[PATCH v5 0/9] selftests/kexec: add kexec tests

List overview All Threads
Download

newer

older

next-20190405 kselftest results

[PATCH v10 5/9] kselftests:...

Mimi Zohar

26 Mar 2019 26 Mar '19

1:34 p.m.

The kernel may be configured or an IMA policy specified on the boot command line requiring the kexec kernel image signature to be verified. At runtime a custom IMA policy may be loaded, replacing the policy specified on the boot command line. In addition, the arch specific policy rules are dynamically defined based on the secure boot mode that may require the kernel image signature to be verified.

The kernel image may have a PE signature, an IMA signature, or both. In addition, there are two kexec syscalls - kexec_load and kexec_file_load - but only the kexec_file_load syscall can verify signatures.

These kexec selftests verify that only properly signed kernel images are loaded as required, based on the kernel config, the secure boot mode, and the IMA runtime policy.

Loading a kernel image requires root privileges. To run just the KEXEC selftests: sudo make TARGETS=kexec kselftest

Changelog v5: - Make tests independent of IMA being enabled, folding the changes into the kexec_file_load test. - Add support for CONFIG_KEXEC_VERIFY_SIG being enabled, but not CONFIG_KEXEC_BZIMAGE_VERIFY_SIG.

Changelog v4: - Moved the kexec tests to selftests/kexec, as requested by Dave Young. - Removed the kernel module selftest from this patch set. - Rewritten cover letter, removing reference to kernel modules.

Changelog v3: - Updated tests based on Petr's review, including the defining a common test to check for root privileges. - Modified config, removing the CONFIG_KEXEC_VERIFY_SIG requirement. - Updated the SPDX license to GPL-2.0 based on Shuah's review. - Updated the secureboot mode test to check the SetupMode as well, based on David Young's review.

Mimi Zohar (8): selftests/kexec: move the IMA kexec_load selftest to selftests/kexec selftests/kexec: cleanup the kexec selftest selftests/kexec: define a set of common functions selftests/kexec: define common logging functions kselftest/kexec: define "require_root_privileges" selftests/kexec: kexec_file_load syscall test selftests/kexec: check kexec_load and kexec_file_load are enabled selftests/kexec: make kexec_load test independent of IMA being enabled

Petr Vorel (1): selftests/kexec: Add missing '=y' to config options

tools/testing/selftests/Makefile | 2 +- tools/testing/selftests/ima/Makefile | 11 -- tools/testing/selftests/ima/config | 4 - tools/testing/selftests/ima/test_kexec_load.sh | 54 ------ tools/testing/selftests/kexec/Makefile | 12 ++ tools/testing/selftests/kexec/config | 3 + tools/testing/selftests/kexec/kexec_common_lib.sh | 175 +++++++++++++++++ .../selftests/kexec/test_kexec_file_load.sh | 208 +++++++++++++++++++++ tools/testing/selftests/kexec/test_kexec_load.sh | 47 +++++ 9 files changed, 446 insertions(+), 70 deletions(-) delete mode 100644 tools/testing/selftests/ima/Makefile delete mode 100644 tools/testing/selftests/ima/config delete mode 100755 tools/testing/selftests/ima/test_kexec_load.sh create mode 100644 tools/testing/selftests/kexec/Makefile create mode 100644 tools/testing/selftests/kexec/config create mode 100755 tools/testing/selftests/kexec/kexec_common_lib.sh create mode 100755 tools/testing/selftests/kexec/test_kexec_file_load.sh create mode 100755 tools/testing/selftests/kexec/test_kexec_load.sh

-- 2.7.5

Show replies by date

Mimi Zohar

26 Mar 26 Mar

1:34 p.m.

New subject: [PATCH v5 1/9] selftests/kexec: move the IMA kexec_load selftest to selftests/kexec

As requested move the existing kexec_load selftest and subsequent kexec tests to the selftests/kexec directory.

Suggested-by: Dave Young dyoung@redhat.com Signed-off-by: Mimi Zohar zohar@linux.ibm.com --- tools/testing/selftests/Makefile | 2 +- tools/testing/selftests/ima/Makefile | 11 ----- tools/testing/selftests/ima/config | 4 -- tools/testing/selftests/ima/test_kexec_load.sh | 54 ------------------------ tools/testing/selftests/kexec/Makefile | 11 +++++ tools/testing/selftests/kexec/config | 4 ++ tools/testing/selftests/kexec/test_kexec_load.sh | 54 ++++++++++++++++++++++++ 7 files changed, 70 insertions(+), 70 deletions(-) delete mode 100644 tools/testing/selftests/ima/Makefile delete mode 100644 tools/testing/selftests/ima/config delete mode 100755 tools/testing/selftests/ima/test_kexec_load.sh create mode 100644 tools/testing/selftests/kexec/Makefile create mode 100644 tools/testing/selftests/kexec/config create mode 100755 tools/testing/selftests/kexec/test_kexec_load.sh

