMA kernel image signature can only be verified when
loaded via the kexec_file_load syscall.
kernel moodule: appended signature, IMA signature
kernel module syscalls: init_module, finit_module
The appended kernel module signature can be verified when the kernel
module is loaded via either syscall. The IMA kernel module signature
can only be verified when the kernel module is loaded via the
finit_module syscall.
The selftests in this patch set verify that only signed kernel images
and kernel modules are loaded as required, based on the kernel config,
the secure boot mode, and the IMA runtime policy.
Loading a kernel image or kernel module requires root privileges. To
run just the IMA selftests: sudo make TARGETS=ima kselftest
Mimi Zohar (5):
selftests/ima: cleanup the kexec selftest
selftests/ima: define a set of common functions
selftests/ima: define common logging functions
selftests/ima: kexec_file_load syscall test
selftests/ima: loading kernel modules
tools/testing/selftests/ima/Makefile | 3 +-
tools/testing/selftests/ima/common_lib.sh | 154 ++++++++++++++++
tools/testing/selftests/ima/test_kernel_module.sh | 96 ++++++++++
.../testing/selftests/ima/test_kexec_file_load.sh | 195 +++++++++++++++++++++
tools/testing/selftests/ima/test_kexec_load.sh | 53 ++----
5 files changed, 463 insertions(+), 38 deletions(-)
create mode 100755 tools/testing/selftests/ima/common_lib.sh
create mode 100755 tools/testing/selftests/ima/test_kernel_module.sh
create mode 100755 tools/testing/selftests/ima/test_kexec_file_load.sh
--
2.7.5