From patchwork Thu Mar 14 18:41:09 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mimi Zohar X-Patchwork-Id: 10853391 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id DE23C6C2 for ; Thu, 14 Mar 2019 18:42:04 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id CC8322A6BC for ; Thu, 14 Mar 2019 18:42:04 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id C0FAC2A6D8; Thu, 14 Mar 2019 18:42:04 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.9 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI, RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 15B8E2A6C3 for ; Thu, 14 Mar 2019 18:42:04 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727832AbfCNSmD (ORCPT ); Thu, 14 Mar 2019 14:42:03 -0400 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:56708 "EHLO mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1727781AbfCNSmC (ORCPT ); Thu, 14 Mar 2019 14:42:02 -0400 Received: from pps.filterd (m0098416.ppops.net [127.0.0.1]) by mx0b-001b2d01.pphosted.com (8.16.0.27/8.16.0.27) with SMTP id x2EIeds0032171 for ; Thu, 14 Mar 2019 14:42:00 -0400 Received: from e06smtp05.uk.ibm.com (e06smtp05.uk.ibm.com [195.75.94.101]) by mx0b-001b2d01.pphosted.com with ESMTP id 2r7v5kgt5w-1 (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=NOT) for ; Thu, 14 Mar 2019 14:42:00 -0400 Received: from localhost by e06smtp05.uk.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Thu, 14 Mar 2019 18:41:58 -0000 Received: from b06cxnps4075.portsmouth.uk.ibm.com (9.149.109.197) by e06smtp05.uk.ibm.com (192.168.101.135) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; (version=TLSv1/SSLv3 cipher=AES256-GCM-SHA384 bits=256/256) Thu, 14 Mar 2019 18:41:54 -0000 Received: from d06av24.portsmouth.uk.ibm.com (d06av24.portsmouth.uk.ibm.com [9.149.105.60]) by b06cxnps4075.portsmouth.uk.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id x2EIfrRx27787304 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL); Thu, 14 Mar 2019 18:41:53 GMT Received: from d06av24.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 83A8042045; Thu, 14 Mar 2019 18:41:53 +0000 (GMT) Received: from d06av24.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 8812A4204C; Thu, 14 Mar 2019 18:41:52 +0000 (GMT) Received: from localhost.ibm.com (unknown [9.80.108.186]) by d06av24.portsmouth.uk.ibm.com (Postfix) with ESMTP; Thu, 14 Mar 2019 18:41:52 +0000 (GMT) From: Mimi Zohar To: linux-integrity@vger.kernel.org Cc: linux-kselftest@vger.kernel.org, kexec@lists.infradead.org, linux-kernel@vger.kernel.org, Petr Vorel , Dave Young , Matthew Garrett , Mimi Zohar Subject: [PATCH v4 1/8] selftests/kexec: move the IMA kexec_load selftest to selftests/kexec Date: Thu, 14 Mar 2019 14:41:09 -0400 X-Mailer: git-send-email 2.7.5 In-Reply-To: <1552588876-28481-1-git-send-email-zohar@linux.ibm.com> References: <1552588876-28481-1-git-send-email-zohar@linux.ibm.com> X-TM-AS-GCONF: 00 x-cbid: 19031418-0020-0000-0000-000003236303 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 19031418-0021-0000-0000-0000217568F5 Message-Id: <1552588876-28481-2-git-send-email-zohar@linux.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:,, definitions=2019-03-14_08:,, signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 malwarescore=0 suspectscore=1 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1903140130 Sender: linux-integrity-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-integrity@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP As requested move the existing kexec_load selftest and subsequent kexec tests to the selftests/kexec directory. Suggested-by: Dave Young Signed-off-by: Mimi Zohar --- tools/testing/selftests/Makefile | 2 +- tools/testing/selftests/ima/Makefile | 11 ----- tools/testing/selftests/ima/config | 4 -- tools/testing/selftests/ima/test_kexec_load.sh | 54 ------------------------ tools/testing/selftests/kexec/Makefile | 11 +++++ tools/testing/selftests/kexec/config | 4 ++ tools/testing/selftests/kexec/test_kexec_load.sh | 54 ++++++++++++++++++++++++ 7 files changed, 70 insertions(+), 70 deletions(-) delete mode 100644 tools/testing/selftests/ima/Makefile delete mode 100644 tools/testing/selftests/ima/config delete mode 100755 tools/testing/selftests/ima/test_kexec_load.sh create mode 100644 tools/testing/selftests/kexec/Makefile create mode 100644 tools/testing/selftests/kexec/config create mode 100755 tools/testing/selftests/kexec/test_kexec_load.sh diff --git a/tools/testing/selftests/Makefile b/tools/testing/selftests/Makefile index 1a2bd15c5b6e..6da1e32d2b99 100644 --- a/tools/testing/selftests/Makefile +++ b/tools/testing/selftests/Makefile @@ -14,11 +14,11 @@ TARGETS += firmware TARGETS += ftrace TARGETS += futex TARGETS += gpio -TARGETS += ima TARGETS += intel_pstate TARGETS += ipc TARGETS += ir TARGETS += kcmp +TARGETS += kexec TARGETS += kvm TARGETS += lib TARGETS += membarrier diff --git a/tools/testing/selftests/ima/Makefile b/tools/testing/selftests/ima/Makefile deleted file mode 100644 index 0b3adf5444b6..000000000000 --- a/tools/testing/selftests/ima/Makefile +++ /dev/null @@ -1,11 +0,0 @@ -# Makefile for kexec_load - -uname_M := $(shell uname -m 2>/dev/null || echo not) -ARCH ?= $(shell echo $(uname_M) | sed -e s/i.86/x86/ -e s/x86_64/x86/) - -ifeq ($(ARCH),x86) -TEST_PROGS := test_kexec_load.sh - -include ../lib.mk - -endif diff --git a/tools/testing/selftests/ima/config b/tools/testing/selftests/ima/config deleted file mode 100644 index 6bc86d4d9bb4..000000000000 --- a/tools/testing/selftests/ima/config +++ /dev/null @@ -1,4 +0,0 @@ -CONFIG_IMA_APPRAISE -CONFIG_IMA_ARCH_POLICY -CONFIG_SECURITYFS -CONFIG_KEXEC_VERIFY_SIG diff --git a/tools/testing/selftests/ima/test_kexec_load.sh b/tools/testing/selftests/ima/test_kexec_load.sh deleted file mode 100755 index 1c10093fb526..000000000000 --- a/tools/testing/selftests/ima/test_kexec_load.sh +++ /dev/null @@ -1,54 +0,0 @@ -#!/bin/sh -# SPDX-License-Identifier: GPL-2.0+ -# Loading a kernel image via the kexec_load syscall should fail -# when the kerne is CONFIG_KEXEC_VERIFY_SIG enabled and the system -# is booted in secureboot mode. - -TEST="$0" -EFIVARFS="/sys/firmware/efi/efivars" -rc=0 - -# Kselftest framework requirement - SKIP code is 4. -ksft_skip=4 - -# kexec requires root privileges -if [ $UID != 0 ]; then - echo "$TEST: must be run as root" >&2 - exit $ksft_skip -fi - -# Make sure that efivars is mounted in the normal location -if ! grep -q "^\S\+ $EFIVARFS efivarfs" /proc/mounts; then - echo "$TEST: efivars is not mounted on $EFIVARFS" >&2 - exit $ksft_skip -fi - -# Get secureboot mode -file="$EFIVARFS/SecureBoot-*" -if [ ! -e $file ]; then - echo "$TEST: unknown secureboot mode" >&2 - exit $ksft_skip -fi -secureboot=`hexdump $file | awk '{print substr($4,length($4),1)}'` - -# kexec_load should fail in secure boot mode -KERNEL_IMAGE="/boot/vmlinuz-`uname -r`" -kexec -l $KERNEL_IMAGE &>> /dev/null -if [ $? == 0 ]; then - kexec -u - if [ "$secureboot" == "1" ]; then - echo "$TEST: kexec_load succeeded [FAIL]" - rc=1 - else - echo "$TEST: kexec_load succeeded [PASS]" - fi -else - if [ "$secureboot" == "1" ]; then - echo "$TEST: kexec_load failed [PASS]" - else - echo "$TEST: kexec_load failed [FAIL]" - rc=1 - fi -fi - -exit $rc diff --git a/tools/testing/selftests/kexec/Makefile b/tools/testing/selftests/kexec/Makefile new file mode 100644 index 000000000000..0b3adf5444b6 --- /dev/null +++ b/tools/testing/selftests/kexec/Makefile @@ -0,0 +1,11 @@ +# Makefile for kexec_load + +uname_M := $(shell uname -m 2>/dev/null || echo not) +ARCH ?