diff --git a/tools/testing/selftests/Makefile b/tools/testing/selftests/Makefile index 1a2bd15c5b6e..6da1e32d2b99 100644 --- a/tools/testing/selftests/Makefile +++ b/tools/testing/selftests/Makefile @@ -14,11 +14,11 @@ TARGETS += firmware TARGETS += ftrace TARGETS += futex TARGETS += gpio -TARGETS += ima TARGETS += intel_pstate TARGETS += ipc TARGETS += ir TARGETS += kcmp +TARGETS += kexec TARGETS += kvm TARGETS += lib TARGETS += membarrier diff --git a/tools/testing/selftests/ima/Makefile b/tools/testing/selftests/ima/Makefile deleted file mode 100644 index 0b3adf5444b6..000000000000 --- a/tools/testing/selftests/ima/Makefile +++ /dev/null @@ -1,11 +0,0 @@ -# Makefile for kexec_load - -uname_M := $(shell uname -m 2>/dev/null || echo not) -ARCH ?= $(shell echo $(uname_M) | sed -e s/i.86/x86/ -e s/x86_64/x86/) - -ifeq ($(ARCH),x86) -TEST_PROGS := test_kexec_load.sh - -include ../lib.mk - -endif diff --git a/tools/testing/selftests/ima/config b/tools/testing/selftests/ima/config deleted file mode 100644 index 6bc86d4d9bb4..000000000000 --- a/tools/testing/selftests/ima/config +++ /dev/null @@ -1,4 +0,0 @@ -CONFIG_IMA_APPRAISE -CONFIG_IMA_ARCH_POLICY -CONFIG_SECURITYFS -CONFIG_KEXEC_VERIFY_SIG diff --git a/tools/testing/selftests/ima/test_kexec_load.sh b/tools/testing/selftests/ima/test_kexec_load.sh deleted file mode 100755 index 1c10093fb526..000000000000 --- a/tools/testing/selftests/ima/test_kexec_load.sh +++ /dev/null @@ -1,54 +0,0 @@ -#!/bin/sh -# SPDX-License-Identifier: GPL-2.0+ -# Loading a kernel image via the kexec_load syscall should fail -# when the kerne is CONFIG_KEXEC_VERIFY_SIG enabled and the system -# is booted in secureboot mode. - -TEST="$0" -EFIVARFS="/sys/firmware/efi/efivars" -rc=0 - -# Kselftest framework requirement - SKIP code is 4. -ksft_skip=4 - -# kexec requires root privileges -if [ $UID != 0 ]; then - echo "$TEST: must be run as root" >&2 - exit $ksft_skip -fi - -# Make sure that efivars is mounted in the normal location -if ! grep -q "^\S+ $EFIVARFS efivarfs" /proc/mounts; then - echo "$TEST: efivars is not mounted on $EFIVARFS" >&2 - exit $ksft_skip -fi - -# Get secureboot mode -file="$EFIVARFS/SecureBoot-*" -if [ ! -e $file ]; then - echo "$TEST: unknown secureboot mode" >&2 - exit $ksft_skip -fi -secureboot=`hexdump $file | awk '{print substr($4,length($4),1)}'` - -# kexec_load should fail in secure boot mode -KERNEL_IMAGE="/boot/vmlinuz-`uname -r`" -kexec -l $KERNEL_IMAGE &>> /dev/null -if [ $? == 0 ]; then - kexec -u - if [ "$secureboot" == "1" ]; then - echo "$TEST: kexec_load succeeded [FAIL]" - rc=1 - else - echo "$TEST: kexec_load succeeded [PASS]" - fi -else - if [ "$secureboot" == "1" ]; then - echo "$TEST: kexec_load failed [PASS]" - else - echo "$TEST: kexec_load failed [FAIL]" - rc=1 - fi -fi - -exit $rc diff --git a/tools/testing/selftests/kexec/Makefile b/tools/testing/selftests/kexec/Makefile new file mode 100644 index 000000000000..0b3adf5444b6 --- /dev/null +++ b/tools/testing/selftests/kexec/Makefile @@ -0,0 +1,11 @@ +# Makefile for kexec_load + +uname_M := $(shell uname -m 2>/dev/null || echo not) +ARCH ?= $(shell echo $(uname_M) | sed -e s/i.86/x86/ -e s/x86_64/x86/) + +ifeq ($(ARCH),x86) +TEST_PROGS := test_kexec_load.sh + +include ../lib.mk + +endif diff --git a/tools/testing/selftests/kexec/config b/tools/testing/selftests/kexec/config new file mode 100644 index 000000000000..6bc86d4d9bb4 --- /dev/null +++ b/tools/testing/selftests/kexec/config @@ -0,0 +1,4 @@ +CONFIG_IMA_APPRAISE +CONFIG_IMA_ARCH_POLICY +CONFIG_SECURITYFS +CONFIG_KEXEC_VERIFY_SIG diff --git a/tools/testing/selftests/kexec/test_kexec_load.sh b/tools/testing/selftests/kexec/test_kexec_load.sh new file mode 100755 index 000000000000..1c10093fb526 --- /dev/null +++ b/tools/testing/selftests/kexec/test_kexec_load.sh @@ -0,0 +1,54 @@ +#!/bin/sh +# SPDX-License-Identifier: GPL-2.0+ +# Loading a kernel image via the kexec_load syscall should fail +# when the kerne is CONFIG_KEXEC_VERIFY_SIG enabled and the system +# is booted in secureboot mode. + +TEST="$0" +EFIVARFS="/sys/firmware/efi/efivars" +rc=0 + +# Kselftest framework requirement - SKIP code is 4. +ksft_skip=4 + +# kexec requires root privileges +if [ $UID != 0 ]; then + echo "$TEST: must be run as root" >&2 + exit $ksft_skip +fi + +# Make sure that efivars is mounted in the normal location +if ! grep -q "^\S+ $EFIVARFS efivarfs" /proc/mounts; then + echo "$TEST: efivars is not mounted on $EFIVARFS" >&2 + exit $ksft_skip +fi + +# Get secureboot mode +file="$EFIVARFS/SecureBoot-*" +if [ ! -e $file ]; then + echo "$TEST: unknown secureboot mode" >&2 + exit $ksft_skip +fi +secureboot=`hexdump $file | awk '{print substr($4,length($4),1)}'` + +# kexec_load should fail in secure boot mode +KERNEL_IMAGE="/boot/vmlinuz-`uname -r`" +kexec -l $KERNEL_IMAGE &>> /dev/null +if [ $? == 0 ]; then + kexec -u + if [ "$secureboot" == "1" ]; then + echo "$TEST: kexec_load succeeded [FAIL]" + rc=1 + else + echo "$TEST: kexec_load succeeded [PASS]" + fi +else + if [ "$secureboot" == "1" ]; then + echo "$TEST: kexec_load failed [PASS]" + else + echo "$TEST: kexec_load failed [FAIL]" + rc=1 + fi +fi + +exit $rc

-- 2.7.5

Petr Vorel

27 Mar 27 Mar

11:54 a.m.

New subject: [PATCH v5 1/9] selftests/kexec: move the IMA kexec_load selftest to selftests/kexec

Hi Mimi, Dave,

...

As requested move the existing kexec_load selftest and subsequent kexec tests to the selftests/kexec directory.

...

Suggested-by: Dave Young dyoung@redhat.com Signed-off-by: Mimi Zohar zohar@linux.ibm.com

Reviewed-by: Petr Vorel pvorel@suse.cz

Kind regards, Petr

Mimi Zohar

26 Mar 26 Mar

1:34 p.m.

New subject: [PATCH v5 2/9] selftests/kexec: cleanup the kexec selftest

Remove the few bashisms and use the complete option name for clarity.

Signed-off-by: Mimi Zohar zohar@linux.ibm.com Reviewed-by: Petr Vorel pvorel@suse.cz --- tools/testing/selftests/kexec/test_kexec_load.sh | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/tools/testing/selftests/kexec/test_kexec_load.sh b/tools/testing/selftests/kexec/test_kexec_load.sh index 1c10093fb526..82a01a4d5c8d 100755 --- a/tools/testing/selftests/kexec/test_kexec_load.sh +++ b/tools/testing/selftests/kexec/test_kexec_load.sh @@ -1,7 +1,7 @@ #!/bin/sh -# SPDX-License-Identifier: GPL-2.0+ +# SPDX-License-Identifier: GPL-2.0 # Loading a kernel image via the kexec_load syscall should fail -# when the kerne is CONFIG_KEXEC_VERIFY_SIG enabled and the system +# when the kernel is CONFIG_KEXEC_VERIFY_SIG enabled and the system # is booted in secureboot mode.

