From: Mimi Zohar <zohar@linux.ibm.com>
To: linux-integrity@vger.kernel.org
Cc: linux-kselftest@vger.kernel.org, kexec@lists.infradead.org,
linux-kernel@vger.kernel.org, Petr Vorel <pvorel@suse.cz>,
Dave Young <dyoung@redhat.com>,
Matthew Garrett <mjg59@google.com>,
Mimi Zohar <zohar@linux.ibm.com>
Subject: [PATCH v5 9/9] selftests/kexec: make kexec_load test independent of IMA being enabled
Date: Tue, 26 Mar 2019 09:34:17 -0400 [thread overview]
Message-ID: <1553607257-18906-10-git-send-email-zohar@linux.ibm.com> (raw)
In-Reply-To: <1553607257-18906-1-git-send-email-zohar@linux.ibm.com>
Verify IMA is enabled before failing tests or emitting irrelevant
messages.
Suggested-by: Dave Young <dyoung@redhat.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Reviewed-by: Dave Young <dyoung@redhat.com>
---
tools/testing/selftests/kexec/test_kexec_load.sh | 24 ++++++++++++++++--------
1 file changed, 16 insertions(+), 8 deletions(-)
diff --git a/tools/testing/selftests/kexec/test_kexec_load.sh b/tools/testing/selftests/kexec/test_kexec_load.sh
index 2a66c8897f55..49c6aa929137 100755
--- a/tools/testing/selftests/kexec/test_kexec_load.sh
+++ b/tools/testing/selftests/kexec/test_kexec_load.sh
@@ -1,8 +1,8 @@
#!/bin/sh
# SPDX-License-Identifier: GPL-2.0
-# Loading a kernel image via the kexec_load syscall should fail
-# when the kernel is CONFIG_KEXEC_VERIFY_SIG enabled and the system
-# is booted in secureboot mode.
+#
+# Prevent loading a kernel image via the kexec_load syscall when
+# signatures are required. (Dependent on CONFIG_IMA_ARCH_POLICY.)
TEST="$0"
. ./kexec_common_lib.sh
@@ -18,20 +18,28 @@ if [ $? -eq 0 ]; then
log_skip "kexec_load is not enabled"
fi
+kconfig_enabled "CONFIG_IMA_APPRAISE=y" "IMA enabled"
+ima_appraise=$?
+
+kconfig_enabled "CONFIG_IMA_ARCH_POLICY=y" \
+ "IMA architecture specific policy enabled"
+arch_policy=$?
+
get_secureboot_mode
secureboot=$?
-# kexec_load should fail in secure boot mode
+# kexec_load should fail in secure boot mode and CONFIG_IMA_ARCH_POLICY enabled
kexec --load $KERNEL_IMAGE > /dev/null 2>&1
if [ $? -eq 0 ]; then
kexec --unload
- if [ $secureboot -eq 1 ]; then
+ if [ $secureboot -eq 1 ] && [ $arch_policy -eq 1 ]; then
log_fail "kexec_load succeeded"
- else
- log_pass "kexec_load succeeded"
+ elif [ $ima_appraise -eq 0 -o $arch_policy -eq 0 ]; then
+ log_info "Either IMA or the IMA arch policy is not enabled"
fi
+ log_pass "kexec_load succeeded"
else
- if [ $secureboot -eq 1 ]; then
+ if [ $secureboot -eq 1 ] && [ $arch_policy -eq 1 ] ; then
log_pass "kexec_load failed"
else
log_fail "kexec_load failed"
--
2.7.5
WARNING: multiple messages have this Message-ID (diff)
From: zohar at linux.ibm.com (Mimi Zohar)
Subject: [PATCH v5 9/9] selftests/kexec: make kexec_load test independent of IMA being enabled
Date: Tue, 26 Mar 2019 09:34:17 -0400 [thread overview]
Message-ID: <1553607257-18906-10-git-send-email-zohar@linux.ibm.com> (raw)
In-Reply-To: <1553607257-18906-1-git-send-email-zohar@linux.ibm.com>
Verify IMA is enabled before failing tests or emitting irrelevant
messages.
Suggested-by: Dave Young <dyoung at redhat.com>
Signed-off-by: Mimi Zohar <zohar at linux.ibm.com>
Reviewed-by: Dave Young <dyoung at redhat.com>
---
tools/testing/selftests/kexec/test_kexec_load.sh | 24 ++++++++++++++++--------
1 file changed, 16 insertions(+), 8 deletions(-)
diff --git a/tools/testing/selftests/kexec/test_kexec_load.sh b/tools/testing/selftests/kexec/test_kexec_load.sh
index 2a66c8897f55..49c6aa929137 100755
--- a/tools/testing/selftests/kexec/test_kexec_load.sh
+++ b/tools/testing/selftests/kexec/test_kexec_load.sh
@@ -1,8 +1,8 @@
#!/bin/sh
# SPDX-License-Identifier: GPL-2.0
-# Loading a kernel image via the kexec_load syscall should fail
-# when the kernel is CONFIG_KEXEC_VERIFY_SIG enabled and the system
-# is booted in secureboot mode.
