From: Mimi Zohar <zohar@linux.ibm.com>
To: linux-integrity@vger.kernel.org
Cc: linux-kselftest@vger.kernel.org, kexec@lists.infradead.org,
linux-kernel@vger.kernel.org, Petr Vorel <pvorel@suse.cz>,
Dave Young <dyoung@redhat.com>,
Matthew Garrett <mjg59@google.com>,
Mimi Zohar <zohar@linux.ibm.com>
Subject: [PATCH v4a 2/2] selftests/kexec: testing CONFIG_KEXEC_BZIMAGE_VERIFY_SIG is not enough
Date: Fri, 22 Mar 2019 15:35:51 -0400 [thread overview]
Message-ID: <1553283351-6310-2-git-send-email-zohar@linux.ibm.com> (raw)
In-Reply-To: <1553283351-6310-1-git-send-email-zohar@linux.ibm.com>
Add support for CONFIG_KEXEC_VERIFY_SIG being enabled, but not
CONFIG_KEXEC_BZIMAGE_VERIFY_SIG.
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
---
tools/testing/selftests/kexec/test_kexec_file_load.sh | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/tools/testing/selftests/kexec/test_kexec_file_load.sh b/tools/testing/selftests/kexec/test_kexec_file_load.sh
index 57b636792086..fa7c24e8eefb 100755
--- a/tools/testing/selftests/kexec/test_kexec_file_load.sh
+++ b/tools/testing/selftests/kexec/test_kexec_file_load.sh
@@ -102,7 +102,8 @@ kexec_file_load_test()
log_fail "$succeed_msg (missing sig)"
fi
- if [ $pe_sig_required -eq 1 ] && [ $pe_signed -eq 0 ]; then
+ if [ $kexec_sig_required -eq 1 -o $pe_sig_required -eq 1 ] \
+ && [ $pe_signed -eq 0 ]; then
log_fail "$succeed_msg (missing PE sig)"
fi
@@ -137,7 +138,8 @@ kexec_file_load_test()
fi
fi
- if [ $pe_sig_required -eq 1 ] && [ $pe_signed -eq 0 ]; then
+ if [ $kexec_sig_required -eq 1 -o $pe_sig_required -eq 1 ] \
+ && [ $pe_signed -eq 0 ]; then
log_pass "$failed_msg (missing PE sig)"
fi
@@ -181,6 +183,10 @@ platform_keyring=$?
kconfig_enabled "CONFIG_IMA_READ_POLICY=y" "reading IMA policy permitted"
ima_read_policy=$?
+kconfig_enabled "CONFIG_KEXEC_SIG_FORCE=y" \
+ "kexec signed kernel image required"
+kexec_sig_required=$?
+
kconfig_enabled "CONFIG_KEXEC_BZIMAGE_VERIFY_SIG=y" \
"PE signed kernel image required"
pe_sig_required=$?
--
2.7.5
WARNING: multiple messages have this Message-ID (diff)
From: zohar at linux.ibm.com (Mimi Zohar)
Subject: [PATCH v4a 2/2] selftests/kexec: testing CONFIG_KEXEC_BZIMAGE_VERIFY_SIG is not enough
Date: Fri, 22 Mar 2019 15:35:51 -0400 [thread overview]
Message-ID: <1553283351-6310-2-git-send-email-zohar@linux.ibm.com> (raw)
In-Reply-To: <1553283351-6310-1-git-send-email-zohar@linux.ibm.com>
Add support for CONFIG_KEXEC_VERIFY_SIG being enabled, but not
CONFIG_KEXEC_BZIMAGE_VERIFY_SIG.
Signed-off-by: Mimi Zohar <zohar at linux.ibm.com>
---
tools/testing/selftests/kexec/test_kexec_file_load.sh | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/tools/testing/selftests/kexec/test_kexec_file_load.sh b/tools/testing/selftests/kexec/test_kexec_file_load.sh
index 57b636792086..fa7c24e8eefb 100755
--- a/tools/testing/selftests/kexec/test_kexec_file_load.sh
+++ b/tools/testing/selftests/kexec/test_kexec_file_load.sh
@@ -102,7 +102,8 @@ kexec_file_load_test()
log_fail "$succeed_msg (missing sig)"
fi
- if [ $pe_sig_required -eq 1 ] && [ $pe_signed -eq 0 ]; then
+ if [ $kexec_sig_required -eq 1 -o $pe_sig_required -eq 1 ] \
+ && [ $pe_signed -eq 0 ]; then
log_fail "$succeed_msg (missing PE sig)"
fi
@@ -137,7 +138,8 @@ kexec_file_load_test()
fi
fi
- if [ $pe_sig_required -eq 1 ] && [ $pe_signed -eq 0 ]; then
+ if [ $kexec_sig_required -eq 1 -o $pe_sig_required -eq 1 ] \
+ && [ $pe_signed -eq 0 ]; then
log_pass "$failed_msg (missing PE sig)"
fi
@@ -181,6 +183,10 @@ platform_keyring=$?
