From patchwork Mon Mar 11 11:41:07 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mimi Zohar X-Patchwork-Id: 10847371 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id A042E186E for ; Mon, 11 Mar 2019 11:42:34 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 90B352905B for ; Mon, 11 Mar 2019 11:42:34 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 841F02905F; Mon, 11 Mar 2019 11:42:34 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.9 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI, RCVD_IN_DNSWL_HI autolearn=unavailable version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 357522905B for ; Mon, 11 Mar 2019 11:42:34 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727195AbfCKLmd (ORCPT ); Mon, 11 Mar 2019 07:42:33 -0400 Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]:49394 "EHLO mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727410AbfCKLmA (ORCPT ); Mon, 11 Mar 2019 07:42:00 -0400 Received: from pps.filterd (m0098393.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.27/8.16.0.27) with SMTP id x2BBet2I121787 for ; Mon, 11 Mar 2019 07:41:59 -0400 Received: from e06smtp03.uk.ibm.com (e06smtp03.uk.ibm.com [195.75.94.99]) by mx0a-001b2d01.pphosted.com with ESMTP id 2r5mycwj6m-1 (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=NOT) for ; Mon, 11 Mar 2019 07:41:57 -0400 Received: from localhost by e06smtp03.uk.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Mon, 11 Mar 2019 11:41:54 -0000 Received: from b06cxnps4075.portsmouth.uk.ibm.com (9.149.109.197) by e06smtp03.uk.ibm.com (192.168.101.133) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; (version=TLSv1/SSLv3 cipher=AES256-GCM-SHA384 bits=256/256) Mon, 11 Mar 2019 11:41:51 -0000 Received: from d06av25.portsmouth.uk.ibm.com (d06av25.portsmouth.uk.ibm.com [9.149.105.61]) by b06cxnps4075.portsmouth.uk.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id x2BBfo4l35782702 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL); Mon, 11 Mar 2019 11:41:50 GMT Received: from d06av25.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 0D45911C04A; Mon, 11 Mar 2019 11:41:50 +0000 (GMT) Received: from d06av25.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 0DA3C11C054; Mon, 11 Mar 2019 11:41:49 +0000 (GMT) Received: from localhost.ibm.com (unknown [9.80.93.170]) by d06av25.portsmouth.uk.ibm.com (Postfix) with ESMTP; Mon, 11 Mar 2019 11:41:48 +0000 (GMT) From: Mimi Zohar To: linux-integrity@vger.kernel.org Cc: linux-kselftest@vger.kernel.org, kexec@lists.infradead.org, linux-kernel@vger.kernel.org, Petr Vorel , Dave Young , Matthew Garrett , Mimi Zohar Subject: [PATCH v3 1/7] selftests/ima: cleanup the kexec selftest Date: Mon, 11 Mar 2019 07:41:07 -0400 X-Mailer: git-send-email 2.7.5 In-Reply-To: <1552304473-3966-1-git-send-email-zohar@linux.ibm.com> References: <1552304473-3966-1-git-send-email-zohar@linux.ibm.com> X-TM-AS-GCONF: 00 x-cbid: 19031111-0012-0000-0000-000003013BC8 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 19031111-0013-0000-0000-0000213856D0 Message-Id: <1552304473-3966-2-git-send-email-zohar@linux.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:,, definitions=2019-03-11_09:,, signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 malwarescore=0 suspectscore=1 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=858 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1903110088 Sender: linux-kselftest-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kselftest@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP Remove the few bashisms and use the complete option name for clarity. Signed-off-by: Mimi Zohar Reviewed-by: Petr Vorel --- tools/testing/selftests/ima/test_kexec_load.sh | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/tools/testing/selftests/ima/test_kexec_load.sh b/tools/testing/selftests/ima/test_kexec_load.sh index 1c10093fb526..36f3089ac225 100755 --- a/tools/testing/selftests/ima/test_kexec_load.sh +++ b/tools/testing/selftests/ima/test_kexec_load.sh @@ -1,7 +1,7 @@ #!/bin/sh -# SPDX-License-Identifier: GPL-2.0+ +# SPDX-License-Identifier: GPL-2.0 # Loading a kernel image via the kexec_load syscall should fail -# when the kerne is CONFIG_KEXEC_VERIFY_SIG enabled and the system +# when the kernel is CONFIG_KEXEC_VERIFY_SIG enabled and the system # is booted in secureboot mode. TEST="$0" @@ -12,8 +12,8 @@ rc=0 ksft_skip=4 # kexec requires root privileges -if [ $UID != 0 ]; then - echo "$TEST: must be run as root" >&2 +if [ $(id -ru) -ne 0 ]; then + echo "$TEST: requires root privileges" >&2 exit $ksft_skip fi @@ -33,17 +33,17 @@ secureboot=`hexdump $file | awk '{print substr($4,length($4),1)}'` # kexec_load should fail in secure boot mode KERNEL_IMAGE="/boot/vmlinuz-`uname -r`" -kexec -l $KERNEL_IMAGE &>> /dev/null -if [ $? == 0 ]; then - kexec -u - if [ "$secureboot" == "1" ]; then +kexec --load $KERNEL_IMAGE 2>&1 > /dev/null +if [ $? -eq 0 ]; then + kexec --unload + if [ $secureboot -eq 1 ]; then echo "$TEST: kexec_load succeeded [FAIL]" rc=1 else echo "$TEST: kexec_load succeeded [PASS]" fi else - if [ "$secureboot" == "1" ]; then + if [ $secureboot -eq 1 ]; then echo "$TEST: kexec_load failed [PASS]" else echo "$TEST: kexec_load failed [FAIL]" From patchwork Mon Mar 11 11:41:08 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mimi Zohar X-Patchwork-Id: 10847375 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id E11B7186E for ; Mon, 11 Mar 2019 11:42:35 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id CF4C02905A for ; Mon, 11 Mar 2019 11:42:35 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id C33D12905B; Mon, 11 Mar 2019 11:42:35 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.9 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI, RCVD_IN_DNSWL_HI autolearn=unavailable version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 57FC32905D for ; Mon, 11 Mar 2019 11:42:35 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727388AbfCKLme (ORCPT ); Mon, 11 Mar 2019 07:42:34 -0400 Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]:46806 "EHLO mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727239AbfCKLl7 (ORCPT ); Mon, 11 Mar 2019 07:41:59 -0400 Received: from pps.filterd (m0098404.