TEST="$0" @@ -12,8 +12,8 @@ rc=0 ksft_skip=4

# kexec requires root privileges -if [ $UID != 0 ]; then - echo "$TEST: must be run as root" >&2 +if [ $(id -ru) -ne 0 ]; then + echo "$TEST: requires root privileges" >&2 exit $ksft_skip fi

@@ -33,17 +33,17 @@ secureboot=`hexdump $file | awk '{print substr($4,length($4),1)}'`

# kexec_load should fail in secure boot mode KERNEL_IMAGE="/boot/vmlinuz-`uname -r`" -kexec -l $KERNEL_IMAGE &>> /dev/null -if [ $? == 0 ]; then - kexec -u - if [ "$secureboot" == "1" ]; then +kexec --load $KERNEL_IMAGE > /dev/null 2>&1 +if [ $? -eq 0 ]; then + kexec --unload + if [ $secureboot -eq 1 ]; then echo "$TEST: kexec_load succeeded [FAIL]" rc=1 else echo "$TEST: kexec_load succeeded [PASS]" fi else - if [ "$secureboot" == "1" ]; then + if [ $secureboot -eq 1 ]; then echo "$TEST: kexec_load failed [PASS]" else echo "$TEST: kexec_load failed [FAIL]"

-- 2.7.5

Mimi Zohar

1:34 p.m.

New subject: [PATCH v5 3/9] selftests/kexec: define a set of common functions

Define, update and move get_secureboot_mode() to a common file for use by other tests.

Updated to check both the efivar SecureBoot-$(UUID) and SetupMode-$(UUID), based on Dave Young's review.

Signed-off-by: Mimi Zohar zohar@linux.ibm.com Reviewed-by: Petr Vorel pvorel@suse.cz --- tools/testing/selftests/kexec/Makefile | 1 + tools/testing/selftests/kexec/kexec_common_lib.sh | 38 +++++++++++++++++++++++ tools/testing/selftests/kexec/test_kexec_load.sh | 17 ++-------- 3 files changed, 42 insertions(+), 14 deletions(-) create mode 100755 tools/testing/selftests/kexec/kexec_common_lib.sh

diff --git a/tools/testing/selftests/kexec/Makefile b/tools/testing/selftests/kexec/Makefile index 0b3adf5444b6..1a795861040b 100644 --- a/tools/testing/selftests/kexec/Makefile +++ b/tools/testing/selftests/kexec/Makefile @@ -5,6 +5,7 @@ ARCH ?= $(shell echo $(uname_M) | sed -e s/i.86/x86/ -e s/x86_64/x86/)

ifeq ($(ARCH),x86) TEST_PROGS := test_kexec_load.sh +TEST_FILES := kexec_common_lib.sh

include ../lib.mk

diff --git a/tools/testing/selftests/kexec/kexec_common_lib.sh b/tools/testing/selftests/kexec/kexec_common_lib.sh new file mode 100755 index 000000000000..05376be6a6f7 --- /dev/null +++ b/tools/testing/selftests/kexec/kexec_common_lib.sh @@ -0,0 +1,38 @@ +#!/bin/sh +# SPDX-License-Identifier: GPL-2.0 + +# Check efivar SecureBoot-$(the UUID) and SetupMode-$(the UUID). +# The secure boot mode can be accessed either as the last integer +# of "od -An -t u1 /sys/firmware/efi/efivars/SecureBoot-*" or from +# "od -An -t u1 /sys/firmware/efi/vars/SecureBoot-*/data". The efi +# SetupMode can be similarly accessed. +# Return 1 for SecureBoot mode enabled and SetupMode mode disabled. +get_secureboot_mode() +{ + local efivarfs="/sys/firmware/efi/efivars" + local secure_boot_file="$efivarfs/../vars/SecureBoot-*/data" + local setup_mode_file="$efivarfs/../vars/SetupMode-*/data" + local secureboot_mode=0 + local setup_mode=0 + + # Make sure that efivars is mounted in the normal location + if ! grep -q "^\S+ $efivarfs efivarfs" /proc/mounts; then + log_skip "efivars is not mounted on $efivarfs" + fi + + # Due to globbing, quoting "secure_boot_file" and "setup_mode_file" + # is not possible. (Todo: initialize variables using find or ls.) + if [ ! -e $secure_boot_file ] || [ ! -e $setup_mode_file ]; then + log_skip "unknown secureboot/setup mode" + fi + + secureboot_mode=`od -An -t u1 $secure_boot_file` + setup_mode=`od -An -t u1 $setup_mode_file` + + if [ $secureboot_mode -eq 1 ] && [ $setup_mode -eq 0 ]; then + log_info "secure boot mode enabled" + return 1; + fi + log_info "secure boot mode not enabled" + return 0; +} diff --git a/tools/testing/selftests/kexec/test_kexec_load.sh b/tools/testing/selftests/kexec/test_kexec_load.sh index 82a01a4d5c8d..86625c3f1e5d 100755 --- a/tools/testing/selftests/kexec/test_kexec_load.sh +++ b/tools/testing/selftests/kexec/test_kexec_load.sh @@ -5,7 +5,7 @@ # is booted in secureboot mode.

TEST="$0" -EFIVARFS="/sys/firmware/efi/efivars" +. ./kexec_common_lib.sh rc=0

# Kselftest framework requirement - SKIP code is 4. @@ -17,19 +17,8 @@ if [ $(id -ru) -ne 0 ]; then exit $ksft_skip fi

-# Make sure that efivars is mounted in the normal location -if ! grep -q "^\S+ $EFIVARFS efivarfs" /proc/mounts; then - echo "$TEST: efivars is not mounted on $EFIVARFS" >&2 - exit $ksft_skip -fi - -# Get secureboot mode -file="$EFIVARFS/SecureBoot-*" -if [ ! -e $file ]; then - echo "$TEST: unknown secureboot mode" >&2 - exit $ksft_skip -fi -secureboot=`hexdump $file | awk '{print substr($4,length($4),1)}'` +get_secureboot_mode +secureboot=$?

# kexec_load should fail in secure boot mode KERNEL_IMAGE="/boot/vmlinuz-`uname -r`"

-- 2.7.5

Mimi Zohar

1:34 p.m.

New subject: [PATCH v5 4/9] selftests/kexec: define common logging functions

Define log_info, log_pass, log_fail, and log_skip functions.

Suggested-by: Petr Vorel pvorel@suse.cz Signed-off-by: Mimi Zohar zohar@linux.ibm.com Reviewed-by: Petr Vorel pvorel@suse.cz --- tools/testing/selftests/kexec/kexec_common_lib.sh | 31 +++++++++++++++++++++++ tools/testing/selftests/kexec/test_kexec_load.sh | 19 ++++---------- 2 files changed, 36 insertions(+), 14 deletions(-)

diff --git a/tools/testing/selftests/kexec/kexec_common_lib.sh b/tools/testing/selftests/kexec/kexec_common_lib.sh index 05376be6a6f7..d108ac538f14 100755 --- a/tools/testing/selftests/kexec/kexec_common_lib.sh +++ b/tools/testing/selftests/kexec/kexec_common_lib.sh @@ -1,5 +1,36 @@ #!/bin/sh # SPDX-License-Identifier: GPL-2.0 +# +# Kselftest framework defines: ksft_pass=0, ksft_fail=1, ksft_skip=4 + +VERBOSE="${VERBOSE:-1}" + +log_info() +{ + [ $VERBOSE -ne 0 ] && echo "[INFO] $1" +} + +# The ksefltest framework requirement returns 0 for PASS. +log_pass() +{ + + [ $VERBOSE -ne 0 ] && echo "$1 [PASS]" + exit 0 +} + +# The ksefltest framework requirement returns 1 for FAIL. +log_fail() +{ + [ $VERBOSE -ne 0 ] && echo "$1 [FAIL]" + exit 1 +} + +# The ksefltest framework requirement returns 4 for SKIP. +log_skip() +{ + [ $VERBOSE -ne 0 ] && echo "$1" + exit 4 +}