kconfig_enabled "CONFIG_IMA_READ_POLICY=y" "reading IMA policy permitted"
ima_read_policy=$?
+kconfig_enabled "CONFIG_KEXEC_SIG_FORCE=y" \
+ "kexec signed kernel image required"
+kexec_sig_required=$?
+
kconfig_enabled "CONFIG_KEXEC_BZIMAGE_VERIFY_SIG=y" \
"PE signed kernel image required"
pe_sig_required=$?
--
2.7.5
WARNING: multiple messages have this Message-ID (diff)
From: zohar@linux.ibm.com (Mimi Zohar)
Subject: [PATCH v4a 2/2] selftests/kexec: testing CONFIG_KEXEC_BZIMAGE_VERIFY_SIG is not enough
Date: Fri, 22 Mar 2019 15:35:51 -0400 [thread overview]
Message-ID: <1553283351-6310-2-git-send-email-zohar@linux.ibm.com> (raw)
Message-ID: <20190322193551.5kXAEUMAPEZ7yO3GkjuXi-RHpKn4WWiP8faVBNrQX8w@z> (raw)
In-Reply-To: <1553283351-6310-1-git-send-email-zohar@linux.ibm.com>
Add support for CONFIG_KEXEC_VERIFY_SIG being enabled, but not
CONFIG_KEXEC_BZIMAGE_VERIFY_SIG.
Signed-off-by: Mimi Zohar <zohar at linux.ibm.com>
---
tools/testing/selftests/kexec/test_kexec_file_load.sh | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/tools/testing/selftests/kexec/test_kexec_file_load.sh b/tools/testing/selftests/kexec/test_kexec_file_load.sh
index 57b636792086..fa7c24e8eefb 100755
--- a/tools/testing/selftests/kexec/test_kexec_file_load.sh
+++ b/tools/testing/selftests/kexec/test_kexec_file_load.sh
@@ -102,7 +102,8 @@ kexec_file_load_test()
log_fail "$succeed_msg (missing sig)"
fi
- if [ $pe_sig_required -eq 1 ] && [ $pe_signed -eq 0 ]; then
+ if [ $kexec_sig_required -eq 1 -o $pe_sig_required -eq 1 ] \
+ && [ $pe_signed -eq 0 ]; then
log_fail "$succeed_msg (missing PE sig)"
fi
@@ -137,7 +138,8 @@ kexec_file_load_test()
fi
fi
- if [ $pe_sig_required -eq 1 ] && [ $pe_signed -eq 0 ]; then
+ if [ $kexec_sig_required -eq 1 -o $pe_sig_required -eq 1 ] \
+ && [ $pe_signed -eq 0 ]; then
log_pass "$failed_msg (missing PE sig)"
fi
@@ -181,6 +183,10 @@ platform_keyring=$?
kconfig_enabled "CONFIG_IMA_READ_POLICY=y" "reading IMA policy permitted"
ima_read_policy=$?
+kconfig_enabled "CONFIG_KEXEC_SIG_FORCE=y" \
+ "kexec signed kernel image required"
+kexec_sig_required=$?
+
kconfig_enabled "CONFIG_KEXEC_BZIMAGE_VERIFY_SIG=y" \
"PE signed kernel image required"
pe_sig_required=$?