= $(shell echo $(uname_M) | sed -e s/i.86/x86/ -e s/x86_64/x86/) + +ifeq ($(ARCH),x86) +TEST_PROGS := test_kexec_load.sh + +include ../lib.mk + +endif diff --git a/tools/testing/selftests/kexec/config b/tools/testing/selftests/kexec/config new file mode 100644 index 000000000000..6bc86d4d9bb4 --- /dev/null +++ b/tools/testing/selftests/kexec/config @@ -0,0 +1,4 @@ +CONFIG_IMA_APPRAISE +CONFIG_IMA_ARCH_POLICY +CONFIG_SECURITYFS +CONFIG_KEXEC_VERIFY_SIG diff --git a/tools/testing/selftests/kexec/test_kexec_load.sh b/tools/testing/selftests/kexec/test_kexec_load.sh new file mode 100755 index 000000000000..1c10093fb526 --- /dev/null +++ b/tools/testing/selftests/kexec/test_kexec_load.sh @@ -0,0 +1,54 @@ +#!/bin/sh +# SPDX-License-Identifier: GPL-2.0+ +# Loading a kernel image via the kexec_load syscall should fail +# when the kerne is CONFIG_KEXEC_VERIFY_SIG enabled and the system +# is booted in secureboot mode. + +TEST="$0" +EFIVARFS="/sys/firmware/efi/efivars" +rc=0 + +# Kselftest framework requirement - SKIP code is 4. +ksft_skip=4 + +# kexec requires root privileges +if [ $UID != 0 ]; then + echo "$TEST: must be run as root" >&2 + exit $ksft_skip +fi + +# Make sure that efivars is mounted in the normal location +if ! grep -q "^\S\+ $EFIVARFS efivarfs" /proc/mounts; then + echo "$TEST: efivars is not mounted on $EFIVARFS" >&2 + exit $ksft_skip +fi + +# Get secureboot mode +file="$EFIVARFS/SecureBoot-*" +if [ ! -e $file ]; then + echo "$TEST: unknown secureboot mode" >&2 + exit $ksft_skip +fi +secureboot=`hexdump $file | awk '{print substr($4,length($4),1)}'` + +# kexec_load should fail in secure boot mode +KERNEL_IMAGE="/boot/vmlinuz-`uname -r`" +kexec -l $KERNEL_IMAGE &>> /dev/null +if [ $? == 0 ]; then + kexec -u + if [ "$secureboot" == "1" ]; then + echo "$TEST: kexec_load succeeded [FAIL]" + rc=1 + else + echo "$TEST: kexec_load succeeded [PASS]" + fi +else + if [ "$secureboot" == "1" ]; then + echo "$TEST: kexec_load failed [PASS]" + else + echo "$TEST: kexec_load failed [FAIL]" + rc=1 + fi +fi + +exit $rc From patchwork Thu Mar 14 18:41:10 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mimi Zohar X-Patchwork-Id: 10853419 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 3136C1575 for ; Thu, 14 Mar 2019 18:42:44 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 1F0FC2A3B9 for ; Thu, 14 Mar 2019 18:42:44 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 135E22A6BE; Thu, 14 Mar 2019 18:42:44 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.9 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI, RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id A2C702A3B9 for ; Thu, 14 Mar 2019 18:42:43 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727837AbfCNSmE (ORCPT ); Thu, 14 Mar 2019 14:42:04 -0400 Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]:35284 "EHLO mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727819AbfCNSmD (ORCPT ); Thu, 14 Mar 2019 14:42:03 -0400 Received: from pps.filterd (m0098409.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.27/8.16.0.27) with SMTP id x2EIfPik037850 for ; Thu, 14 Mar 2019 14:42:03 -0400 Received: from e06smtp03.uk.ibm.com (e06smtp03.uk.ibm.com [195.75.94.99]) by mx0a-001b2d01.pphosted.com with ESMTP id 2r7svufvuf-1 (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=NOT) for ; Thu, 14 Mar 2019 14:42:02 -0400 Received: from localhost by e06smtp03.uk.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Thu, 14 Mar 2019 18:42:00 -0000 Received: from b06cxnps4074.portsmouth.uk.ibm.com (9.149.109.196) by e06smtp03.uk.ibm.com (192.168.101.133) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; (version=TLSv1/SSLv3 cipher=AES256-GCM-SHA384 bits=256/256) Thu, 14 Mar 2019 18:41:57 -0000 Received: from d06av24.portsmouth.uk.ibm.com (d06av24.portsmouth.uk.ibm.com [9.149.105.60]) by b06cxnps4074.portsmouth.uk.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id x2EIfuUf23068920 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL); Thu, 14 Mar 2019 18:41:56 GMT Received: from d06av24.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 0517E42045; Thu, 14 Mar 2019 18:41:56 +0000 (GMT) Received: from d06av24.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 0591D4203F; Thu, 14 Mar 2019 18:41:55 +0000 (GMT) Received: from localhost.ibm.com (unknown [9.80.108.186]) by d06av24.portsmouth.uk.ibm.com (Postfix) with ESMTP; Thu, 14 Mar 2019 18:41:54 +0000 (GMT) From: Mimi Zohar To: linux-integrity@vger.kernel.org Cc: linux-kselftest@vger.kernel.org, kexec@lists.infradead.org, linux-kernel@vger.kernel.org, Petr Vorel , Dave Young , Matthew Garrett , Mimi Zohar Subject: [PATCH v4 2/8] selftests/kexec: cleanup the kexec selftest Date: Thu, 14 Mar 2019 14:41:10 -0400 X-Mailer: git-send-email 2.7.5 In-Reply-To: <1552588876-28481-1-git-send-email-zohar@linux.ibm.com> References: <1552588876-28481-1-git-send-email-zohar@linux.ibm.com> X-TM-AS-GCONF: 00 x-cbid: 19031418-0012-0000-0000-00000302B407 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 19031418-0013-0000-0000-00002139DFF2 Message-Id: <1552588876-28481-3-git-send-email-zohar@linux.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:,, definitions=2019-03-14_08:,, signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 malwarescore=0 suspectscore=1 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=866 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1903140130 Sender: linux-integrity-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-integrity@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP Remove the few bashisms and use the complete option name for clarity. Signed-off-by: Mimi Zohar Reviewed-by: Petr Vorel --- tools/testing/selftests/kexec/test_kexec_load.sh | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/tools/testing/selftests/kexec/test_kexec_load.sh b/tools/testing/selftests/kexec/test_kexec_load.sh index 1c10093fb526..82a01a4d5c8d 100755 --- a/tools/testing/selftests/kexec/test_kexec_load.sh +++ b/tools/testing/selftests/kexec/test_kexec_load.sh @@ -1,7 +1,7 @@ #!