# Check efivar SecureBoot-$(the UUID) and SetupMode-$(the UUID). # The secure boot mode can be accessed either as the last integer diff --git a/tools/testing/selftests/kexec/test_kexec_load.sh b/tools/testing/selftests/kexec/test_kexec_load.sh index 86625c3f1e5d..cbf598a380d2 100755 --- a/tools/testing/selftests/kexec/test_kexec_load.sh +++ b/tools/testing/selftests/kexec/test_kexec_load.sh @@ -6,15 +6,10 @@

TEST="$0" . ./kexec_common_lib.sh -rc=0 - -# Kselftest framework requirement - SKIP code is 4. -ksft_skip=4

# kexec requires root privileges if [ $(id -ru) -ne 0 ]; then - echo "$TEST: requires root privileges" >&2 - exit $ksft_skip + log_skip "requires root privileges" fi

get_secureboot_mode @@ -26,18 +21,14 @@ kexec --load $KERNEL_IMAGE > /dev/null 2>&1 if [ $? -eq 0 ]; then kexec --unload if [ $secureboot -eq 1 ]; then - echo "$TEST: kexec_load succeeded [FAIL]" - rc=1 + log_fail "kexec_load succeeded" else - echo "$TEST: kexec_load succeeded [PASS]" + log_pass "kexec_load succeeded" fi else if [ $secureboot -eq 1 ]; then - echo "$TEST: kexec_load failed [PASS]" + log_pass "kexec_load failed" else - echo "$TEST: kexec_load failed [FAIL]" - rc=1 + log_fail "kexec_load failed" fi fi - -exit $rc

-- 2.7.5

Petr Vorel

27 Mar 27 Mar

11:45 a.m.

New subject: [PATCH v5 4/9] selftests/kexec: define common logging functions

Hi, Mimi, Dave,

...

diff --git a/tools/testing/selftests/kexec/kexec_common_lib.sh b/tools/testing/selftests/kexec/kexec_common_lib.sh index 05376be6a6f7..d108ac538f14 100755 --- a/tools/testing/selftests/kexec/kexec_common_lib.sh +++ b/tools/testing/selftests/kexec/kexec_common_lib.sh @@ -1,5 +1,36 @@ #!/bin/sh # SPDX-License-Identifier: GPL-2.0 +# +# Kselftest framework defines: ksft_pass=0, ksft_fail=1, ksft_skip=4

+VERBOSE="${VERBOSE:-1}"

+log_info() +{

[ $VERBOSE -ne 0 ] && echo "[INFO] $1"

+}

+# The ksefltest framework requirement returns 0 for PASS. +log_pass() +{

Redundant new line.

...

[ $VERBOSE -ne 0 ] && echo "$1 [PASS]"

exit 0

+}

+# The ksefltest framework requirement returns 1 for FAIL. +log_fail() +{

[ $VERBOSE -ne 0 ] && echo "$1 [FAIL]"

exit 1

+}

+# The ksefltest framework requirement returns 4 for SKIP. +log_skip() +{

[ $VERBOSE -ne 0 ] && echo "$1"

exit 4

+}

...

Kind regards, Petr

Mimi Zohar

26 Mar 26 Mar

1:34 p.m.

New subject: [PATCH v5 5/9] kselftest/kexec: define "require_root_privileges"

Many tests require root privileges. Define a common function.

Suggested-by: Petr Vorel pvorel@suse.cz Signed-off-by: Mimi Zohar zohar@linux.ibm.com Reviewed-by: Petr Vorel pvorel@suse.cz --- tools/testing/selftests/kexec/kexec_common_lib.sh | 7 +++++++ tools/testing/selftests/kexec/test_kexec_load.sh | 4 +--- 2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/tools/testing/selftests/kexec/kexec_common_lib.sh b/tools/testing/selftests/kexec/kexec_common_lib.sh index d108ac538f14..1af892cee726 100755 --- a/tools/testing/selftests/kexec/kexec_common_lib.sh +++ b/tools/testing/selftests/kexec/kexec_common_lib.sh @@ -67,3 +67,10 @@ get_secureboot_mode() log_info "secure boot mode not enabled" return 0; } + +require_root_privileges() +{ + if [ $(id -ru) -ne 0 ]; then + log_skip "requires root privileges" + fi +} diff --git a/tools/testing/selftests/kexec/test_kexec_load.sh b/tools/testing/selftests/kexec/test_kexec_load.sh index cbf598a380d2..49545fcdc646 100755 --- a/tools/testing/selftests/kexec/test_kexec_load.sh +++ b/tools/testing/selftests/kexec/test_kexec_load.sh @@ -8,9 +8,7 @@ TEST="$0" . ./kexec_common_lib.sh

# kexec requires root privileges -if [ $(id -ru) -ne 0 ]; then - log_skip "requires root privileges" -fi +require_root_privileges

get_secureboot_mode secureboot=$?

-- 2.7.5

Mimi Zohar

1:34 p.m.

New subject: [PATCH v5 6/9] selftests/kexec: kexec_file_load syscall test

The kernel can be configured to verify PE signed kernel images, IMA kernel image signatures, both types of signatures, or none. This test verifies only properly signed kernel images are loaded into memory, based on the kernel configuration and runtime policies.

Signed-off-by: Mimi Zohar zohar@linux.ibm.com Reviewed-by: Petr Vorel pvorel@suse.cz --- tools/testing/selftests/kexec/Makefile | 4 +- tools/testing/selftests/kexec/kexec_common_lib.sh | 99 ++++++++++ .../selftests/kexec/test_kexec_file_load.sh | 203 +++++++++++++++++++++ tools/testing/selftests/kexec/test_kexec_load.sh | 1 - 4 files changed, 304 insertions(+), 3 deletions(-) create mode 100755 tools/testing/selftests/kexec/test_kexec_file_load.sh

diff --git a/tools/testing/selftests/kexec/Makefile b/tools/testing/selftests/kexec/Makefile index 1a795861040b..8e9b27a7452f 100644 --- a/tools/testing/selftests/kexec/Makefile +++ b/tools/testing/selftests/kexec/Makefile @@ -1,10 +1,10 @@ -# Makefile for kexec_load +# Makefile for kexec tests

uname_M := $(shell uname -m 2>/dev/null || echo not) ARCH ?= $(shell echo $(uname_M) | sed -e s/i.86/x86/ -e s/x86_64/x86/)

ifeq ($(ARCH),x86) -TEST_PROGS := test_kexec_load.sh +TEST_PROGS := test_kexec_load.sh test_kexec_file_load.sh TEST_FILES := kexec_common_lib.sh

include ../lib.mk diff --git a/tools/testing/selftests/kexec/kexec_common_lib.sh b/tools/testing/selftests/kexec/kexec_common_lib.sh index 1af892cee726..51ae64c79c41 100755 --- a/tools/testing/selftests/kexec/kexec_common_lib.sh +++ b/tools/testing/selftests/kexec/kexec_common_lib.sh @@ -4,6 +4,9 @@ # Kselftest framework defines: ksft_pass=0, ksft_fail=1, ksft_skip=4

