[PATCH v3 0/7] selftests/ima: add kexec and kernel module tests

[PATCH v3 0/7] selftests/ima: add kexec and kernel module tests

[Mimi Zohar]

The kernel can be configured to require kexec kernel images and kernel
modules are signed.  An IMA policy can be specified on the boot command
line or a custom IMA policy loaded requiring the kexec kernel image and
kernel modules be signed.  In addition, systems booted in secure boot
mode with the IMA architecture specific policy enabled, require validly
signed kexec kernel images and kernel modules.

In addition to two methods of signing kernel images and two methods of
signing kernel modules, there are two syscalls for each.

kernel image:  PE signature, IMA signature
kexec syscalls: kexec_load, kexec_file_load

Both the PE and IMA kernel image signature can only be verified when
loaded via the kexec_file_load syscall.

kernel moodule: appended signature, IMA signature
kernel module syscalls: init_module, finit_module

The appended kernel module signature can be verified when the kernel
module is loaded via either syscall.  The IMA kernel module signature
can only be verified when the kernel module is loaded via the
finit_module syscall.

The selftests in this patch set verify that only signed kernel images
and kernel modules are loaded as required, based on the kernel config,
the secure boot mode, and the IMA runtime policy.

Loading a kernel image or kernel module requires root privileges.  To
run just the IMA selftests: sudo make TARGETS=ima kselftest

Changelog:
- Updated tests based on Petr's review, including the defining a common
  test to check for root privileges.
- Modified config, removing the CONFIG_KEXEC_VERIFY_SIG requirement.
- Updated the SPDX license to GPL-2.0 based on Shuah's review.
- Updated the secureboot mode test to check the SetupMode as well, based
  on David Young's review.


Mimi Zohar (6):
  selftests/ima: cleanup the kexec selftest
  selftests/ima: define a set of common functions
  selftests/ima: define common logging functions
  kselftest/ima: define "require_root_privileges"
  selftests/ima: kexec_file_load syscall test
  selftests/ima: loading kernel modules

Petr Vorel (1):
  selftests/ima: Add missing '=y' to config options

 tools/testing/selftests/ima/Makefile               |   3 +-
 tools/testing/selftests/ima/config                 |   7 +-
 tools/testing/selftests/ima/ima_common_lib.sh      | 173 +++++++++++++++++++
 tools/testing/selftests/ima/test_kernel_module.sh  |  93 ++++++++++
 .../testing/selftests/ima/test_kexec_file_load.sh  | 190 +++++++++++++++++++++
 tools/testing/selftests/ima/test_kexec_load.sh     |  53 ++----
 6 files changed, 476 insertions(+), 43 deletions(-)
 create mode 100755 tools/testing/selftests/ima/ima_common_lib.sh
 create mode 100755 tools/testing/selftests/ima/test_kernel_module.sh
 create mode 100755 tools/testing/selftests/ima/test_kexec_file_load.sh

-- 
2.7.5

[PATCH v3 1/7] selftests/ima: cleanup the kexec selftest

[Mimi Zohar]

Remove the few bashisms and use the complete option name for clarity.

Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Reviewed-by: Petr Vorel <pvorel@suse.cz>
---
 tools/testing/selftests/ima/test_kexec_load.sh | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/tools/testing/selftests/ima/test_kexec_load.sh b/tools/testing/selftests/ima/test_kexec_load.sh
index 1c10093fb526..36f3089ac225 100755
--- a/tools/testing/selftests/ima/test_kexec_load.sh
+++ b/tools/testing/selftests/ima/test_kexec_load.sh
@@ -1,7 +1,7 @@
 #!/bin/sh
-# SPDX-License-Identifier: GPL-2.0+
+# SPDX-License-Identifier: GPL-2.0
 # Loading a kernel image via the kexec_load syscall should fail
-# when the kerne is CONFIG_KEXEC_VERIFY_SIG enabled and the system
+# when the kernel is CONFIG_KEXEC_VERIFY_SIG enabled and the system
 # is booted in secureboot mode.
 
 TEST="$0"
@@ -12,8 +12,8 @@ rc=0
 ksft_skip=4
 
 # kexec requires root privileges
-if [ $UID != 0 ]; then
-	echo "$TEST: must be run as root" >&2
+if [ $(id -ru) -ne 0 ]; then
+	echo "$TEST: requires root privileges" >&2
 	exit $ksft_skip
 fi
 
@@ -33,17 +33,17 @@ secureboot=`hexdump $file | awk '{print substr($4,length($4),1)}'`
 
 # kexec_load should fail in secure boot mode
 KERNEL_IMAGE="/boot/vmlinuz-`uname -r`"
-kexec -l $KERNEL_IMAGE &>> /dev/null
-if [ $? == 0 ]; then
-	kexec -u
-	if [ "$secureboot" == "1" ]; then
+kexec --load $KERNEL_IMAGE 2>&1 > /dev/null
+if [ $? -eq 0 ]; then
+	kexec --unload
+	if [ $secureboot -eq 1 ]; then
 		echo "$TEST: kexec_load succeeded [FAIL]"
 		rc=1
 	else
 		echo "$TEST: kexec_load succeeded [PASS]"
 	fi
 else
-	if [ "$secureboot" == "1" ]; then
+	if [ $secureboot -eq 1 ]; then
 		echo "$TEST: kexec_load failed [PASS]"
 	else
 		echo "$TEST: kexec_load failed [FAIL]"
-- 
2.7.5

[PATCH v3 2/7] selftests/ima: define a set of common functions

[Mimi Zohar]

Define, update and move get_secureboot_mode() to a common file for use
by other tests.

Updated to check both the efivar SecureBoot-$(UUID) and
SetupMode-$(UUID), based on Dave Young's review.

Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Reviewed-by: Petr Vorel <pvorel@suse.cz>
Cc: Dave Young <dyoung@redhat.com>
---
 tools/testing/selftests/ima/Makefile           |  1 +
 tools/testing/selftests/ima/ima_common_lib.sh  | 36 ++++++++++++++++++++++++++
 tools/testing/selftests/ima/test_kexec_load.sh | 17 +++---------
 3 files changed, 40 insertions(+), 14 deletions(-)
 create mode 100755 tools/testing/selftests/ima/ima_common_lib.sh

diff --git a/tools/testing/selftests/ima/Makefile b/tools/testing/selftests/ima/Makefile
index 0b3adf5444b6..04501516831b 100644
--- a/tools/testing/selftests/ima/Makefile
+++ b/tools/testing/selftests/ima/Makefile
@@ -5,6 +5,7 @@ ARCH ?= $(shell echo $(uname_M) | sed -e s/i.86/x86/ -e s/x86_64/x86/)
 
 ifeq ($(ARCH),x86)
 TEST_PROGS := test_kexec_load.sh
+TEST_FILES := ima_common_lib.sh
 
