From patchwork Tue Feb 26 23:26:56 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mimi Zohar X-Patchwork-Id: 10830923 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 0BBE81805 for ; Tue, 26 Feb 2019 23:28:18 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id EF8862D51E for ; Tue, 26 Feb 2019 23:28:17 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id E42902D535; Tue, 26 Feb 2019 23:28:17 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.9 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI, RCVD_IN_DNSWL_HI autolearn=unavailable version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 966352D531 for ; Tue, 26 Feb 2019 23:28:17 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727998AbfBZX1s (ORCPT ); Tue, 26 Feb 2019 18:27:48 -0500 Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]:33224 "EHLO mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728736AbfBZX1r (ORCPT ); Tue, 26 Feb 2019 18:27:47 -0500 Received: from pps.filterd (m0098396.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.27/8.16.0.27) with SMTP id x1QNOpIO006220 for ; Tue, 26 Feb 2019 18:27:46 -0500 Received: from e06smtp02.uk.ibm.com (e06smtp02.uk.ibm.com [195.75.94.98]) by mx0a-001b2d01.pphosted.com with ESMTP id 2qwdgqmwgg-1 (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=NOT) for ; Tue, 26 Feb 2019 18:27:46 -0500 Received: from localhost by e06smtp02.uk.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Tue, 26 Feb 2019 23:27:44 -0000 Received: from b06cxnps4076.portsmouth.uk.ibm.com (9.149.109.198) by e06smtp02.uk.ibm.com (192.168.101.132) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; (version=TLSv1/SSLv3 cipher=AES256-GCM-SHA384 bits=256/256) Tue, 26 Feb 2019 23:27:42 -0000 Received: from d06av23.portsmouth.uk.ibm.com (d06av23.portsmouth.uk.ibm.com [9.149.105.59]) by b06cxnps4076.portsmouth.uk.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id x1QNRfAP32833722 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL); Tue, 26 Feb 2019 23:27:41 GMT Received: from d06av23.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 964D0A4051; Tue, 26 Feb 2019 23:27:41 +0000 (GMT) Received: from d06av23.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id D88FBA404D; Tue, 26 Feb 2019 23:27:40 +0000 (GMT) Received: from localhost.ibm.com (unknown [9.80.106.105]) by d06av23.portsmouth.uk.ibm.com (Postfix) with ESMTP; Tue, 26 Feb 2019 23:27:40 +0000 (GMT) From: Mimi Zohar To: linux-kselftest@vger.kernel.org, Shuah Khan Cc: linux-integrity@vger.kernel.org, linux-kernel@vger.kernel.org, Mimi Zohar Subject: [PATCH v2 1/5] selftests/ima: cleanup the kexec selftest Date: Tue, 26 Feb 2019 18:26:56 -0500 X-Mailer: git-send-email 2.7.5 In-Reply-To: <1551223620-11586-1-git-send-email-zohar@linux.ibm.com> References: <1551223620-11586-1-git-send-email-zohar@linux.ibm.com> X-TM-AS-GCONF: 00 x-cbid: 19022623-0008-0000-0000-000002C54C62 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 19022623-0009-0000-0000-00002231977A Message-Id: <1551223620-11586-2-git-send-email-zohar@linux.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:,, definitions=2019-02-26_13:,, signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=968 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1902260158 Sender: linux-integrity-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-integrity@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP Remove the few bashisms and use the complete option name for clarity. Signed-off-by: Mimi Zohar Reviewed-by: Petr Vorel --- tools/testing/selftests/ima/test_kexec_load.sh | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/tools/testing/selftests/ima/test_kexec_load.sh b/tools/testing/selftests/ima/test_kexec_load.sh index 1c10093fb526..0345803e7bec 100755 --- a/tools/testing/selftests/ima/test_kexec_load.sh +++ b/tools/testing/selftests/ima/test_kexec_load.sh @@ -1,7 +1,7 @@ #!/bin/sh -# SPDX-License-Identifier: GPL-2.0+ +# SPDX-License-Identifier: GPL-2.0-or-later # Loading a kernel image via the kexec_load syscall should fail -# when the kerne is CONFIG_KEXEC_VERIFY_SIG enabled and the system +# when the kernel is CONFIG_KEXEC_VERIFY_SIG enabled and the system # is booted in secureboot mode. TEST="$0" @@ -12,8 +12,8 @@ rc=0 ksft_skip=4 # kexec requires root privileges -if [ $UID != 0 ]; then - echo "$TEST: must be run as root" >&2 +if [ $(id -ru) -ne 0 ]; then + echo "$TEST: requires root privileges" >&2 exit $ksft_skip fi @@ -33,17 +33,17 @@ secureboot=`hexdump $file | awk '{print substr($4,length($4),1)}'` # kexec_load should fail in secure boot mode KERNEL_IMAGE="/boot/vmlinuz-`uname -r`" -kexec -l $KERNEL_IMAGE &>> /dev/null -if [ $? == 0 ]; then - kexec -u - if [ "$secureboot" == "1" ]; then +kexec --load $KERNEL_IMAGE 2>&1 > /dev/null +if [ $? -eq 0 ]; then + kexec --unload + if [ $secureboot -eq 1 ]; then echo "$TEST: kexec_load succeeded [FAIL]" rc=1 else echo "$TEST: kexec_load