VERBOSE="${VERBOSE:-1}" +IKCONFIG="/tmp/config-`uname -r`" +KERNEL_IMAGE="/boot/vmlinuz-`uname -r`" +SECURITYFS=$(grep "securityfs" /proc/mounts | awk '{print $2}')

log_info() { @@ -74,3 +77,99 @@ require_root_privileges() log_skip "requires root privileges" fi } + +# Look for config option in Kconfig file. +# Return 1 for found and 0 for not found. +kconfig_enabled() +{ + local config="$1" + local msg="$2" + + grep -E -q $config $IKCONFIG + if [ $? -eq 0 ]; then + log_info "$msg" + return 1 + fi + return 0 +} + +# Attempt to get the kernel config first via proc, and then by +# extracting it from the kernel image or the configs.ko using +# scripts/extract-ikconfig. +# Return 1 for found. +get_kconfig() +{ + local proc_config="/proc/config.gz" + local module_dir="/lib/modules/`uname -r`" + local configs_module="$module_dir/kernel/kernel/configs.ko" + + if [ ! -f $proc_config ]; then + modprobe configs > /dev/null 2>&1 + fi + if [ -f $proc_config ]; then + cat $proc_config | gunzip > $IKCONFIG 2>/dev/null + if [ $? -eq 0 ]; then + return 1 + fi + fi + + local extract_ikconfig="$module_dir/source/scripts/extract-ikconfig" + if [ ! -f $extract_ikconfig ]; then + log_skip "extract-ikconfig not found" + fi + + $extract_ikconfig $KERNEL_IMAGE > $IKCONFIG 2>/dev/null + if [ $? -eq 1 ]; then + if [ ! -f $configs_module ]; then + log_skip "CONFIG_IKCONFIG not enabled" + fi + $extract_ikconfig $configs_module > $IKCONFIG + if [ $? -eq 1 ]; then + log_skip "CONFIG_IKCONFIG not enabled" + fi + fi + return 1 +} + +# Make sure that securityfs is mounted +mount_securityfs() +{ + if [ -z $SECURITYFS ]; then + SECURITYFS=/sys/kernel/security + mount -t securityfs security $SECURITYFS + fi + + if [ ! -d "$SECURITYFS" ]; then + log_fail "$SECURITYFS :securityfs is not mounted" + fi +} + +# The policy rule format is an "action" followed by key-value pairs. This +# function supports up to two key-value pairs, in any order. +# For example: action func=<keyword> [appraise_type=<type>] +# Return 1 for found and 0 for not found. +check_ima_policy() +{ + local action="$1" + local keypair1="$2" + local keypair2="$3" + local ret=0 + + mount_securityfs + + local ima_policy=$SECURITYFS/ima/policy + if [ ! -e $ima_policy ]; then + log_fail "$ima_policy not found" + fi + + if [ -n $keypair2 ]; then + grep -e "^$action.*$keypair1" "$ima_policy" | \ + grep -q -e "$keypair2" + else + grep -q -e "^$action.*$keypair1" "$ima_policy" + fi + + # invert "grep -q" result, returning 1 for found. + [ $? -eq 0 ] && ret=1 + return $ret +} diff --git a/tools/testing/selftests/kexec/test_kexec_file_load.sh b/tools/testing/selftests/kexec/test_kexec_file_load.sh new file mode 100755 index 000000000000..4603282dd8b6 --- /dev/null +++ b/tools/testing/selftests/kexec/test_kexec_file_load.sh @@ -0,0 +1,203 @@ +#!/bin/sh +# SPDX-License-Identifier: GPL-2.0 +# +# Loading a kernel image via the kexec_file_load syscall can verify either +# the IMA signature stored in the security.ima xattr or the PE signature, +# both signatures depending on the IMA policy, or none. +# +# To determine whether the kernel image is signed, this test depends +# on pesign and getfattr. This test also requires the kernel to be +# built with CONFIG_IKCONFIG enabled and either CONFIG_IKCONFIG_PROC +# enabled or access to the extract-ikconfig script. + +TEST="KEXEC_FILE_LOAD" +. ./kexec_common_lib.sh + +trap "{ rm -f $IKCONFIG ; }" EXIT + +# Some of the IMA builtin policies may require the kexec kernel image to +# be signed, but these policy rules may be replaced with a custom +# policy. Only CONFIG_IMA_APPRAISE_REQUIRE_KEXEC_SIGS persists after +# loading a custom policy. Check if it is enabled, before reading the +# IMA runtime sysfs policy file. +# Return 1 for IMA signature required and 0 for not required. +is_ima_sig_required() +{ + local ret=0 + + kconfig_enabled "CONFIG_IMA_APPRAISE_REQUIRE_KEXEC_SIGS=y" \ + "IMA kernel image signature required" + if [ $? -eq 1 ]; then + log_info "IMA signature required" + return 1 + fi + + # The architecture specific or a custom policy may require the + # kexec kernel image be signed. Policy rules are walked + # sequentially. As a result, a policy rule may be defined, but + # might not necessarily be used. This test assumes if a policy + # rule is specified, that is the intent. + if [ $ima_read_policy -eq 1 ]; then + check_ima_policy "appraise" "func=KEXEC_KERNEL_CHECK" \ + "appraise_type=imasig" + ret=$? + [ $ret -eq 1 ] && log_info "IMA signature required"; + fi + return $ret +} + +# The kexec_file_load_test() is complicated enough, require pesign. +# Return 1 for PE signature found and 0 for not found. +check_for_pesig() +{ + which pesign > /dev/null 2>&1 || log_skip "pesign not found" + + pesign -i $KERNEL_IMAGE --show-signature | grep -q "No signatures" + local ret=$? + if [ $ret -eq 1 ]; then + log_info "kexec kernel image PE signed" + else + log_info "kexec kernel image not PE signed" + fi + return $ret +} + +# The kexec_file_load_test() is complicated enough, require getfattr. +# Return 1 for IMA signature found and 0 for not found. +check_for_imasig() +{ + local ret=0 + + which getfattr > /dev/null 2>&1 + if [ $? -eq 1 ]; then + log_skip "getfattr not found" + fi + + line=$(getfattr -n security.ima -e hex --absolute-names $KERNEL_IMAGE 2>&1) + echo $line | grep -q "security.ima=0x03" + if [ $? -eq 0 ]; then + ret=1 + log_info "kexec kernel image IMA signed" + else + log_info "kexec kernel image not IMA signed" + fi + return $ret +} + +kexec_file_load_test() +{ + local succeed_msg="kexec_file_load succeeded" + local failed_msg="kexec_file_load failed" + local key_msg="try enabling the CONFIG_INTEGRITY_PLATFORM_KEYRING" + + line=$(kexec --load --kexec-file-syscall $KERNEL_IMAGE 2>&1) + + if [ $? -eq 0 ]; then + kexec --unload --kexec-file-syscall + + # In secureboot mode with an architecture specific + # policy, make sure either an IMA or PE signature exists. + if [ $secureboot -eq 1 ] && [ $arch_policy -eq 1 ] && \ + [ $ima_signed -eq 0 ] && [ $pe_signed -eq 0 ]; then + log_fail "$succeed_msg (missing sig)" + fi + + if [ $kexec_sig_required -eq 1 -o $pe_sig_required -eq 1 ] \ + && [ $pe_signed -eq 0 ]; then + log_fail "$succeed_msg (missing PE sig)" + fi + + if [ $ima_sig_required -eq 1 ] && [ $ima_signed -eq 0 ]; then + log_fail "$succeed_msg (missing IMA sig)" + fi + + if [ $pe_sig_required -eq 0 ] && [ $ima_appraise -eq 1 ] \ + && [ $ima_sig_required -eq 0 ] && [ $ima_signed -eq 0 ] \ + && [ $ima_read_policy -eq 0 ]; then + log_fail "$succeed_msg (possibly missing IMA sig)" + fi + + if [ $pe_sig_required -eq 0 ] && [ $ima_appraise -eq 0 ]; then + log_info "No signature verification required" + elif [ $pe_sig_required -eq 0 ] && [ $ima_appraise -eq 1 ] \ + && [ $ima_sig_required -eq 0 ] && [ $ima_signed -eq 0 ] \ + && [ $ima_read_policy -eq 1 ]; then + log_info "No signature verification required" + fi + + log_pass "$succeed_msg" + fi + + # Check the reason for the kexec_file_load failure + echo $line | grep -q "Required key not available" + if [ $? -eq 0 ]; then + if [ $platform_keyring -eq 0 ]; then + log_pass "$failed_msg (-ENOKEY), $key_msg" + else + log_pass "$failed_msg (-ENOKEY)" + fi + fi + + if [ $kexec_sig_required -eq 1 -o $pe_sig_required -eq 1 ] \ + && [ $pe_signed -eq 0 ]; then + log_pass "$failed_msg (missing PE sig)" + fi + + if [ $ima_sig_required -eq 1 ] && [ $ima_signed -eq 0 ]; then + log_pass "$failed_msg (missing IMA sig)" + fi + + if [ $pe_sig_required -eq 0 ] && [ $ima_appraise -eq 1 ] \ + && [ $ima_sig_required -eq 0 ] && [ $ima_read_policy -eq 0 ] \ + && [ $ima_signed -eq 0 ]; then + log_pass "$failed_msg (possibly missing IMA sig)" + fi + + log_pass "$failed_msg" + return 0 +} + +# kexec requires root privileges +require_root_privileges + +# get the kernel config +get_kconfig + +# Determine which kernel config options are enabled +kconfig_enabled "CONFIG_IMA_APPRAISE=y" "IMA enabled" +ima_appraise=$? + +kconfig_enabled "CONFIG_IMA_ARCH_POLICY=y" \ + "architecture specific policy enabled" +arch_policy=$? + +kconfig_enabled "CONFIG_INTEGRITY_PLATFORM_KEYRING=y" \ + "platform keyring enabled" +platform_keyring=$? + +kconfig_enabled "CONFIG_IMA_READ_POLICY=y" "reading IMA policy permitted" +ima_read_policy=$? + +kconfig_enabled "CONFIG_KEXEC_SIG_FORCE=y" \ + "kexec signed kernel image required" +kexec_sig_required=$? + +kconfig_enabled "CONFIG_KEXEC_BZIMAGE_VERIFY_SIG=y" \ + "PE signed kernel image required" +pe_sig_required=$? + +is_ima_sig_required +ima_sig_required=$? + +get_secureboot_mode +secureboot=$? + +# Are there pe and ima signatures +check_for_pesig +pe_signed=$? + +check_for_imasig +ima_signed=$? + +# Test loading the kernel image via kexec_file_load syscall +kexec_file_load_test diff --git a/tools/testing/selftests/kexec/test_kexec_load.sh b/tools/testing/selftests/kexec/test_kexec_load.sh index 49545fcdc646..afd440ee23cb 100755 --- a/tools/testing/selftests/kexec/test_kexec_load.sh +++ b/tools/testing/selftests/kexec/test_kexec_load.sh @@ -14,7 +14,6 @@ get_secureboot_mode secureboot=$?