 include ../lib.mk
 
diff --git a/tools/testing/selftests/ima/ima_common_lib.sh b/tools/testing/selftests/ima/ima_common_lib.sh
new file mode 100755
index 000000000000..403666247b10
--- /dev/null
+++ b/tools/testing/selftests/ima/ima_common_lib.sh
@@ -0,0 +1,36 @@
+#!/bin/sh
+# SPDX-License-Identifier: GPL-2.0
+
+# Check efivar SecureBoot-$(the UUID) and SetupMode-$(the UUID).
+# The secure boot mode can be accessed either as the last integer
+# of "od -An -t u1 /sys/firmware/efi/efivars/SecureBoot-*" or from
+# "od -An -t u1 /sys/firmware/efi/vars/SecureBoot-*/data".  The efi
+# SetupMode can be similarly accessed.
+# Return 1 for SecureBoot mode enabled and SetupMode mode disabled.
+get_secureboot_mode()
+{
+	local efivarfs="/sys/firmware/efi/efivars"
+	local secure_boot_file=$efivarfs/../vars/SecureBoot-*/data
+	local setup_mode_file=$efivarfs/../vars/SetupMode-*/data
+	local secureboot_mode=0
+	local setup_mode=0
+
+	# Make sure that efivars is mounted in the normal location
+	if ! grep -q "^\S\+ $efivarfs efivarfs" /proc/mounts; then
+		log_skip "efivars is not mounted on $efivarfs"
+	fi
+
+	if [ ! -e $secure_boot_file ] || [ ! -e $setup_mode_file ]; then
+		log_skip "unknown secureboot/setup mode"
+	fi
+
+	secureboot_mode=`od -An -t u1 $secure_boot_file`
+	setup_mode=`od -An -t u1 $setup_mode_file`
+
+	if [ $secureboot_mode -eq 1 ] && [ $setup_mode -eq 0 ]; then
+		log_info "ima: secure boot mode enabled"
+		return 1;
+	fi
+	log_info "secure boot mode not enabled"
+	return 0;
+}
diff --git a/tools/testing/selftests/ima/test_kexec_load.sh b/tools/testing/selftests/ima/test_kexec_load.sh
index 36f3089ac225..e84139c1506b 100755
--- a/tools/testing/selftests/ima/test_kexec_load.sh
+++ b/tools/testing/selftests/ima/test_kexec_load.sh
@@ -5,7 +5,7 @@
 # is booted in secureboot mode.
 
 TEST="$0"
-EFIVARFS="/sys/firmware/efi/efivars"
+. ./ima_common_lib.sh
 rc=0
 
 # Kselftest framework requirement - SKIP code is 4.
@@ -17,19 +17,8 @@ if [ $(id -ru) -ne 0 ]; then
 	exit $ksft_skip
 fi
 
-# Make sure that efivars is mounted in the normal location
-if ! grep -q "^\S\+ $EFIVARFS efivarfs" /proc/mounts; then
-	echo "$TEST: efivars is not mounted on $EFIVARFS" >&2
-	exit $ksft_skip
-fi
-
-# Get secureboot mode
-file="$EFIVARFS/SecureBoot-*"
-if [ ! -e $file ]; then
-	echo "$TEST: unknown secureboot mode" >&2
-	exit $ksft_skip
-fi
-secureboot=`hexdump $file | awk '{print substr($4,length($4),1)}'`
+get_secureboot_mode
+secureboot=$?
 
 # kexec_load should fail in secure boot mode
 KERNEL_IMAGE="/boot/vmlinuz-`uname -r`"
-- 
2.7.5

[PATCH v3 3/7] selftests/ima: define common logging functions

[Mimi Zohar]

Define log_info, log_pass, log_fail, and log_skip functions.

Suggested-by: Petr Vorel <pvorel@suse.cz>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Reviewed-by: Petr Vorel <pvorel@suse.cz>
---
 tools/testing/selftests/ima/ima_common_lib.sh  | 31 ++++++++++++++++++++++++++
 tools/testing/selftests/ima/test_kexec_load.sh | 19 +++++-----------
 2 files changed, 36 insertions(+), 14 deletions(-)

diff --git a/tools/testing/selftests/ima/ima_common_lib.sh b/tools/testing/selftests/ima/ima_common_lib.sh
index 403666247b10..59482914ac19 100755
--- a/tools/testing/selftests/ima/ima_common_lib.sh
+++ b/tools/testing/selftests/ima/ima_common_lib.sh
@@ -1,5 +1,36 @@
 #!/bin/sh
 # SPDX-License-Identifier: GPL-2.0
+#
+# Kselftest framework defines: ksft_pass=0, ksft_fail=1, ksft_skip=4
+
+VERBOSE="${VERBOSE:-1}"
+
+log_info()
+{
+	[ $VERBOSE -ne 0 ] && echo "[INFO] $1"
+}
+
+# The ksefltest framework requirement returns 0 for PASS.
+log_pass()
+{
+
+	[ $VERBOSE -ne 0 ] && echo "$1 [PASS]"
+	exit 0
+}
+
+# The ksefltest framework requirement returns 1 for FAIL.
+log_fail()
+{
+	[ $VERBOSE -ne 0 ] && echo "$1 [FAIL]"
+	exit 1
+}
+
+# The ksefltest framework requirement returns 4 for SKIP.
+log_skip()
+{
+	[ $VERBOSE -ne 0 ] && echo "$1"
+	exit 4
+}
 
 # Check efivar SecureBoot-$(the UUID) and SetupMode-$(the UUID).
 # The secure boot mode can be accessed either as the last integer
diff --git a/tools/testing/selftests/ima/test_kexec_load.sh b/tools/testing/selftests/ima/test_kexec_load.sh
index e84139c1506b..99ab87b6c681 100755
--- a/tools/testing/selftests/ima/test_kexec_load.sh
+++ b/tools/testing/selftests/ima/test_kexec_load.sh
@@ -6,15 +6,10 @@
 
 TEST="$0"
 . ./ima_common_lib.sh
-rc=0
-
-# Kselftest framework requirement - SKIP code is 4.
-ksft_skip=4
 
 # kexec requires root privileges
 if [ $(id -ru) -ne 0 ]; then
-	echo "$TEST: requires root privileges" >&2
-	exit $ksft_skip
+	log_skip "requires root privileges"
 fi
 
 get_secureboot_mode
@@ -26,18 +21,14 @@ kexec --load $KERNEL_IMAGE 2>&1 > /dev/null
 if [ $? -eq 0 ]; then
 	kexec --unload
 	if [ $secureboot -eq 1 ]; then
-		echo "$TEST: kexec_load succeeded [FAIL]"
-		rc=1
+		log_fail "kexec_load succeeded"
 	else
-		echo "$TEST: kexec_load succeeded [PASS]"
+		log_pass "kexec_load succeeded"
 	fi
 else
 	if [ $secureboot -eq 1 ]; then
-		echo "$TEST: kexec_load failed [PASS]"
+		log_pass "kexec_load failed"
 	else
-		echo "$TEST: kexec_load failed [FAIL]"
-		rc=1
+		log_fail "kexec_load failed"
 	fi
 fi
-
-exit $rc
-- 
2.7.5

[PATCH v3 4/7] kselftest/ima: define "require_root_privileges"

[Mimi Zohar]

Many tests require root privileges.  Define a common function.

Suggested-by: Petr Vorel <pvorel@suse.cz>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
---
 tools/testing/selftests/ima/ima_common_lib.sh  | 7 +++++++
 tools/testing/selftests/ima/test_kexec_load.sh | 4 +---
 2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/tools/testing/selftests/ima/ima_common_lib.sh b/tools/testing/selftests/ima/ima_common_lib.sh
index 59482914ac19..8ab7fcc0b221 100755
--- a/tools/testing/selftests/ima/ima_common_lib.sh
+++ b/tools/testing/selftests/ima/ima_common_lib.sh
@@ -65,3 +65,10 @@ get_secureboot_mode()
 	log_info "secure boot mode not enabled"
 	return 0;
 }
+
+require_root_privileges()
+{
+	if [ $(id -ru) -ne 0 ]; then
+		log_skip "requires root privileges"
+	fi
+}
diff --git a/tools/testing/selftests/ima/test_kexec_load.sh b/tools/testing/selftests/ima/test_kexec_load.sh
index 99ab87b6c681..b2ecd196b382 100755
--- a/tools/testing/selftests/ima/test_kexec_load.sh
+++ b/tools/testing/selftests/ima/test_kexec_load.sh
@@ -8,9 +8,7 @@ TEST="$0"
 . ./ima_common_lib.sh
 
 # kexec requires root privileges
-if [ $(id -ru) -ne 0 ]; then
-	log_skip "requires root privileges"
-fi
+require_root_privileges
 
 get_secureboot_mode
 secureboot=$?
-- 
2.7.5

[PATCH v3 5/7] selftests/ima: kexec_file_load syscall test

[Mimi Zohar]

The kernel can be configured to verify PE signed kernel images, IMA
kernel image signatures, both types of signatures, or none.  This test
verifies only properly signed kernel images are loaded into memory,
based on the kernel configuration and runtime policies.

Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Reviewed-by: Petr Vorel <pvorel@suse.cz>
---
 tools/testing/selftests/ima/Makefile               |   2 +-
 tools/testing/selftests/ima/ima_common_lib.sh      |  99 +++++++++++
 .../testing/selftests/ima/test_kexec_file_load.sh  | 190 +++++++++++++++++++++
 tools/testing/selftests/ima/test_kexec_load.sh     |   1 -
 4 files changed, 290 insertions(+), 2 deletions(-)
 create mode 100755 tools/testing/selftests/ima/test_kexec_file_load.sh

diff --git a/tools/testing/selftests/ima/Makefile b/tools/testing/selftests/ima/Makefile
index 04501516831b..00270de0b637 100644
--- a/tools/testing/selftests/ima/Makefile
+++ b/tools/testing/selftests/ima/Makefile
@@ -4,7 +4,7 @@ uname_M := $(shell uname -m 2>/dev/null || echo not)
 ARCH ?= $(shell echo $(uname_M) | sed -e s/i.86/x86/ -e s/x86_64/x86/)
 
 ifeq ($(ARCH),x86)
-TEST_PROGS := test_kexec_load.sh
+TEST_PROGS := test_kexec_load.sh test_kexec_file_load.sh
 TEST_FILES := ima_common_lib.sh
 
 include ../lib.mk
diff --git a/tools/testing/selftests/ima/ima_common_lib.sh b/tools/testing/selftests/ima/ima_common_lib.sh
index 8ab7fcc0b221..d5ed28f9170c 100755
--- a/tools/testing/selftests/ima/ima_common_lib.sh
+++ b/tools/testing/selftests/ima/ima_common_lib.sh
@@ -4,6 +4,9 @@
 # Kselftest framework defines: ksft_pass=0, ksft_fail=1, ksft_skip=4
 
 VERBOSE="${VERBOSE:-1}"
+IKCONFIG="/tmp/config-`uname -r`"
+KERNEL_IMAGE="/boot/vmlinuz-`uname -r`"
+SECURITYFS=$(grep "securityfs" /proc/mounts | awk '{print $2}')
 