succeeded [PASS]" fi else - if [ "$secureboot" == "1" ]; then + if [ $secureboot -eq 1 ]; then echo "$TEST: kexec_load failed [PASS]" else echo "$TEST: kexec_load failed [FAIL]" From patchwork Tue Feb 26 23:26:57 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mimi Zohar X-Patchwork-Id: 10830919 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 084291575 for ; Tue, 26 Feb 2019 23:28:17 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id EB9E02D51E for ; Tue, 26 Feb 2019 23:28:16 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id DF9C82D535; Tue, 26 Feb 2019 23:28:16 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.9 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI, RCVD_IN_DNSWL_HI autolearn=unavailable version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 776EE2D51E for ; Tue, 26 Feb 2019 23:28:16 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728791AbfBZX1u (ORCPT ); Tue, 26 Feb 2019 18:27:50 -0500 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:56944 "EHLO mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1728729AbfBZX1u (ORCPT ); Tue, 26 Feb 2019 18:27:50 -0500 Received: from pps.filterd (m0098416.ppops.net [127.0.0.1]) by mx0b-001b2d01.pphosted.com (8.16.0.27/8.16.0.27) with SMTP id x1QNNx1Y005093 for ; Tue, 26 Feb 2019 18:27:49 -0500 Received: from e06smtp02.uk.ibm.com (e06smtp02.uk.ibm.com [195.75.94.98]) by mx0b-001b2d01.pphosted.com with ESMTP id 2qwbr5jmn0-1 (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=NOT) for ; Tue, 26 Feb 2019 18:27:49 -0500 Received: from localhost by e06smtp02.uk.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Tue, 26 Feb 2019 23:27:47 -0000 Received: from b06cxnps3075.portsmouth.uk.ibm.com (9.149.109.195) by e06smtp02.uk.ibm.com (192.168.101.132) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; (version=TLSv1/SSLv3 cipher=AES256-GCM-SHA384 bits=256/256) Tue, 26 Feb 2019 23:27:44 -0000 Received: from d06av23.portsmouth.uk.ibm.com (d06av23.portsmouth.uk.ibm.com [9.149.105.59]) by b06cxnps3075.portsmouth.uk.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id x1QNRhe757802838 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL); Tue, 26 Feb 2019 23:27:43 GMT Received: from d06av23.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id B9C83A404D; Tue, 26 Feb 2019 23:27:43 +0000 (GMT) Received: from d06av23.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 0A262A4040; Tue, 26 Feb 2019 23:27:43 +0000 (GMT) Received: from localhost.ibm.com (unknown [9.80.106.105]) by d06av23.portsmouth.uk.ibm.com (Postfix) with ESMTP; Tue, 26 Feb 2019 23:27:42 +0000 (GMT) From: Mimi Zohar To: linux-kselftest@vger.kernel.org, Shuah Khan Cc: linux-integrity@vger.kernel.org, linux-kernel@vger.kernel.org, Mimi Zohar Subject: [PATCH v2 2/5] selftests/ima: define a set of common functions Date: Tue, 26 Feb 2019 18:26:57 -0500 X-Mailer: git-send-email 2.7.5 In-Reply-To: <1551223620-11586-1-git-send-email-zohar@linux.ibm.com> References: <1551223620-11586-1-git-send-email-zohar@linux.ibm.com> X-TM-AS-GCONF: 00 x-cbid: 19022623-0008-0000-0000-000002C54C63 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 19022623-0009-0000-0000-00002231977B Message-Id: <1551223620-11586-3-git-send-email-zohar@linux.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:,, definitions=2019-02-26_13:,, signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1902260158 Sender: linux-integrity-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-integrity@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP Define, update and move get_secureboot_mode() to a common file for use by other tests. Signed-off-by: Mimi Zohar Reviewed-by: Petr Vorel Reviewed-by: Petr Vorel --- tools/testing/selftests/ima/Makefile | 1 + tools/testing/selftests/ima/common_lib.sh | 24 ++++++++++++++++++++++++ tools/testing/selftests/ima/test_kexec_load.sh | 17 +++-------------- 3 files changed, 28 insertions(+), 14 deletions(-) create mode 100755 tools/testing/selftests/ima/common_lib.sh diff --git a/tools/testing/selftests/ima/Makefile b/tools/testing/selftests/ima/Makefile index 0b3adf5444b6..46b9e04d2737 100644 --- a/tools/testing/selftests/ima/Makefile +++ b/tools/testing/selftests/ima/Makefile @@ -5,6 +5,7 @@ ARCH ?= $(shell echo $(uname_M) | sed -e s/i.86/x86/ -e s/x86_64/x86/) ifeq ($(ARCH),x86) TEST_PROGS := test_kexec_load.sh +TEST_FILES := common_lib.sh include ../lib.mk diff --git a/tools/testing/selftests/ima/common_lib.sh b/tools/testing/selftests/ima/common_lib.sh new file mode 100755 index 000000000000..5583ea74c14e --- /dev/null +++ b/tools/testing/selftests/ima/common_lib.sh @@ -0,0 +1,24 @@ +#!