public inbox for linux-integrity@vger.kernel.org
* [PATCH 1/2] ima_kexec.sh: Detect kernel image
@ 2026-01-07 15:57 Petr Vorel
  2026-01-07 15:57 ` [PATCH 2/2] ima_kexec.sh: Document kernel config dependencies Petr Vorel
  2026-01-07 16:20 ` [PATCH 1/2] ima_kexec.sh: Detect kernel image Petr Vorel
  0 siblings, 2 replies; 5+ messages in thread
From: Petr Vorel @ 2026-01-07 15:57 UTC (permalink / raw)
  To: ltp; +Cc: Petr Vorel, Mimi Zohar, linux-integrity

Sometimes BOOT_IMAGE contains a partition which does not point to /boot,
e.g. BOOT_IMAGE=(hd0,gpt1)/opensuse-tumbleweed/6.18.3-1-default/linux-30afdbce3ab6d0eff8f42b71df1a66f4baf2daf8
on Tumbleweed aarch64. Therefore detect common kernel image paths.

Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
 .../security/integrity/ima/tests/ima_kexec.sh | 28 ++++++++++++++++++-
 1 file changed, 27 insertions(+), 1 deletion(-)

diff --git a/testcases/kernel/security/integrity/ima/tests/ima_kexec.sh b/testcases/kernel/security/integrity/ima/tests/ima_kexec.sh
index d6eb0829d8..7688690af2 100755
--- a/testcases/kernel/security/integrity/ima/tests/ima_kexec.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_kexec.sh
@@ -42,7 +42,7 @@ measure()
 
 setup()
 {
-	local arch
+	local arch f uname
 
 	if [ ! -f "$IMA_KEXEC_IMAGE" ]; then
 		for arg in $(cat /proc/cmdline); do
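Review bot: In `local arch f uname`, naming a variable `uname` after the command it captures makes the later `uname="$(uname -r)"` harder to read; a name such as `kver` would be clearer. The loop variable in the context line `for arg in $(cat /proc/cmdline); do` is also missing from the `local` list, so it leaks out of setup(); adding `arg` here would fix that while the line is being touched.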
@@ -63,6 +63,32 @@ setup()
 		fi
 	fi
 
+	if [ ! -f "$IMA_KEXEC_IMAGE" ]; then
+		uname="$(uname -r)"
+
+		# x86_64
+		f="/boot/vmlinuz-$uname"
+
+		# ppc64le, s390x
+		if [ ! -f "$f" ]; then
+			f="/boot/vmlinux-$uname"
+		fi
+
+		# aarch64
+		if [ ! -f "$f" ]; then
+			f="/boot/Image-$uname"
+		fi
+
+		# aarch64 often uses compression
+		if [ ! -f "$f" ]; then
+			f="$(ls /boot/Image-$uname.* || true)"
+		fi
+
+		if [ -f "$f" ]; then
+			IMA_KEXEC_IMAGE="$f"
+		fi
+	fi
+
 	if [ ! -f "$IMA_KEXEC_IMAGE" ]; then
 		tst_brk TCONF "kernel image not found, specify path in \$IMA_KEXEC_IMAGE"
 	fi
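Review bot: The compressed-image fallback `f="$(ls /boot/Image-$uname.* || true)"` breaks when the glob matches more than one file (hypothetically, a compressed image plus a checksum file with the same prefix): `f` then holds several newline-separated names, `[ -f "$f" ]` is false, and the test ends in TCONF although an image exists. `ls` also writes an error to stderr when nothing matches. Iterating over the glob directly, `for f in /boot/Image-"$uname".*; do [ -f "$f" ] && break; done`, avoids parsing `ls` output; restricting the pattern to the expected compression suffixes would additionally keep a non-image file from being picked.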
-- 
2.51.0



* [PATCH 2/2] ima_kexec.sh: Document kernel config dependencies
  2026-01-07 15:57 [PATCH 1/2] ima_kexec.sh: Detect kernel image Petr Vorel
@ 2026-01-07 15:57 ` Petr Vorel
  2026-01-14 15:11   ` Mimi Zohar
  2026-01-07 16:20 ` [PATCH 1/2] ima_kexec.sh: Detect kernel image Petr Vorel
  1 sibling, 1 reply; 5+ messages in thread
From: Petr Vorel @ 2026-01-07 15:57 UTC (permalink / raw)
  To: ltp; +Cc: Petr Vorel, Mimi Zohar, linux-integrity

CONFIG_HAVE_IMA_KEXEC=y is enough for test, i.e. test is working with:

    # CONFIG_IMA_KEXEC is not set
    CONFIG_HAVE_IMA_KEXEC=y

Probably obvious as CONFIG_HAVE_IMA_KEXEC is arch specific and
CONFIG_IMA_KEXEC is "TPM PCRs are only reset on a hard reboot."
and ima_kexec.c requires CONFIG_HAVE_IMA_KEXEC (only parts are skipped
when CONFIG_IMA_KEXEC not set) but better to clarify for users.

Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
 testcases/kernel/security/integrity/ima/tests/ima_kexec.sh | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/testcases/kernel/security/integrity/ima/tests/ima_kexec.sh b/testcases/kernel/security/integrity/ima/tests/ima_kexec.sh
index 7688690af2..de595fcdd7 100755
--- a/testcases/kernel/security/integrity/ima/tests/ima_kexec.sh
+++ b/testcases/kernel/security/integrity/ima/tests/ima_kexec.sh
@@ -6,8 +6,11 @@
 #
 # Verify that kexec cmdline is measured correctly.
 # Test attempts to kexec the existing running kernel image.
+#
 # To kexec a different kernel image export IMA_KEXEC_IMAGE=<pathname>.
 # Test requires example IMA policy loadable with LTP_IMA_LOAD_POLICY=1.
+#
+# Test requires CONFIG_HAVE_IMA_KEXEC=y (CONFIG_IMA_KEXEC is not mandatory).
 
 TST_NEEDS_CMDS="grep kexec sed"
 TST_CNT=3
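Review bot: The new header line states the CONFIG_HAVE_IMA_KEXEC=y requirement only as a comment, so on a kernel without it the user finds out from a failing run rather than from a TCONF. If it is not already declared elsewhere in the test, adding `TST_NEEDS_KCONFIGS="CONFIG_HAVE_IMA_KEXEC=y"` next to `TST_NEEDS_CMDS` would let the LTP shell library enforce what the comment documents.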
-- 
2.51.0



* Re: [PATCH 1/2] ima_kexec.sh: Detect kernel image
  2026-01-07 15:57 [PATCH 1/2] ima_kexec.sh: Detect kernel image Petr Vorel
  2026-01-07 15:57 ` [PATCH 2/2] ima_kexec.sh: Document kernel config dependencies Petr Vorel
@ 2026-01-07 16:20 ` Petr Vorel
  1 sibling, 0 replies; 5+ messages in thread
From: Petr Vorel @ 2026-01-07 16:20 UTC (permalink / raw)
  To: ltp; +Cc: Mimi Zohar, linux-integrity

Hi all,

...
> +	if [ ! -f "$IMA_KEXEC_IMAGE" ]; then
> +		uname="$(uname -r)"
> +
> +		# x86_64
> +		f="/boot/vmlinuz-$uname"
> +
> +		# ppc64le, s390x
> +		if [ ! -f "$f" ]; then
> +			f="/boot/vmlinux-$uname"
> +		fi
> +
> +		# aarch64
> +		if [ ! -f "$f" ]; then
> +			f="/boot/Image-$uname"
> +		fi
> +
> +		# aarch64 often uses compression
> +		if [ ! -f "$f" ]; then
> +			f="$(ls /boot/Image-$uname.* || true)"
> +		fi
> +
> +		if [ -f "$f" ]; then
> +			IMA_KEXEC_IMAGE="$f"
> +		fi
> +	fi
> +
>  	if [ ! -f "$IMA_KEXEC_IMAGE" ]; then
>  		tst_brk TCONF "kernel image not found, specify path in \$IMA_KEXEC_IMAGE"
>  	fi
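Review bot: The outer `if [ ! -f "$IMA_KEXEC_IMAGE" ]` guard also fires when the user exported IMA_KEXEC_IMAGE with a path that does not exist, so a typo in that variable is silently replaced by an autodetected image and the test measures a different file than the one requested. Consider logging the chosen path with `tst_res TINFO` where `IMA_KEXEC_IMAGE="$f"` is assigned, or running the detection only when the variable was empty.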

I'm sorry for the noise, I found our s390x emulation actually uses
/boot/image-$uname.  I suggest in the end to merge with the following diff.

Kind regards,
Petr

+++ testcases/kernel/security/integrity/ima/tests/ima_kexec.sh
@@ -69,18 +69,16 @@ setup()
 	if [ ! -f "$IMA_KEXEC_IMAGE" ]; then
 		uname="$(uname -r)"
 
-		# x86_64
-		f="/boot/vmlinuz-$uname"
-
-		# ppc64le, s390x
-		if [ ! -f "$f" ]; then
-			f="/boot/vmlinux-$uname"
-		fi
-
-		# aarch64
-		if [ ! -f "$f" ]; then
-			f="/boot/Image-$uname"
-		fi
+		for f in \
+			/boot/vmlinuz-$uname \
+			/boot/vmlinux-$uname \
+			/boot/Image-$uname \
+			/boot/image-$uname \
+		; do
+			if [ -f "$f" ]; then
+				break
+			fi
+		done
 
 		# aarch64 often uses compression
 		if [ ! -f "$f" ]; then
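Review bot: The new `for f in ... ; do` loop drops the per-architecture comments (x86_64; ppc64le, s390x; aarch64), and the added `/boot/image-$uname` entry carries none saying it is the s390x case; one comment above the loop mapping each path to its architecture would keep that knowledge. The loop also relies on `f` keeping the last candidate when nothing matches so that the following `if [ ! -f "$f" ]` still runs, which works but deserves a short comment, and the compressed-image fallback from the original patch globs only `Image-`, not the lowercase `image-` spelling introduced here.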


* Re: [PATCH 2/2] ima_kexec.sh: Document kernel config dependencies
  2026-01-07 15:57 ` [PATCH 2/2] ima_kexec.sh: Document kernel config dependencies Petr Vorel
@ 2026-01-14 15:11   ` Mimi Zohar
  2026-01-14 16:46     ` Petr Vorel
  0 siblings, 1 reply; 5+ messages in thread
From: Mimi Zohar @ 2026-01-14 15:11 UTC (permalink / raw)
  To: Petr Vorel, ltp; +Cc: linux-integrity

On Wed, 2026-01-07 at 16:57 +0100, Petr Vorel wrote:
> CONFIG_HAVE_IMA_KEXEC=y is enough for test, i.e. test is working with:
> 
>     # CONFIG_IMA_KEXEC is not set
>     CONFIG_HAVE_IMA_KEXEC=y
> 
> Probably obvious as CONFIG_HAVE_IMA_KEXEC is arch specific and
> CONFIG_IMA_KEXEC is "TPM PCRs are only reset on a hard reboot."
> and ima_kexec.c requires CONFIG_HAVE_IMA_KEXEC (only parts are skipped
> when CONFIG_IMA_KEXEC not set) but better to clarify for users.
> 
> Signed-off-by: Petr Vorel <pvorel@suse.cz>
> ---
>  testcases/kernel/security/integrity/ima/tests/ima_kexec.sh | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/testcases/kernel/security/integrity/ima/tests/ima_kexec.sh b/testcases/kernel/security/integrity/ima/tests/ima_kexec.sh
> index 7688690af2..de595fcdd7 100755
> --- a/testcases/kernel/security/integrity/ima/tests/ima_kexec.sh
> +++ b/testcases/kernel/security/integrity/ima/tests/ima_kexec.sh
> @@ -6,8 +6,11 @@
>  #
>  # Verify that kexec cmdline is measured correctly.
>  # Test attempts to kexec the existing running kernel image.
> +#
>  # To kexec a different kernel image export IMA_KEXEC_IMAGE=<pathname>.
>  # Test requires example IMA policy loadable with LTP_IMA_LOAD_POLICY=1.
> +#
> +# Test requires CONFIG_HAVE_IMA_KEXEC=y (CONFIG_IMA_KEXEC is not mandatory).

Correct.  The test verifies that the kernel image is measured.  It does not
execute the kexec, so there is no need for carrying the IMA measurement list
across kexec (CONFIG_IMA_KEXEC).

>  
>  TST_NEEDS_CMDS="grep kexec sed"
>  TST_CNT=3
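Review bot: The added line `# Test requires CONFIG_HAVE_IMA_KEXEC=y (CONFIG_IMA_KEXEC is not mandatory).` says what is optional but not why. A short clause in the header comment giving the reason stated in this reply (the test does not execute the kexec, so the measurement list need not be carried across it) would save the next reader from having to find this thread.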


* Re: [PATCH 2/2] ima_kexec.sh: Document kernel config dependencies
  2026-01-14 15:11   ` Mimi Zohar
@ 2026-01-14 16:46     ` Petr Vorel
  0 siblings, 0 replies; 5+ messages in thread
From: Petr Vorel @ 2026-01-14 16:46 UTC (permalink / raw)
  To: Mimi Zohar; +Cc: ltp, linux-integrity

Hi Mimi, all,

> On Wed, 2026-01-07 at 16:57 +0100, Petr Vorel wrote:
> > CONFIG_HAVE_IMA_KEXEC=y is enough for test, i.e. test is working with:

> >     # CONFIG_IMA_KEXEC is not set
> >     CONFIG_HAVE_IMA_KEXEC=y

> > Probably obvious as CONFIG_HAVE_IMA_KEXEC is arch specific and
> > CONFIG_IMA_KEXEC is "TPM PCRs are only reset on a hard reboot."
> > and ima_kexec.c requires CONFIG_HAVE_IMA_KEXEC (only parts are skipped
> > when CONFIG_IMA_KEXEC not set) but better to clarify for users.

> > Signed-off-by: Petr Vorel <pvorel@suse.cz>
> > ---
> >  testcases/kernel/security/integrity/ima/tests/ima_kexec.sh | 3 +++
> >  1 file changed, 3 insertions(+)

> > diff --git a/testcases/kernel/security/integrity/ima/tests/ima_kexec.sh b/testcases/kernel/security/integrity/ima/tests/ima_kexec.sh
> > index 7688690af2..de595fcdd7 100755
> > --- a/testcases/kernel/security/integrity/ima/tests/ima_kexec.sh
> > +++ b/testcases/kernel/security/integrity/ima/tests/ima_kexec.sh
> > @@ -6,8 +6,11 @@

> >  # Verify that kexec cmdline is measured correctly.
> >  # Test attempts to kexec the existing running kernel image.
> > +#
> >  # To kexec a different kernel image export IMA_KEXEC_IMAGE=<pathname>.
> >  # Test requires example IMA policy loadable with LTP_IMA_LOAD_POLICY=1.
> > +#
> > +# Test requires CONFIG_HAVE_IMA_KEXEC=y (CONFIG_IMA_KEXEC is not mandatory).

> Correct.  The test verifies that the kernel image is measured.  It does not
> execute the kexec, so there is no need for carrying the IMA measurement list
> across kexec (CONFIG_IMA_KEXEC).

Thanks for having a look! I merged with your RBT (as we discussed).

Kind regards,
Petr

> >  TST_NEEDS_CMDS="grep kexec sed"
> >  TST_CNT=3