 log_info()
 {
@@ -72,3 +75,99 @@ require_root_privileges()
 		log_skip "requires root privileges"
 	fi
 }
+
+# Look for config option in Kconfig file.
+# Return 1 for found and 0 for not found.
+kconfig_enabled()
+{
+	local config="$1"
+	local msg="$2"
+
+	grep -E -q $config $IKCONFIG
+	if [ $? -eq 0 ]; then
+		log_info "$msg"
+		return 1
+	fi
+	return 0
+}
+
+# Attempt to get the kernel config first via proc, and then by
+# extracting it from the kernel image or the configs.ko using
+# scripts/extract-ikconfig.
+# Return 1 for found.
+get_kconfig()
+{
+	local proc_config="/proc/config.gz"
+	local module_dir="/lib/modules/`uname -r`"
+	local configs_module="$module_dir/kernel/kernel/configs.ko"
+
+	if [ ! -f $proc_config ]; then
+		modprobe configs > /dev/null 2>&1
+	fi
+	if [ -f $proc_config ]; then
+		cat $proc_config | gunzip > $IKCONFIG 2>/dev/null
+		if [ $? -eq 0 ]; then
+			return 1
+		fi
+	fi
+
+	local extract_ikconfig="$module_dir/source/scripts/extract-ikconfig"
+	if [ ! -f $extract_ikconfig ]; then
+		log_skip "extract-ikconfig not found"
+	fi
+
+	$extract_ikconfig $KERNEL_IMAGE > $IKCONFIG 2>/dev/null
+	if [ $? -eq 1 ]; then
+		if [ ! -f $configs_module ]; then
+			log_skip "CONFIG_IKCONFIG not enabled"
+		fi
+		$extract_ikconfig $configs_module > $IKCONFIG
+		if [ $? -eq 1 ]; then
+			log_skip "CONFIG_IKCONFIG not enabled"
+		fi
+	fi
+	return 1
+}
+
+# Make sure that securityfs is mounted
+mount_securityfs()
+{
+	if [ -z $SECURITYFS ]; then
+		SECURITYFS=/sys/kernel/security
+		mount -t securityfs security $SECURITYFS
+	fi
+
+	if [ ! -d "$SECURITYFS" ]; then
+		log_fail "$SECURITYFS :securityfs is not mounted"
+	fi
+}
+
+# The policy rule format is an "action" followed by key-value pairs.  This
+# function supports up to two key-value pairs, in any order.
+# For example: action func=<keyword> [appraise_type=<type>]
+# Return 1 for found and 0 for not found.
+check_ima_policy()
+{
+	local action="$1"
+	local keypair1="$2"
+	local keypair2="$3"
+	local ret=0
+
+	mount_securityfs
+
+	local ima_policy=$SECURITYFS/ima/policy
+	if [ ! -e $ima_policy ]; then
+		log_fail "$ima_policy not found"
+	fi
+
+	if [ -n $keypair2 ]; then
+		grep -e "^$action.*$keypair1" "$ima_policy" | \
+			grep -q -e "$keypair2"
+	else
+		grep -q -e "^$action.*$keypair1" "$ima_policy"
+	fi
+
+	# invert "grep -q" result, returning 1 for found.
+	[ $? -eq 0 ] && ret=1
+	return $ret
+}
diff --git a/tools/testing/selftests/ima/test_kexec_file_load.sh b/tools/testing/selftests/ima/test_kexec_file_load.sh
new file mode 100755
index 000000000000..dbccfb109c68
--- /dev/null
+++ b/tools/testing/selftests/ima/test_kexec_file_load.sh
@@ -0,0 +1,190 @@
+#!/bin/sh
+# SPDX-License-Identifier: GPL-2.0
+#
+# Loading a kernel image via the kexec_file_load syscall can verify either
+# the IMA signature stored in the security.ima xattr or the PE signature,
+# both signatures depending on the IMA policy, or none.
+#
+# To determine whether the kernel image is signed, this test depends
+# on pesign and getfattr.  This test also requires the kernel to be
+# built with CONFIG_IKCONFIG enabled and either CONFIG_IKCONFIG_PROC
+# enabled or access to the extract-ikconfig script.
+
+TEST="KEXEC_FILE_LOAD"
+. ./ima_common_lib.sh
+
+trap "{ rm -f $IKCONFIG ; }" EXIT
+
+# Some of the IMA builtin policies may require the kexec kernel image to
+# be signed, but these policy rules may be replaced with a custom
+# policy.  Only CONFIG_IMA_APPRAISE_REQUIRE_KEXEC_SIGS persists after
+# loading a custom policy.  Check if it is enabled, before reading the
+# IMA runtime sysfs policy file.
+# Return 1 for IMA signature required and 0 for not required.
+is_ima_sig_required()
+{
+	local ret=0
+
+	kconfig_enabled "CONFIG_IMA_APPRAISE_REQUIRE_KEXEC_SIGS=y" \
+		"IMA kernel image signature required"
+	if [ $? -eq 1 ]; then
+		log_info "IMA signature required"
+		return 1
+	fi
+
+	# The architecture specific or a custom policy may require the
+	# kexec kernel image be signed.  Policy rules are walked
+	# sequentially.  As a result, a policy rule may be defined, but
+	# might not necessarily be used.  This test assumes if a policy
+	# rule is specified, that is the intent.
+	if [ $ima_read_policy -eq 1 ]; then
+		check_ima_policy "appraise" "func=KEXEC_KERNEL_CHECK" \
+			"appraise_type=imasig"
+		ret=$?
+		[ $ret -eq 1 ] && log_info "IMA signature required";
+	fi
+	return $ret
+}
+
+# The kexec_file_load_test() is complicated enough, require pesign.
+# Return 1 for PE signature found and 0 for not found.
+check_for_pesig()
+{
+	which pesign > /dev/null 2>&1 || log_skip "pesign not found"
+
+	pesign -i $KERNEL_IMAGE --show-signature | grep -q "No signatures"
+	local ret=$?
+	if [ $ret -eq 1 ]; then
+		log_info "kexec kernel image PE signed"
+	else
+		log_info "kexec kernel image not PE signed"
+	fi
+	return $ret
+}
+
+# The kexec_file_load_test() is complicated enough, require getfattr.
+# Return 1 for IMA signature found and 0 for not found.
+check_for_imasig()
+{
+	local ret=0
+
+	which getfattr > /dev/null 2>&1
+	if [ $?	-eq 1 ]; then
+		log_skip "getfattr not found"
+	fi
+
+	line=$(getfattr -n security.ima -e hex --absolute-names $KERNEL_IMAGE 2>&1)
+	echo $line | grep -q "security.ima=0x03"
+	if [ $? -eq 0 ]; then
+		ret=1
+		log_info "kexec kernel image IMA signed"
+	else
+		log_info "kexec kernel image not IMA signed"
+	fi
+	return $ret
+}
+
+kexec_file_load_test()
+{
+	local succeed_msg="kexec_file_load succeeded"
+	local failed_msg="kexec_file_load failed"
+	local key_msg="try enabling the CONFIG_INTEGRITY_PLATFORM_KEYRING"
+
+	line=$(kexec --load --kexec-file-syscall $KERNEL_IMAGE 2>&1)
+
+	if [ $? -eq 0 ]; then
+		kexec --unload --kexec-file-syscall
+
+		# In secureboot mode with an architecture  specific
+		# policy, make sure either an IMA or PE signature exists.
+		if [ $secureboot -eq 1 ] && [ $arch_policy -eq 1 ] && \
+			[ $ima_signed -eq 0 ] && [ $pe_signed -eq 0 ]; then
+			log_fail "$succeed_msg (missing sig)"
+		fi
+
+		if [ $pe_sig_required -eq 1 ] && [ $pe_signed -eq 0 ]; then
+			log_fail "$succeed_msg (missing PE sig)"
+		fi
+
+		if [ $ima_sig_required -eq 1 ] && [ $ima_signed -eq 0 ]; then
+			log_fail "$succeed_msg (missing IMA sig)"
+		fi
+
+		if [ $pe_sig_required -eq 0 ] && [ $ima_sig_required -eq 0 ] \
+		    && [ $ima_read_policy -eq 0 ] && [ $ima_signed -eq 0 ]; then
+			log_fail "$succeed_msg (possibly missing IMA sig)"
+		fi
+
+		log_pass "$succeed_msg"
+	fi
+
+	# Check the reason for the kexec_file_load failure
+	echo $line | grep -q "Required key not available"
+	if [ $? -eq 0 ]; then
+		if [ $platform_keyring -eq 0 ]; then
+			log_pass "$failed_msg (-ENOKEY), $key_msg"
+		else
+			log_pass "$failed_msg (-ENOKEY)"
+		fi
+	fi
+
+	if [ $pe_sig_required -eq 1 ] && [ $pe_signed -eq 0 ]; then
+		log_pass "$failed_msg (missing PE sig)"
+	fi
+
+	if [ $ima_sig_required -eq 1 ] && [ $ima_signed -eq 0 ]; then
+		log_pass "$failed_msg (missing IMA sig)"
+	fi
+
+	if [ $pe_sig_required -eq 0 ] && [ $ima_sig_required -eq 0 ] \
+	    && [ $ima_read_policy -eq 0 ] && [ $ima_signed -eq 0 ]; then
+		log_pass "$failed_msg (possibly missing IMA sig)"
+	fi
+
+	log_pass "$failed_msg"
+	return 0
+}
+
+# kexec requires root privileges
+require_root_privileges
+
+# get the kernel config
+get_kconfig
+
+# Determine which kernel config options are enabled
+kconfig_enabled "CONFIG_IMA_ARCH_POLICY=y" \
+	"architecture specific policy enabled"
+arch_policy=$?
+
+kconfig_enabled "CONFIG_INTEGRITY_PLATFORM_KEYRING=y" \
+	"platform keyring enabled"
+platform_keyring=$?
+
+kconfig_enabled "CONFIG_IMA_READ_POLICY=y" "reading IMA policy permitted"
+ima_read_policy=$?
+
+kconfig_enabled "CONFIG_KEXEC_BZIMAGE_VERIFY_SIG=y" \
+	"PE signed kernel image required"
+pe_sig_required=$?
+
+is_ima_sig_required
+ima_sig_required=$?
+
+get_secureboot_mode
+secureboot=$?
+
+if [ $secureboot -eq 0 ] && [ $arch_policy -eq 0 ] && \
+   [ $pe_sig_required -eq 0 ] && [ $ima_sig_required -eq 0 ] && \
+   [ $ima_read_policy -eq 1 ]; then
+	log_skip "No signature verification required"
+fi
+
+# Are there pe and ima signatures
+check_for_pesig
+pe_signed=$?
+
+check_for_imasig
+ima_signed=$?
+
+# Test loading the kernel image via kexec_file_load syscall
+kexec_file_load_test
diff --git a/tools/testing/selftests/ima/test_kexec_load.sh b/tools/testing/selftests/ima/test_kexec_load.sh
index b2ecd196b382..c6f7e0957c58 100755
--- a/tools/testing/selftests/ima/test_kexec_load.sh
+++ b/tools/testing/selftests/ima/test_kexec_load.sh
@@ -14,7 +14,6 @@ get_secureboot_mode
 secureboot=$?
 
 # kexec_load should fail in secure boot mode
-KERNEL_IMAGE="/boot/vmlinuz-`uname -r`"
 kexec --load $KERNEL_IMAGE 2>&1 > /dev/null
 if [ $? -eq 0 ]; then
 	kexec --unload
-- 
2.7.5

[PATCH v3 6/7] selftests/ima: loading kernel modules

[Mimi Zohar]

While the appended kernel module signature can be verified, when loading
a kernel module via either the init_module or the finit_module syscall,
verifying the IMA signature requires access to the file descriptor,
which is only available via the finit_module syscall.  As "modprobe"
does not provide a flag allowing the syscall - init_module or
finit_module - to be specified, this patch does not load a kernel
module.

This test simply verifies that on secure boot enabled systems with
"CONFIG_IMA_ARCH_POLICY" configured, that at least an appended kernel
module signature or an IMA signature is required based on the Kconfig
and the runtime IMA policy.

Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Reviewed-by: Petr Vorel <pvorel@suse.cz>
---
 tools/testing/selftests/ima/Makefile              |  2 +-
 tools/testing/selftests/ima/test_kernel_module.sh | 93 +++++++++++++++++++++++
 2 files changed, 94 insertions(+), 1 deletion(-)
 create mode 100755 tools/testing/selftests/ima/test_kernel_module.sh

diff --git a/tools/testing/selftests/ima/Makefile b/tools/testing/selftests/ima/Makefile
index 00270de0b637..e1c59c510e1b 100644
--- a/tools/testing/selftests/ima/Makefile
+++ b/tools/testing/selftests/ima/Makefile
@@ -4,7 +4,7 @@ uname_M := $(shell uname -m 2>/dev/null || echo not)
 ARCH ?= $(shell echo $(uname_M) | sed -e s/i.86/x86/ -e s/x86_64/x86/)
 
 ifeq ($(ARCH),x86)
-TEST_PROGS := test_kexec_load.sh test_kexec_file_load.sh
+TEST_PROGS := test_kexec_load.sh test_kexec_file_load.sh test_kernel_module.sh
 TEST_FILES := ima_common_lib.sh
 
 include ../lib.mk
diff --git a/tools/testing/selftests/ima/test_kernel_module.sh b/tools/testing/selftests/ima/test_kernel_module.sh
new file mode 100755
index 000000000000..319c601b9697
--- /dev/null
+++ b/tools/testing/selftests/ima/test_kernel_module.sh
@@ -0,0 +1,93 @@
+#!/bin/sh
+# SPDX-License-Identifier: GPL-2.0
+#
+# On secure boot enabled systems with "CONFIG_IMA_ARCH_POLICY" configured,
+# this test verifies that at least an appended kernel module signature or
+# an IMA signature is required.  It does not attempt to load a kernel module.
+
+TEST="KERNEL_MODULE"
+. ./ima_common_lib.sh
+
+trap "{ rm -f $IKCONFIG ; }" EXIT
+
+# Some of the IMA builtin policies may require the kernel modules to
+# be signed, but these policy rules may be replaced with a custom
+# policy.  Only CONFIG_IMA_APPRAISE_REQUIRE_MODULE_SIGS persists after
+# loading a custom policy.  Check if it is enabled, before reading the
+# IMA runtime sysfs policy file.
+# Return 1 for IMA signature required and 0 for not required.
+is_ima_sig_required()
+{
+	local ret=0
+
+	kconfig_enabled "CONFIG_IMA_APPRAISE_REQUIRE_MODULE_SIGS=y" \
+		"IMA kernel module signature required"
+	if [ $? -eq 1 ]; then
+		return 1
+	fi
+
+	# The architecture specific or a custom policy may require the
+	# kernel module to be signed.  Policy rules are walked sequentially.
+	# As a result, a policy rule may be defined, but might not necessarily
+	# be used.  This test assumes if a policy rule is specified, that is
+	# the intent.
+	if [ $ima_read_policy -eq 1 ]; then
+		check_ima_policy "appraise" "func=MODULE_CHECK" \
+			"appraise_type=imasig"
+		ret=$?
+		[ $ret -eq 1 ] && log_info "IMA signature required";
+	fi
+	return $ret
+}
+
+# loading kernel modules requires root privileges
+require_root_privileges
+
+# Are appended signatures required?
+if [ -e /sys/module/module/parameters/sig_enforce ]; then
+	sig_enforce=$(cat /sys/module/module/parameters/sig_enforce)
+	if [ $sig_enforce = "Y" ]; then
+		log_pass "appended kernel module signature required"
+	fi
+fi
+
+get_secureboot_mode
+if [ $? -eq 0 ]; then
+	log_skip "secure boot not enabled"
+fi
+
+# get the kernel config
+get_kconfig
+
+# Determine which kernel config options are enabled
+kconfig_enabled "CONFIG_IMA_ARCH_POLICY=y" \
+	"architecture specific policy enabled"
+arch_policy=$?
+
+kconfig_enabled "CONFIG_MODULE_SIG=y" \
+	"appended kernel modules signature enabled"
+appended_sig_enabled=$?
+
+kconfig_enabled "CONFIG_IMA_READ_POLICY=y" "reading IMA policy permitted"
+ima_read_policy=$?
+
+is_ima_sig_required
+ima_sig_required=$?
+
+if [ $arch_policy -eq 0 ]; then
+	log_skip "architecture specific policy not enabled"
+fi
+
+if [ $appended_sig_enabled -eq 1 ]; then
+	log_fail "appended kernel module signature enabled, but not required"
+fi
+
+if [ $ima_sig_required -eq 1 ]; then
+	log_pass "IMA kernel module signature required"
+fi
+
+if [ $ima_read_policy -eq 1 ]; then
+	log_fail "IMA kernel module signature not required"
+else
+	log_skip "reading IMA policy not permitted"
+fi
-- 
2.7.5

[PATCH v3 7/7] selftests/ima: Add missing '=y' to config options

[Mimi Zohar]

From: Petr Vorel <pvorel@suse.cz>

so the file can be used as kernel config snippet.

Signed-off-by: Petr Vorel <pvorel@suse.cz>
[zohar@linux.ibm.com: remove CONFIG_KEXEC_VERIFY_SIG from config]
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
---
 tools/testing/selftests/ima/config | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/tools/testing/selftests/ima/config b/tools/testing/selftests/ima/config
index 6bc86d4d9bb4..8962e862b2b8 100644
--- a/tools/testing/selftests/ima/config
+++ b/tools/testing/selftests/ima/config
@@ -1,4 +1,3 @@
-CONFIG_IMA_APPRAISE
-CONFIG_IMA_ARCH_POLICY
-CONFIG_SECURITYFS
-CONFIG_KEXEC_VERIFY_SIG
+CONFIG_IMA_APPRAISE=y
+CONFIG_IMA_ARCH_POLICY=y
+CONFIG_SECURITYFS=y
-- 
2.7.5

Re: [PATCH v3 2/7] selftests/ima: define a set of common functions

[Petr Vorel]

Hi Mimi,

> Define, update and move get_secureboot_mode() to a common file for use
> by other tests.

> Updated to check both the efivar SecureBoot-$(UUID) and
> SetupMode-$(UUID), based on Dave Young's review.

> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
> Reviewed-by: Petr Vorel <pvorel@suse.cz>
> Cc: Dave Young <dyoung@redhat.com>

Minor comment below.