/bin/sh -# SPDX-License-Identifier: GPL-2.0+ +# SPDX-License-Identifier: GPL-2.0 # Loading a kernel image via the kexec_load syscall should fail -# when the kerne is CONFIG_KEXEC_VERIFY_SIG enabled and the system +# when the kernel is CONFIG_KEXEC_VERIFY_SIG enabled and the system # is booted in secureboot mode. TEST="$0" @@ -12,8 +12,8 @@ rc=0 ksft_skip=4 # kexec requires root privileges -if [ $UID != 0 ]; then - echo "$TEST: must be run as root" >&2 +if [ $(id -ru) -ne 0 ]; then + echo "$TEST: requires root privileges" >&2 exit $ksft_skip fi @@ -33,17 +33,17 @@ secureboot=`hexdump $file | awk '{print substr($4,length($4),1)}'` # kexec_load should fail in secure boot mode KERNEL_IMAGE="/boot/vmlinuz-`uname -r`" -kexec -l $KERNEL_IMAGE &>> /dev/null -if [ $? == 0 ]; then - kexec -u - if [ "$secureboot" == "1" ]; then +kexec --load $KERNEL_IMAGE > /dev/null 2>&1 +if [ $? -eq 0 ]; then + kexec --unload + if [ $secureboot -eq 1 ]; then echo "$TEST: kexec_load succeeded [FAIL]" rc=1 else echo "$TEST: kexec_load succeeded [PASS]" fi else - if [ "$secureboot" == "1" ]; then + if [ $secureboot -eq 1 ]; then echo "$TEST: kexec_load failed [PASS]" else echo "$TEST: kexec_load failed [FAIL]" From patchwork Thu Mar 14 18:41:11 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mimi Zohar X-Patchwork-Id: 10853399 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id AE9AE1874 for ; Thu, 14 Mar 2019 18:42:09 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id A05E52A6C4 for ; Thu, 14 Mar 2019 18:42:09 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 94B292A6CA; Thu, 14 Mar 2019 18:42:09 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.9 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI, RCVD_IN_DNSWL_HI autolearn=unavailable version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 2900D2A6C5 for ; Thu, 14 Mar 2019 18:42:09 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727875AbfCNSmI (ORCPT ); Thu, 14 Mar 2019 14:42:08 -0400 Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]:59686 "EHLO mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727780AbfCNSmG (ORCPT ); Thu, 14 Mar 2019 14:42:06 -0400 Received: from pps.filterd (m0098410.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.27/8.16.0.27) with SMTP id x2EIeur8120732 for ; Thu, 14 Mar 2019 14:42:05 -0400 Received: from e06smtp01.uk.ibm.com (e06smtp01.uk.ibm.com [195.75.94.97]) by mx0a-001b2d01.pphosted.com with ESMTP id 2r7snp0mey-1 (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=NOT) for ; Thu, 14 Mar 2019 14:42:04 -0400 Received: from localhost by e06smtp01.uk.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Thu, 14 Mar 2019 18:42:02 -0000 Received: from b06cxnps4075.portsmouth.uk.ibm.com (9.149.109.197) by e06smtp01.uk.ibm.com (192.168.101.131) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; (version=TLSv1/SSLv3 cipher=AES256-GCM-SHA384 bits=256/256) Thu, 14 Mar 2019 18:41:59 -0000 Received: from d06av24.portsmouth.uk.ibm.com (mk.ibm.com [9.149.105.60]) by b06cxnps4075.portsmouth.uk.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id x2EIfwMi22610110 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL); Thu, 14 Mar 2019 18:41:58 GMT Received: from d06av24.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 73BB442041; Thu, 14 Mar 2019 18:41:58 +0000 (GMT) Received: from d06av24.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 7301142042; Thu, 14 Mar 2019 18:41:57 +0000 (GMT) Received: from localhost.ibm.com (unknown [9.80.108.186]) by d06av24.portsmouth.uk.ibm.com (Postfix) with ESMTP; Thu, 14 Mar 2019 18:41:57 +0000 (GMT) From: Mimi Zohar To: linux-integrity@vger.kernel.org Cc: linux-kselftest@vger.kernel.org, kexec@lists.infradead.org, linux-kernel@vger.kernel.org, Petr Vorel , Dave Young , Matthew Garrett , Mimi Zohar Subject: [PATCH v4 3/8] selftests/kexec: define a set of common functions Date: Thu, 14 Mar 2019 14:41:11 -0400 X-Mailer: git-send-email 2.7.5 In-Reply-To: <1552588876-28481-1-git-send-email-zohar@linux.ibm.com> References: <1552588876-28481-1-git-send-email-zohar@linux.ibm.com> X-TM-AS-GCONF: 00 x-cbid: 19031418-4275-0000-0000-0000031B1074 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 19031418-4276-0000-0000-0000382983FD Message-Id: <1552588876-28481-4-git-send-email-zohar@linux.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:,, definitions=2019-03-14_08:,, signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 malwarescore=0 suspectscore=1 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=995 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1903140130 Sender: linux-integrity-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-integrity@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP Define, update and move get_secureboot_mode() to a common file for use by other tests. Updated to check both the efivar SecureBoot-$(UUID) and SetupMode-$(UUID), based on Dave Young's review. Signed-off-by: Mimi Zohar Reviewed-by: Petr Vorel Cc: Dave Young --- tools/testing/selftests/kexec/Makefile | 1 + tools/testing/selftests/kexec/kexec_common_lib.sh | 38 +++++++++++++++++++++++ tools/testing/selftests/kexec/test_kexec_load.sh | 17 ++-------- 3 files changed, 42 insertions(+), 14 deletions(-) create mode 100755 tools/testing/selftests/kexec/kexec_common_lib.sh diff --git a/tools/testing/selftests/kexec/Makefile b/tools/testing/selftests/kexec/Makefile index 0b3adf5444b6..1a795861040b 100644 --- a/tools/testing/selftests/kexec/Makefile +++ b/tools/testing/selftests/kexec/Makefile @@ -5,6 +5,7 @@ ARCH ?= $(shell echo $(uname_M) | sed -e s/i.86/x86/ -e s/x86_64/x86/) ifeq ($(ARCH),x86) TEST_PROGS := test_kexec_load.sh +TEST_FILES := kexec_common_lib.sh include ../lib.mk diff --git a/tools/testing/selftests/kexec/kexec_common_lib.sh b/tools/testing/selftests/kexec/kexec_common_lib.sh new file mode 100755 index 000000000000..05376be6a6f7 --- /dev/null +++ b/tools/testing/selftests/kexec/kexec_common_lib.sh @@ -0,0 +1,38 @@ +#!/bin/sh +# SPDX-License-Identifier: GPL-2.0 + +# Check efivar SecureBoot-$(the UUID) and SetupMode-$(the UUID). +# The secure boot mode can be accessed either as the last integer +# of "od -An -t u1 /sys/firmware/efi/efivars/SecureBoot-*" or from +# "od -An -t u1 /sys/firmware/efi/vars/SecureBoot-*/data". The efi +# SetupMode can be similarly accessed. +# Return 1 for SecureBoot mode enabled and SetupMode mode disabled. +get_secureboot_mode() +{ + local efivarfs="/sys/firmware/efi/efivars" + local secure_boot_file="$efivarfs/../vars/SecureBoot-*/data" + local setup_mode_file="$efivarfs/../vars/SetupMode-*/data" + local secureboot_mode=0 + local setup_mode=0 + + # Make sure that efivars is mounted in the normal location + if ! grep -q "^\S\+ $efivarfs efivarfs" /proc/mounts; then + log_skip "efivars is not mounted on $efivarfs" + fi + + # Due to globbing, quoting "secure_boot_file" and "setup_mode_file" + # is not possible. (Todo: initialize variables using find or ls.) + if [ ! -e $secure_boot_file ] || [ ! -e $setup_mode_file ]; then + log_skip "unknown secureboot/setup mode" + fi + + secureboot_mode=`od -An -t u1 $secure_boot_file` + setup_mode=`od -An -t u1 $setup_mode_file` + + if [ $secureboot_mode -eq 1 ] && [ $setup_mode -eq 0 ]; then + log_info "secure boot mode enabled" + return 1; + fi + log_info "secure boot mode not enabled" + return 0; +} diff --git a/tools/testing/selftests/kexec/test_kexec_load.sh b/tools/testing/selftests/kexec/test_kexec_load.sh index 82a01a4d5c8d..86625c3f1e5d 100755 --- a/tools/testing/selftests/kexec/test_kexec_load.sh +++ b/tools/testing/selftests/kexec/test_kexec_load.sh @@ -5,7 +5,7 @@ # is booted in secureboot mode. TEST="$0" -EFIVARFS="/sys/firmware/efi/efivars" +. ./kexec_common_lib.sh rc=0 # Kselftest framework requirement - SKIP code is 4. @@ -17,19 +17,8 @@ if [ $(id -ru) -ne 0 ]; then exit $ksft_skip fi -# Make sure that efivars is mounted in the normal location -if ! grep -q "^\S\+ $EFIVARFS efivarfs" /proc/mounts; then - echo "$TEST: efivars is not mounted on $EFIVARFS" >&2 - exit $ksft_skip -fi - -# Get secureboot mode -file="$EFIVARFS/SecureBoot-*" -if [ ! -e $file ]; then - echo "$TEST: unknown secureboot mode" >&2 - exit $ksft_skip -fi -secureboot=`hexdump $file | awk '{print substr($4,length($4),1)}'` +get_secureboot_mode +secureboot=$? # kexec_load should fail in secure boot mode KERNEL_IMAGE="/boot/vmlinuz-`uname -r`" From patchwork Thu Mar 14 18:41:12 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mimi Zohar X-Patchwork-Id: 10853397 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 6CF096C2 for ; Thu, 14 Mar 2019 18:42:09 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 5C8BC2A6DA for ; Thu, 14 Mar 2019 18:42:09 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 50E192A6CE; Thu, 14 Mar 2019 18:42:09 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.9 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI, RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id DF1F12A6C4 for ; Thu, 14 Mar 2019 18:42:08 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727872AbfCNSmI (ORCPT ); Thu, 14 Mar 2019 14:42:08 -0400 Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]:55520 "EHLO mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727867AbfCNSmI (ORCPT ); Thu, 14 Mar 2019 14:42:08 -0400 Received: from pps.filterd (m0098399.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.27/8.16.0.27) with SMTP id x2EIf1tu099410 for ; Thu, 14 Mar 2019 14:42:07 -0400 Received: from e06smtp02.uk.ibm.com (e06smtp02.uk.ibm.com [195.75.94.98]) by mx0a-001b2d01.pphosted.com with ESMTP id 2r7up62cd9-1 (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=NOT) for ; Thu, 14 Mar 2019 14:42:07 -0400 Received: from localhost by e06smtp02.uk.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Thu, 14 Mar 2019 18:42:05 -0000 Received: from b06cxnps3075.portsmouth.uk.ibm.com (9.149.109.195) by e06smtp02.uk.ibm.com (192.168.101.132) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; (version=TLSv1/SSLv3 cipher=AES256-GCM-SHA384 bits=256/256) Thu, 14 Mar 2019 18:42:01 -0000 Received: from d06av24.portsmouth.uk.ibm.com (mk.ibm.com [9.149.105.60]) by b06cxnps3075.portsmouth.uk.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id x2EIg0LW43122808 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL); Thu, 14 Mar 2019 18:42:00 GMT Received: from d06av24.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 9FAF542042; Thu, 14 Mar 2019 18:42:00 +0000 (GMT) Received: from d06av24.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id A0CF142045; Thu, 14 Mar 2019 18:41:59 +0000 (GMT) Received: from localhost.ibm.com (unknown [9.80.108.186]) by d06av24.portsmouth.uk.ibm.com (Postfix) with ESMTP; Thu, 14 Mar 2019 18:41:59 +0000 (GMT) From: Mimi Zohar To: linux-integrity@vger.kernel.org Cc: linux-kselftest@vger.kernel.org, kexec@lists.infradead.org, linux-kernel@vger.kernel.org, Petr Vorel , Dave Young , Matthew Garrett , Mimi Zohar Subject: [PATCH v4 4/8] selftests/kexec: define common logging functions Date: Thu, 14 Mar 2019 14:41:12 -0400 X-Mailer: git-send-email 2.7.5 In-Reply-To: <1552588876-28481-1-git-send-email-zohar@linux.ibm.com> References: <1552588876-28481-1-git-send-email-zohar@linux.ibm.com> X-TM-AS-GCONF: 00 x-cbid: 19031418-0008-0000-0000-000002CD62F5 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 19031418-0009-0000-0000-0000223966DC Message-Id: <1552588876-28481-5-git-send-email-zohar@linux.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:,, definitions=2019-03-14_08:,, signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 malwarescore=0 suspectscore=1 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=488 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1903140130 Sender: linux-integrity-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-integrity@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP Define log_info, log_pass, log_fail, and log_skip functions. Suggested-by: Petr Vorel Signed-off-by: Mimi Zohar Reviewed-by: Petr Vorel --- tools/testing/selftests/kexec/kexec_common_lib.sh | 31 +++++++++++++++++++++++ tools/testing/selftests/kexec/test_kexec_load.sh | 19 ++++---------- 2 files changed, 36 insertions(+), 14 deletions(-) diff --git a/tools/testing/selftests/kexec/kexec_common_lib.sh b/tools/testing/selftests/kexec/kexec_common_lib.sh index 05376be6a6f7..d108ac538f14 100755 --- a/tools/testing/selftests/kexec/kexec_common_lib.sh +++ b/tools/testing/selftests/kexec/kexec_common_lib.sh @@ -1,5 +1,36 @@ #!/bin/sh # SPDX-License-Identifier: GPL-2.0 +# +# Kselftest framework defines: ksft_pass=0, ksft_fail=1, ksft_skip=4 + +VERBOSE="${VERBOSE:-1}" + +log_info() +{ + [ $VERBOSE -ne 0 ] && echo "[INFO] $1" +} + +# The ksefltest framework requirement returns 0 for PASS. +log_pass() +{ + + [ $VERBOSE -ne 0 ] && echo "$1 [PASS]" + exit 0 +} + +# The ksefltest framework requirement returns 1 for FAIL. +log_fail() +{ + [ $VERBOSE -ne 0 ] && echo "$1 [FAIL]" + exit 1 +} + +# The ksefltest framework requirement returns 4 for SKIP. +log_skip() +{ + [ $VERBOSE -ne 0 ] && echo "$1" + exit 4 +} # Check efivar SecureBoot-$(the UUID) and SetupMode-$(the UUID). # The secure boot mode can be accessed either as the last integer diff --git a/tools/testing/selftests/kexec/test_kexec_load.sh b/tools/testing/selftests/kexec/test_kexec_load.sh index 86625c3f1e5d..cbf598a380d2 100755 --- a/tools/testing/selftests/kexec/test_kexec_load.sh +++ b/tools/testing/selftests/kexec/test_kexec_load.sh @@ -6,15 +6,10 @@ TEST="$0" . ./kexec_common_lib.sh -rc=0 - -# Kselftest framework requirement - SKIP code is 4. -ksft_skip=4 # kexec requires root privileges if [ $(id -ru) -ne 0 ]; then - echo "$TEST: requires root privileges" >&2 - exit $ksft_skip + log_skip "requires root privileges" fi get_secureboot_mode @@ -26,18 +21,14 @@ kexec --load $KERNEL_IMAGE > /dev/null 2>&1 if [ $? -eq 0 ]; then kexec --unload if [ $secureboot -eq 1 ]; then - echo "$TEST: kexec_load succeeded [FAIL]" - rc=1 + log_fail "kexec_load succeeded" else - echo "$TEST: kexec_load succeeded [PASS]" + log_pass "kexec_load succeeded" fi else if [ $secureboot -eq 1 ]; then - echo "$TEST: kexec_load failed [PASS]" + log_pass "kexec_load failed" else - echo "$TEST: kexec_load failed [FAIL]" - rc=1 + log_fail "kexec_load failed" fi fi - -exit $rc From patchwork Thu Mar 14 18:41:13 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mimi Zohar X-Patchwork-Id: 10853401 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 6C9B16C2 for ; Thu, 14 Mar 2019 18:42:12 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 5D26A2A6D1 for ; Thu, 14 Mar 2019 18:42:12 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 517552A6CE; Thu, 14 Mar 2019 18:42:12 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.9 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI, RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id E175A2A6C3 for ; Thu, 14 Mar 2019 18:42:11 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727909AbfCNSmK (ORCPT ); Thu, 14 Mar 2019 14:42:10 -0400 Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]:55710 "EHLO mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727887AbfCNSmK (ORCPT ); Thu, 14 Mar 2019 14:42:10 -0400 Received: from pps.filterd (m0098399.