+#
+# Prevent loading a kernel image via the kexec_load syscall when
+# signatures are required. (Dependent on CONFIG_IMA_ARCH_POLICY.)
TEST="$0"
. ./kexec_common_lib.sh
@@ -18,20 +18,28 @@ if [ $? -eq 0 ]; then
log_skip "kexec_load is not enabled"
fi
+kconfig_enabled "CONFIG_IMA_APPRAISE=y" "IMA enabled"
+ima_appraise=$?
+
+kconfig_enabled "CONFIG_IMA_ARCH_POLICY=y" \
+ "IMA architecture specific policy enabled"
+arch_policy=$?
+
get_secureboot_mode
secureboot=$?
-# kexec_load should fail in secure boot mode
+# kexec_load should fail in secure boot mode and CONFIG_IMA_ARCH_POLICY enabled
kexec --load $KERNEL_IMAGE > /dev/null 2>&1
if [ $? -eq 0 ]; then
kexec --unload
- if [ $secureboot -eq 1 ]; then
+ if [ $secureboot -eq 1 ] && [ $arch_policy -eq 1 ]; then
log_fail "kexec_load succeeded"
- else
- log_pass "kexec_load succeeded"
+ elif [ $ima_appraise -eq 0 -o $arch_policy -eq 0 ]; then
+ log_info "Either IMA or the IMA arch policy is not enabled"
fi
+ log_pass "kexec_load succeeded"
else
- if [ $secureboot -eq 1 ]; then
+ if [ $secureboot -eq 1 ] && [ $arch_policy -eq 1 ] ; then
log_pass "kexec_load failed"
else
log_fail "kexec_load failed"
--
2.7.5
WARNING: multiple messages have this Message-ID (diff)
From: zohar@linux.ibm.com (Mimi Zohar)
Subject: [PATCH v5 9/9] selftests/kexec: make kexec_load test independent of IMA being enabled
Date: Tue, 26 Mar 2019 09:34:17 -0400 [thread overview]
Message-ID: <1553607257-18906-10-git-send-email-zohar@linux.ibm.com> (raw)
Message-ID: <20190326133417.9F9y8id3CUdYI0fx92p4Nv9bIR_9jLBc69mXM3ZKcNU@z> (raw)
In-Reply-To: <1553607257-18906-1-git-send-email-zohar@linux.ibm.com>
Verify IMA is enabled before failing tests or emitting irrelevant
messages.
Suggested-by: Dave Young <dyoung at redhat.com>
Signed-off-by: Mimi Zohar <zohar at linux.ibm.com>
Reviewed-by: Dave Young <dyoung at redhat.com>
---
tools/testing/selftests/kexec/test_kexec_load.sh | 24 ++++++++++++++++--------
1 file changed, 16 insertions(+), 8 deletions(-)
diff --git a/tools/testing/selftests/kexec/test_kexec_load.sh b/tools/testing/selftests/kexec/test_kexec_load.sh
index 2a66c8897f55..49c6aa929137 100755
--- a/tools/testing/selftests/kexec/test_kexec_load.sh
+++ b/tools/testing/selftests/kexec/test_kexec_load.sh
@@ -1,8 +1,8 @@
#!/bin/sh
# SPDX-License-Identifier: GPL-2.0
-# Loading a kernel image via the kexec_load syscall should fail
-# when the kernel is CONFIG_KEXEC_VERIFY_SIG enabled and the system
-# is booted in secureboot mode.
+#
+# Prevent loading a kernel image via the kexec_load syscall when
+# signatures are required. (Dependent on CONFIG_IMA_ARCH_POLICY.)
TEST="$0"
. ./kexec_common_lib.sh
@@ -18,20 +18,28 @@ if [ $? -eq 0 ]; then
log_skip "kexec_load is not enabled"
fi
+kconfig_enabled "CONFIG_IMA_APPRAISE=y" "IMA enabled"
+ima_appraise=$?
+
+kconfig_enabled "CONFIG_IMA_ARCH_POLICY=y" \
+ "IMA architecture specific policy enabled"
+arch_policy=$?
+
get_secureboot_mode
secureboot=$?