/bin/sh +# SPDX-License-Identifier: GPL-2.0-or-later + +# The secure boot mode can be accessed either as the last integer +# of "od -An -t u1 /sys/firmware/efi/efivars/SecureBoot-*" or from +# "od -An -t u1 /sys/firmware/efi/vars/SecureBoot-*/data". +# Return 1 for SecureBoot mode enabled. +get_secureboot_mode() +{ + local efivarfs="/sys/firmware/efi/efivars" + # Make sure that efivars is mounted in the normal location + if ! grep -q "^\S\+ $efivarfs efivarfs" /proc/mounts; then + echo "$TEST: efivars is not mounted on $efivarfs" >&2 + exit $ksft_skip + fi + + # Get secureboot mode + local file="$efivarfs/../vars/SecureBoot-*/data" + if [ ! -e $file ]; then + echo "$TEST: unknown secureboot mode" >&2 + exit $ksft_skip + fi + return `od -An -t u1 /sys/firmware/efi/vars/SecureBoot-*/data` +} diff --git a/tools/testing/selftests/ima/test_kexec_load.sh b/tools/testing/selftests/ima/test_kexec_load.sh index 0345803e7bec..35934e0665f1 100755 --- a/tools/testing/selftests/ima/test_kexec_load.sh +++ b/tools/testing/selftests/ima/test_kexec_load.sh @@ -5,7 +5,7 @@ # is booted in secureboot mode. TEST="$0" -EFIVARFS="/sys/firmware/efi/efivars" +. ./common_lib.sh rc=0 # Kselftest framework requirement - SKIP code is 4. @@ -17,19 +17,8 @@ if [ $(id -ru) -ne 0 ]; then exit $ksft_skip fi -# Make sure that efivars is mounted in the normal location -if ! grep -q "^\S\+ $EFIVARFS efivarfs" /proc/mounts; then - echo "$TEST: efivars is not mounted on $EFIVARFS" >&2 - exit $ksft_skip -fi - -# Get secureboot mode -file="$EFIVARFS/SecureBoot-*" -if [ ! -e $file ]; then - echo "$TEST: unknown secureboot mode" >&2 - exit $ksft_skip -fi -secureboot=`hexdump $file | awk '{print substr($4,length($4),1)}'` +get_secureboot_mode +secureboot=$? # kexec_load should fail in secure boot mode KERNEL_IMAGE="/boot/vmlinuz-`uname -r`" From patchwork Tue Feb 26 23:26:58 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mimi Zohar X-Patchwork-Id: 10830905 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 6BD211575 for ; Tue, 26 Feb 2019 23:27:59 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 5A0CF2D536 for ; Tue, 26 Feb 2019 23:27:59 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 4D42A2D535; Tue, 26 Feb 2019 23:27:59 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.9 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI, RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id CB8462D519 for ; Tue, 26 Feb 2019 23:27:58 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728729AbfBZX1v (ORCPT ); Tue, 26 Feb 2019 18:27:51 -0500 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:44734 "EHLO mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1729364AbfBZX1u (ORCPT ); Tue, 26 Feb 2019 18:27:50 -0500 Received: from pps.filterd (m0098413.ppops.net [127.0.0.1]) by mx0b-001b2d01.pphosted.com (8.16.0.27/8.16.0.27) with SMTP id x1QNNxBt117193 for ; Tue, 26 Feb 2019 18:27:49 -0500 Received: from e06smtp02.uk.ibm.com (e06smtp02.uk.ibm.com [195.75.94.98]) by mx0b-001b2d01.pphosted.com with ESMTP id 2qwcj3fvws-1 (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=NOT) for ; Tue, 26 Feb 2019 18:27:49 -0500 Received: from localhost by e06smtp02.uk.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Tue, 26 Feb 2019 23:27:48 -0000 Received: from b06cxnps4075.portsmouth.uk.ibm.com (9.149.109.197) by e06smtp02.uk.ibm.com (192.168.101.132) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; (version=TLSv1/SSLv3 cipher=AES256-GCM-SHA384 bits=256/256) Tue, 26 Feb 2019 23:27:46 -0000 Received: from d06av23.portsmouth.uk.ibm.com (d06av23.portsmouth.uk.ibm.com [9.149.105.59]) by b06cxnps4075.portsmouth.uk.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id x1QNRjkK32506058 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL); Tue, 26 Feb 2019 23:27:46 GMT Received: from d06av23.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id DD077A4051; Tue, 26 Feb 2019 23:27:45 +0000 (GMT) Received: from d06av23.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 2E0F9A4040; Tue, 26 Feb 2019 23:27:45 +0000 (GMT) Received: from localhost.ibm.com (unknown [9.80.106.105]) by d06av23.portsmouth.uk.ibm.com (Postfix) with ESMTP; Tue, 26 Feb 2019 23:27:44 +0000 (GMT) From: Mimi Zohar To: linux-kselftest@vger.kernel.org, Shuah Khan Cc: linux-integrity@vger.kernel.org, linux-kernel@vger.kernel.org, Mimi Zohar Subject: [PATCH v2 3/5] selftests/ima: define common logging functions Date: Tue, 26 Feb 2019 18:26:58 -0500 X-Mailer: git-send-email 2.7.5 In-Reply-To: <1551223620-11586-1-git-send-email-zohar@linux.ibm.com> References: <1551223620-11586-1-git-send-email-zohar@linux.ibm.com> X-TM-AS-GCONF: 00 x-cbid: 19022623-0008-0000-0000-000002C54C64 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 19022623-0009-0000-0000-00002231977C Message-Id: <1551223620-11586-4-git-send-email-zohar@linux.