# kexec_load should fail in secure boot mode -KERNEL_IMAGE="/boot/vmlinuz-`uname -r`" kexec --load $KERNEL_IMAGE > /dev/null 2>&1 if [ $? -eq 0 ]; then kexec --unload

-- 2.7.5

Mimi Zohar

1:34 p.m.

New subject: [PATCH v5 7/9] selftests/kexec: Add missing '=y' to config options

From: Petr Vorel pvorel@suse.cz

so the file can be used as kernel config snippet.

Signed-off-by: Petr Vorel pvorel@suse.cz [zohar@linux.ibm.com: remove CONFIG_KEXEC_VERIFY_SIG from config] Signed-off-by: Mimi Zohar zohar@linux.ibm.com --- tools/testing/selftests/kexec/config | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/tools/testing/selftests/kexec/config b/tools/testing/selftests/kexec/config index 6bc86d4d9bb4..8962e862b2b8 100644 --- a/tools/testing/selftests/kexec/config +++ b/tools/testing/selftests/kexec/config @@ -1,4 +1,3 @@ -CONFIG_IMA_APPRAISE -CONFIG_IMA_ARCH_POLICY -CONFIG_SECURITYFS -CONFIG_KEXEC_VERIFY_SIG +CONFIG_IMA_APPRAISE=y +CONFIG_IMA_ARCH_POLICY=y +CONFIG_SECURITYFS=y

-- 2.7.5

Mimi Zohar

1:34 p.m.

New subject: [PATCH v5 8/9] selftests/kexec: check kexec_load and kexec_file_load are enabled

Skip the kexec_load and kexec_file_load tests, if they aren't configured in the kernel. This change adds a new requirement that ikconfig is configured in the kexec_load test.

