
[v4,0/8] selftests/kexec: add kexec tests

Message ID 1552588876-28481-1-git-send-email-zohar@linux.ibm.com (mailing list archive)

Message

Mimi Zohar March 14, 2019, 6:41 p.m. UTC
The kernel may be configured or an IMA policy specified on the boot
command line requiring the kexec kernel image signature to be verified.
At runtime a custom IMA policy may be loaded, replacing the policy
specified on the boot command line.  In addition, the arch specific
policy rules are dynamically defined based on the secure boot mode that
may require the kernel image signature to be verified.

The kernel image may have a PE signature, an IMA signature, or both. In
addition, there are two kexec syscalls - kexec_load and kexec_file_load
- but only the kexec_file_load syscall can verify signatures.

These kexec selftests verify that only properly signed kernel images are
loaded as required, based on the kernel config, the secure boot mode,
and the IMA runtime policy.

Loading a kernel image or kernel module requires root privileges.  To
run just the KEXEC selftests: sudo make TARGETS=kexec kselftest

Changelog v4:
- Moved the kexec tests to selftests/kexec, as requested by Dave Young.
- Removed the kernel module selftest from this patch set.
- Rewritten cover letter, removing reference to kernel modules.

Changelog v3:
- Updated tests based on Petr's review, including defining a common
  test to check for root privileges.
- Modified config, removing the CONFIG_KEXEC_VERIFY_SIG requirement.
- Updated the SPDX license to GPL-2.0 based on Shuah's review.
- Updated the secureboot mode test to check the SetupMode as well, based
  on David Young's review.


Mimi Zohar (7):
  selftests/kexec: move the IMA kexec_load selftest to selftests/kexec
  selftests/kexec: cleanup the kexec selftest
  selftests/kexec: define a set of common functions
  selftests/kexec: define common logging functions
  kselftest/kexec: define "require_root_privileges"
  selftests/kexec: kexec_file_load syscall test
  selftests/kexec: check kexec_load and kexec_file_load are enabled

Petr Vorel (1):
  selftests/kexec: Add missing '=y' to config options

 tools/testing/selftests/Makefile                   |   2 +-
 tools/testing/selftests/ima/Makefile               |  11 --
 tools/testing/selftests/ima/config                 |   4 -
 tools/testing/selftests/ima/test_kexec_load.sh     |  54 ------
 tools/testing/selftests/kexec/Makefile             |  12 ++
 tools/testing/selftests/kexec/config               |   3 +
 tools/testing/selftests/kexec/kexec_common_lib.sh  | 175 ++++++++++++++++++
 .../selftests/kexec/test_kexec_file_load.sh        | 195 +++++++++++++++++++++
 tools/testing/selftests/kexec/test_kexec_load.sh   |  39 +++++
 9 files changed, 425 insertions(+), 70 deletions(-)
 delete mode 100644 tools/testing/selftests/ima/Makefile
 delete mode 100644 tools/testing/selftests/ima/config
 delete mode 100755 tools/testing/selftests/ima/test_kexec_load.sh
 create mode 100644 tools/testing/selftests/kexec/Makefile
 create mode 100644 tools/testing/selftests/kexec/config
 create mode 100755 tools/testing/selftests/kexec/kexec_common_lib.sh
 create mode 100755 tools/testing/selftests/kexec/test_kexec_file_load.sh
 create mode 100755 tools/testing/selftests/kexec/test_kexec_load.sh

Comments

Petr Vorel March 15, 2019, 10:06 a.m. UTC | #1
Hi Mimi,

...
> Changelog v4:
> - Moved the kexec tests to selftests/kexec, as requested by Dave Young.
> - Removed the kernel module selftest from this patch set.
> - Rewritten cover letter, removing reference to kernel modules.

LGTM, for the whole patch set:
Reviewed-by: Petr Vorel <pvorel@suse.cz>

Kind regards,
Petr
Dave Young March 20, 2019, 9:04 a.m. UTC | #2
Hi Mimi,

Thank you for the help and the pointer about IMA testing.
Probably I should cc the list as well, since we are talking about the patch
itself.  For the IMA test itself I could still ask for help in a private
email thread.

On 03/18/19 at 02:09pm, Mimi Zohar wrote:
> On Mon, 2019-03-18 at 22:06 +0800, Dave Young wrote:
> > Hi Mimi,
> > 
> > On 03/14/19 at 02:41pm, Mimi Zohar wrote:
> > > The kernel may be configured or an IMA policy specified on the boot
> > > command line requiring the kexec kernel image signature to be verified.
> > > At runtime a custom IMA policy may be loaded, replacing the policy
> > > specified on the boot command line.  In addition, the arch specific
> > > policy rules are dynamically defined based on the secure boot mode that
> > > may require the kernel image signature to be verified.
> > > 
> > > The kernel image may have a PE signature, an IMA signature, or both. In
> > > addition, there are two kexec syscalls - kexec_load and kexec_file_load
> > > - but only the kexec_file_load syscall can verify signatures.
> > > 
> > > These kexec selftests verify that only properly signed kernel images are
> > > loaded as required, based on the kernel config, the secure boot mode,
> > > and the IMA runtime policy.
> > > 
> > > Loading a kernel image or kernel module requires root privileges.  To
> > > run just the KEXEC selftests: sudo make TARGETS=kexec kselftest
> > > 
> > > Changelog v4:
> > > - Moved the kexec tests to selftests/kexec, as requested by Dave Young.
> > > - Removed the kernel module selftest from this patch set.
> > > - Rewritten cover letter, removing reference to kernel modules.
> > > 
> > > Changelog v3:
> > > - Updated tests based on Petr's review, including defining a common
> > >   test to check for root privileges.
> > > - Modified config, removing the CONFIG_KEXEC_VERIFY_SIG requirement.
> > > - Updated the SPDX license to GPL-2.0 based on Shuah's review.
> > > - Updated the secureboot mode test to check the SetupMode as well, based
> > >   on David Young's review.
> > > 
> > > 
> > I was trying to review the patches, although I'm slow due to something
> > else.
> > 
> > But I still did not set up an IMA-testable system; I need to check your old
> > email about how to set it up.
> 
> (The ima-evm-utils package contains a README with directions.)
> 
> > 
> > A quick test gives me the results below
> > 
> > /* test #1, my default kconfig
> > # NO CONFIG_INTEGRITY compiled in
> > */
> > 
> > make[1]: Nothing to be done for 'all'.
> > make[1]: Leaving directory '/home/dyoung/git/github/linux/tools/testing/selftests/kexec'
> > make[1]: Entering directory '/home/dyoung/git/github/linux/tools/testing/selftests/kexec'
> > TAP version 13
> > selftests: kexec: test_kexec_load.sh
> > ========================================
> > selftests: kexec: test_kexec_load.sh: Warning: file
> > test_kexec_load.sh is not executable, correct this.
> > not ok 1..1 selftests: kexec: test_kexec_load.sh [FAIL]
> 
> That's really weird.  Both before and after applying these patches
> test_kexec_load.sh is executable (stable linux-5.0.y).  Could
> something else be preventing it from executing?
> 
> > selftests: kexec: test_kexec_file_load.sh
> > ========================================
> > [INFO] kexec_file_load is enabled
> > [INFO] secure boot mode not enabled
> > [INFO] kexec kernel image PE signed
> > [INFO] kexec kernel image not IMA signed
> > kexec_file_load succeeded (possibly missing IMA sig) [FAIL]
> > not ok 1..2 selftests: kexec: test_kexec_file_load.sh [FAIL]
> > make[1]: Leaving directory '/home/dyoung/git/github/linux/tools/testing/selftests/kexec'
> > make: Leaving directory '/home/dyoung/git/github/linux/tools/testing/selftests'
> 
> This message is because neither CONFIG_KEXEC_BZIMAGE_VERIFY_SIG or an
> IMA signature is required.  It couldn't read the IMA runtime policy
> rules to determine if an IMA signature is required.  So, it's trying
> to provide a hint as to what happened.
> 
> I'll update the test to see if CONFIG_IMA_APPRAISE is enabled, before
> emitting this message.
> 
> > 
> > /* test #2, enabled IMA kconfigs, simply tested without any other IMA
> > setup, e.g. using a policy etc.; need to follow some guide to test the
> > IMA functionality (TODO..)
> > */
> > 
> > 
> > [root@dhcp-128-65 linux-x86]# make -C tools/testing/selftests TARGETS=kexec run_tests
> > make: Entering directory '/home/dyoung/git/github/linux/tools/testing/selftests'
> > make[1]: Entering directory '/home/dyoung/git/github/linux/tools/testing/selftests/kexec'
> > make[1]: Nothing to be done for 'all'.
> > make[1]: Leaving directory '/home/dyoung/git/github/linux/tools/testing/selftests/kexec'
> > make[1]: Entering directory '/home/dyoung/git/github/linux/tools/testing/selftests/kexec'
> > TAP version 13
> > selftests: kexec: test_kexec_load.sh
> > ========================================
> > selftests: kexec: test_kexec_load.sh: Warning: file test_kexec_load.sh is not executable, correct this.
> > not ok 1..1 selftests: kexec: test_kexec_load.sh [FAIL]
> > selftests: kexec: test_kexec_file_load.sh
> > ========================================
> > [INFO] kexec_file_load is enabled
> > [INFO] reading IMA policy permitted
> > [INFO] secure boot mode not enabled
> > No signature verification required
> > not ok 1..2 selftests: kexec: test_kexec_file_load.sh [SKIP]
> > make[1]: Leaving directory '/home/dyoung/git/github/linux/tools/testing/selftests/kexec'
> > make: Leaving directory '/home/dyoung/git/github/linux/tools/testing/selftests'
> 
> The purpose of these tests was to coordinate kernel image signature
> verification.
> 
> If you require a PE signature, load an IMA policy requiring an IMA
> signature, or even enable CONFIG_IMA_ARCH_POLICY, the test would
> require some form of signature verification.

Did a test with an embedded IMA key in the kernel, with secure boot disabled,
but with Secure Boot enabled, but failed to sign the kernel with both
pesign and evmctl; will continue to see how to work on it and ask in
private email if needed :)

About the patch itself, as we talked about in another email, I would expect it
to work with other test cases, e.g. without IMA/secure boot.  But if that
is not easy, maybe you can change the test script filenames to something
like test_kexec_load_sigcheck.sh and test_kexec_file_load_sigcheck.sh;
then we can add other non-sigcheck related cases to other test scripts
later.  But ideally, if we can handle them in the current files, it would be
better.

Another issue I noticed is that even when booting with ima_appraise=off, kexec
load is still checking the conditions.  Will see if I'm doing something
wrong in the test steps.

Thanks
Dave
Mimi Zohar March 20, 2019, 12:03 p.m. UTC | #3
On Wed, 2019-03-20 at 17:04 +0800, Dave Young wrote:
> Hi Mimi,
> 
> Thank you for the help and the pointer about IMA testing.
> Probably I should cc the list as well, since we are talking about the patch
> itself.  For the IMA test itself I could still ask for help in a private
> email thread.

Thank you for bringing the discussion back online!

> 
> On 03/18/19 at 02:09pm, Mimi Zohar wrote:
> > On Mon, 2019-03-18 at 22:06 +0800, Dave Young wrote:
> > > Hi Mimi,
> > > 
> > > On 03/14/19 at 02:41pm, Mimi Zohar wrote:
> > > > The kernel may be configured or an IMA policy specified on the boot
> > > > command line requiring the kexec kernel image signature to be verified.
> > > > At runtime a custom IMA policy may be loaded, replacing the policy
> > > > specified on the boot command line.  In addition, the arch specific
> > > > policy rules are dynamically defined based on the secure boot mode that
> > > > may require the kernel image signature to be verified.
> > > > 
> > > > The kernel image may have a PE signature, an IMA signature, or both. In
> > > > addition, there are two kexec syscalls - kexec_load and kexec_file_load
> > > > - but only the kexec_file_load syscall can verify signatures.
> > > > 
> > > > These kexec selftests verify that only properly signed kernel images are
> > > > loaded as required, based on the kernel config, the secure boot mode,
> > > > and the IMA runtime policy.
> > > > 
> > > > Loading a kernel image or kernel module requires root privileges.  To
> > > > run just the KEXEC selftests: sudo make TARGETS=kexec kselftest
> > > > 
> > > > Changelog v4:
> > > > - Moved the kexec tests to selftests/kexec, as requested by Dave Young.
> > > > - Removed the kernel module selftest from this patch set.
> > > > - Rewritten cover letter, removing reference to kernel modules.
> > > > 
> > > > Changelog v3:
> > > > - Updated tests based on Petr's review, including defining a common
> > > >   test to check for root privileges.
> > > > - Modified config, removing the CONFIG_KEXEC_VERIFY_SIG requirement.
> > > > - Updated the SPDX license to GPL-2.0 based on Shuah's review.
> > > > - Updated the secureboot mode test to check the SetupMode as well, based
> > > >   on David Young's review.
> > > > 
> > > > 
> > > I was trying to review the patches, although I'm slow due to something
> > > else.
> > > 
> > > But I still did not set up an IMA-testable system; I need to check your old
> > > email about how to set it up.
> > 
> > (The ima-evm-utils package contains a README with directions.)

Suggesting the EVM README might not have been the best idea, as at the
moment we're only interested in enabling IMA-appraisal.

You need to create 2 public keys - a local CA and an IMA key.  The
local CA public key needs to be loaded onto the builtin trusted keys
keyring.  There are a number of different methods of doing this.  The
simplest method, for those building their own kernel, is to add the
local CA public key to the certs signing_key.x509 (PEM) or to the
x509_certificate_list (DER).

Create the IMA key and then sign the IMA certificate with the local CA
key.  After rebooting the kernel with the local CA key loaded onto the
builtin trusted keyring, you'll be able to import the IMA key onto the
IMA trusted keyring.

To manually load the IMA key, without relying on dracut/systemd:

# id=`sudo keyctl describe %keyring:.ima | awk -F ':' '{print $1}';`
# evmctl import examples/x509_ima.der $id

(The evm utils package contains two sample scripts in the examples
directory to create the local CA and the IMA key.)

> > 
> > > 
> > > A quick test gives me the results below
> > > 
> > > /* test #1, my default kconfig
> > > # NO CONFIG_INTEGRITY compiled in
> > > */
> > > 
> > > make[1]: Nothing to be done for 'all'.
> > > make[1]: Leaving directory '/home/dyoung/git/github/linux/tools/testing/selftests/kexec'
> > > make[1]: Entering directory '/home/dyoung/git/github/linux/tools/testing/selftests/kexec'
> > > TAP version 13
> > > selftests: kexec: test_kexec_load.sh
> > > ========================================
> > > selftests: kexec: test_kexec_load.sh: Warning: file
> > > test_kexec_load.sh is not executable, correct this.
> > > not ok 1..1 selftests: kexec: test_kexec_load.sh [FAIL]
> > 
> > That's really weird.  Both before and after applying these patches
> > test_kexec_load.sh is executable (stable linux-5.0.y).  Could
> > something else be preventing it from executing?
> > 
> > > selftests: kexec: test_kexec_file_load.sh
> > > ========================================
> > > [INFO] kexec_file_load is enabled
> > > [INFO] secure boot mode not enabled
> > > [INFO] kexec kernel image PE signed
> > > [INFO] kexec kernel image not IMA signed
> > > kexec_file_load succeeded (possibly missing IMA sig) [FAIL]
> > > not ok 1..2 selftests: kexec: test_kexec_file_load.sh [FAIL]
> > > make[1]: Leaving directory '/home/dyoung/git/github/linux/tools/testing/selftests/kexec'
> > > make: Leaving directory '/home/dyoung/git/github/linux/tools/testing/selftests'
> > 
> > This message is because neither CONFIG_KEXEC_BZIMAGE_VERIFY_SIG or an
> > IMA signature is required.  It couldn't read the IMA runtime policy
> > rules to determine if an IMA signature is required.  So, it's trying
> > to provide a hint as to what happened.
> > 
> > I'll update the test to see if CONFIG_IMA_APPRAISE is enabled, before
> > emitting this message.
> > 
> > > 
> > > /* test #2, enabled IMA kconfigs, simply tested without any other IMA
> > > setup, e.g. using a policy etc.; need to follow some guide to test the
> > > IMA functionality (TODO..)
> > > */
> > > 
> > > 
> > > [root@dhcp-128-65 linux-x86]# make -C tools/testing/selftests TARGETS=kexec run_tests
> > > make: Entering directory '/home/dyoung/git/github/linux/tools/testing/selftests'
> > > make[1]: Entering directory '/home/dyoung/git/github/linux/tools/testing/selftests/kexec'
> > > make[1]: Nothing to be done for 'all'.
> > > make[1]: Leaving directory '/home/dyoung/git/github/linux/tools/testing/selftests/kexec'
> > > make[1]: Entering directory '/home/dyoung/git/github/linux/tools/testing/selftests/kexec'
> > > TAP version 13
> > > selftests: kexec: test_kexec_load.sh
> > > ========================================
> > > selftests: kexec: test_kexec_load.sh: Warning: file test_kexec_load.sh is not executable, correct this.
> > > not ok 1..1 selftests: kexec: test_kexec_load.sh [FAIL]
> > > selftests: kexec: test_kexec_file_load.sh
> > > ========================================
> > > [INFO] kexec_file_load is enabled
> > > [INFO] reading IMA policy permitted
> > > [INFO] secure boot mode not enabled
> > > No signature verification required
> > > not ok 1..2 selftests: kexec: test_kexec_file_load.sh [SKIP]
> > > make[1]: Leaving directory '/home/dyoung/git/github/linux/tools/testing/selftests/kexec'
> > > make: Leaving directory '/home/dyoung/git/github/linux/tools/testing/selftests'
> > 
> > The purpose of these tests was to coordinate kernel image signature
> > verification.
> > 
> > If you require a PE signature, load an IMA policy requiring an IMA
> > signature, or even enable CONFIG_IMA_ARCH_POLICY, the test would
> > require some form of signature verification.
> 
> Did a test with an embedded IMA key in the kernel, with secure boot disabled,
> but with Secure Boot enabled, but failed to sign the kernel with both
> pesign and evmctl; will continue to see how to work on it and ask in
> private email if needed :)

"with secure boot disabled, but with Secure Boot enabled" - I'm
missing the nuance between upper and lower case "secure boot".

> 
> About the patch itself, as we talked about in another email, I would expect it
> to work with other test cases, e.g. without IMA/secure boot.  But if that
> is not easy, maybe you can change the test script filenames to something
> like test_kexec_load_sigcheck.sh and test_kexec_file_load_sigcheck.sh;
> then we can add other non-sigcheck related cases to other test scripts
> later.  But ideally, if we can handle them in the current files, it would be
> better.

Ok

> Another issue I noticed is that even when booting with ima_appraise=off, kexec
> load is still checking the conditions.  Will see if I'm doing something
> wrong in the test steps.

Enabling the arch policy disables the "ima_appraise=" boot command
line option.  You're right, if the arch policy isn't enabled, this
test needs to detect the "ima_appraise" mode.

Mimi
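The conditions this thread keeps returning to (the cover letter's "kernel config, secure boot mode, and IMA runtime policy", Mimi's explanation that neither CONFIG_KEXEC_BZIMAGE_VERIFY_SIG nor an IMA signature was required in Dave's run, and her last note that the arch policy overrides ima_appraise=) are the inputs a selftest has to inspect before it can decide between pass, skip and fail. The script below is an added example and is not code from the patch set, the kernel selftests or ima-evm-utils. Every function takes explicit input files or strings so it can be exercised on constructed data; the function names, the message strings and the combined decision order in kexec_sig_required are this example's own. It assumes the efivarfs layout (4 attribute bytes followed by the variable data, under the EFI global-variable GUID), the "appraise func=KEXEC_KERNEL_CHECK" form of the policy line as shown in securityfs, and, taken from Mimi's remarks rather than verified here, that with CONFIG_IMA_ARCH_POLICY and secure boot enabled the arch rules require an IMA signature and ima_appraise= is ignored.

```shell
#!/bin/sh
# Added example (not part of the patch set or the kernel selftests): helper
# functions mirroring the checks discussed in this thread, written against
# explicit inputs so they can be run on constructed files. Names, argument
# conventions and messages are this example's own.

# efivarfs exposes each EFI variable as 4 bytes of attributes followed by the
# variable data. For SecureBoot and SetupMode the data is one byte (0 or 1).
efivar_data_byte() {
    # $1: efivar file; prints the first data byte as a decimal number
    od -An -tu1 -j4 -N1 "$1" | tr -d ' '
}

# Secure boot counts as enabled only when SecureBoot=1 and SetupMode=0
# (the v3 changelog notes that the secureboot test checks SetupMode as well).
secure_boot_enabled() {
    # $1: SecureBoot efivar file, $2: SetupMode efivar file
    { [ -r "$1" ] && [ -r "$2" ]; } || return 1
    [ "$(efivar_data_byte "$1")" = 1 ] && [ "$(efivar_data_byte "$2")" = 0 ]
}

# Is a kernel config option built in?  $1: plain-text config (for
# /proc/config.gz pass a decompressed copy), $2: option name
kconfig_enabled() {
    grep -q "^$2=y" "$1"
}

# Does the IMA runtime policy (as shown in securityfs) carry an appraise rule
# for kexec kernel images?  $1: file holding the policy text
ima_policy_requires_kexec_sig() {
    grep -q '^appraise .*func=KEXEC_KERNEL_CHECK' "$1"
}

# Value of the ima_appraise= boot parameter (off, log, fix or enforce); the
# kernel default when it is absent is enforce.  $1: kernel command line text
ima_appraise_mode() {
    for word in $1; do
        case "$word" in
            ima_appraise=*) echo "${word#ima_appraise=}"; return 0 ;;
        esac
    done
    echo enforce
}

# Combine the checks: prints why a signature is required and returns 0, or
# prints "No signature verification required" and returns 1.  Order follows
# the thread: CONFIG_KEXEC_BZIMAGE_VERIFY_SIG always verifies the PE
# signature; with CONFIG_IMA_ARCH_POLICY and secure boot on, the arch rules
# apply and ima_appraise= is ignored (assumption taken from Mimi's note);
# otherwise a custom policy rule only counts when appraisal is not off.
# $1: config file, $2: IMA policy file, $3: SecureBoot efivar,
# $4: SetupMode efivar, $5: kernel command line text
kexec_sig_required() {
    if kconfig_enabled "$1" CONFIG_KEXEC_BZIMAGE_VERIFY_SIG; then
        echo "PE signature required by kernel config"
        return 0
    fi
    if kconfig_enabled "$1" CONFIG_IMA_ARCH_POLICY && secure_boot_enabled "$3" "$4"; then
        echo "IMA signature required by arch policy (secure boot enabled)"
        return 0
    fi
    if [ "$(ima_appraise_mode "$5")" != off ] && ima_policy_requires_kexec_sig "$2"; then
        echo "IMA signature required by runtime policy"
        return 0
    fi
    echo "No signature verification required"
    return 1
}

# Stand-alone run against the live system (reading the policy needs root);
# this is the decision a selftest makes before choosing pass, skip or fail.
if [ "${1:-}" = "--live" ]; then
    cfg=$(mktemp)
    zcat /proc/config.gz > "$cfg" 2>/dev/null || cp "/boot/config-$(uname -r)" "$cfg"
    kexec_sig_required "$cfg" /sys/kernel/security/ima/policy \
        /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c \
        /sys/firmware/efi/efivars/SetupMode-8be4df61-93ca-11d2-aa0d-00e098032b8c \
        "$(cat /proc/cmdline)"
    rm -f "$cfg"
fi
```

Invoked with --live as root it reports which of the three conditions applies on the running machine; without arguments it only defines the helpers, so each can be pointed at constructed efivar, config and policy files to reproduce the "No signature verification required" skip from Dave's second run or the arch-policy case Mimi describes.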