--
2.7.5
WARNING: multiple messages have this Message-ID (diff)
From: Mimi Zohar <zohar@linux.ibm.com>
To: linux-integrity@vger.kernel.org
Cc: kexec@lists.infradead.org, linux-kernel@vger.kernel.org,
Matthew Garrett <mjg59@google.com>, Petr Vorel <pvorel@suse.cz>,
Mimi Zohar <zohar@linux.ibm.com>,
linux-kselftest@vger.kernel.org, Dave Young <dyoung@redhat.com>
Subject: [PATCH v4a 2/2] selftests/kexec: testing CONFIG_KEXEC_BZIMAGE_VERIFY_SIG is not enough
Date: Fri, 22 Mar 2019 15:35:51 -0400 [thread overview]
Message-ID: <1553283351-6310-2-git-send-email-zohar@linux.ibm.com> (raw)
In-Reply-To: <1553283351-6310-1-git-send-email-zohar@linux.ibm.com>
Add support for CONFIG_KEXEC_VERIFY_SIG being enabled, but not
CONFIG_KEXEC_BZIMAGE_VERIFY_SIG.
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
---
tools/testing/selftests/kexec/test_kexec_file_load.sh | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/tools/testing/selftests/kexec/test_kexec_file_load.sh b/tools/testing/selftests/kexec/test_kexec_file_load.sh
index 57b636792086..fa7c24e8eefb 100755
--- a/tools/testing/selftests/kexec/test_kexec_file_load.sh
+++ b/tools/testing/selftests/kexec/test_kexec_file_load.sh
@@ -102,7 +102,8 @@ kexec_file_load_test()
log_fail "$succeed_msg (missing sig)"
fi
- if [ $pe_sig_required -eq 1 ] && [ $pe_signed -eq 0 ]; then
+ if [ $kexec_sig_required -eq 1 -o $pe_sig_required -eq 1 ] \
+ && [ $pe_signed -eq 0 ]; then
log_fail "$succeed_msg (missing PE sig)"
fi
@@ -137,7 +138,8 @@ kexec_file_load_test()
fi
fi
- if [ $pe_sig_required -eq 1 ] && [ $pe_signed -eq 0 ]; then
+ if [ $kexec_sig_required -eq 1 -o $pe_sig_required -eq 1 ] \
+ && [ $pe_signed -eq 0 ]; then
log_pass "$failed_msg (missing PE sig)"
fi
@@ -181,6 +183,10 @@ platform_keyring=$?
kconfig_enabled "CONFIG_IMA_READ_POLICY=y" "reading IMA policy permitted"
ima_read_policy=$?
+kconfig_enabled "CONFIG_KEXEC_SIG_FORCE=y" \
+ "kexec signed kernel image required"
+kexec_sig_required=$?
+
kconfig_enabled "CONFIG_KEXEC_BZIMAGE_VERIFY_SIG=y" \
"PE signed kernel image required"
pe_sig_required=$?
--
2.7.5
_______________________________________________
kexec mailing list
kexec@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/kexec
next prev parent reply other threads:[~2019-03-22 19:36 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-03-22 19:35 [PATCH v4a 1/2] selftests/kexec: make tests independent of IMA being enabled Mimi Zohar
2019-03-22 19:35 ` Mimi Zohar
2019-03-22 19:35 ` Mimi Zohar
2019-03-22 19:35 ` zohar
2019-03-22 19:35 ` Mimi Zohar [this message]
2019-03-22 19:35 ` [PATCH v4a 2/2] selftests/kexec: testing CONFIG_KEXEC_BZIMAGE_VERIFY_SIG is not enough Mimi Zohar
2019-03-22 19:35 ` Mimi Zohar
2019-03-22 19:35 ` zohar
2019-03-25 8:09 ` [PATCH v4a 1/2] selftests/kexec: make tests independent of IMA being enabled Dave Young
2019-03-25 8:09 ` Dave Young
2019-03-25 8:09 ` Dave Young
2019-03-25 8:09 ` dyoung
2019-03-25 20:37 ` Mimi Zohar
2019-03-25 20:37 ` Mimi Zohar
2019-03-25 20:37 ` Mimi Zohar
2019-03-25 20:37 ` zohar
2019-03-26 7:49 ` Dave Young
2019-03-26 7:49 ` Dave Young
2019-03-26 7:49 ` Dave Young
2019-03-26 7:49 ` dyoung
2019-03-26 13:56 ` Mimi Zohar
2019-03-26 13:56 ` Mimi Zohar
2019-03-26 13:56 ` Mimi Zohar
2019-03-26 13:56 ` zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1553283351-6310-2-git-send-email-zohar@linux.ibm.com \
--to=zohar@linux.ibm.com \
--cc=dyoung@redhat.com \
--cc=kexec@lists.infradead.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=mjg59@google.com \
--cc=pvorel@suse.cz \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.