Suggested-by: Dave Young dyoung@redhat.com Signed-off-by: Mimi Zohar zohar@linux.ibm.com --- tools/testing/selftests/kexec/test_kexec_file_load.sh | 5 +++++ tools/testing/selftests/kexec/test_kexec_load.sh | 8 ++++++++ 2 files changed, 13 insertions(+)

diff --git a/tools/testing/selftests/kexec/test_kexec_file_load.sh b/tools/testing/selftests/kexec/test_kexec_file_load.sh index 4603282dd8b6..fa7c24e8eefb 100755 --- a/tools/testing/selftests/kexec/test_kexec_file_load.sh +++ b/tools/testing/selftests/kexec/test_kexec_file_load.sh @@ -163,6 +163,11 @@ require_root_privileges # get the kernel config get_kconfig

+kconfig_enabled "CONFIG_KEXEC_FILE=y" "kexec_file_load is enabled" +if [ $? -eq 0 ]; then + log_skip "kexec_file_load is not enabled" +fi + # Determine which kernel config options are enabled kconfig_enabled "CONFIG_IMA_APPRAISE=y" "IMA enabled" ima_appraise=$? diff --git a/tools/testing/selftests/kexec/test_kexec_load.sh b/tools/testing/selftests/kexec/test_kexec_load.sh index afd440ee23cb..2a66c8897f55 100755 --- a/tools/testing/selftests/kexec/test_kexec_load.sh +++ b/tools/testing/selftests/kexec/test_kexec_load.sh @@ -10,6 +10,14 @@ TEST="$0" # kexec requires root privileges require_root_privileges

+# get the kernel config +get_kconfig + +kconfig_enabled "CONFIG_KEXEC=y" "kexec_load is enabled" +if [ $? -eq 0 ]; then + log_skip "kexec_load is not enabled" +fi + get_secureboot_mode secureboot=$?

-- 2.7.5

Petr Vorel

27 Mar 27 Mar

11:53 a.m.

New subject: [PATCH v5 8/9] selftests/kexec: check kexec_load and kexec_file_load are enabled

Hi Mimi, Dave,

...

Skip the kexec_load and kexec_file_load tests, if they aren't configured in the kernel. This change adds a new requirement that ikconfig is configured in the kexec_load test.

...

Suggested-by: Dave Young dyoung@redhat.com Signed-off-by: Mimi Zohar zohar@linux.ibm.com

Reviewed-by: Petr Vorel pvorel@suse.cz

Kind regards, Petr

Mimi Zohar

26 Mar 26 Mar

1:34 p.m.

New subject: [PATCH v5 9/9] selftests/kexec: make kexec_load test independent of IMA being enabled

Verify IMA is enabled before failing tests or emitting irrelevant messages.

Suggested-by: Dave Young dyoung@redhat.com Signed-off-by: Mimi Zohar zohar@linux.ibm.com Reviewed-by: Dave Young dyoung@redhat.com --- tools/testing/selftests/kexec/test_kexec_load.sh | 24 ++++++++++++++++-------- 1 file changed, 16 insertions(+), 8 deletions(-)

diff --git a/tools/testing/selftests/kexec/test_kexec_load.sh b/tools/testing/selftests/kexec/test_kexec_load.sh index 2a66c8897f55..49c6aa929137 100755 --- a/tools/testing/selftests/kexec/test_kexec_load.sh +++ b/tools/testing/selftests/kexec/test_kexec_load.sh @@ -1,8 +1,8 @@ #!/bin/sh # SPDX-License-Identifier: GPL-2.0 -# Loading a kernel image via the kexec_load syscall should fail -# when the kernel is CONFIG_KEXEC_VERIFY_SIG enabled and the system -# is booted in secureboot mode. +# +# Prevent loading a kernel image via the kexec_load syscall when +# signatures are required. (Dependent on CONFIG_IMA_ARCH_POLICY.)

TEST="$0" . ./kexec_common_lib.sh @@ -18,20 +18,28 @@ if [ $? -eq 0 ]; then log_skip "kexec_load is not enabled" fi

+kconfig_enabled "CONFIG_IMA_APPRAISE=y" "IMA enabled" +ima_appraise=$? + +kconfig_enabled "CONFIG_IMA_ARCH_POLICY=y" \ + "IMA architecture specific policy enabled" +arch_policy=$? + get_secureboot_mode secureboot=$?

-# kexec_load should fail in secure boot mode +# kexec_load should fail in secure boot mode and CONFIG_IMA_ARCH_POLICY enabled kexec --load $KERNEL_IMAGE > /dev/null 2>&1 if [ $? -eq 0 ]; then kexec --unload - if [ $secureboot -eq 1 ]; then + if [ $secureboot -eq 1 ] && [ $arch_policy -eq 1 ]; then log_fail "kexec_load succeeded" - else - log_pass "kexec_load succeeded" + elif [ $ima_appraise -eq 0 -o $arch_policy -eq 0 ]; then + log_info "Either IMA or the IMA arch policy is not enabled" fi + log_pass "kexec_load succeeded" else - if [ $secureboot -eq 1 ]; then + if [ $secureboot -eq 1 ] && [ $arch_policy -eq 1 ] ; then log_pass "kexec_load failed" else log_fail "kexec_load failed"

-- 2.7.5

Petr Vorel

27 Mar 27 Mar

11:56 a.m.

New subject: [PATCH v5 9/9] selftests/kexec: make kexec_load test independent of IMA being enabled

Hi Mimi, Dave,

...

Verify IMA is enabled before failing tests or emitting irrelevant messages.

...

Suggested-by: Dave Young dyoung@redhat.com Signed-off-by: Mimi Zohar zohar@linux.ibm.com Reviewed-by: Dave Young dyoung@redhat.com

Reviewed-by: Petr Vorel pvorel@suse.cz

Kind regards, Petr

Mimi Zohar

3 Apr 3 Apr

2:06 p.m.

New subject: [PATCH] selftests/kexec: update get_secureboot_mode

The get_secureboot_mode() function unnecessarily requires both CONFIG_EFIVAR_FS and CONFIG_EFI_VARS to be enabled to determine if the system is booted in secure boot mode. On some systems the old EFI variable support is not enabled or, possibly, even implemented.

This patch first checks the efivars filesystem for the SecureBoot and SetupMode flags, but falls back to using the old EFI variable support.

The "secure_boot_file" and "setup_mode_file" couldn't be quoted due to globbing. This patch also removes the globbing.

Signed-off-by: Mimi Zohar zohar@linux.ibm.com --- tools/testing/selftests/kexec/kexec_common_lib.sh | 87 +++++++++++++++++------ 1 file changed, 67 insertions(+), 20 deletions(-)

diff --git a/tools/testing/selftests/kexec/kexec_common_lib.sh b/tools/testing/selftests/kexec/kexec_common_lib.sh index b7ac8f3fa025..4d3ff08bdb81 100755 --- a/tools/testing/selftests/kexec/kexec_common_lib.sh +++ b/tools/testing/selftests/kexec/kexec_common_lib.sh @@ -35,6 +35,64 @@ log_skip() }