-# kexec_load should fail in secure boot mode
+# kexec_load should fail in secure boot mode and CONFIG_IMA_ARCH_POLICY enabled
kexec --load $KERNEL_IMAGE > /dev/null 2>&1
if [ $? -eq 0 ]; then
kexec --unload
- if [ $secureboot -eq 1 ]; then
+ if [ $secureboot -eq 1 ] && [ $arch_policy -eq 1 ]; then
log_fail "kexec_load succeeded"
- else
- log_pass "kexec_load succeeded"
+ elif [ $ima_appraise -eq 0 -o $arch_policy -eq 0 ]; then
+ log_info "Either IMA or the IMA arch policy is not enabled"
fi
+ log_pass "kexec_load succeeded"
else
- if [ $secureboot -eq 1 ]; then
+ if [ $secureboot -eq 1 ] && [ $arch_policy -eq 1 ] ; then
log_pass "kexec_load failed"
else
log_fail "kexec_load failed"
--
2.7.5
WARNING: multiple messages have this Message-ID (diff)
From: Mimi Zohar <zohar@linux.ibm.com>
To: linux-integrity@vger.kernel.org
Cc: kexec@lists.infradead.org, linux-kernel@vger.kernel.org,
Matthew Garrett <mjg59@google.com>, Petr Vorel <pvorel@suse.cz>,
Mimi Zohar <zohar@linux.ibm.com>,
linux-kselftest@vger.kernel.org, Dave Young <dyoung@redhat.com>
Subject: [PATCH v5 9/9] selftests/kexec: make kexec_load test independent of IMA being enabled
Date: Tue, 26 Mar 2019 09:34:17 -0400 [thread overview]
Message-ID: <1553607257-18906-10-git-send-email-zohar@linux.ibm.com> (raw)
In-Reply-To: <1553607257-18906-1-git-send-email-zohar@linux.ibm.com>
Verify IMA is enabled before failing tests or emitting irrelevant
messages.
Suggested-by: Dave Young <dyoung@redhat.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Reviewed-by: Dave Young <dyoung@redhat.com>
---
tools/testing/selftests/kexec/test_kexec_load.sh | 24 ++++++++++++++++--------
1 file changed, 16 insertions(+), 8 deletions(-)
diff --git a/tools/testing/selftests/kexec/test_kexec_load.sh b/tools/testing/selftests/kexec/test_kexec_load.sh
index 2a66c8897f55..49c6aa929137 100755
--- a/tools/testing/selftests/kexec/test_kexec_load.sh
+++ b/tools/testing/selftests/kexec/test_kexec_load.sh
@@ -1,8 +1,8 @@
#!/bin/sh
# SPDX-License-Identifier: GPL-2.0
-# Loading a kernel image via the kexec_load syscall should fail
-# when the kernel is CONFIG_KEXEC_VERIFY_SIG enabled and the system
-# is booted in secureboot mode.
+#
+# Prevent loading a kernel image via the kexec_load syscall when
+# signatures are required. (Dependent on CONFIG_IMA_ARCH_POLICY.)
TEST="$0"
. ./kexec_common_lib.sh
@@ -18,20 +18,28 @@ if [ $? -eq 0 ]; then
log_skip "kexec_load is not enabled"
fi
+kconfig_enabled "CONFIG_IMA_APPRAISE=y" "IMA enabled"
+ima_appraise=$?
+
+kconfig_enabled "CONFIG_IMA_ARCH_POLICY=y" \
+ "IMA architecture specific policy enabled"
+arch_policy=$?
+
get_secureboot_mode
secureboot=$?