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.27/8.16.0.27) with SMTP id x2BBdjS0049048 for ; Mon, 11 Mar 2019 07:41:58 -0400 Received: from e06smtp07.uk.ibm.com (e06smtp07.uk.ibm.com [195.75.94.103]) by mx0a-001b2d01.pphosted.com with ESMTP id 2r5mn5xcgr-1 (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=NOT) for ; Mon, 11 Mar 2019 07:41:58 -0400 Received: from localhost by e06smtp07.uk.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Mon, 11 Mar 2019 11:41:55 -0000 Received: from b06cxnps3074.portsmouth.uk.ibm.com (9.149.109.194) by e06smtp07.uk.ibm.com (192.168.101.137) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; (version=TLSv1/SSLv3 cipher=AES256-GCM-SHA384 bits=256/256) Mon, 11 Mar 2019 11:41:53 -0000 Received: from d06av25.portsmouth.uk.ibm.com (d06av25.portsmouth.uk.ibm.com [9.149.105.61]) by b06cxnps3074.portsmouth.uk.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id x2BBfqq954395092 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL); Mon, 11 Mar 2019 11:41:52 GMT Received: from d06av25.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 4BB6F11C05C; Mon, 11 Mar 2019 11:41:52 +0000 (GMT) Received: from d06av25.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 4A2A411C04A; Mon, 11 Mar 2019 11:41:51 +0000 (GMT) Received: from localhost.ibm.com (unknown [9.80.93.170]) by d06av25.portsmouth.uk.ibm.com (Postfix) with ESMTP; Mon, 11 Mar 2019 11:41:51 +0000 (GMT) From: Mimi Zohar To: linux-integrity@vger.kernel.org Cc: linux-kselftest@vger.kernel.org, kexec@lists.infradead.org, linux-kernel@vger.kernel.org, Petr Vorel , Dave Young , Matthew Garrett , Mimi Zohar Subject: [PATCH v3 2/7] selftests/ima: define a set of common functions Date: Mon, 11 Mar 2019 07:41:08 -0400 X-Mailer: git-send-email 2.7.5 In-Reply-To: <1552304473-3966-1-git-send-email-zohar@linux.ibm.com> References: <1552304473-3966-1-git-send-email-zohar@linux.ibm.com> X-TM-AS-GCONF: 00 x-cbid: 19031111-0028-0000-0000-00000352A2FE X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 19031111-0029-0000-0000-000024112114 Message-Id: <1552304473-3966-3-git-send-email-zohar@linux.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:,, definitions=2019-03-11_09:,, signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 malwarescore=0 suspectscore=1 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=895 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1903110088 Sender: linux-kselftest-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kselftest@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP Define, update and move get_secureboot_mode() to a common file for use by other tests. Updated to check both the efivar SecureBoot-$(UUID) and SetupMode-$(UUID), based on Dave Young's review. Signed-off-by: Mimi Zohar Reviewed-by: Petr Vorel Cc: Dave Young --- tools/testing/selftests/ima/Makefile | 1 + tools/testing/selftests/ima/ima_common_lib.sh | 36 ++++++++++++++++++++++++++ tools/testing/selftests/ima/test_kexec_load.sh | 17 +++--------- 3 files changed, 40 insertions(+), 14 deletions(-) create mode 100755 tools/testing/selftests/ima/ima_common_lib.sh diff --git a/tools/testing/selftests/ima/Makefile b/tools/testing/selftests/ima/Makefile index 0b3adf5444b6..04501516831b 100644 --- a/tools/testing/selftests/ima/Makefile +++ b/tools/testing/selftests/ima/Makefile @@ -5,6 +5,7 @@ ARCH ?= $(shell echo $(uname_M) | sed -e s/i.86/x86/ -e s/x86_64/x86/) ifeq ($(ARCH),x86) TEST_PROGS := test_kexec_load.sh +TEST_FILES := ima_common_lib.sh include ../lib.mk diff --git a/tools/testing/selftests/ima/ima_common_lib.sh b/tools/testing/selftests/ima/ima_common_lib.sh new file mode 100755 index 000000000000..403666247b10 --- /dev/null +++ b/tools/testing/selftests/ima/ima_common_lib.sh @@ -0,0 +1,36 @@ +#!/bin/sh +# SPDX-License-Identifier: GPL-2.0 + +# Check efivar SecureBoot-$(the UUID) and SetupMode-$(the UUID). +# The secure boot mode can be accessed either as the last integer +# of "od -An -t u1 /sys/firmware/efi/efivars/SecureBoot-*" or from +# "od -An -t u1 /sys/firmware/efi/vars/SecureBoot-*/data". The efi +# SetupMode can be similarly accessed. +# Return 1 for SecureBoot mode enabled and SetupMode mode disabled. +get_secureboot_mode() +{ + local efivarfs="/sys/firmware/efi/efivars" + local secure_boot_file=$efivarfs/../vars/SecureBoot-*/data + local setup_mode_file=$efivarfs/../vars/SetupMode-*/data + local secureboot_mode=0 + local setup_mode=0 + + # Make sure that efivars is mounted in the normal location + if ! grep -q "^\S\+ $efivarfs efivarfs" /proc/mounts; then + log_skip "efivars is not mounted on $efivarfs" + fi + + if [ ! -e $secure_boot_file ] || [ ! -e $setup_mode_file ]; then + log_skip "unknown secureboot/setup mode" + fi + + secureboot_mode=`od -An -t u1 $secure_boot_file` + setup_mode=`od -An -t u1 $setup_mode_file` + + if [ $secureboot_mode -eq 1 ] && [ $setup_mode -eq 0 ]; then + log_info "ima: secure boot mode enabled" + return 1; + fi + log_info "secure boot mode not enabled" + return 0; +} diff --git a/tools/testing/selftests/ima/test_kexec_load.sh b/tools/testing/selftests/ima/test_kexec_load.sh index 36f3089ac225..e84139c1506b 100755 --- a/tools/testing/selftests/ima/test_kexec_load.sh +++ b/tools/testing/selftests/ima/test_kexec_load.sh @@ -5,7 +5,7 @@ # is booted in secureboot mode. TEST="$0" -EFIVARFS="/sys/firmware/efi/efivars" +. ./ima_common_lib.sh rc=0 # Kselftest framework requirement - SKIP code is 4. @@ -17,19 +17,8 @@ if [ $(id -ru) -ne 0 ]; then exit $ksft_skip fi -# Make sure that efivars is mounted in the normal location -if ! grep -q "^\S\+ $EFIVARFS efivarfs" /proc/mounts; then - echo "$TEST: efivars is not mounted on $EFIVARFS" >&2 - exit $ksft_skip -fi - -# Get secureboot mode -file="$EFIVARFS/SecureBoot-*" -if [ ! -e $file ]; then - echo "$TEST: unknown secureboot mode" >&2 - exit $ksft_skip -fi -secureboot=`hexdump $file | awk '{print substr($4,length($4),1)}'` +get_secureboot_mode +secureboot=$? # kexec_load should fail in secure