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:,, definitions=2019-02-26_13:,, signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=896 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1902260158 Sender: linux-integrity-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-integrity@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP Define log_info, log_pass, log_fail, and log_skip functions. Suggested-by: Petr Vorel Signed-off-by: Mimi Zohar Reviewed-by: Petr Vorel --- tools/testing/selftests/ima/common_lib.sh | 43 +++++++++++++++++++++++--- tools/testing/selftests/ima/test_kexec_load.sh | 19 +++--------- 2 files changed, 43 insertions(+), 19 deletions(-) diff --git a/tools/testing/selftests/ima/common_lib.sh b/tools/testing/selftests/ima/common_lib.sh index 5583ea74c14e..c6d04006281d 100755 --- a/tools/testing/selftests/ima/common_lib.sh +++ b/tools/testing/selftests/ima/common_lib.sh @@ -1,5 +1,36 @@ #!/bin/sh # SPDX-License-Identifier: GPL-2.0-or-later +# +# Kselftest framework defines: ksft_pass=0, ksft_fail=1, ksft_skip=4 + +VERBOSE="${VERBOSE:-1}" + +log_info() +{ + [ $VERBOSE -ne 0 ] && echo "[INFO] $1" +} + +# The ksefltest framework requirement returns 0 for PASS. +log_pass() +{ + + [ $VERBOSE -ne 0 ] && echo "$1 [PASS]" + exit 0 +} + +# The ksefltest framework requirement returns 1 for FAIL. +log_fail() +{ + [ $VERBOSE -ne 0 ] && echo "$1 [FAIL]" + exit 1 +} + +# The ksefltest framework requirement returns 4 for SKIP. +log_skip() +{ + [ $VERBOSE -ne 0 ] && echo "$1" + exit 4 +} # The secure boot mode can be accessed either as the last integer # of "od -An -t u1 /sys/firmware/efi/efivars/SecureBoot-*" or from @@ -8,17 +39,19 @@ get_secureboot_mode() { local efivarfs="/sys/firmware/efi/efivars" + # Make sure that efivars is mounted in the normal location if ! grep -q "^\S\+ $efivarfs efivarfs" /proc/mounts; then - echo "$TEST: efivars is not mounted on $efivarfs" >&2 - exit $ksft_skip + log_skip "efivars is not mounted on $efivarfs" fi # Get secureboot mode local file="$efivarfs/../vars/SecureBoot-*/data" if [ ! -e $file ]; then - echo "$TEST: unknown secureboot mode" >&2 - exit $ksft_skip + log_skip "unknown secureboot mode" fi - return `od -An -t u1 /sys/firmware/efi/vars/SecureBoot-*/data` + ret=`od -An -t u1 /sys/firmware/efi/vars/SecureBoot-*/data` + [ $ret -eq 1 ] && log_info "secure boot mode enabled" + + return $ret } diff --git a/tools/testing/selftests/ima/test_kexec_load.sh b/tools/testing/selftests/ima/test_kexec_load.sh index 35934e0665f1..8b99017538ba 100755 --- a/tools/testing/selftests/ima/test_kexec_load.sh +++ b/tools/testing/selftests/ima/test_kexec_load.sh @@ -6,15 +6,10 @@ TEST="$0" . ./common_lib.sh -rc=0 - -# Kselftest framework requirement - SKIP code is 4. -ksft_skip=4 # kexec requires root privileges if [ $(id -ru) -ne 0 ]; then - echo "$TEST: requires root privileges" >&2 - exit $ksft_skip + log_skip "requires root privileges" >&2 fi get_secureboot_mode @@ -26,18 +21,14 @@ kexec --load $KERNEL_IMAGE 2>&1 > /dev/null if [ $? -eq 0 ]; then kexec --unload if [ $secureboot -eq 1 ]; then - echo "$TEST: kexec_load succeeded [FAIL]" - rc=1 + log_fail "kexec_load succeeded" else - echo "$TEST: kexec_load succeeded [PASS]" + log_pass "kexec_load succeeded" fi else if [ $secureboot -eq 1 ]; then - echo "$TEST: kexec_load failed [PASS]" + log_pass "kexec_load failed" else - echo "$TEST: kexec_load failed [FAIL]" - rc=1 + log_fail "kexec_load failed" fi fi - -exit $rc From patchwork Tue Feb 26 23:26:59 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mimi Zohar X-Patchwork-Id: 10830909 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 281C717E9 for ; Tue, 26 Feb 2019 23:28:00 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 127402D530 for ; Tue, 26 Feb 2019 23:28:00 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 072172D535; Tue, 26 Feb 2019 23:28:00 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.9 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI, RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 229032D530 for ; Tue, 26 Feb 2019 23:27:59 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729452AbfBZX1z (ORCPT ); Tue, 26 Feb 2019 18:27:55 -0500 Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]:54494 "EHLO mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729436AbfBZX1y (ORCPT ); Tue, 26 Feb 2019 18:27:54 -0500 Received: from pps.filterd (m0098410.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.27/8.16.0.27) with SMTP id x1QNORQG003543 for ; Tue, 26 Feb 2019 18:27:53 -0500 Received: from e06smtp04.uk.ibm.com (e06smtp04.uk.ibm.com [195.75.94.100]) by mx0a-001b2d01.pphosted.com with ESMTP id 2qwdh9vr2u-1 (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=NOT) for ; Tue, 26 Feb 2019 18:27:53 -0500 Received: from localhost by e06smtp04.uk.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Tue, 26 Feb 2019 23:27:51 -0000 Received: from b06cxnps3075.portsmouth.uk.ibm.com (9.149.109.195) by e06smtp04.uk.ibm.com (192.168.101.134) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; (version=TLSv1/SSLv3 cipher=AES256-GCM-SHA384 bits=256/256) Tue, 26 Feb 2019 23:27:48 -0000 Received: from d06av23.portsmouth.uk.ibm.com (d06av23.portsmouth.uk.ibm.com [9.149.105.59]) by b06cxnps3075.portsmouth.uk.