...
> +++ b/tools/testing/selftests/ima/ima_common_lib.sh
> @@ -0,0 +1,36 @@
> +#!/bin/sh
> +# SPDX-License-Identifier: GPL-2.0
> +
> +# Check efivar SecureBoot-$(the UUID) and SetupMode-$(the UUID).
> +# The secure boot mode can be accessed either as the last integer
> +# of "od -An -t u1 /sys/firmware/efi/efivars/SecureBoot-*" or from
> +# "od -An -t u1 /sys/firmware/efi/vars/SecureBoot-*/data".  The efi
> +# SetupMode can be similarly accessed.
> +# Return 1 for SecureBoot mode enabled and SetupMode mode disabled.
> +get_secureboot_mode()
> +{
> +	local efivarfs="/sys/firmware/efi/efivars"
> +	local secure_boot_file=$efivarfs/../vars/SecureBoot-*/data
> +	local setup_mode_file=$efivarfs/../vars/SetupMode-*/data
Sorry for nitpicking, but also quote variables these two variables
containing string:
	local secure_boot_file="$efivarfs/../vars/SecureBoot-*/data"
	local setup_mode_file="$efivarfs/../vars/SetupMode-*/data"

> +	local secureboot_mode=0
> +	local setup_mode=0
> +
> +	# Make sure that efivars is mounted in the normal location
> +	if ! grep -q "^\S\+ $efivarfs efivarfs" /proc/mounts; then
> +		log_skip "efivars is not mounted on $efivarfs"
> +	fi
> +
> +	if [ ! -e $secure_boot_file ] || [ ! -e $setup_mode_file ]; then
I prefer to quote every variable in [ ] (at least for -f -e -z -n,
to prevent shell behavior on empty (I know it's not necessary here):

f=; [ -e $f ]; echo $?
0
vs.
f=; [ -e "$f" ]; echo $?
1


Kind regards,
Petr

Re: [PATCH v3 0/7] selftests/ima: add kexec and kernel module tests

[Petr Vorel]

Hi Mimi,

> Mimi Zohar (6):
>   selftests/ima: cleanup the kexec selftest
>   selftests/ima: define a set of common functions
>   selftests/ima: define common logging functions
>   kselftest/ima: define "require_root_privileges"
>   selftests/ima: kexec_file_load syscall test
>   selftests/ima: loading kernel modules
Whole patchset LGTM.
Reviewed-by: Petr Vorel <pvorel@suse.cz>

> Petr Vorel (1):
>   selftests/ima: Add missing '=y' to config options

>  tools/testing/selftests/ima/Makefile               |   3 +-
>  tools/testing/selftests/ima/config                 |   7 +-
>  tools/testing/selftests/ima/ima_common_lib.sh      | 173 +++++++++++++++++++
>  tools/testing/selftests/ima/test_kernel_module.sh  |  93 ++++++++++
>  .../testing/selftests/ima/test_kexec_file_load.sh  | 190 +++++++++++++++++++++
>  tools/testing/selftests/ima/test_kexec_load.sh     |  53 ++----
>  6 files changed, 476 insertions(+), 43 deletions(-)
>  create mode 100755 tools/testing/selftests/ima/ima_common_lib.sh
>  create mode 100755 tools/testing/selftests/ima/test_kernel_module.sh
>  create mode 100755 tools/testing/selftests/ima/test_kexec_file_load.sh


Kind regards,
Petr

Re: [PATCH v3 5/7] selftests/ima: kexec_file_load syscall test

[Dave Young]

Hi Mimi,
On 03/11/19 at 07:41am, Mimi Zohar wrote:
> The kernel can be configured to verify PE signed kernel images, IMA
> kernel image signatures, both types of signatures, or none.  This test
> verifies only properly signed kernel images are loaded into memory,
> based on the kernel configuration and runtime policies.

I understand this is for IMA testing only, but I still wonder if this
can be expanded to common kexec tests, like
tools/testing/selftests/kexec/kexec_load.sh
tools/testing/selftests/kexec/kexec_file_load.sh

Is it possible for ima/test_kexec_load.sh to call the
../kexec/kexec_load.sh, probably add extra argument eg "ima"?

Frankly I did not read and followup much about the testing code changes,
not sure if it is doable or not.  The code sharing under testing folder
seems not very good.  For example the basic check_root is needed by
different parts, but all have its own implementation.  Anyway this is
not the duty of this patch set.
Also the selftests/lib/ is not a folder for sharing code for different
tests, it looks a standalone test instead.

So if split kexec tests to another folder is not doable please just
ignore the comment.

BTW, does CONFIG_KEXEC* is checked?  in case a kernel without KEXEC or
KEXEC_FILE compiled in then the tests can just return directly.