boot mode KERNEL_IMAGE="/boot/vmlinuz-`uname -r`" From patchwork Mon Mar 11 11:41:09 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mimi Zohar X-Patchwork-Id: 10847367 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 7D4BF1850 for ; Mon, 11 Mar 2019 11:42:32 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 6C6162905C for ; Mon, 11 Mar 2019 11:42:32 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 5E13E2905B; Mon, 11 Mar 2019 11:42:32 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.9 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI, RCVD_IN_DNSWL_HI autolearn=unavailable version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 006CD2905B for ; Mon, 11 Mar 2019 11:42:31 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727447AbfCKLmB (ORCPT ); Mon, 11 Mar 2019 07:42:01 -0400 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:37858 "EHLO mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1727430AbfCKLmB (ORCPT ); Mon, 11 Mar 2019 07:42:01 -0400 Received: from pps.filterd (m0098416.ppops.net [127.0.0.1]) by mx0b-001b2d01.pphosted.com (8.16.0.27/8.16.0.27) with SMTP id x2BBeQVZ090009 for ; Mon, 11 Mar 2019 07:41:59 -0400 Received: from e06smtp07.uk.ibm.com (e06smtp07.uk.ibm.com [195.75.94.103]) by mx0b-001b2d01.pphosted.com with ESMTP id 2r5np73hp6-1 (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=NOT) for ; Mon, 11 Mar 2019 07:41:59 -0400 Received: from localhost by e06smtp07.uk.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Mon, 11 Mar 2019 11:41:57 -0000 Received: from b06cxnps4074.portsmouth.uk.ibm.com (9.149.109.196) by e06smtp07.uk.ibm.com (192.168.101.137) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; (version=TLSv1/SSLv3 cipher=AES256-GCM-SHA384 bits=256/256) Mon, 11 Mar 2019 11:41:55 -0000 Received: from d06av25.portsmouth.uk.ibm.com (d06av25.portsmouth.uk.ibm.com [9.149.105.61]) by b06cxnps4074.portsmouth.uk.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id x2BBfs2m27394224 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL); Mon, 11 Mar 2019 11:41:54 GMT Received: from d06av25.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 71DB011C05B; Mon, 11 Mar 2019 11:41:54 +0000 (GMT) Received: from d06av25.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 7A4C911C054; Mon, 11 Mar 2019 11:41:53 +0000 (GMT) Received: from localhost.ibm.com (unknown [9.80.93.170]) by d06av25.portsmouth.uk.ibm.com (Postfix) with ESMTP; Mon, 11 Mar 2019 11:41:53 +0000 (GMT) From: Mimi Zohar To: linux-integrity@vger.kernel.org Cc: linux-kselftest@vger.kernel.org, kexec@lists.infradead.org, linux-kernel@vger.kernel.org, Petr Vorel , Dave Young , Matthew Garrett , Mimi Zohar Subject: [PATCH v3 3/7] selftests/ima: define common logging functions Date: Mon, 11 Mar 2019 07:41:09 -0400 X-Mailer: git-send-email 2.7.5 In-Reply-To: <1552304473-3966-1-git-send-email-zohar@linux.ibm.com> References: <1552304473-3966-1-git-send-email-zohar@linux.ibm.com> X-TM-AS-GCONF: 00 x-cbid: 19031111-0028-0000-0000-00000352A2FF X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 19031111-0029-0000-0000-000024112116 Message-Id: <1552304473-3966-4-git-send-email-zohar@linux.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:,, definitions=2019-03-11_09:,, signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 malwarescore=0 suspectscore=1 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=478 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1903110088 Sender: linux-kselftest-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kselftest@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP Define log_info, log_pass, log_fail, and log_skip functions. Suggested-by: Petr Vorel Signed-off-by: Mimi Zohar Reviewed-by: Petr Vorel --- tools/testing/selftests/ima/ima_common_lib.sh | 31 ++++++++++++++++++++++++++ tools/testing/selftests/ima/test_kexec_load.sh | 19 +++++----------- 2 files changed, 36 insertions(+), 14 deletions(-) diff --git a/tools/testing/selftests/ima/ima_common_lib.sh b/tools/testing/selftests/ima/ima_common_lib.sh index 403666247b10..59482914ac19 100755 --- a/tools/testing/selftests/ima/ima_common_lib.sh +++ b/tools/testing/selftests/ima/ima_common_lib.sh @@ -1,5 +1,36 @@ #!/bin/sh # SPDX-License-Identifier: GPL-2.0 +# +# Kselftest framework defines: ksft_pass=0, ksft_fail=1, ksft_skip=4 + +VERBOSE="${VERBOSE:-1}" + +log_info() +{ + [ $VERBOSE -ne 0 ] && echo "[INFO] $1" +} + +# The ksefltest framework requirement returns 0 for PASS. +log_pass() +{ + + [ $VERBOSE -ne 0 ] && echo "$1 [PASS]" + exit 0 +} + +# The ksefltest framework requirement returns 1 for FAIL. +log_fail() +{ + [ $VERBOSE -ne 0 ] && echo "$1 [FAIL]" + exit 1 +} + +# The ksefltest framework requirement returns 4 for SKIP. +log_skip() +{ + [ $VERBOSE -ne 0 ] && echo "$1" + exit 4 +} # Check efivar SecureBoot-$(the UUID) and SetupMode-$(the UUID). # The secure boot mode can be accessed either as the last integer diff --git a/tools/testing/selftests/ima/test_kexec_load.sh b/tools/testing/selftests/ima/test_kexec_load.sh index e84139c1506b..99ab87b6c681 100755 --- a/tools/testing/selftests/ima/test_kexec_load.sh +++ b/tools/testing/selftests/ima/test_kexec_load.sh @@ -6,15 +6,10 @@ TEST="$0" . ./ima_common_lib.sh -rc=0 - -# Kselftest framework requirement - SKIP code is 4. -ksft_skip=4 # kexec requires root privileges if [ $(id -ru) -ne 0 ]; then - echo "$TEST: requires root privileges" >&2 - exit $ksft_skip + log_skip "requires root privileges" fi get_secureboot_mode @@ -26,18 +21,14 @@ kexec --load $KERNEL_IMAGE 2>&1 > /dev/null if [ $? -eq 0 ]; then kexec --unload if [ $secureboot -eq 1 ]; then - echo "$TEST: kexec_load succeeded [FAIL]" - rc=1 + log_fail "kexec_load succeeded" else - echo "$TEST: kexec_load succeeded [PASS]" + log_pass "kexec_load succeeded" fi else if [ $secureboot -eq 1 ]; then - echo "$TEST: kexec_load failed [PASS]" + log_pass "kexec_load failed" else - echo "$TEST: kexec_load failed [FAIL]" - rc=1 + log_fail "kexec_load failed" fi fi - -exit $rc From patchwork Mon Mar 11 11:41:10 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mimi Zohar