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id x1QNRmYP51445766 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL); Tue, 26 Feb 2019 23:27:48 GMT Received: from d06av23.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id EAB1EA404D; Tue, 26 Feb 2019 23:27:47 +0000 (GMT) Received: from d06av23.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 3B2B5A4051; Tue, 26 Feb 2019 23:27:47 +0000 (GMT) Received: from localhost.ibm.com (unknown [9.80.106.105]) by d06av23.portsmouth.uk.ibm.com (Postfix) with ESMTP; Tue, 26 Feb 2019 23:27:46 +0000 (GMT) From: Mimi Zohar To: linux-kselftest@vger.kernel.org, Shuah Khan Cc: linux-integrity@vger.kernel.org, linux-kernel@vger.kernel.org, Mimi Zohar Subject: [PATCH v2 4/5] selftests/ima: kexec_file_load syscall test Date: Tue, 26 Feb 2019 18:26:59 -0500 X-Mailer: git-send-email 2.7.5 In-Reply-To: <1551223620-11586-1-git-send-email-zohar@linux.ibm.com> References: <1551223620-11586-1-git-send-email-zohar@linux.ibm.com> X-TM-AS-GCONF: 00 x-cbid: 19022623-0016-0000-0000-0000025B496D X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 19022623-0017-0000-0000-000032B5AE3D Message-Id: <1551223620-11586-5-git-send-email-zohar@linux.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:,, definitions=2019-02-26_13:,, signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1902260158 Sender: linux-integrity-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-integrity@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP The kernel can be configured to verify PE signed kernel images, IMA kernel image signatures, both types of signatures, or none. This test verifies only properly signed kernel images are loaded into memory, based on the kernel configuration and runtime policies. Signed-off-by: Mimi Zohar Reviewed-by: Petr Vorel --- tools/testing/selftests/ima/Makefile | 2 +- tools/testing/selftests/ima/common_lib.sh | 97 ++++++++++ .../testing/selftests/ima/test_kexec_file_load.sh | 195 +++++++++++++++++++++ tools/testing/selftests/ima/test_kexec_load.sh | 1 - 4 files changed, 293 insertions(+), 2 deletions(-) create mode 100755 tools/testing/selftests/ima/test_kexec_file_load.sh diff --git a/tools/testing/selftests/ima/Makefile b/tools/testing/selftests/ima/Makefile index 46b9e04d2737..049c83c9426c 100644 --- a/tools/testing/selftests/ima/Makefile +++ b/tools/testing/selftests/ima/Makefile @@ -4,7 +4,7 @@ uname_M := $(shell uname -m 2>/dev/null || echo not) ARCH ?= $(shell echo $(uname_M) | sed -e s/i.86/x86/ -e s/x86_64/x86/) ifeq ($(ARCH),x86) -TEST_PROGS := test_kexec_load.sh +TEST_PROGS := test_kexec_load.sh test_kexec_file_load.sh TEST_FILES := common_lib.sh include ../lib.mk diff --git a/tools/testing/selftests/ima/common_lib.sh b/tools/testing/selftests/ima/common_lib.sh index c6d04006281d..24091f29bd09 100755 --- a/tools/testing/selftests/ima/common_lib.sh +++ b/tools/testing/selftests/ima/common_lib.sh @@ -4,6 +4,9 @@ # Kselftest framework defines: ksft_pass=0, ksft_fail=1, ksft_skip=4 VERBOSE="${VERBOSE:-1}" +IKCONFIG="/tmp/config-`uname -r`" +KERNEL_IMAGE="/boot/vmlinuz-`uname -r`" +SECURITYFS=$(grep "securityfs" /proc/mounts | awk '{print $2}') log_info() { @@ -55,3 +58,97 @@ get_secureboot_mode() return $ret } + +# Look for config option in Kconfig file. +# Return 1 for found and 0 for not found. +kconfig_enabled() +{ + local config="$1" + local msg="$2" + + grep -E -q $config $IKCONFIG + if [ $? -eq 0 ]; then + log_info "$msg" + return 1 + fi + return 0 +} + +# Attempt to get the kernel config first via proc, and then by +# extracting it from the kernel image or the configs.ko using +# scripts/extract-ikconfig. +# Return 1 for found and 0 for not found. +get_kconfig() +{ + local proc_config="/proc/config.gz" + local module_dir="/lib/modules/`uname -r`" + local configs_module="$module_dir/kernel/kernel/configs.ko" + + if [ ! -f $proc_config ]; then + modprobe configs > /dev/null 2>&1 + fi + if [ -f $proc_config ]; then + cat $proc_config | gunzip > $IKCONFIG 2>/dev/null + if [ $? -eq 0 ]; then + return 1 + fi + fi + + local extract_ikconfig="$module_dir/source/scripts/extract-ikconfig" + if [ ! -f $extract_ikconfig ]; then + log_skip "extract-ikconfig not found" + fi + + $extract_ikconfig $KERNEL_IMAGE > $IKCONFIG 2>/dev/null + if [ $? -eq 1 ]; then + if [ ! -f $configs_module ]; then + log_skip "CONFIG_IKCONFIG not enabled" + fi + $extract_ikconfig $configs_module > $IKCONFIG + if [ $? -eq 1 ]; then + log_skip "CONFIG_IKCONFIG not enabled" + fi + fi + return 1 +} + +# Make sure that securityfs is mounted +mount_securityfs() +{ + if [ -z $SECURITYFS ]; then + SECURITYFS=/sys/kernel/security + mount -t securityfs security $SECURITYFS + fi + + if [ ! -d "$SECURITYFS" ]; then + log_fail "$SECURITYFS :securityfs is not mounted" + fi +} + +# The policy rule format is an "action" followed by key-value pairs. This +# function supports up to two key-value pairs, in any order. +# For example: action func= [appraise_type=] +# Return 1 for found and 0 for not found. +check_ima_policy() +{ + local action=$1 + local keypair1="$2" + local keypair2="$3" + + mount_securityfs + + local ima_policy=$SECURITYFS/ima/policy + if [ ! -e $ima_policy ]; then + log_fail "$ima_policy not found" + fi + + if [ -n $keypair2 ]; then + grep -e "^$action.