Message ID | 1552304473-3966-3-git-send-email-zohar@linux.ibm.com (mailing list archive) |
---|---|
State | New, archived |
Headers | show |
Series | selftests/ima: add kexec and kernel module tests | expand |
Hi Mimi, > Define, update and move get_secureboot_mode() to a common file for use > by other tests. > Updated to check both the efivar SecureBoot-$(UUID) and > SetupMode-$(UUID), based on Dave Young's review. > Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> > Reviewed-by: Petr Vorel <pvorel@suse.cz> > Cc: Dave Young <dyoung@redhat.com> Minor comment below. ... > +++ b/tools/testing/selftests/ima/ima_common_lib.sh > @@ -0,0 +1,36 @@ > +#!/bin/sh > +# SPDX-License-Identifier: GPL-2.0 > + > +# Check efivar SecureBoot-$(the UUID) and SetupMode-$(the UUID). > +# The secure boot mode can be accessed either as the last integer > +# of "od -An -t u1 /sys/firmware/efi/efivars/SecureBoot-*" or from > +# "od -An -t u1 /sys/firmware/efi/vars/SecureBoot-*/data". The efi > +# SetupMode can be similarly accessed. > +# Return 1 for SecureBoot mode enabled and SetupMode mode disabled. > +get_secureboot_mode() > +{ > + local efivarfs="/sys/firmware/efi/efivars" > + local secure_boot_file=$efivarfs/../vars/SecureBoot-*/data > + local setup_mode_file=$efivarfs/../vars/SetupMode-*/data Sorry for nitpicking, but also quote variables these two variables containing string: local secure_boot_file="$efivarfs/../vars/SecureBoot-*/data" local setup_mode_file="$efivarfs/../vars/SetupMode-*/data" > + local secureboot_mode=0 > + local setup_mode=0 > + > + # Make sure that efivars is mounted in the normal location > + if ! grep -q "^\S\+ $efivarfs efivarfs" /proc/mounts; then > + log_skip "efivars is not mounted on $efivarfs" > + fi > + > + if [ ! -e $secure_boot_file ] || [ ! -e $setup_mode_file ]; then I prefer to quote every variable in [ ] (at least for -f -e -z -n, to prevent shell behavior on empty (I know it's not necessary here): f=; [ -e $f ]; echo $? 0 vs. f=; [ -e "$f" ]; echo $? 1 Kind regards, Petr
diff --git a/tools/testing/selftests/ima/Makefile b/tools/testing/selftests/ima/Makefile index 0b3adf5444b6..04501516831b 100644 --- a/tools/testing/selftests/ima/Makefile +++ b/tools/testing/selftests/ima/Makefile @@ -5,6 +5,7 @@ ARCH ?= $(shell echo $(uname_M) | sed -e s/i.86/x86/ -e s/x86_64/x86/) ifeq ($(ARCH),x86) TEST_PROGS := test_kexec_load.sh +TEST_FILES := ima_common_lib.sh include ../lib.mk diff --git a/tools/testing/selftests/ima/ima_common_lib.sh b/tools/testing/selftests/ima/ima_common_lib.sh new file mode 100755 index 000000000000..403666247b10 --- /dev/null +++ b/tools/testing/selftests/ima/ima_common_lib.sh @@ -0,0 +1,36 @@ +#!/bin/sh +# SPDX-License-Identifier: GPL-2.0 + +# Check efivar SecureBoot-$(the UUID) and SetupMode-$(the UUID). +# The secure boot mode can be accessed either as the last integer +# of "od -An -t u1 /sys/firmware/efi/efivars/SecureBoot-*" or from +# "od -An -t u1 /sys/firmware/efi/vars/SecureBoot-*/data". The efi +# SetupMode can be similarly accessed. +# Return 1 for SecureBoot mode enabled and SetupMode mode disabled. +get_secureboot_mode() +{ + local efivarfs="/sys/firmware/efi/efivars" + local secure_boot_file=$efivarfs/../vars/SecureBoot-*/data + local setup_mode_file=$efivarfs/../vars/SetupMode-*/data + local secureboot_mode=0 + local setup_mode=0 + + # Make sure that efivars is mounted in the normal location + if ! grep -q "^\S\+ $efivarfs efivarfs" /proc/mounts; then + log_skip "efivars is not mounted on $efivarfs" + fi + + if [ ! -e $secure_boot_file ] || [ ! -e $setup_mode_file ]; then + log_skip "unknown secureboot/setup mode" + fi + + secureboot_mode=`od -An -t u1 $secure_boot_file` + setup_mode=`od -An -t u1 $setup_mode_file` + + if [ $secureboot_mode -eq 1 ] && [ $setup_mode -eq 0 ]; then + log_info "ima: secure boot mode enabled" + return 1; + fi + log_info "secure boot mode not enabled" + return 0; +} diff --git a/tools/testing/selftests/ima/test_kexec_load.sh b/tools/testing/selftests/ima/test_kexec_load.sh index 36f3089ac225..e84139c1506b 100755 --- a/tools/testing/selftests/ima/test_kexec_load.sh +++ b/tools/testing/selftests/ima/test_kexec_load.sh @@ -5,7 +5,7 @@ # is booted in secureboot mode. TEST="$0" -EFIVARFS="/sys/firmware/efi/efivars" +. ./ima_common_lib.sh rc=0 # Kselftest framework requirement - SKIP code is 4. @@ -17,19 +17,8 @@ if [ $(id -ru) -ne 0 ]; then exit $ksft_skip fi -# Make sure that efivars is mounted in the normal location -if ! grep -q "^\S\+ $EFIVARFS efivarfs" /proc/mounts; then - echo "$TEST: efivars is not mounted on $EFIVARFS" >&2 - exit $ksft_skip -fi - -# Get secureboot mode -file="$EFIVARFS/SecureBoot-*" -if [ ! -e $file ]; then - echo "$TEST: unknown secureboot mode" >&2 - exit $ksft_skip -fi -secureboot=`hexdump $file | awk '{print substr($4,length($4),1)}'` +get_secureboot_mode +secureboot=$? # kexec_load should fail in secure boot mode KERNEL_IMAGE="/boot/vmlinuz-`uname -r`"