X-Patchwork-Id: 10847363 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 370621850 for ; Mon, 11 Mar 2019 11:42:28 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 261712905A for ; Mon, 11 Mar 2019 11:42:28 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 1A1CE2905C; Mon, 11 Mar 2019 11:42:28 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.9 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI, RCVD_IN_DNSWL_HI autolearn=unavailable version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id C4A482905A for ; Mon, 11 Mar 2019 11:42:27 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727189AbfCKLm1 (ORCPT ); Mon, 11 Mar 2019 07:42:27 -0400 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:45466 "EHLO mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1727460AbfCKLmE (ORCPT ); Mon, 11 Mar 2019 07:42:04 -0400 Received: from pps.filterd (m0098420.ppops.net [127.0.0.1]) by mx0b-001b2d01.pphosted.com (8.16.0.27/8.16.0.27) with SMTP id x2BBdhnB041678 for ; Mon, 11 Mar 2019 07:42:02 -0400 Received: from e06smtp04.uk.ibm.com (e06smtp04.uk.ibm.com [195.75.94.100]) by mx0b-001b2d01.pphosted.com with ESMTP id 2r5pneguek-1 (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=NOT) for ; Mon, 11 Mar 2019 07:42:02 -0400 Received: from localhost by e06smtp04.uk.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Mon, 11 Mar 2019 11:42:00 -0000 Received: from b06cxnps3074.portsmouth.uk.ibm.com (9.149.109.194) by e06smtp04.uk.ibm.com (192.168.101.134) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; (version=TLSv1/SSLv3 cipher=AES256-GCM-SHA384 bits=256/256) Mon, 11 Mar 2019 11:41:58 -0000 Received: from d06av25.portsmouth.uk.ibm.com (d06av25.portsmouth.uk.ibm.com [9.149.105.61]) by b06cxnps3074.portsmouth.uk.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id x2BBfvt256098834 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL); Mon, 11 Mar 2019 11:41:57 GMT Received: from d06av25.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 06F6611C05B; Mon, 11 Mar 2019 11:41:57 +0000 (GMT) Received: from d06av25.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id C7D3E11C04A; Mon, 11 Mar 2019 11:41:55 +0000 (GMT) Received: from localhost.ibm.com (unknown [9.80.93.170]) by d06av25.portsmouth.uk.ibm.com (Postfix) with ESMTP; Mon, 11 Mar 2019 11:41:55 +0000 (GMT) From: Mimi Zohar To: linux-integrity@vger.kernel.org Cc: linux-kselftest@vger.kernel.org, kexec@lists.infradead.org, linux-kernel@vger.kernel.org, Petr Vorel , Dave Young , Matthew Garrett , Mimi Zohar Subject: [PATCH v3 4/7] kselftest/ima: define "require_root_privileges" Date: Mon, 11 Mar 2019 07:41:10 -0400 X-Mailer: git-send-email 2.7.5 In-Reply-To: <1552304473-3966-1-git-send-email-zohar@linux.ibm.com> References: <1552304473-3966-1-git-send-email-zohar@linux.ibm.com> X-TM-AS-GCONF: 00 x-cbid: 19031111-0016-0000-0000-0000026081E5 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 19031111-0017-0000-0000-000032BB1FAE Message-Id: <1552304473-3966-5-git-send-email-zohar@linux.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:,, definitions=2019-03-11_09:,, signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 malwarescore=0 suspectscore=1 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=701 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1903110088 Sender: linux-kselftest-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kselftest@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP Many tests require root privileges. Define a common function. Suggested-by: Petr Vorel Signed-off-by: Mimi Zohar --- tools/testing/selftests/ima/ima_common_lib.sh | 7 +++++++ tools/testing/selftests/ima/test_kexec_load.sh | 4 +--- 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/tools/testing/selftests/ima/ima_common_lib.sh b/tools/testing/selftests/ima/ima_common_lib.sh index 59482914ac19..8ab7fcc0b221 100755 --- a/tools/testing/selftests/ima/ima_common_lib.sh +++ b/tools/testing/selftests/ima/ima_common_lib.sh @@ -65,3 +65,10 @@ get_secureboot_mode() log_info "secure boot mode not enabled" return 0; } + +require_root_privileges() +{ + if [ $(id -ru) -ne 0 ]; then + log_skip "requires root privileges" + fi +} diff --git a/tools/testing/selftests/ima/test_kexec_load.sh b/tools/testing/selftests/ima/test_kexec_load.sh index 99ab87b6c681..b2ecd196b382 100755 --- a/tools/testing/selftests/ima/test_kexec_load.sh +++ b/tools/testing/selftests/ima/test_kexec_load.sh @@ -8,9 +8,7 @@ TEST="$0" . ./ima_common_lib.sh # kexec requires root privileges -if [ $(id -ru) -ne 0 ]; then - log_skip "requires root privileges" -fi +require_root_privileges get_secureboot_mode secureboot=$? From patchwork Mon Mar 11 11:41:11 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mimi Zohar X-Patchwork-Id: 10847357 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id F01941515 for ; Mon, 11 Mar 2019 11:42:19 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id DB0252905A for ; Mon, 11 Mar 2019 11:42:19 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id CF5F52905C; Mon, 11 Mar 2019 11:42:19 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.9 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI, RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id E6DCD2905A for ; Mon, 11 Mar 2019 11:42:18 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727504AbfCKLmJ (ORCPT ); Mon, 11 Mar 2019 07:42:09 -0400 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:33912 "EHLO mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1727486AbfCKLmH (ORCPT ); Mon, 11 Mar 2019 07:42:07 -0400 Received: from pps.filterd (m0098419.ppops.net [127.0.0.1]) by mx0b-001b2d01.pphosted.com (8.16.0.27/8.16.0.27) with SMTP id x2BBdpxj089789 for ; Mon, 11 Mar 2019 07:42:06 -0400 Received: from e06smtp07.uk.ibm.com (e06smtp07.uk.ibm.com [195.75.94.103]) by mx0b-001b2d01.pphosted.com with ESMTP id 2r5mt3p8pq-1 (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=NOT) for ; Mon, 11 Mar 2019 07:42:06 -0400 Received: from localhost by e06smtp07.uk.