-# kexec_load should fail in secure boot mode
+# kexec_load should fail in secure boot mode and CONFIG_IMA_ARCH_POLICY enabled
kexec --load $KERNEL_IMAGE > /dev/null 2>&1
if [ $? -eq 0 ]; then
kexec --unload
- if [ $secureboot -eq 1 ]; then
+ if [ $secureboot -eq 1 ] && [ $arch_policy -eq 1 ]; then
log_fail "kexec_load succeeded"
- else
- log_pass "kexec_load succeeded"
+ elif [ $ima_appraise -eq 0 -o $arch_policy -eq 0 ]; then
+ log_info "Either IMA or the IMA arch policy is not enabled"
fi
+ log_pass "kexec_load succeeded"
else
- if [ $secureboot -eq 1 ]; then
+ if [ $secureboot -eq 1 ] && [ $arch_policy -eq 1 ] ; then
log_pass "kexec_load failed"
else
log_fail "kexec_load failed"
--
2.7.5
_______________________________________________
kexec mailing list
kexec@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/kexec
next prev parent reply other threads:[~2019-03-26 13:35 UTC|newest]
Thread overview: 66+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-03-26 13:34 [PATCH v5 0/9] selftests/kexec: add kexec tests Mimi Zohar
2019-03-26 13:34 ` Mimi Zohar
2019-03-26 13:34 ` Mimi Zohar
2019-03-26 13:34 ` zohar
2019-03-26 13:34 ` [PATCH v5 1/9] selftests/kexec: move the IMA kexec_load selftest to selftests/kexec Mimi Zohar
2019-03-26 13:34 ` Mimi Zohar
2019-03-26 13:34 ` Mimi Zohar
2019-03-26 13:34 ` zohar
2019-03-27 11:54 ` Petr Vorel
2019-03-27 11:54 ` Petr Vorel
2019-03-27 11:54 ` Petr Vorel
2019-03-27 11:54 ` pvorel
2019-03-26 13:34 ` [PATCH v5 2/9] selftests/kexec: cleanup the kexec selftest Mimi Zohar
2019-03-26 13:34 ` Mimi Zohar
2019-03-26 13:34 ` Mimi Zohar
2019-03-26 13:34 ` zohar
2019-03-26 13:34 ` [PATCH v5 3/9] selftests/kexec: define a set of common functions Mimi Zohar
2019-03-26 13:34 ` Mimi Zohar
2019-03-26 13:34 ` Mimi Zohar
2019-03-26 13:34 ` zohar
2019-03-26 13:34 ` [PATCH v5 4/9] selftests/kexec: define common logging functions Mimi Zohar
2019-03-26 13:34 ` Mimi Zohar
2019-03-26 13:34 ` Mimi Zohar
2019-03-26 13:34 ` zohar
2019-03-27 11:45 ` pvorel
2019-03-27 11:45 ` Petr Vorel
2019-03-26 13:34 ` [PATCH v5 5/9] kselftest/kexec: define "require_root_privileges" Mimi Zohar
2019-03-26 13:34 ` Mimi Zohar
2019-03-26 13:34 ` Mimi Zohar
2019-03-26 13:34 ` zohar
2019-03-26 13:34 ` [PATCH v5 6/9] selftests/kexec: kexec_file_load syscall test Mimi Zohar
2019-03-26 13:34 ` Mimi Zohar
2019-03-26 13:34 ` Mimi Zohar
2019-03-26 13:34 ` zohar
2019-03-26 13:34 ` [PATCH v5 7/9] selftests/kexec: Add missing '=y' to config options Mimi Zohar
2019-03-26 13:34 ` Mimi Zohar
2019-03-26 13:34 ` Mimi Zohar
2019-03-26 13:34 ` zohar
2019-03-26 13:34 ` [PATCH v5 8/9] selftests/kexec: check kexec_load and kexec_file_load are enabled Mimi Zohar
2019-03-26 13:34 ` Mimi Zohar
2019-03-26 13:34 ` Mimi Zohar
2019-03-26 13:34 ` zohar
2019-03-27 11:53 ` Petr Vorel
2019-03-27 11:53 ` Petr Vorel
2019-03-27 11:53 ` Petr Vorel
2019-03-27 11:53 ` pvorel
2019-03-26 13:34 ` Mimi Zohar [this message]
2019-03-26 13:34 ` [PATCH v5 9/9] selftests/kexec: make kexec_load test independent of IMA being enabled Mimi Zohar
2019-03-26 13:34 ` Mimi Zohar
2019-03-26 13:34 ` zohar
2019-03-27 11:56 ` Petr Vorel
2019-03-27 11:56 ` Petr Vorel
2019-03-27 11:56 ` Petr Vorel
2019-03-27 11:56 ` pvorel
2019-04-03 14:06 ` [PATCH] selftests/kexec: update get_secureboot_mode Mimi Zohar
2019-04-03 14:06 ` Mimi Zohar
2019-04-03 14:06 ` Mimi Zohar
2019-04-03 14:06 ` zohar
2019-04-05 12:47 ` Petr Vorel
2019-04-05 12:47 ` Petr Vorel
2019-04-05 12:47 ` Petr Vorel
2019-04-05 12:47 ` pvorel
2019-04-05 18:35 ` Mimi Zohar
2019-04-05 18:35 ` Mimi Zohar
2019-04-05 18:35 ` Mimi Zohar
2019-04-05 18:35 ` zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1553607257-18906-10-git-send-email-zohar@linux.ibm.com \
--to=zohar@linux.ibm.com \
--cc=dyoung@redhat.com \
--cc=kexec@lists.infradead.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=mjg59@google.com \
--cc=pvorel@suse.cz \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.