*$keypair1" "$ima_policy" | \ + grep -q -e "$keypair2" + else + grep -q -e "^$action.*$keypair1" "$ima_policy" + fi + + [ $? -eq 0 ] && ret=1 || ret=0 + return $ret +} diff --git a/tools/testing/selftests/ima/test_kexec_file_load.sh b/tools/testing/selftests/ima/test_kexec_file_load.sh new file mode 100755 index 000000000000..e08c7e6cf28c --- /dev/null +++ b/tools/testing/selftests/ima/test_kexec_file_load.sh @@ -0,0 +1,195 @@ +#!/bin/sh +# SPDX-License-Identifier: GPL-2.0-or-later +# +# Loading a kernel image via the kexec_file_load syscall can verify either +# the IMA signature stored in the security.ima xattr or the PE signature, +# both signatures depending on the IMA policy, or none. +# +# To determine whether the kernel image is signed, this test depends +# on pesign and getfattr. This test also requires the kernel to be +# built with CONFIG_IKCONFIG enabled and either CONFIG_IKCONFIG_PROC +# enabled or access to the extract-ikconfig script. + +TEST="KEXEC_FILE_LOAD" +. ./common_lib.sh + +trap "{ rm -f $IKCONFIG ; }" EXIT + +# Some of the IMA builtin policies may require the kexec kernel image to +# be signed, but these policy rules may be replaced with a custom +# policy. Only CONFIG_IMA_APPRAISE_REQUIRE_KEXEC_SIGS persists after +# loading a custom policy. Check if it is enabled, before reading the +# IMA runtime sysfs policy file. +# Return 1 for IMA signature required and 0 for not required. +is_ima_sig_required() +{ + local ret=0 + + kconfig_enabled "CONFIG_IMA_APPRAISE_REQUIRE_KEXEC_SIGS=y" \ + "IMA kernel image signature required" + if [ $? -eq 1 ]; then + log_info "IMA signature required" + return 1 + fi + + # The architecture specific or a custom policy may require the + # kexec kernel image be signed. Policy rules are walked + # sequentially. As a result, a policy rule may be defined, but + # might not necessarily be used. This test assumes if a policy + # rule is specified, that is the intent. + if [ $ima_read_policy -eq 1 ]; then + check_ima_policy "appraise" "func=KEXEC_KERNEL_CHECK" \ + "appraise_type=imasig" + ret=$? + [ $ret -eq 1 ] && log_info "IMA signature required"; + fi + return $ret +} + +# The kexec_file_load_test() is complicated enough, require pesign. +# Return 1 for PE signature found and 0 for not found. +check_for_pesig() +{ + which pesign > /dev/null 2>&1 + if [ $? -eq 1 ]; then + log_skip "pesign not found" + fi + + pesign -i $KERNEL_IMAGE --show-signature | grep -q "No signatures" + local ret=$? + if [ $ret -eq 1 ]; then + log_info "kexec kernel image PE signed" + else + log_info "kexec kernel image not PE signed" + fi + return $ret +} + +# The kexec_file_load_test() is complicated enough, require getfattr. +# Return 1 for IMA signature found and 0 for not found. +check_for_imasig() +{ + local ret=0 + + which getfattr > /dev/null 2>&1 + if [ $? -eq 1 ]; then + log_skip "getfattr not found" + fi + + line=$(getfattr -n security.ima -e hex --absolute-names $KERNEL_IMAGE 2>&1) + echo $line | grep -q "security.ima=0x03" + if [ $? -eq 0 ]; then + ret=1 + log_info "kexec kernel image IMA signed" + else + log_info "kexec kernel image not IMA signed" + fi + return $ret +} + +kexec_file_load_test() +{ + local succeed_msg="kexec_file_load succeeded" + local failed_msg="kexec_file_load failed" + local key_msg="try enabling the CONFIG_INTEGRITY_PLATFORM_KEYRING" + + line=$(kexec --load --kexec-file-syscall $KERNEL_IMAGE 2>&1) + + if [ $? -eq 0 ]; then + kexec --unload --kexec-file-syscall + + # In secureboot mode with an architecture specific + # policy, make sure either an IMA or PE signature exists. + if [ $secureboot -eq 1 ] && [ $arch_policy -eq 1 ] && \ + [ $ima_signed -eq 0 ] && [ $pe_signed -eq 0 ]; then + log_fail "$succeed_msg (missing sig)" + fi + + if [ $pe_sig_required -eq 1 ] && [ $pe_signed -eq 0 ]; then + log_fail "$succeed_msg (missing PE sig)" + fi + + if [ $ima_sig_required -eq 1 ] && [ $ima_signed -eq 0 ]; then + log_fail "$succeed_msg (missing IMA sig)" + fi + + if [ $pe_sig_required -eq 0 ] && [ $ima_sig_required -eq 0 ] \ + && [ $ima_read_policy -eq 0 ] && [ $ima_signed -eq 0 ]; then + log_fail "$succeed_msg (possibly missing IMA sig)" + fi + + log_pass "$succeed_msg" + fi + + # Check the reason for the kexec_file_load failure + echo $line | grep -q "Required key not available" + if [ $? -eq 0 ]; then + if [ $platform_keyring -eq 0 ]; then + log_pass "$failed_msg (-ENOKEY), $key_msg" + else + log_pass "$failed_msg (-ENOKEY)" + fi + fi + + if [ $pe_sig_required -eq 1 ] && [ $pe_signed -eq 0 ]; then + log_pass "$failed_msg (missing PE sig)" + fi + + if [ $ima_sig_required -eq 