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Mon, 11 Mar 2019 11:42:04 -0000 Received: from b06cxnps4074.portsmouth.uk.ibm.com (9.149.109.196) by e06smtp07.uk.ibm.com (192.168.101.137) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; (version=TLSv1/SSLv3 cipher=AES256-GCM-SHA384 bits=256/256) Mon, 11 Mar 2019 11:42:00 -0000 Received: from d06av25.portsmouth.uk.ibm.com (d06av25.portsmouth.uk.ibm.com [9.149.105.61]) by b06cxnps4074.portsmouth.uk.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id x2BBfx8s29360370 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL); Mon, 11 Mar 2019 11:41:59 GMT Received: from d06av25.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 4302E11C05B; Mon, 11 Mar 2019 11:41:59 +0000 (GMT) Received: from d06av25.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 432CC11C058; Mon, 11 Mar 2019 11:41:58 +0000 (GMT) Received: from localhost.ibm.com (unknown [9.80.93.170]) by d06av25.portsmouth.uk.ibm.com (Postfix) with ESMTP; Mon, 11 Mar 2019 11:41:58 +0000 (GMT) From: Mimi Zohar To: linux-integrity@vger.kernel.org Cc: linux-kselftest@vger.kernel.org, kexec@lists.infradead.org, linux-kernel@vger.kernel.org, Petr Vorel , Dave Young , Matthew Garrett , Mimi Zohar Subject: [PATCH v3 5/7] selftests/ima: kexec_file_load syscall test Date: Mon, 11 Mar 2019 07:41:11 -0400 X-Mailer: git-send-email 2.7.5 In-Reply-To: <1552304473-3966-1-git-send-email-zohar@linux.ibm.com> References: <1552304473-3966-1-git-send-email-zohar@linux.ibm.com> X-TM-AS-GCONF: 00 x-cbid: 19031111-0028-0000-0000-00000352A300 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 19031111-0029-0000-0000-000024112117 Message-Id: <1552304473-3966-6-git-send-email-zohar@linux.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:,, definitions=2019-03-11_09:,, signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 malwarescore=0 suspectscore=1 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1903110088 Sender: linux-kselftest-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kselftest@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP The kernel can be configured to verify PE signed kernel images, IMA kernel image signatures, both types of signatures, or none. This test verifies only properly signed kernel images are loaded into memory, based on the kernel configuration and runtime policies. Signed-off-by: Mimi Zohar Reviewed-by: Petr Vorel --- tools/testing/selftests/ima/Makefile | 2 +- tools/testing/selftests/ima/ima_common_lib.sh | 99 +++++++++++ .../testing/selftests/ima/test_kexec_file_load.sh | 190 +++++++++++++++++++++ tools/testing/selftests/ima/test_kexec_load.sh | 1 - 4 files changed, 290 insertions(+), 2 deletions(-) create mode 100755 tools/testing/selftests/ima/test_kexec_file_load.sh diff --git a/tools/testing/selftests/ima/Makefile b/tools/testing/selftests/ima/Makefile index 04501516831b..00270de0b637 100644 --- a/tools/testing/selftests/ima/Makefile +++ b/tools/testing/selftests/ima/Makefile @@ -4,7 +4,7 @@ uname_M := $(shell uname -m 2>/dev/null || echo not) ARCH ?= $(shell echo $(uname_M) | sed -e s/i.86/x86/ -e s/x86_64/x86/) ifeq ($(ARCH),x86) -TEST_PROGS := test_kexec_load.sh +TEST_PROGS := test_kexec_load.sh test_kexec_file_load.sh TEST_FILES := ima_common_lib.sh include ../lib.mk diff --git a/tools/testing/selftests/ima/ima_common_lib.sh b/tools/testing/selftests/ima/ima_common_lib.sh index 8ab7fcc0b221..d5ed28f9170c 100755 --- a/tools/testing/selftests/ima/ima_common_lib.sh +++ b/tools/testing/selftests/ima/ima_common_lib.sh @@ -4,6 +4,9 @@ # Kselftest framework defines: ksft_pass=0, ksft_fail=1, ksft_skip=4 VERBOSE="${VERBOSE:-1}" +IKCONFIG="/tmp/config-`uname -r`" +KERNEL_IMAGE="/boot/vmlinuz-`uname -r`" +SECURITYFS=$(grep "securityfs" /proc/mounts | awk '{print $2}') log_info() { @@ -72,3 +75,99 @@ require_root_privileges() log_skip "requires root privileges" fi } + +# Look for config option in Kconfig file. +# Return 1 for found and 0 for not found. +kconfig_enabled() +{ + local config="$1" + local msg="$2" + + grep -E -q $config $IKCONFIG + if [ $? -eq 0 ]; then + log_info "$msg" + return 1 + fi + return 0 +} + +# Attempt to get the kernel config first via proc, and then by +# extracting it from the kernel image or the configs.ko using +# scripts/extract-ikconfig. +# Return 1 for found. +get_kconfig() +{ + local proc_config="/proc/config.gz" + local module_dir="/lib/modules/`uname -r`" + local configs_module="$module_dir/kernel/kernel/configs.ko" + + if [ ! -f $proc_config ]; then + modprobe configs > /dev/null 2>&1 + fi + if [ -f $proc_config ]; then + cat $proc_config | gunzip > $IKCONFIG 2>/dev/null + if [ $? -eq 0 ]; then + return 1 + fi + fi + + local extract_ikconfig="$module_dir/source/scripts/extract-ikconfig" + if [ ! -f $extract_ikconfig ]; then + log_skip "extract-ikconfig not found" + fi + + $extract_ikconfig $KERNEL_IMAGE > $IKCONFIG 2>/dev/null + if [ $? -eq 1 ]; then + if [ ! -f $configs_module ]; then + log_skip "CONFIG_IKCONFIG not enabled" + fi + $extract_ikconfig $configs_module > $IKCONFIG + if [ $? -eq 1 ]; then + log_skip "CONFIG_IKCONFIG not enabled" + fi + fi + return 1 +} + +# Make sure that securityfs is mounted +mount_securityfs() +{ + if [ -z $SECURITYFS ]; then + SECURITYFS=/sys/kernel/security + mount -t securityfs security $SECURITYFS + fi + + if [ ! -d "$SECURITYFS" ]; then + log_fail "$SECURITYFS :securityfs is not mounted" + fi +} + +# The policy rule format is an "action" followed by key-value pairs. This +# function supports up to two key-value pairs, in any order. +# For example: action func= [appraise_type=] +# Return 1 for found and 0 for not found. +check_ima_policy() +{ + local action="$1" + local keypair1="$2" + local keypair2="$3" + local ret=0 + + mount_securityfs + + local ima_policy=$SECURITYFS/ima/policy + if [ ! -e $ima_policy ]; then + log_fail "$ima_policy not found" + fi + + if [ -n $keypair2 ]; then + grep -e "^$action.*$keypair1" "$ima_policy" | \ + grep -q -e "$keypair2" + else + grep -q -e "^$action.