> 
> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
> Reviewed-by: Petr Vorel <pvorel@suse.cz>
> ---
>  tools/testing/selftests/ima/Makefile               |   2 +-
>  tools/testing/selftests/ima/ima_common_lib.sh      |  99 +++++++++++
>  .../testing/selftests/ima/test_kexec_file_load.sh  | 190 +++++++++++++++++++++
>  tools/testing/selftests/ima/test_kexec_load.sh     |   1 -
>  4 files changed, 290 insertions(+), 2 deletions(-)
>  create mode 100755 tools/testing/selftests/ima/test_kexec_file_load.sh
> 
> diff --git a/tools/testing/selftests/ima/Makefile b/tools/testing/selftests/ima/Makefile
> index 04501516831b..00270de0b637 100644
> --- a/tools/testing/selftests/ima/Makefile
> +++ b/tools/testing/selftests/ima/Makefile
> @@ -4,7 +4,7 @@ uname_M := $(shell uname -m 2>/dev/null || echo not)
>  ARCH ?= $(shell echo $(uname_M) | sed -e s/i.86/x86/ -e s/x86_64/x86/)
>  
>  ifeq ($(ARCH),x86)
> -TEST_PROGS := test_kexec_load.sh
> +TEST_PROGS := test_kexec_load.sh test_kexec_file_load.sh
>  TEST_FILES := ima_common_lib.sh
>  
>  include ../lib.mk
> diff --git a/tools/testing/selftests/ima/ima_common_lib.sh b/tools/testing/selftests/ima/ima_common_lib.sh
> index 8ab7fcc0b221..d5ed28f9170c 100755
> --- a/tools/testing/selftests/ima/ima_common_lib.sh
> +++ b/tools/testing/selftests/ima/ima_common_lib.sh
> @@ -4,6 +4,9 @@
>  # Kselftest framework defines: ksft_pass=0, ksft_fail=1, ksft_skip=4
>  
>  VERBOSE="${VERBOSE:-1}"
> +IKCONFIG="/tmp/config-`uname -r`"
> +KERNEL_IMAGE="/boot/vmlinuz-`uname -r`"
> +SECURITYFS=$(grep "securityfs" /proc/mounts | awk '{print $2}')
>  
>  log_info()
>  {
> @@ -72,3 +75,99 @@ require_root_privileges()
>  		log_skip "requires root privileges"
>  	fi
>  }
> +
> +# Look for config option in Kconfig file.
> +# Return 1 for found and 0 for not found.
> +kconfig_enabled()
> +{
> +	local config="$1"
> +	local msg="$2"
> +
> +	grep -E -q $config $IKCONFIG
> +	if [ $? -eq 0 ]; then
> +		log_info "$msg"
> +		return 1
> +	fi
> +	return 0
> +}
> +
> +# Attempt to get the kernel config first via proc, and then by
> +# extracting it from the kernel image or the configs.ko using
> +# scripts/extract-ikconfig.
> +# Return 1 for found.
> +get_kconfig()
> +{
> +	local proc_config="/proc/config.gz"
> +	local module_dir="/lib/modules/`uname -r`"
> +	local configs_module="$module_dir/kernel/kernel/configs.ko"
> +
> +	if [ ! -f $proc_config ]; then
> +		modprobe configs > /dev/null 2>&1
> +	fi
> +	if [ -f $proc_config ]; then
> +		cat $proc_config | gunzip > $IKCONFIG 2>/dev/null
> +		if [ $? -eq 0 ]; then
> +			return 1
> +		fi
> +	fi
> +
> +	local extract_ikconfig="$module_dir/source/scripts/extract-ikconfig"
> +	if [ ! -f $extract_ikconfig ]; then
> +		log_skip "extract-ikconfig not found"
> +	fi
> +
> +	$extract_ikconfig $KERNEL_IMAGE > $IKCONFIG 2>/dev/null
> +	if [ $? -eq 1 ]; then
> +		if [ ! -f $configs_module ]; then
> +			log_skip "CONFIG_IKCONFIG not enabled"
> +		fi
> +		$extract_ikconfig $configs_module > $IKCONFIG
> +		if [ $? -eq 1 ]; then
> +			log_skip "CONFIG_IKCONFIG not enabled"
> +		fi
> +	fi
> +	return 1
> +}
> +
> +# Make sure that securityfs is mounted
> +mount_securityfs()
> +{
> +	if [ -z $SECURITYFS ]; then
> +		SECURITYFS=/sys/kernel/security
> +		mount -t securityfs security $SECURITYFS
> +	fi
> +
> +	if [ ! -d "$SECURITYFS" ]; then
> +		log_fail "$SECURITYFS :securityfs is not mounted"
> +	fi
> +}
> +
> +# The policy rule format is an "action" followed by key-value pairs.  This
> +# function supports up to two key-value pairs, in any order.
> +# For example: action func=<keyword> [appraise_type=<type>]
> +# Return 1 for found and 0 for not found.
> +check_ima_policy()
> +{
> +	local action="$1"
> +	local keypair1="$2"
> +	local keypair2="$3"
> +	local ret=0
> +
> +	mount_securityfs
> +
> +	local ima_policy=$SECURITYFS/ima/policy
> +	if [ ! -e $ima_policy ]; then
> +		log_fail "$ima_policy not found"
> +	fi
> +
> +	if [ -n $keypair2 ]; then
> +		grep -e "^$action.*$keypair1" "$ima_policy" | \
> +			grep -q -e "$keypair2"
> +	else
> +		grep -q -e "^$action.*$keypair1" "$ima_policy"
> +	fi
> +
> +	# invert "grep -q" result, returning 1 for found.
> +	[ $? -eq 0 ] && ret=1
> +	return $ret
> +}
> diff --git a/tools/testing/selftests/ima/test_kexec_file_load.sh b/tools/testing/selftests/ima/test_kexec_file_load.sh
> new file mode 100755
> index 000000000000..dbccfb109c68
> --- /dev/null
> +++ b/tools/testing/selftests/ima/test_kexec_file_load.sh
> @@ -0,0 +1,190 @@
> +#!/bin/sh
> +# SPDX-License-Identifier: GPL-2.0
> +#
> +# Loading a kernel image via the kexec_file_load syscall can verify either
> +# the IMA signature stored in the security.ima xattr or the PE signature,
> +# both signatures depending on the IMA policy, or none.
> +#
> +# To determine whether the kernel image is signed, this test depends
> +# on pesign and getfattr.  This test also requires the kernel to be
> +# built with CONFIG_IKCONFIG enabled and either CONFIG_IKCONFIG_PROC
> +# enabled or access to the extract-ikconfig script.
> +
> +TEST="KEXEC_FILE_LOAD"
> +. ./ima_common_lib.sh
> +
> +trap "{ rm -f $IKCONFIG ; }" EXIT
> +
> +# Some of the IMA builtin policies may require the kexec kernel image to
> +# be signed, but these policy rules may be replaced with a custom
> +# policy.  Only CONFIG_IMA_APPRAISE_REQUIRE_KEXEC_SIGS persists after
> +# loading a custom policy.  Check if it is enabled, before reading the
> +# IMA runtime sysfs policy file.
> +# Return 1 for IMA signature required and 0 for not required.
> +is_ima_sig_required()
> +{
> +	local ret=0
> +
> +	kconfig_enabled "CONFIG_IMA_APPRAISE_REQUIRE_KEXEC_SIGS=y" \
> +		"IMA kernel image signature required"
> +	if [ $? -eq 1 ]; then
> +		log_info "IMA signature required"
> +		return 1
> +	fi
> +
> +	# The architecture specific or a custom policy may require the
> +	# kexec kernel image be signed.  Policy rules are walked
> +	# sequentially.  As a result, a policy rule may be defined, but
> +	# might not necessarily be used.  This test assumes if a policy
> +	# rule is specified, that is the intent.
> +	if [ $ima_read_policy -eq 1 ]; then
> +		check_ima_policy "appraise" "func=KEXEC_KERNEL_CHECK" \
> +			"appraise_type=imasig"
> +		ret=$?
> +		[ $ret -eq 1 ] && log_info "IMA signature required";
> +	fi
> +	return $ret
> +}
> +
> +# The kexec_file_load_test() is complicated enough, require pesign.
> +# Return 1 for PE signature found and 0 for not found.
> +check_for_pesig()
> +{
> +	which pesign > /dev/null 2>&1 || log_skip "pesign not found"
> +
> +	pesign -i $KERNEL_IMAGE --show-signature | grep -q "No signatures"
> +	local ret=$?
> +	if [ $ret -eq 1 ]; then
> +		log_info "kexec kernel image PE signed"
> +	else
> +		log_info "kexec kernel image not PE signed"
> +	fi
> +	return $ret
> +}
> +
> +# The kexec_file_load_test() is complicated enough, require getfattr.
> +# Return 1 for IMA signature found and 0 for not found.
> +check_for_imasig()
> +{
> +	local ret=0
> +
> +	which getfattr > /dev/null 2>&1
> +	if [ $?	-eq 1 ]; then
> +		log_skip "getfattr not found"
> +	fi
> +
> +	line=$(getfattr -n security.ima -e hex --absolute-names $KERNEL_IMAGE 2>&1)
> +	echo $line | grep -q "security.ima=0x03"
> +	if [ $? -eq 0 ]; then
> +		ret=1
> +		log_info "kexec kernel image IMA signed"
> +	else
> +		log_info "kexec kernel image not IMA signed"
> +	fi
> +	return $ret
> +}
> +
> +kexec_file_load_test()
> +{
> +	local succeed_msg="kexec_file_load succeeded"
> +	local failed_msg="kexec_file_load failed"
> +	local key_msg="try enabling the CONFIG_INTEGRITY_PLATFORM_KEYRING"
> +
> +	line=$(kexec --load --kexec-file-syscall $KERNEL_IMAGE 2>&1)
> +
> +	if [ $? -eq 0 ]; then
> +		kexec --unload --kexec-file-syscall
> +
> +		# In secureboot mode with an architecture  specific
> +		# policy, make sure either an IMA or PE signature exists.
> +		if [ $secureboot -eq 1 ] && [ $arch_policy -eq 1 ] && \
> +			[ $ima_signed -eq 0 ] && [ $pe_signed -eq 0 ]; then
> +			log_fail "$succeed_msg (missing sig)"
> +		fi
> +
> +		if [ $pe_sig_required -eq 1 ] && [ $pe_signed -eq 0 ]; then
> +			log_fail "$succeed_msg (missing PE sig)"
> +		fi
> +
> +		if [ $ima_sig_required -eq 1 ] && [ $ima_signed -eq 0 ]; then
> +			log_fail "$succeed_msg (missing IMA sig)"
> +		fi
> +
> +		if [ $pe_sig_required -eq 0 ] && [ $ima_sig_required -eq 0 ] \
> +		    && [ $ima_read_policy -eq 0 ] && [ $ima_signed -eq 0 ]; then
> +			log_fail "$succeed_msg (possibly missing IMA sig)"
> +		fi
> +
> +		log_pass "$succeed_msg"
> +	fi
> +
> +	# Check the reason for the kexec_file_load failure
> +	echo $line | grep -q "Required key not available"
> +	if [ $? -eq 0 ]; then
> +		if [ $platform_keyring -eq 0 ]; then
> +			log_pass "$failed_msg (-ENOKEY), $key_msg"
> +		else
> +			log_pass "$failed_msg (-ENOKEY)"
> +		fi
> +	fi
> +
> +	if [ $pe_sig_required -eq 1 ] && [ $pe_signed -eq 0 ]; then
> +		log_pass "$failed_msg (missing PE sig)"
> +	fi
> +
> +	if [ $ima_sig_required -eq 1 ] && [ $ima_signed -eq 0 ]; then
> +		log_pass "$failed_msg (missing IMA sig)"
> +	fi
> +
> +	if [ $pe_sig_required -eq 0 ] && [ $ima_sig_required -eq 0 ] \
> +	    && [ $ima_read_policy -eq 0 ] && [ $ima_signed -eq 0 ]; then
> +		log_pass "$failed_msg (possibly missing IMA sig)"
> +	fi
> +
> +	log_pass "$failed_msg"
> +	return 0
> +}
> +
> +# kexec requires root privileges
> +require_root_privileges
> +
> +# get the kernel config
> +get_kconfig
> +
> +# Determine which kernel config options are enabled
> +kconfig_enabled "CONFIG_IMA_ARCH_POLICY=y" \
> +	"architecture specific policy enabled"
> +arch_policy=$?
> +
> +kconfig_enabled "CONFIG_INTEGRITY_PLATFORM_KEYRING=y" \
> +	"platform keyring enabled"
> +platform_keyring=$?
> +
> +kconfig_enabled "CONFIG_IMA_READ_POLICY=y" "reading IMA policy permitted"
> +ima_read_policy=$?
> +
> +kconfig_enabled "CONFIG_KEXEC_BZIMAGE_VERIFY_SIG=y" \
> +	"PE signed kernel image required"
> +pe_sig_required=$?
> +
> +is_ima_sig_required
> +ima_sig_required=$?
> +
> +get_secureboot_mode
> +secureboot=$?
> +
> +if [ $secureboot -eq 0 ] && [ $arch_policy -eq 0 ] && \
> +   [ $pe_sig_required -eq 0 ] && [ $ima_sig_required -eq 0 ] && \
> +   [ $ima_read_policy -eq 1 ]; then
> +	log_skip "No signature verification required"
> +fi
> +
> +# Are there pe and ima signatures
> +check_for_pesig
> +pe_signed=$?
> +
> +check_for_imasig
> +ima_signed=$?
> +
> +# Test loading the kernel image via kexec_file_load syscall
> +kexec_file_load_test
> diff --git a/tools/testing/selftests/ima/test_kexec_load.sh b/tools/testing/selftests/ima/test_kexec_load.sh
> index b2ecd196b382..c6f7e0957c58 100755
> --- a/tools/testing/selftests/ima/test_kexec_load.sh
> +++ b/tools/testing/selftests/ima/test_kexec_load.sh
> @@ -14,7 +14,6 @@ get_secureboot_mode
>  secureboot=$?
>  
>  # kexec_load should fail in secure boot mode
> -KERNEL_IMAGE="/boot/vmlinuz-`uname -r`"
>  kexec --load $KERNEL_IMAGE 2>&1 > /dev/null
>  if [ $? -eq 0 ]; then
>  	kexec --unload
> -- 
> 2.7.5
> 