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.27/8.16.0.27) with SMTP id x2EIf1WX099429 for ; Thu, 14 Mar 2019 14:42:09 -0400 Received: from e06smtp07.uk.ibm.com (e06smtp07.uk.ibm.com [195.75.94.103]) by mx0a-001b2d01.pphosted.com with ESMTP id 2r7up62ce7-1 (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=NOT) for ; Thu, 14 Mar 2019 14:42:08 -0400 Received: from localhost by e06smtp07.uk.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Thu, 14 Mar 2019 18:42:06 -0000 Received: from b06cxnps3074.portsmouth.uk.ibm.com (9.149.109.194) by e06smtp07.uk.ibm.com (192.168.101.137) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; (version=TLSv1/SSLv3 cipher=AES256-GCM-SHA384 bits=256/256) Thu, 14 Mar 2019 18:42:03 -0000 Received: from d06av24.portsmouth.uk.ibm.com (d06av24.portsmouth.uk.ibm.com [9.149.105.60]) by b06cxnps3074.portsmouth.uk.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id x2EIg2Si34013328 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL); Thu, 14 Mar 2019 18:42:03 GMT Received: from d06av24.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id D7BB24204D; Thu, 14 Mar 2019 18:42:02 +0000 (GMT) Received: from d06av24.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id D7C7C42045; Thu, 14 Mar 2019 18:42:01 +0000 (GMT) Received: from localhost.ibm.com (unknown [9.80.108.186]) by d06av24.portsmouth.uk.ibm.com (Postfix) with ESMTP; Thu, 14 Mar 2019 18:42:01 +0000 (GMT) From: Mimi Zohar To: linux-integrity@vger.kernel.org Cc: linux-kselftest@vger.kernel.org, kexec@lists.infradead.org, linux-kernel@vger.kernel.org, Petr Vorel , Dave Young , Matthew Garrett , Mimi Zohar Subject: [PATCH v4 5/8] kselftest/kexec: define "require_root_privileges" Date: Thu, 14 Mar 2019 14:41:13 -0400 X-Mailer: git-send-email 2.7.5 In-Reply-To: <1552588876-28481-1-git-send-email-zohar@linux.ibm.com> References: <1552588876-28481-1-git-send-email-zohar@linux.ibm.com> X-TM-AS-GCONF: 00 x-cbid: 19031418-0028-0000-0000-000003541ADB X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 19031418-0029-0000-0000-00002412A8C5 Message-Id: <1552588876-28481-6-git-send-email-zohar@linux.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:,, definitions=2019-03-14_08:,, signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 malwarescore=0 suspectscore=1 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=733 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1903140130 Sender: linux-integrity-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-integrity@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP Many tests require root privileges. Define a common function. Suggested-by: Petr Vorel Signed-off-by: Mimi Zohar Reviewed-by: Petr Vorel --- tools/testing/selftests/kexec/kexec_common_lib.sh | 7 +++++++ tools/testing/selftests/kexec/test_kexec_load.sh | 4 +--- 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/tools/testing/selftests/kexec/kexec_common_lib.sh b/tools/testing/selftests/kexec/kexec_common_lib.sh index d108ac538f14..1af892cee726 100755 --- a/tools/testing/selftests/kexec/kexec_common_lib.sh +++ b/tools/testing/selftests/kexec/kexec_common_lib.sh @@ -67,3 +67,10 @@ get_secureboot_mode() log_info "secure boot mode not enabled" return 0; } + +require_root_privileges() +{ + if [ $(id -ru) -ne 0 ]; then + log_skip "requires root privileges" + fi +} diff --git a/tools/testing/selftests/kexec/test_kexec_load.sh b/tools/testing/selftests/kexec/test_kexec_load.sh index cbf598a380d2..49545fcdc646 100755 --- a/tools/testing/selftests/kexec/test_kexec_load.sh +++ b/tools/testing/selftests/kexec/test_kexec_load.sh @@ -8,9 +8,7 @@ TEST="$0" . ./kexec_common_lib.sh # kexec requires root privileges -if [ $(id -ru) -ne 0 ]; then - log_skip "requires root privileges" -fi +require_root_privileges get_secureboot_mode secureboot=$? From patchwork Thu Mar 14 18:41:14 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mimi Zohar X-Patchwork-Id: 10853407 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 2FC591874 for ; Thu, 14 Mar 2019 18:42:18 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 21DBB2A6C3 for ; Thu, 14 Mar 2019 18:42:18 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 163C92A6D6; Thu, 14 Mar 2019 18:42:18 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.9 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI, RCVD_IN_DNSWL_HI autolearn=unavailable version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 344442A6CB for ; Thu, 14 Mar 2019 18:42:17 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727931AbfCNSmP (ORCPT ); Thu, 14 Mar 2019 14:42:15 -0400 Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]:47512 "EHLO mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727914AbfCNSmO (ORCPT ); Thu, 14 Mar 2019 14:42:14 -0400 Received: from pps.filterd (m0098394.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.27/8.16.0.27) with SMTP id x2EIe1Fb008502 for ; Thu, 14 Mar 2019 14:42:12 -0400 Received: from e06smtp04.uk.ibm.com (e06smtp04.uk.ibm.com [195.75.94.100]) by mx0a-001b2d01.pphosted.com with ESMTP id 2r7u0pm9sg-1 (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=NOT) for ; Thu, 14 Mar 2019 14:42:12 -0400 Received: from localhost by e06smtp04.uk.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Thu, 14 Mar 2019 18:42:10 -0000 Received: from b06cxnps3075.portsmouth.uk.ibm.com (9.149.109.195) by e06smtp04.uk.ibm.com (192.168.101.134) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; (version=TLSv1/SSLv3 cipher=AES256-GCM-SHA384 bits=256/256) Thu, 14 Mar 2019 18:42:06 -0000 Received: from d06av24.portsmouth.uk.ibm.com (d06av24.portsmouth.uk.ibm.com [9.149.105.60]) by b06cxnps3075.portsmouth.uk.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id x2EIg5pK62849042 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL); Thu, 14 Mar 2019 18:42:05 GMT Received: from d06av24.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 389A84203F; Thu, 14 Mar 2019 18:42:05 +0000 (GMT) Received: from d06av24.