*$keypair1" "$ima_policy" + fi + + # invert "grep -q" result, returning 1 for found. + [ $? -eq 0 ] && ret=1 + return $ret +} diff --git a/tools/testing/selftests/ima/test_kexec_file_load.sh b/tools/testing/selftests/ima/test_kexec_file_load.sh new file mode 100755 index 000000000000..dbccfb109c68 --- /dev/null +++ b/tools/testing/selftests/ima/test_kexec_file_load.sh @@ -0,0 +1,190 @@ +#!/bin/sh +# SPDX-License-Identifier: GPL-2.0 +# +# Loading a kernel image via the kexec_file_load syscall can verify either +# the IMA signature stored in the security.ima xattr or the PE signature, +# both signatures depending on the IMA policy, or none. +# +# To determine whether the kernel image is signed, this test depends +# on pesign and getfattr. This test also requires the kernel to be +# built with CONFIG_IKCONFIG enabled and either CONFIG_IKCONFIG_PROC +# enabled or access to the extract-ikconfig script. + +TEST="KEXEC_FILE_LOAD" +. ./ima_common_lib.sh + +trap "{ rm -f $IKCONFIG ; }" EXIT + +# Some of the IMA builtin policies may require the kexec kernel image to +# be signed, but these policy rules may be replaced with a custom +# policy. Only CONFIG_IMA_APPRAISE_REQUIRE_KEXEC_SIGS persists after +# loading a custom policy. Check if it is enabled, before reading the +# IMA runtime sysfs policy file. +# Return 1 for IMA signature required and 0 for not required. +is_ima_sig_required() +{ + local ret=0 + + kconfig_enabled "CONFIG_IMA_APPRAISE_REQUIRE_KEXEC_SIGS=y" \ + "IMA kernel image signature required" + if [ $? -eq 1 ]; then + log_info "IMA signature required" + return 1 + fi + + # The architecture specific or a custom policy may require the + # kexec kernel image be signed. Policy rules are walked + # sequentially. As a result, a policy rule may be defined, but + # might not necessarily be used. This test assumes if a policy + # rule is specified, that is the intent. + if [ $ima_read_policy -eq 1 ]; then + check_ima_policy "appraise" "func=KEXEC_KERNEL_CHECK" \ + "appraise_type=imasig" + ret=$? + [ $ret -eq 1 ] && log_info "IMA signature required"; + fi + return $ret +} + +# The kexec_file_load_test() is complicated enough, require pesign. +# Return 1 for PE signature found and 0 for not found. +check_for_pesig() +{ + which pesign > /dev/null 2>&1 || log_skip "pesign not found" + + pesign -i $KERNEL_IMAGE --show-signature | grep -q "No signatures" + local ret=$? + if [ $ret -eq 1 ]; then + log_info "kexec kernel image PE signed" + else + log_info "kexec kernel image not PE signed" + fi + return $ret +} + +# The kexec_file_load_test() is complicated enough, require getfattr. +# Return 1 for IMA signature found and 0 for not found. +check_for_imasig() +{ + local ret=0 + + which getfattr > /dev/null 2>&1 + if [ $? -eq 1 ]; then + log_skip "getfattr not found" + fi + + line=$(getfattr -n security.ima -e hex --absolute-names $KERNEL_IMAGE 2>&1) + echo $line | grep -q "security.ima=0x03" + if [ $? -eq 0 ]; then + ret=1 + log_info "kexec kernel image IMA signed" + else + log_info "kexec kernel image not IMA signed" + fi + return $ret +} + +kexec_file_load_test() +{ + local succeed_msg="kexec_file_load succeeded" + local failed_msg="kexec_file_load failed" + local key_msg="try enabling the CONFIG_INTEGRITY_PLATFORM_KEYRING" + + line=$(kexec --load --kexec-file-syscall $KERNEL_IMAGE 2>&1) + + if [ $? -eq 0 ]; then + kexec --unload --kexec-file-syscall + + # In secureboot mode with an architecture specific + # policy, make sure either an IMA or PE signature exists. + if [ $secureboot -eq 1 ] && [ $arch_policy -eq 1 ] && \ + [ $ima_signed -eq 0 ] && [ $pe_signed -eq 0 ]; then + log_fail "$succeed_msg (missing sig)" + fi + + if [ $pe_sig_required -eq 1 ] && [ $pe_signed -eq 0 ]; then + log_fail "$succeed_msg (missing PE sig)" + fi + + if [ $ima_sig_required -eq 1 ] && [ $ima_signed -eq 0 ]; then + log_fail "$succeed_msg (missing IMA sig)" + fi + + if [ $pe_sig_required -eq 0 ] && [ $ima_sig_required -eq 0 ] \ + && [ $ima_read_policy -eq 0 ] && [ $ima_signed -eq 0 ]; then + log_fail "$succeed_msg (possibly missing IMA sig)" + fi + + log_pass "$succeed_msg" + fi + + # Check the reason for the kexec_file_load failure + echo $line | grep -q "Required key not available" + if [ $? -eq 0 ]; then + if [ $platform_keyring -eq 0 ]; then + log_pass "$failed_msg (-ENOKEY), $key_msg" + else + log_pass "$failed_msg (-ENOKEY)" + fi + fi + + if [ $pe_sig_required -eq 1 ] && [ $pe_signed -eq 0 ]; then + log_pass "$failed_msg (missing PE sig)" + fi + + if [ $ima_sig_required -eq 1 ] && [ $ima_signed -eq 0 ]; then + log_pass "$failed_msg (missing IMA sig)" + fi + + if [ $pe_sig_required -eq 0 ] && [ $ima_sig_required -eq 0 ] \ + && [ $ima_read_policy -eq 0 ] && [ $ima_signed -eq 0 ]; then + log_pass "$failed_msg (possibly missing IMA sig)" + fi + + log_pass "$failed_msg" + return 0 +} + +# kexec requires root privileges +require_root_privileges + +# get the kernel config +get_kconfig + +# Determine which kernel config options are enabled +kconfig_enabled "CONFIG_IMA_ARCH_POLICY=y" \ + "architecture specific policy enabled" +arch_policy=$? + +kconfig_enabled "CONFIG_INTEGRITY_PLATFORM_KEYRING=y" \ + "platform keyring enabled" +platform_keyring=$? + +kconfig_enabled "CONFIG_IMA_READ_POLICY=y" "reading IMA policy permitted" +ima_read_policy=$? + +kconfig_enabled "CONFIG_KEXEC_BZIMAGE_VERIFY_SIG=y" \ + "PE signed kernel image required" +pe_sig_required=$? + +is_ima_sig_required +ima_sig_required=$? + +get_secureboot_mode +secureboot=$? + +if [ $secureboot -eq 0 ] && [ $arch_policy -eq 0 ] && \ + [ $pe_sig_required -eq 0 ] && [ $ima_sig_required -eq 0 ] && \ + [ $ima_read_policy -eq 1 ]; then + log_skip "No signature verification required" +fi + +# Are there pe and ima signatures +check_for_pesig +pe_signed=$? + +check_for_imasig +ima_signed=$? + +# Test loading the kernel image via kexec_file_load syscall +kexec_file_load_test diff --git a/tools/testing/selftests/ima/test_kexec_load.sh b/tools/testing/selftests/ima/test_kexec_load.sh index b2ecd196b382..c6f7e0957c58 100755 --- a/tools/testing/selftests/ima/test_kexec_load.sh +++ b/tools/testing/selftests/ima/test_kexec_load.sh @@ -14,7 +14,6 @@ get_secureboot_mode secureboot=$? # kexec_load should fail in secure boot mode -KERNEL_IMAGE="/boot/vmlinuz-`uname -r`" kexec --load $KERNEL_IMAGE 2>&1 > /dev/null if [ $? -eq 0 ]; then kexec --unload From patchwork Mon Mar 11 11:41:12 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mimi Zohar X-Patchwork-Id: 10847355 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 36FC71850 for ; Mon, 11 Mar 2019 11:42:18 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 2633B2905A for ; Mon, 11 Mar 2019 11:42:18 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 1A4282905C; Mon, 11 Mar 2019 11:42:18 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.9 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI, RCVD_IN_DNSWL_HI autolearn=unavailable version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 6C7CC2905A for ; Mon, 11 Mar 2019 11:42:17 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727519AbfCKLmN (ORCPT ); Mon, 11 Mar 2019 07:42:13 -0400 Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]:54828 "EHLO mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727486AbfCKLmK (ORCPT ); Mon, 11 Mar 2019 07:42:10 -0400 Received: from pps.filterd (m0098399.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.27/8.16.0.27) with SMTP id x2BBf1Gh007183 for ; Mon, 11 Mar 2019 07:42:09 -0400 Received: from e06smtp05.uk.ibm.com (e06smtp05.uk.ibm.com [195.75.94.101]) by mx0a-001b2d01.pphosted.com with ESMTP id 2r5ngcm27w-1 (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=NOT) for ; Mon, 11 Mar 2019 07:42:08 -0400 Received: from localhost by e06smtp05.uk.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Mon, 11 Mar 2019 11:42:05 -0000 Received: from b06cxnps4076.portsmouth.uk.ibm.com (9.149.109.198) by e06smtp05.uk.ibm.com (192.168.101.135) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; (version=TLSv1/SSLv3 cipher=AES256-GCM-SHA384 bits=256/256) Mon, 11 Mar 2019 11:42:02 -0000 Received: from d06av25.portsmouth.uk.ibm.com (d06av25.portsmouth.uk.ibm.com [9.149.105.61]) by b06cxnps4076.portsmouth.uk.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id x2BBg1MT25624802 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL); Mon, 11 Mar 2019 11:42:01 GMT Received: from d06av25.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 9219A11C05B; Mon, 11 Mar 2019 11:42:01 +0000 (GMT) Received: from d06av25.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 80B5F11C04A; Mon, 11 Mar 2019 11:42:00 +0000 (GMT) Received: from localhost.ibm.com (unknown [9.80.93.170]) by d06av25.portsmouth.uk.ibm.com (Postfix) with ESMTP; Mon, 11 Mar 2019 11:42:00 +0000 (GMT) From: Mimi Zohar To: linux-integrity@vger.kernel.org Cc: linux-kselftest@vger.kernel.org, kexec@lists.infradead.org, linux-kernel@vger.kernel.org, Petr Vorel , Dave Young , Matthew Garrett , Mimi Zohar Subject: [PATCH v3 6/7] selftests/ima: loading kernel modules Date: Mon, 11 Mar 2019 07:41:12 -0400 X-Mailer: git-send-email 2.7.5 In-Reply-To: <1552304473-3966-1-git-send-email-zohar@linux.ibm.com> References: <1552304473-3966-1-git-send-email-zohar@linux.ibm.com> X-TM-AS-GCONF: 00 x-cbid: 19031111-0020-0000-0000-00000321374B X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 19031111-0021-0000-0000-000021735B04 Message-Id: <1552304473-3966-7-git-send-email-zohar@linux.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:,, definitions=2019-03-11_09:,, signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 malwarescore=0 suspectscore=1 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1903110088 Sender: linux-kselftest-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kselftest@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP While the appended kernel module signature can be verified, when loading a kernel module via either the init_module or the finit_module syscall, verifying the IMA signature requires access to the file descriptor, which is only available via the finit_module syscall. As "modprobe" does not provide a flag allowing the syscall - init_module or finit_module - to be specified, this patch does not load a kernel module. This test simply verifies that on secure boot enabled systems with "CONFIG_IMA_ARCH_POLICY" configured, that at least an appended kernel module signature or an IMA signature is required based on the Kconfig and the runtime IMA policy. Signed-off-by: Mimi Zohar Reviewed-by: Petr Vorel --- tools/testing/selftests/ima/Makefile | 2 +- tools/testing/selftests/ima/test_kernel_module.sh | 93 +++++++++++++++++++++++ 2 files changed, 94 insertions(+), 1 deletion(-) create mode 100755 tools/testing/selftests/ima/test_kernel_module.sh diff --git a/tools/testing/selftests/ima/Makefile b/tools/testing/selftests/ima/Makefile index 00270de0b637..e1c59c510e1b 100644 --- a/tools/testing/selftests/ima/Makefile +++ b/tools/testing/selftests/ima/Makefile @@ -4,7 +4,7 @@ uname_M := $(shell uname -m 2>/dev/null || echo not) ARCH ?= $(shell echo $(uname_M) | sed -e s/i.86/x86/ -e s/x86_64/x86/) ifeq ($(ARCH),x86) -TEST_PROGS := test_kexec_load.sh test_kexec_file_load.sh +TEST_PROGS := test_kexec_load.sh test_kexec_file_load.sh test_kernel_module.sh TEST_FILES := ima_common_lib.sh include ../lib.mk diff --git a/tools/testing/selftests/ima/test_kernel_module.sh b/tools/testing/selftests/ima/test_kernel_module.sh new file mode 100755 index 000000000000..319c601b9697 --- /dev/null +++ b/tools/testing/selftests/ima/test_kernel_module.sh @@ -0,0 +1,93 @@ +#!