1 ] && [ $ima_signed -eq 0 ]; then + log_pass "$failed_msg (missing IMA sig)" + fi + + if [ $pe_sig_required -eq 0 ] && [ $ima_sig_required -eq 0 ] \ + && [ $ima_read_policy -eq 0 ] && [ $ima_signed -eq 0 ]; then + log_pass "$failed_msg (possibly missing IMA sig)" + fi + + log_pass "$failed_msg" + return 0 +} + +# kexec requires root privileges +if [ $(id -ru) -ne 0 ]; then + log_skip "requires root privileges" +fi + +# get the kernel config +get_kconfig + +# Determine which kernel config options are enabled +kconfig_enabled "CONFIG_IMA_ARCH_POLICY=y" \ + "architecture specific policy enabled" +arch_policy=$? + +kconfig_enabled "CONFIG_INTEGRITY_PLATFORM_KEYRING=y" \ + "platform keyring enabled" +platform_keyring=$? + +kconfig_enabled "CONFIG_IMA_READ_POLICY=y" "reading IMA policy permitted" +ima_read_policy=$? + +kconfig_enabled "CONFIG_KEXEC_BZIMAGE_VERIFY_SIG=y" \ + "PE signed kernel image required" +pe_sig_required=$? + +is_ima_sig_required +ima_sig_required=$? + +get_secureboot_mode +secureboot=$? + +if [ $secureboot -eq 0 ] && [ $arch_policy -eq 0 ] && \ + [ $pe_sig_required -eq 0 ] && [ $ima_sig_required -eq 0 ] && \ + [ $ima_read_policy -eq 1 ]; then + log_skip "No signature verification required" +fi + +# Are there pe and ima signatures +check_for_pesig +pe_signed=$? + +check_for_imasig +ima_signed=$? + +# Test loading the kernel image via kexec_file_load syscall +kexec_file_load_test diff --git a/tools/testing/selftests/ima/test_kexec_load.sh b/tools/testing/selftests/ima/test_kexec_load.sh index 8b99017538ba..1c00fd6c4dcd 100755 --- a/tools/testing/selftests/ima/test_kexec_load.sh +++ b/tools/testing/selftests/ima/test_kexec_load.sh @@ -16,7 +16,6 @@ get_secureboot_mode secureboot=$? # kexec_load should fail in secure boot mode -KERNEL_IMAGE="/boot/vmlinuz-`uname -r`" kexec --load $KERNEL_IMAGE 2>&1 > /dev/null if [ $? -eq 0 ]; then kexec --unload From patchwork Tue Feb 26 23:27:00 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mimi Zohar X-Patchwork-Id: 10830915 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id D833417E9 for ; Tue, 26 Feb 2019 23:28:12 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id C825B2D51E for ; Tue, 26 Feb 2019 23:28:12 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id BA3382D535; Tue, 26 Feb 2019 23:28:12 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.9 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI, RCVD_IN_DNSWL_HI autolearn=unavailable version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 32B652D51E for ; Tue, 26 Feb 2019 23:28:12 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729432AbfBZX17 (ORCPT ); Tue, 26 Feb 2019 18:27:59 -0500 Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]:48926 "EHLO mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729447AbfBZX15 (ORCPT ); Tue, 26 Feb 2019 18:27:57 -0500 Received: from pps.filterd (m0098393.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.27/8.16.0.27) with SMTP id x1QNNx4b004387 for ; Tue, 26 Feb 2019 18:27:56 -0500 Received: from e06smtp04.uk.ibm.com (e06smtp04.uk.ibm.com [195.75.94.100]) by mx0a-001b2d01.pphosted.com with ESMTP id 2qwcbg8tue-1 (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=NOT) for ; Tue, 26 Feb 2019 18:27:56 -0500 Received: from localhost by e06smtp04.uk.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Tue, 26 Feb 2019 23:27:53 -0000 Received: from b06cxnps4074.portsmouth.uk.ibm.com (9.149.109.196) by e06smtp04.uk.ibm.com (192.168.101.134) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; (version=TLSv1/SSLv3 cipher=AES256-GCM-SHA384 bits=256/256) Tue, 26 Feb 2019 23:27:50 -0000 Received: from d06av23.portsmouth.uk.ibm.com (d06av23.portsmouth.uk.ibm.com [9.149.105.59]) by b06cxnps4074.portsmouth.uk.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id x1QNRn1722937626 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL); Tue, 26 Feb 2019 23:27:50 GMT Received: from d06av23.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id DB553A4055; Tue, 26 Feb 2019 23:27:49 +0000 (GMT) Received: from d06av23.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 2C775A4051; Tue, 26 Feb 2019 23:27:49 +0000 (GMT) Received: from localhost.ibm.com (unknown [9.80.106.105]) by d06av23.portsmouth.uk.ibm.com (Postfix) with ESMTP; Tue, 26 Feb 2019 23:27:49 +0000 (GMT) From: Mimi Zohar To: linux-kselftest@vger.kernel.org, Shuah Khan Cc: linux-integrity@vger.kernel.org, linux-kernel@vger.kernel.org, Mimi Zohar Subject: [PATCH v2 5/5] selftests/ima: loading kernel modules Date: Tue, 26 Feb 2019 18:27:00 -0500 X-Mailer: git-send-email 2.7.5 In-Reply-To: <1551223620-11586-1-git-send-email-zohar@linux.ibm.com> References: <1551223620-11586-1-git-send-email-zohar@linux.ibm.com> X-TM-AS-GCONF: 00 x-cbid: 19022623-0016-0000-0000-0000025B496E X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 19022623-0017-0000-0000-000032B5AE3E Message-Id: <1551223620-11586-6-git-send-email-zohar@linux.