# Check efivar SecureBoot-$(the UUID) and SetupMode-$(the UUID). +# (Based on kdump-lib.sh) +get_efivarfs_secureboot_mode() +{ + local efivarfs="/sys/firmware/efi/efivars" + local secure_boot_file="" + local setup_mode_file="" + local secureboot_mode=0 + local setup_mode=0 + + # Make sure that efivar_fs is mounted in the normal location + if ! grep -q "^\S+ $efivarfs efivarfs" /proc/mounts; then + log_info "efivars is not mounted on $efivarfs" + return 0; + fi + secure_boot_file=$(find "$efivarfs" -name SecureBoot-* 2>/dev/null) + setup_mode_file=$(find "$efivarfs" -name SetupMode-* 2>/dev/null) + if [ -f "$secure_boot_file" ] && [ -f "$setup_mode_file" ]; then + secureboot_mode=$(hexdump -v -e '/1 "%d\ "' \ + "$secure_boot_file"|cut -d' ' -f 5) + setup_mode=$(hexdump -v -e '/1 "%d\ "' \ + "$setup_mode_file"|cut -d' ' -f 5) + + if [ $secureboot_mode -eq 1 ] && [ $setup_mode -eq 0 ]; then + log_info "secure boot mode enabled (efivar_fs)" + return 1; + fi + fi + return 0; +} + +get_efi_var_secureboot_mode() +{ + local efi_vars="/sys/firmware/efi/vars" + local secure_boot_file="" + local setup_mode_file="" + local secureboot_mode=0 + local setup_mode=0 + + if [ ! -d "$efi_vars" ]; then + log_skip "efi_vars is not enabled\n" + return 0; + fi + secure_boot_file=$(find "$efi_vars" -name SecureBoot-* 2>/dev/null) + setup_mode_file=$(find "$efi_vars" -name SetupMode-* 2>/dev/null) + if [ -f "$secure_boot_file/data" ] && \ + [ -f "$setup_mode_file/data" ]; then + secureboot_mode=`od -An -t u1 "$secure_boot_file/data"` + setup_mode=`od -An -t u1 "$setup_mode_file/data"` + + if [ $secureboot_mode -eq 1 ] && [ $setup_mode -eq 0 ]; then + log_info "secure boot mode enabled (efi_var)" + return 1; + fi + fi + return 0; +} + +# Check efivar SecureBoot-$(the UUID) and SetupMode-$(the UUID). # The secure boot mode can be accessed either as the last integer # of "od -An -t u1 /sys/firmware/efi/efivars/SecureBoot-*" or from # "od -An -t u1 /sys/firmware/efi/vars/SecureBoot-*/data". The efi @@ -42,32 +100,21 @@ log_skip() # Return 1 for SecureBoot mode enabled and SetupMode mode disabled. get_secureboot_mode() { - local efivarfs="/sys/firmware/efi/efivars" - local secure_boot_file="$efivarfs/../vars/SecureBoot-*/data" - local setup_mode_file="$efivarfs/../vars/SetupMode-*/data" local secureboot_mode=0 - local setup_mode=0

- # Make sure that efivars is mounted in the normal location - if ! grep -q "^\S+ $efivarfs efivarfs" /proc/mounts; then - log_skip "efivars is not mounted on $efivarfs" - fi + get_efivarfs_secureboot_mode + secureboot_mode=$?

- # Due to globbing, quoting "secure_boot_file" and "setup_mode_file" - # is not possible. (Todo: initialize variables using find or ls.) - if [ ! -e $secure_boot_file ] || [ ! -e $setup_mode_file ]; then - log_skip "unknown secureboot/setup mode" + # fallback to using the efi_var files + if [ $secureboot_mode -eq 0 ]; then + get_efi_var_secureboot_mode + secureboot_mode=$? fi

- secureboot_mode=`od -An -t u1 $secure_boot_file` - setup_mode=`od -An -t u1 $setup_mode_file` - - if [ $secureboot_mode -eq 1 ] && [ $setup_mode -eq 0 ]; then - log_info "secure boot mode enabled" - return 1; + if [ $secureboot_mode -eq 0 ]; then + log_info "secure boot mode not enabled" fi - log_info "secure boot mode not enabled" - return 0; + return $secureboot_mode; }

require_root_privileges()

-- 2.7.5

Petr Vorel

5 Apr 5 Apr

12:47 p.m.

New subject: [PATCH] selftests/kexec: update get_secureboot_mode

Hi Mimi,

Reviewed-by: Petr Vorel pvorel@suse.cz

Some minor comments below.

...

diff --git a/tools/testing/selftests/kexec/kexec_common_lib.sh b/tools/testing/selftests/kexec/kexec_common_lib.sh

...

# Check efivar SecureBoot-$(the UUID) and SetupMode-$(the UUID). +# (Based on kdump-lib.sh) +get_efivarfs_secureboot_mode() +{

local efivarfs="/sys/firmware/efi/efivars"

local secure_boot_file=""

local setup_mode_file=""

local secureboot_mode=0

local setup_mode=0

NOTE: variables does not need to be initialized (in both functions).

...

# Make sure that efivar_fs is mounted in the normal location

if ! grep -q "^\S+ $efivarfs efivarfs" /proc/mounts; then
log_info "efivars is not mounted on $efivarfs"
return 0;
fi

secure_boot_file=$(find "$efivarfs" -name SecureBoot-* 2>/dev/null)

setup_mode_file=$(find "$efivarfs" -name SetupMode-* 2>/dev/null)

if [ -f "$secure_boot_file" ] && [ -f "$setup_mode_file" ]; then
secureboot_mode=$(hexdump -v -e '/1 "%d\ "' \
	"$secure_boot_file"|cut -d' ' -f 5)
setup_mode=$(hexdump -v -e '/1 "%d\ "' \
	"$setup_mode_file"|cut -d' ' -f 5)
if [ $secureboot_mode -eq 1 ] && [ $setup_mode -eq 0 ]; then
	log_info "secure boot mode enabled (efivar_fs)"

Instead of efivar_fs maybe CONFIG_EFIVAR_FS or EFIVAR_FS?

...

	return 1;
fi
fi

return 0;
+}

+get_efi_var_secureboot_mode() +{
local efi_vars="/sys/firmware/efi/vars"

local secure_boot_file=""

local setup_mode_file=""

local secureboot_mode=0

local setup_mode=0

if [ ! -d "$efi_vars" ]; then
log_skip "efi_vars is not enabled\n"
return 0;

Return is not needed (log_skip exits).

...

fi

secure_boot_file=$(find "$efi_vars" -name SecureBoot-* 2>/dev/null)

setup_mode_file=$(find "$efi_vars" -name SetupMode-* 2>/dev/null)

if [ -f "$secure_boot_file/data" ] && \
  [ -f "$setup_mode_file/data" ]; then
secureboot_mode=`od -An -t u1 "$secure_boot_file/data"`
setup_mode=`od -An -t u1 "$setup_mode_file/data"`
if [ $secureboot_mode -eq 1 ] && [ $setup_mode -eq 0 ]; then
	log_info "secure boot mode enabled (efi_var)"

Instead of efi_var maybe CONFIG_EFI_VARS or EFI_VARS?

...

Kind regards, Petr

Mimi Zohar

6:35 p.m.

New subject: [PATCH] selftests/kexec: update get_secureboot_mode

On Fri, 2019-04-05 at 14:47 +0200, Petr Vorel wrote:

...

Hi Mimi,

Reviewed-by: Petr Vorel pvorel@suse.cz

Some minor comments below.

Thanks! "Minor" changes made. This and the rest of the patch set can be seen in the #next-integrity branch.

Mimi

2096

days inactive

2106

days old

linux-kselftest-mirror@lists.linaro.org

16 comments

participants

tags (0)

participants (2)

Mimi Zohar
Petr Vorel