/bin/sh +# SPDX-License-Identifier: GPL-2.0 +# +# On secure boot enabled systems with "CONFIG_IMA_ARCH_POLICY" configured, +# this test verifies that at least an appended kernel module signature or +# an IMA signature is required. It does not attempt to load a kernel module. + +TEST="KERNEL_MODULE" +. ./ima_common_lib.sh + +trap "{ rm -f $IKCONFIG ; }" EXIT + +# Some of the IMA builtin policies may require the kernel modules to +# be signed, but these policy rules may be replaced with a custom +# policy. Only CONFIG_IMA_APPRAISE_REQUIRE_MODULE_SIGS persists after +# loading a custom policy. Check if it is enabled, before reading the +# IMA runtime sysfs policy file. +# Return 1 for IMA signature required and 0 for not required. +is_ima_sig_required() +{ + local ret=0 + + kconfig_enabled "CONFIG_IMA_APPRAISE_REQUIRE_MODULE_SIGS=y" \ + "IMA kernel module signature required" + if [ $? -eq 1 ]; then + return 1 + fi + + # The architecture specific or a custom policy may require the + # kernel module to be signed. Policy rules are walked sequentially. + # As a result, a policy rule may be defined, but might not necessarily + # be used. This test assumes if a policy rule is specified, that is + # the intent. + if [ $ima_read_policy -eq 1 ]; then + check_ima_policy "appraise" "func=MODULE_CHECK" \ + "appraise_type=imasig" + ret=$? + [ $ret -eq 1 ] && log_info "IMA signature required"; + fi + return $ret +} + +# loading kernel modules requires root privileges +require_root_privileges + +# Are appended signatures required? +if [ -e /sys/module/module/parameters/sig_enforce ]; then + sig_enforce=$(cat /sys/module/module/parameters/sig_enforce) + if [ $sig_enforce = "Y" ]; then + log_pass "appended kernel module signature required" + fi +fi + +get_secureboot_mode +if [ $? -eq 0 ]; then + log_skip "secure boot not enabled" +fi + +# get the kernel config +get_kconfig + +# Determine which kernel config options are enabled +kconfig_enabled "CONFIG_IMA_ARCH_POLICY=y" \ + "architecture specific policy enabled" +arch_policy=$? + +kconfig_enabled "CONFIG_MODULE_SIG=y" \ + "appended kernel modules signature enabled" +appended_sig_enabled=$? + +kconfig_enabled "CONFIG_IMA_READ_POLICY=y" "reading IMA policy permitted" +ima_read_policy=$? + +is_ima_sig_required +ima_sig_required=$? + +if [ $arch_policy -eq 0 ]; then + log_skip "architecture specific policy not enabled" +fi + +if [ $appended_sig_enabled -eq 1 ]; then + log_fail "appended kernel module signature enabled, but not required" +fi + +if [ $ima_sig_required -eq 1 ]; then + log_pass "IMA kernel module signature required" +fi + +if [ $ima_read_policy -eq 1 ]; then + log_fail "IMA kernel module signature not required" +else + log_skip "reading IMA policy not permitted" +fi From patchwork Mon Mar 11 11:41:13 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mimi Zohar X-Patchwork-Id: 10847353 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 8BD0C1850 for ; Mon, 11 Mar 2019 11:42:16 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 7B5FE2905A for ; Mon, 11 Mar 2019 11:42:16 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 6F7ED2905C; Mon, 11 Mar 2019 11:42:16 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.9 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI, RCVD_IN_DNSWL_HI autolearn=unavailable version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 2660B2905A for ; Mon, 11 Mar 2019 11:42:16 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727527AbfCKLmN (ORCPT ); Mon, 11 Mar 2019 07:42:13 -0400 Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]:54154 "EHLO mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727415AbfCKLmN (ORCPT ); Mon, 11 Mar 2019 07:42:13 -0400 Received: from pps.filterd (m0098393.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.27/8.16.0.27) with SMTP id x2BBevkF121926 for ; Mon, 11 Mar 2019 07:42:12 -0400 Received: from e06smtp01.uk.ibm.com (e06smtp01.uk.ibm.com [195.75.94.97]) by mx0a-001b2d01.pphosted.com with ESMTP id 2r5mycwjpj-1 (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=NOT) for ; Mon, 11 Mar 2019 07:42:11 -0400 Received: from localhost by e06smtp01.uk.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Mon, 11 Mar 2019 11:42:08 -0000 Received: from b06cxnps4074.portsmouth.uk.ibm.com (9.149.109.196) by e06smtp01.uk.ibm.com (192.168.101.131) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; (version=TLSv1/SSLv3 cipher=AES256-GCM-SHA384 bits=256/256) Mon, 11 Mar 2019 11:42:05 -0000 Received: from d06av25.portsmouth.uk.ibm.com (d06av25.portsmouth.uk.ibm.com [9.149.105.61]) by b06cxnps4074.portsmouth.uk.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id x2BBg4l237748824 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL); Mon, 11 Mar 2019 11:42:04 GMT Received: from d06av25.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 1478111C04C; Mon, 11 Mar 2019 11:42:04 +0000 (GMT) Received: from d06av25.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id D73BB11C05B; Mon, 11 Mar 2019 11:42:02 +0000 (GMT) Received: from localhost.ibm.com (unknown [9.80.93.170]) by d06av25.portsmouth.uk.ibm.com (Postfix) with ESMTP; Mon, 11 Mar 2019 11:42:02 +0000 (GMT) From: Mimi Zohar To: linux-integrity@vger.kernel.org Cc: linux-kselftest@vger.kernel.org, kexec@lists.infradead.org, linux-kernel@vger.kernel.org, Petr Vorel , Dave Young , Matthew Garrett , Mimi Zohar Subject: [PATCH v3 7/7] selftests/ima: Add missing '=y' to config options Date: Mon, 11 Mar 2019 07:41:13 -0400 X-Mailer: git-send-email 2.7.5 In-Reply-To: <1552304473-3966-1-git-send-email-zohar@linux.ibm.com> References: <1552304473-3966-1-git-send-email-zohar@linux.ibm.com> X-TM-AS-GCONF: 00 x-cbid: 19031111-4275-0000-0000-0000031997CB X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 19031111-4276-0000-0000-00003827FBFD Message-Id: <1552304473-3966-8-git-send-email-zohar@linux.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:,, definitions=2019-03-11_09:,, signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 malwarescore=0 suspectscore=1 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1903110088 Sender: linux-kselftest-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kselftest@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP From: Petr Vorel so the file can be used as kernel config snippet. Signed-off-by: Petr Vorel [zohar@linux.ibm.com: remove CONFIG_KEXEC_VERIFY_SIG from config] Signed-off-by: Mimi Zohar --- tools/testing/selftests/ima/config | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/tools/testing/selftests/ima/config b/tools/testing/selftests/ima/config index 6bc86d4d9bb4..8962e862b2b8 100644 --- a/tools/testing/selftests/ima/config +++ b/tools/testing/selftests/ima/config @@ -1,4 +1,3 @@ -CONFIG_IMA_APPRAISE -CONFIG_IMA_ARCH_POLICY -CONFIG_SECURITYFS -CONFIG_KEXEC_VERIFY_SIG +CONFIG_IMA_APPRAISE=y +CONFIG_IMA_ARCH_POLICY=y +CONFIG_SECURITYFS=y