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 3870A42047; Thu, 14 Mar 2019 18:42:04 +0000 (GMT) Received: from localhost.ibm.com (unknown [9.80.108.186]) by d06av24.portsmouth.uk.ibm.com (Postfix) with ESMTP; Thu, 14 Mar 2019 18:42:03 +0000 (GMT) From: Mimi Zohar To: linux-integrity@vger.kernel.org Cc: linux-kselftest@vger.kernel.org, kexec@lists.infradead.org, linux-kernel@vger.kernel.org, Petr Vorel , Dave Young , Matthew Garrett , Mimi Zohar Subject: [PATCH v4 6/8] selftests/kexec: kexec_file_load syscall test Date: Thu, 14 Mar 2019 14:41:14 -0400 X-Mailer: git-send-email 2.7.5 In-Reply-To: <1552588876-28481-1-git-send-email-zohar@linux.ibm.com> References: <1552588876-28481-1-git-send-email-zohar@linux.ibm.com> X-TM-AS-GCONF: 00 x-cbid: 19031418-0016-0000-0000-0000026267E0 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 19031418-0017-0000-0000-000032BD6E54 Message-Id: <1552588876-28481-7-git-send-email-zohar@linux.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:,, definitions=2019-03-14_08:,, signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 malwarescore=0 suspectscore=1 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1903140130 Sender: linux-integrity-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-integrity@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP The kernel can be configured to verify PE signed kernel images, IMA kernel image signatures, both types of signatures, or none. This test verifies only properly signed kernel images are loaded into memory, based on the kernel configuration and runtime policies. Signed-off-by: Mimi Zohar Reviewed-by: Petr Vorel --- tools/testing/selftests/kexec/Makefile | 4 +- tools/testing/selftests/kexec/kexec_common_lib.sh | 99 +++++++++++ .../selftests/kexec/test_kexec_file_load.sh | 190 +++++++++++++++++++++ tools/testing/selftests/kexec/test_kexec_load.sh | 1 - 4 files changed, 291 insertions(+), 3 deletions(-) create mode 100755 tools/testing/selftests/kexec/test_kexec_file_load.sh diff --git a/tools/testing/selftests/kexec/Makefile b/tools/testing/selftests/kexec/Makefile index 1a795861040b..8e9b27a7452f 100644 --- a/tools/testing/selftests/kexec/Makefile +++ b/tools/testing/selftests/kexec/Makefile @@ -1,10 +1,10 @@ -# Makefile for kexec_load +# Makefile for kexec tests uname_M := $(shell uname -m 2>/dev/null || echo not) ARCH ?= $(shell echo $(uname_M) | sed -e s/i.86/x86/ -e s/x86_64/x86/) ifeq ($(ARCH),x86) -TEST_PROGS := test_kexec_load.sh +TEST_PROGS := test_kexec_load.sh test_kexec_file_load.sh TEST_FILES := kexec_common_lib.sh include ../lib.mk diff --git a/tools/testing/selftests/kexec/kexec_common_lib.sh b/tools/testing/selftests/kexec/kexec_common_lib.sh index 1af892cee726..51ae64c79c41 100755 --- a/tools/testing/selftests/kexec/kexec_common_lib.sh +++ b/tools/testing/selftests/kexec/kexec_common_lib.sh @@ -4,6 +4,9 @@ # Kselftest framework defines: ksft_pass=0, ksft_fail=1, ksft_skip=4 VERBOSE="${VERBOSE:-1}" +IKCONFIG="/tmp/config-`uname -r`" +KERNEL_IMAGE="/boot/vmlinuz-`uname -r`" +SECURITYFS=$(grep "securityfs" /proc/mounts | awk '{print $2}') log_info() { @@ -74,3 +77,99 @@ require_root_privileges() log_skip "requires root privileges" fi } + +# Look for config option in Kconfig file. +# Return 1 for found and 0 for not found. +kconfig_enabled() +{ + local config="$1" + local msg="$2" + + grep -E -q $config $IKCONFIG + if [ $? -eq 0 ]; then + log_info "$msg" + return 1 + fi + return 0 +} + +# Attempt to get the kernel config first via proc, and then by +# extracting it from the kernel image or the configs.ko using +# scripts/extract-ikconfig. +# Return 1 for found. +get_kconfig() +{ + local proc_config="/proc/config.gz" + local module_dir="/lib/modules/`uname -r`" + local configs_module="$module_dir/kernel/kernel/configs.ko" + + if [ ! -f $proc_config ]; then + modprobe configs > /dev/null 2>&1 + fi + if [ -f $proc_config ]; then + cat $proc_config | gunzip > $IKCONFIG 2>/dev/null + if [ $? -eq 0 ]; then + return 1 + fi + fi + + local extract_ikconfig="$module_dir/source/scripts/extract-ikconfig" + if [ ! -f $extract_ikconfig ]; then + log_skip "extract-ikconfig not found" + fi + + $extract_ikconfig $KERNEL_IMAGE > $IKCONFIG 2>/dev/null + if [ $? -eq 1 ]; then + if [ ! -f $configs_module ]; then + log_skip "CONFIG_IKCONFIG not enabled" + fi + $extract_ikconfig $configs_module > $IKCONFIG + if [ $? -eq 1 ]; then + log_skip "CONFIG_IKCONFIG not enabled" + fi + fi + return 1 +} + +# Make sure that securityfs is mounted +mount_securityfs() +{ + if [ -z $SECURITYFS ]; then + SECURITYFS=/sys/kernel/security + mount -t securityfs security $SECURITYFS + fi + + if [ ! -d "$SECURITYFS" ]; then + log_fail "$SECURITYFS :securityfs is not mounted" + fi +} + +# The policy rule format is an "action" followed by key-value pairs. This +# function supports up to two key-value pairs, in any order. +# For example: action func= [appraise_type=] +# Return 1 for found and 0 for not found. +check_ima_policy() +{ + local action="$1" + local keypair1="$2" + local keypair2="$3" + local ret=0 + + mount_securityfs + + local ima_policy=$SECURITYFS/ima/policy + if [ ! -e $ima_policy ]; then + log_fail "$ima_policy not found" + fi + + if [ -n $keypair2 ]; then + grep -e "^$action.*$keypair1" "$ima_policy" | \ + grep -q -e "$keypair2" + else + grep -q -e "^$action.*$keypair1" "$ima_policy" + fi + + # invert "grep -q" result, returning 1 for found. + [ $? -eq 0 ] && ret=1 + return $ret +} diff --git a/tools/testing/selftests/kexec/test_kexec_file_load.sh b/tools/testing/selftests/kexec/test_kexec_file_load.sh new file mode 100755 index 000000000000..6cf6a99f6a64 --- /dev/null +++ b/tools/testing/selftests/kexec/test_kexec_file_load.sh @@ -0,0 +1,190 @@ +#!/bin/sh +# SPDX-License-Identifier: GPL-2.0 +# +# Loading a kernel image via the kexec_file_load syscall can verify either +# the IMA signature stored in the security.ima xattr or the PE signature, +# both signatures depending on the IMA policy, or none. +# +# To determine whether the kernel image is signed, this test depends +# on pesign and getfattr. This test also requires the kernel to be +# built with CONFIG_IKCONFIG enabled and either CONFIG_IKCONFIG_PROC +# enabled or access to the extract-ikconfig script. + +TEST="KEXEC_FILE_LOAD" +. ./kexec_common_lib.sh + +trap "{ rm -f $IKCONFIG ; }" EXIT + +# Some of the IMA builtin policies may require the kexec kernel image to +# be signed, but these policy rules may be replaced with a custom +# policy. Only CONFIG_IMA_APPRAISE_REQUIRE_KEXEC_SIGS persists after +# loading a custom policy. Check if it is enabled, before reading the +# IMA runtime sysfs policy file. +# Return 1 for IMA signature required and 0 for not required. +is_ima_sig_required() +{ + local ret=0 + + kconfig_enabled "CONFIG_IMA_APPRAISE_REQUIRE_KEXEC_SIGS=y" \ + "IMA kernel image signature required" + if [ $? -eq 1 ]; then + log_info "IMA signature required" + return 1 + fi + + # The architecture