Thanks
Dave

Re: [PATCH v3 5/7] selftests/ima: kexec_file_load syscall test

[Mimi Zohar]

On Tue, 2019-03-12 at 20:10 +0800, Dave Young wrote:
> Hi Mimi,
> On 03/11/19 at 07:41am, Mimi Zohar wrote:
> > The kernel can be configured to verify PE signed kernel images, IMA
> > kernel image signatures, both types of signatures, or none.  This test
> > verifies only properly signed kernel images are loaded into memory,
> > based on the kernel configuration and runtime policies.
> 
> I understand this is for IMA testing only, but I still wonder if this
> can be expanded to common kexec tests, like
> tools/testing/selftests/kexec/kexec_load.sh
> tools/testing/selftests/kexec/kexec_file_load.sh
> 
> Is it possible for ima/test_kexec_load.sh to call the
> ../kexec/kexec_load.sh, probably add extra argument eg "ima"?

These kexec tests are meant to coordinate between the different
methods of verifying the kexec kernel image signatures.  Nothing about
them is IMA specific.  Moving these tests to
tools/testing/selftests/kexec makes sense.

> 
> Frankly I did not read and followup much about the testing code changes,
> not sure if it is doable or not.  The code sharing under testing folder
> seems not very good.  For example the basic check_root is needed by
> different parts, but all have its own implementation.  Anyway this is
> not the duty of this patch set.
> Also the selftests/lib/ is not a folder for sharing code for different
> tests, it looks a standalone test instead.

Shuah suggested upstreaming these tests first and defer introducing a
common set of functions to later.

> So if split kexec tests to another folder is not doable please just
> ignore the comment.

Left in the selftests/ima is a similar test for kernel modules, which
uses the "common" functions.  So either we wait to move the kexec
tests or allow them to reach into the ima directory and use the
ima_common_lib functions.

> 
> BTW, does CONFIG_KEXEC* is checked?  in case a kernel without KEXEC or
> KEXEC_FILE compiled in then the tests can just return directly.

Good point.  Now that there is a common function for reading the
Kconfig, I'll add that check to both the test_kexec_load.sh and
test_kexec_file_load.sh tests respectively.

Mimi

Re: [PATCH v3 5/7] selftests/ima: kexec_file_load syscall test

[Petr Vorel]

Hi Mimi, Dave,

> > Frankly I did not read and followup much about the testing code changes,
> > not sure if it is doable or not.  The code sharing under testing folder
> > seems not very good.  For example the basic check_root is needed by
> > different parts, but all have its own implementation.  Anyway this is
> > not the duty of this patch set.
> > Also the selftests/lib/ is not a folder for sharing code for different
> > tests, it looks a standalone test instead.
Yes. Thus lib/ folder name is a bit confusing.

> Shuah suggested upstreaming these tests first and defer introducing a
> common set of functions to later.
Make sense.

> > So if split kexec tests to another folder is not doable please just
> > ignore the comment.

> Left in the selftests/ima is a similar test for kernel modules, which
> uses the "common" functions.  So either we wait to move the kexec
> tests or allow them to reach into the ima directory and use the
> ima_common_lib functions.
I guess just load ima_common_lib.sh for now would be good enough.
@Dave: BTW I has starting to work on kselftest common library.
I thought I'd spent some time on it before posting it, but I might even send
the small part I've done so far so we can discuss it.

> > BTW, does CONFIG_KEXEC* is checked?  in case a kernel without KEXEC or
> > KEXEC_FILE compiled in then the tests can just return directly.

> Good point.  Now that there is a common function for reading the
> Kconfig, I'll add that check to both the test_kexec_load.sh and
> test_kexec_file_load.sh tests respectively.

> Mimi


Kind regards,
Petr

Re: [PATCH v3 5/7] selftests/ima: kexec_file_load syscall test

[Mimi Zohar]

On Wed, 2019-03-13 at 11:14 +0100, Petr Vorel wrote:

> > > So if split kexec tests to another folder is not doable please just
> > > ignore the comment.
> 
> > Left in the selftests/ima is a similar test for kernel modules, which
> > uses the "common" functions.  So either we wait to move the kexec
> > tests or allow them to reach into the ima directory and use the
> > ima_common_lib functions.
> I guess just load ima_common_lib.sh for now would be good enough.

After thinking about it some more, I've decided to remove the kernel
module test from this patch set and to simply move everything from the
selftests/ima to selftests/kexec.

The kernel module test will access scripts/kexec/kexec_common_lib.sh
until there is a generic set of functions.

Mimi