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:,, definitions=2019-02-26_13:,, signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1902260158 Sender: linux-integrity-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-integrity@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP While the appended kernel module signature can be verified, when loading a kernel module via either the init_module or the finit_module syscall, verifying the IMA signature requires access to the file descriptor, which is only available via the finit_module syscall. As "modprobe" does not provide a flag allowing the syscall - init_module or finit_module - to be specified, this patch does not load a kernel module. This test simply verifies that on secure boot enabled systems with "CONFIG_IMA_ARCH_POLICY" configured, that at least an appended kernel module signature or an IMA signature is required based on the Kconfig and the runtime IMA policy. Signed-off-by: Mimi Zohar Reviewed-by: Petr Vorel --- tools/testing/selftests/ima/Makefile | 2 +- tools/testing/selftests/ima/test_kernel_module.sh | 96 +++++++++++++++++++++++ 2 files changed, 97 insertions(+), 1 deletion(-) create mode 100755 tools/testing/selftests/ima/test_kernel_module.sh diff --git a/tools/testing/selftests/ima/Makefile b/tools/testing/selftests/ima/Makefile index 049c83c9426c..ef5201ff0bea 100644 --- a/tools/testing/selftests/ima/Makefile +++ b/tools/testing/selftests/ima/Makefile @@ -4,7 +4,7 @@ uname_M := $(shell uname -m 2>/dev/null || echo not) ARCH ?= $(shell echo $(uname_M) | sed -e s/i.86/x86/ -e s/x86_64/x86/) ifeq ($(ARCH),x86) -TEST_PROGS := test_kexec_load.sh test_kexec_file_load.sh +TEST_PROGS := test_kexec_load.sh test_kexec_file_load.sh test_kernel_module.sh TEST_FILES := common_lib.sh include ../lib.mk diff --git a/tools/testing/selftests/ima/test_kernel_module.sh b/tools/testing/selftests/ima/test_kernel_module.sh new file mode 100755 index 000000000000..4009e1b60b03 --- /dev/null +++ b/tools/testing/selftests/ima/test_kernel_module.sh @@ -0,0 +1,96 @@ +#!/bin/sh +# SPDX-License-Identifier: GPL-2.0-or-later +# +# On secure boot enabled systems with "CONFIG_IMA_ARCH_POLICY" configured, +# this test verifies that at least an appended kernel module signature or +# an IMA signature is required. It does not attempt to load a kernel module. + +TEST="KERNEL_MODULE" +. ./common_lib.sh + +trap "{ rm -f $IKCONFIG ; }" EXIT + +# Some of the IMA builtin policies may require the kernel modules to +# be signed, but these policy rules may be replaced with a custom +# policy. Only CONFIG_IMA_APPRAISE_REQUIRE_MODULE_SIGS persists after +# loading a custom policy. Check if it is enabled, before reading the +# IMA runtime sysfs policy file. +# Return 1 for IMA signature required and 0 for not required. +is_ima_sig_required() +{ + local ret=0 + + kconfig_enabled "CONFIG_IMA_APPRAISE_REQUIRE_MODULE_SIGS=y" \ + "IMA kernel module signature required" + if [ $? -eq 1 ]; then + log_info "IMA kernel module signature required" + return 1 + fi + + # The architecture specific or a custom policy may require the + # kernel module to be signed. Policy rules are walked sequentially. + # As a result, a policy rule may be defined, but might not necessarily + # be used. This test assumes if a policy rule is specified, that is + # the intent. + if [ $ima_read_policy -eq 1 ]; then + check_ima_policy "appraise" "func=MODULE_CHECK" \ + "appraise_type=imasig" + ret=$? + [ $ret -eq 1 ] && log_info "IMA signature required"; + fi + return $ret +} + +# loading kernel modules requires root privileges +if [ $(id -ru) -ne 0 ]; then + log_skip "requires root privileges" +fi + +# Are appended signatures required? +if [ -e /sys/module/module/parameters/sig_enforce ]; then + sig_enforce=$(cat /sys/module/module/parameters/sig_enforce) + if [ $sig_enforce = "Y" ]; then + log_pass "appended kernel module signature required" + fi +fi + +get_secureboot_mode +if [ $? -eq 0 ]; then + log_skip "secure boot not enabled" +fi + +# get the kernel config +get_kconfig + +# Determine which kernel config options are enabled +kconfig_enabled "CONFIG_IMA_ARCH_POLICY=y" \ + "architecture specific policy enabled" +arch_policy=$? + +kconfig_enabled "CONFIG_MODULE_SIG=y" \ + "appended kernel modules signature enabled" +appended_sig_enabled=$? + +kconfig_enabled "CONFIG_IMA_READ_POLICY=y" "reading IMA policy permitted" +ima_read_policy=$? + +is_ima_sig_required +ima_sig_required=$? + +if [ $arch_policy -eq 0 ]; then + log_skip "architecture specific policy not enabled" +fi + +if [ $appended_sig_enabled -eq 1 ]; then + log_fail "appended kernel module signature enabled, but not required" +fi + +if [ $ima_sig_required -eq 1 ]; then + log_pass "IMA kernel module signature required" +fi + +if [ $ima_read_policy -eq 1 ]; then + log_fail "IMA kernel module signature not required" +else + log_skip "reading IMA policy not permitted" +fi