specific or a custom policy may require the + # kexec kernel image be signed. Policy rules are walked + # sequentially. As a result, a policy rule may be defined, but + # might not necessarily be used. This test assumes if a policy + # rule is specified, that is the intent. + if [ $ima_read_policy -eq 1 ]; then + check_ima_policy "appraise" "func=KEXEC_KERNEL_CHECK" \ + "appraise_type=imasig" + ret=$? + [ $ret -eq 1 ] && log_info "IMA signature required"; + fi + return $ret +} + +# The kexec_file_load_test() is complicated enough, require pesign. +# Return 1 for PE signature found and 0 for not found. +check_for_pesig() +{ + which pesign > /dev/null 2>&1 || log_skip "pesign not found" + + pesign -i $KERNEL_IMAGE --show-signature | grep -q "No signatures" + local ret=$? + if [ $ret -eq 1 ]; then + log_info "kexec kernel image PE signed" + else + log_info "kexec kernel image not PE signed" + fi + return $ret +} + +# The kexec_file_load_test() is complicated enough, require getfattr. +# Return 1 for IMA signature found and 0 for not found. +check_for_imasig() +{ + local ret=0 + + which getfattr > /dev/null 2>&1 + if [ $? -eq 1 ]; then + log_skip "getfattr not found" + fi + + line=$(getfattr -n security.ima -e hex --absolute-names $KERNEL_IMAGE 2>&1) + echo $line | grep -q "security.ima=0x03" + if [ $? -eq 0 ]; then + ret=1 + log_info "kexec kernel image IMA signed" + else + log_info "kexec kernel image not IMA signed" + fi + return $ret +} + +kexec_file_load_test() +{ + local succeed_msg="kexec_file_load succeeded" + local failed_msg="kexec_file_load failed" + local key_msg="try enabling the CONFIG_INTEGRITY_PLATFORM_KEYRING" + + line=$(kexec --load --kexec-file-syscall $KERNEL_IMAGE 2>&1) + + if [ $? -eq 0 ]; then + kexec --unload --kexec-file-syscall + + # In secureboot mode with an architecture specific + # policy, make sure either an IMA or PE signature exists. + if [ $secureboot -eq 1 ] && [ $arch_policy -eq 1 ] && \ + [ $ima_signed -eq 0 ] && [ $pe_signed -eq 0 ]; then + log_fail "$succeed_msg (missing sig)" + fi + + if [ $pe_sig_required -eq 1 ] && [ $pe_signed -eq 0 ]; then + log_fail "$succeed_msg (missing PE sig)" + fi + + if [ $ima_sig_required -eq 1 ] && [ $ima_signed -eq 0 ]; then + log_fail "$succeed_msg (missing IMA sig)" + fi + + if [ $pe_sig_required -eq 0 ] && [ $ima_sig_required -eq 0 ] \ + && [ $ima_read_policy -eq 0 ] && [ $ima_signed -eq 0 ]; then + log_fail "$succeed_msg (possibly missing IMA sig)" + fi + + log_pass "$succeed_msg" + fi + + # Check the reason for the kexec_file_load failure + echo $line | grep -q "Required key not available" + if [ $? -eq 0 ]; then + if [ $platform_keyring -eq 0 ]; then + log_pass "$failed_msg (-ENOKEY), $key_msg" + else + log_pass "$failed_msg (-ENOKEY)" + fi + fi + + if [ $pe_sig_required -eq 1 ] && [ $pe_signed -eq 0 ]; then + log_pass "$failed_msg (missing PE sig)" + fi + + if [ $ima_sig_required -eq 1 ] && [ $ima_signed -eq 0 ]; then + log_pass "$failed_msg (missing IMA sig)" + fi + + if [ $pe_sig_required -eq 0 ] && [ $ima_sig_required -eq 0 ] \ + && [ $ima_read_policy -eq 0 ] && [ $ima_signed -eq 0 ]; then + log_pass "$failed_msg (possibly missing IMA sig)" + fi + + log_pass "$failed_msg" + return 0 +} + +# kexec requires root privileges +require_root_privileges + +# get the kernel config +get_kconfig + +# Determine which kernel config options are enabled +kconfig_enabled "CONFIG_IMA_ARCH_POLICY=y" \ + "architecture specific policy enabled" +arch_policy=$? + +kconfig_enabled "CONFIG_INTEGRITY_PLATFORM_KEYRING=y" \ + "platform keyring enabled" +platform_keyring=$? + +kconfig_enabled "CONFIG_IMA_READ_POLICY=y" "reading IMA policy permitted" +ima_read_policy=$? + +kconfig_enabled "CONFIG_KEXEC_BZIMAGE_VERIFY_SIG=y" \ + "PE signed kernel image required" +pe_sig_required=$? + +is_ima_sig_required +ima_sig_required=$? + +get_secureboot_mode +secureboot=$? + +if [ $secureboot -eq 0 ] && [ $arch_policy -eq 0 ] && \ + [ $pe_sig_required -eq 0 ] && [ $ima_sig_required -eq 0 ] && \ + [ $ima_read_policy -eq 1 ]; then + log_skip "No signature verification required" +fi + +# Are there pe and ima signatures +check_for_pesig +pe_signed=$? + +check_for_imasig +ima_signed=$? + +# Test loading the kernel image via kexec_file_load syscall +kexec_file_load_test diff --git a/tools/testing/selftests/kexec/test_kexec_load.sh b/tools/testing/selftests/kexec/test_kexec_load.sh index 49545fcdc646..afd440ee23cb 100755 --- a/tools/testing/selftests/kexec/test_kexec_load.sh +++ b/tools/testing/selftests/kexec/test_kexec_load.sh @@ -14,7 +14,6 @@ get_secureboot_mode secureboot=$? # kexec_load should fail in secure boot mode -KERNEL_IMAGE="/boot/vmlinuz-`uname -r`" kexec --load $KERNEL_IMAGE > /dev/null 2>&1 if [ $? -eq 0 ]; then kexec --unload From patchwork Thu Mar 14 18:41:15 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mimi Zohar X-Patchwork-Id: 10853405 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id C59631575 for ; Thu, 14 Mar 2019 18:42:17 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id B60B62A6D6 for ; Thu, 14 Mar 2019 18:42:17 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id AAFA52A6E5; Thu, 14 Mar 2019 18:42:17 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.9 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI, RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 6165F2A6D6 for ; Thu, 14 Mar 2019 18:42:17 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727618AbfCNSmQ (ORCPT ); Thu, 14 Mar 2019 14:42:16 -0400 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:45188 "EHLO mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1727568AbfCNSmP (ORCPT ); Thu, 14 Mar 2019 14:42:15 -0400 Received: from pps.filterd (m0098420.ppops.net [127.0.0.1]) by mx0b-001b2d01.pphosted.com (8.16.0.27/8.16.0.27) with SMTP id x2EIe1av092223 for ; Thu, 14 Mar 2019 14:42:14 -0400 Received: from e06smtp02.uk.ibm.com (e06smtp02.uk.ibm.com [195.75.94.98]) by mx0b-001b2d01.pphosted.com with ESMTP id 2r7v9h0gqy-1 (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=NOT) for ; Thu, 14 Mar 2019 14:42:14 -0400 Received: from localhost by e06smtp02.uk.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Thu, 14 Mar 2019 18:42:13 -0000 Received: from b06cxnps3074.portsmouth.uk.ibm.com (9.149.109.194) by e06smtp02.uk.ibm.com (192.168.101.132) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; (version=TLSv1/SSLv3 cipher=AES256-GCM-SHA384 bits=256/256) Thu, 14 Mar 2019 18:42:08 -0000 Received: from d06av24.portsmouth.uk.ibm.com (mk.ibm.com [9.149.105.60]) by b06cxnps3074.portsmouth.uk.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id x2EIg7Wr47317198 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL); Thu, 14 Mar 2019 18:42:08 GMT Received: from d06av24.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id DB28A4204B; Thu, 14 Mar 2019 18:42:07 +0000 (GMT) Received: from d06av24.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id A871642041; Thu, 14 Mar 2019 18:42:06 +0000 (GMT) Received: from localhost.ibm.com (unknown [9.80.108.186]) by d06av24.portsmouth.uk.ibm.com (Postfix) with ESMTP; Thu, 14 Mar 2019 18:42:06 +0000 (GMT) From: Mimi Zohar To: linux-integrity@vger.kernel.org Cc: linux-kselftest@vger.kernel.org, kexec@lists.infradead.org, linux-kernel@vger.kernel.org, Petr Vorel , Dave Young , Matthew Garrett , Mimi Zohar Subject: [PATCH v4 7/8] selftests/kexec: Add missing '=y' to config options Date: Thu, 14 Mar 2019 14:41:15 -0400 X-Mailer: git-send-email 2.7.5 In-Reply-To: <1552588876-28481-1-git-send-email-zohar@linux.ibm.com> References: <1552588876-28481-1-git-send-email-zohar@linux.ibm.com> X-TM-AS-GCONF: 00 x-cbid: 19031418-0008-0000-0000-000002CD62F7 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 19031418-0009-0000-0000-0000223966DF Message-Id: <1552588876-28481-8-git-send-email-zohar@linux.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:,, definitions=2019-03-14_08:,, signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 malwarescore=0 suspectscore=1 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1903140130 Sender: linux-integrity-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-integrity@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP From: Petr Vorel so the file can be used as kernel config snippet. Signed-off-by: Petr Vorel [zohar@linux.ibm.com: remove CONFIG_KEXEC_VERIFY_SIG from config] Signed-off-by: Mimi Zohar --- tools/testing/selftests/kexec/config | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/tools/testing/selftests/kexec/config b/tools/testing/selftests/kexec/config index 6bc86d4d9bb4..8962e862b2b8 100644 --- a/tools/testing/selftests/kexec/config +++ b/tools/testing/selftests/kexec/config @@ -1,4 +1,3 @@ -CONFIG_IMA_APPRAISE -CONFIG_IMA_ARCH_POLICY -CONFIG_SECURITYFS -CONFIG_KEXEC_VERIFY_SIG +CONFIG_IMA_APPRAISE=y +CONFIG_IMA_ARCH_POLICY=y +CONFIG_SECURITYFS=y From patchwork Thu Mar 14 18:41:16 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mimi Zohar X-Patchwork-Id: 10853411 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 922186C2 for ; Thu, 14 Mar 2019 18:42:35 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 86B9C2A6C4 for ; Thu, 14 Mar 2019 18:42:35 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 852092A6C7; Thu, 14 Mar 2019 18:42:35 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.9 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI, RCVD_IN_DNSWL_HI autolearn=unavailable version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 3A7E92A6C3 for ; Thu, 14 Mar 2019 18:42:35 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727402AbfCNSmd (ORCPT ); Thu, 14 Mar 2019 14:42:33 -0400 Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]:33518 "EHLO mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727950AbfCNSmT (ORCPT ); Thu, 14 Mar 2019 14:42:19 -0400 Received: from pps.filterd (m0098410.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.27/8.16.0.27) with SMTP id x2EIexsJ120887 for ; Thu, 14 Mar 2019 14:42:18 -0400 Received: from e06smtp05.uk.ibm.com (e06smtp05.uk.ibm.com [195.75.94.101]) by mx0a-001b2d01.pphosted.com with ESMTP id 2r7snp0mrb-1 (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=NOT) for ; Thu, 14 Mar 2019 14:42:17 -0400 Received: from localhost by e06smtp05.uk.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Thu, 14 Mar 2019 18:42:15 -0000 Received: from b06cxnps3075.portsmouth.uk.ibm.com (9.149.109.195) by e06smtp05.uk.ibm.com (192.168.101.135) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; (version=TLSv1/SSLv3 cipher=AES256-GCM-SHA384 bits=256/256) Thu, 14 Mar 2019 18:42:11 -0000 Received: from d06av24.portsmouth.uk.ibm.com (mk.ibm.com [9.149.105.60]) by b06cxnps3075.portsmouth.uk.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id x2EIgA7L62849064 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL); Thu, 14 Mar 2019 18:42:10 GMT Received: from d06av24.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 22D0942042; Thu, 14 Mar 2019 18:42:10 +0000 (GMT) Received: from d06av24.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 239864203F; Thu, 14 Mar 2019 18:42:09 +0000 (GMT) Received: from localhost.ibm.com (unknown [9.80.108.186]) by d06av24.portsmouth.uk.ibm.com (Postfix) with ESMTP; Thu, 14 Mar 2019 18:42:08 +0000 (GMT) From: Mimi Zohar To: linux-integrity@vger.kernel.org Cc: linux-kselftest@vger.kernel.org, kexec@lists.infradead.org, linux-kernel@vger.kernel.org, Petr Vorel , Dave Young , Matthew Garrett , Mimi Zohar Subject: [PATCH v4 8/8] selftests/kexec: check kexec_load and kexec_file_load are enabled Date: Thu, 14 Mar 2019 14:41:16 -0400 X-Mailer: git-send-email 2.7.5 In-Reply-To: <1552588876-28481-1-git-send-email-zohar@linux.ibm.com> References: <1552588876-28481-1-git-send-email-zohar@linux.ibm.com> X-TM-AS-GCONF: 00 x-cbid: 19031418-0020-0000-0000-000003236307 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 19031418-0021-0000-0000-0000217568F9 Message-Id: <1552588876-28481-9-git-send-email-zohar@linux.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:,, definitions=2019-03-14_08:,, signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 malwarescore=0 suspectscore=1 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1903140130 Sender: linux-integrity-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-integrity@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP Skip the kexec_load and kexec_file_load tests, if they aren't configured in the kernel. This change adds a new requirement that ikconfig is configured in the kexec_load test. Suggested-by: Dave Young Signed-off-by: Mimi Zohar --- tools/testing/selftests/kexec/test_kexec_file_load.sh | 5 +++++ tools/testing/selftests/kexec/test_kexec_load.sh | 8 ++++++++ 2 files changed, 13 insertions(+) diff --git a/tools/testing/selftests/kexec/test_kexec_file_load.sh b/tools/testing/selftests/kexec/test_kexec_file_load.sh index 6cf6a99f6a64..1d2e5e799523 100755 --- a/tools/testing/selftests/kexec/test_kexec_file_load.sh +++ b/tools/testing/selftests/kexec/test_kexec_file_load.sh @@ -151,6 +151,11 @@ require_root_privileges # get the kernel config get_kconfig +kconfig_enabled "CONFIG_KEXEC_FILE=y" "kexec_file_load is enabled" +if [ $? -eq 0 ]; then + log_skip "kexec_file_load is not enabled" +fi + # Determine which kernel config options are enabled kconfig_enabled "CONFIG_IMA_ARCH_POLICY=y" \ "architecture specific policy enabled" diff --git a/tools/testing/selftests/kexec/test_kexec_load.sh b/tools/testing/selftests/kexec/test_kexec_load.sh index afd440ee23cb..2a66c8897f55 100755 --- a/tools/testing/selftests/kexec/test_kexec_load.sh +++ b/tools/testing/selftests/kexec/test_kexec_load.sh @@ -10,6 +10,14 @@ TEST="$0" # kexec requires root privileges require_root_privileges +# get the kernel config +get_kconfig + +kconfig_enabled "CONFIG_KEXEC=y" "kexec_load is enabled" +if [ $? -eq 0 ]; then + log_skip "kexec_load is not enabled" +fi + get_secureboot_mode secureboot=$?