From: zohar at linux.ibm.com (Mimi Zohar)
Subject: [PATCH v5 0/9] selftests/kexec: add kexec tests
Date: Tue, 26 Mar 2019 09:34:08 -0400 [thread overview]
Message-ID: <1553607257-18906-1-git-send-email-zohar@linux.ibm.com> (raw)
The kernel may be configured or an IMA policy specified on the boot
command line requiring the kexec kernel image signature to be verified.
At runtime a custom IMA policy may be loaded, replacing the policy
specified on the boot command line. In addition, the arch specific
policy rules are dynamically defined based on the secure boot mode that
may require the kernel image signature to be verified.
The kernel image may have a PE signature, an IMA signature, or both. In
addition, there are two kexec syscalls - kexec_load and kexec_file_load
- but only the kexec_file_load syscall can verify signatures.
These kexec selftests verify that only properly signed kernel images are
loaded as required, based on the kernel config, the secure boot mode,
and the IMA runtime policy.
Loading a kernel image requires root privileges. To run just the KEXEC
selftests: sudo make TARGETS=kexec kselftest
Changelog v5:
- Make tests independent of IMA being enabled, folding the changes
into the kexec_file_load test.
- Add support for CONFIG_KEXEC_VERIFY_SIG being enabled, but not
CONFIG_KEXEC_BZIMAGE_VERIFY_SIG.
Changelog v4:
- Moved the kexec tests to selftests/kexec, as requested by Dave Young.
- Removed the kernel module selftest from this patch set.
- Rewritten cover letter, removing reference to kernel modules.
Changelog v3:
- Updated tests based on Petr's review, including the defining a common
test to check for root privileges.
- Modified config, removing the CONFIG_KEXEC_VERIFY_SIG requirement.
- Updated the SPDX license to GPL-2.0 based on Shuah's review.
- Updated the secureboot mode test to check the SetupMode as well, based
on David Young's review.
Mimi Zohar (8):
selftests/kexec: move the IMA kexec_load selftest to selftests/kexec
selftests/kexec: cleanup the kexec selftest
selftests/kexec: define a set of common functions
selftests/kexec: define common logging functions
kselftest/kexec: define "require_root_privileges"
selftests/kexec: kexec_file_load syscall test
selftests/kexec: check kexec_load and kexec_file_load are enabled
selftests/kexec: make kexec_load test independent of IMA being enabled
Petr Vorel (1):
selftests/kexec: Add missing '=y' to config options
tools/testing/selftests/Makefile | 2 +-
tools/testing/selftests/ima/Makefile | 11 --
tools/testing/selftests/ima/config | 4 -
tools/testing/selftests/ima/test_kexec_load.sh | 54 ------
tools/testing/selftests/kexec/Makefile | 12 ++
tools/testing/selftests/kexec/config | 3 +
tools/testing/selftests/kexec/kexec_common_lib.sh | 175 +++++++++++++++++
.../selftests/kexec/test_kexec_file_load.sh | 208 +++++++++++++++++++++
tools/testing/selftests/kexec/test_kexec_load.sh | 47 +++++
9 files changed, 446 insertions(+), 70 deletions(-)
delete mode 100644 tools/testing/selftests/ima/Makefile
delete mode 100644 tools/testing/selftests/ima/config
delete mode 100755 tools/testing/selftests/ima/test_kexec_load.sh
create mode 100644 tools/testing/selftests/kexec/Makefile
create mode 100644 tools/testing/selftests/kexec/config
create mode 100755 tools/testing/selftests/kexec/kexec_common_lib.sh
create mode 100755 tools/testing/selftests/kexec/test_kexec_file_load.sh
create mode 100755 tools/testing/selftests/kexec/test_kexec_load.sh
--
2.7.5
WARNING: multiple messages have this Message-ID (diff)
From: zohar@linux.ibm.com (Mimi Zohar)
Subject: [PATCH v5 0/9] selftests/kexec: add kexec tests
Date: Tue, 26 Mar 2019 09:34:08 -0400 [thread overview]
Message-ID: <1553607257-18906-1-git-send-email-zohar@linux.ibm.com> (raw)
Message-ID: <20190326133408.1DCPmV98btF3zkUOaE2I8eMd_fEYGoc0C9Dt4HNFnbI@z> (raw)
The kernel may be configured or an IMA policy specified on the boot
command line requiring the kexec kernel image signature to be verified.
At runtime a custom IMA policy may be loaded, replacing the policy
specified on the boot command line. In addition, the arch specific
policy rules are dynamically defined based on the secure boot mode that
may require the kernel image signature to be verified.
The kernel image may have a PE signature, an IMA signature, or both. In
addition, there are two kexec syscalls - kexec_load and kexec_file_load
- but only the kexec_file_load syscall can verify signatures.
These kexec selftests verify that only properly signed kernel images are
loaded as required, based on the kernel config, the secure boot mode,
and the IMA runtime policy.
Loading a kernel image requires root privileges. To run just the KEXEC
selftests: sudo make TARGETS=kexec kselftest
Changelog v5:
- Make tests independent of IMA being enabled, folding the changes
into the kexec_file_load test.
- Add support for CONFIG_KEXEC_VERIFY_SIG being enabled, but not
CONFIG_KEXEC_BZIMAGE_VERIFY_SIG.
Changelog v4:
- Moved the kexec tests to selftests/kexec, as requested by Dave Young.
- Removed the kernel module selftest from this patch set.
- Rewritten cover letter, removing reference to kernel modules.
Changelog v3:
- Updated tests based on Petr's review, including the defining a common
test to check for root privileges.
- Modified config, removing the CONFIG_KEXEC_VERIFY_SIG requirement.
- Updated the SPDX license to GPL-2.0 based on Shuah's review.
- Updated the secureboot mode test to check the SetupMode as well, based
on David Young's review.
Mimi Zohar (8):
selftests/kexec: move the IMA kexec_load selftest to selftests/kexec
selftests/kexec: cleanup the kexec selftest
selftests/kexec: define a set of common functions
selftests/kexec: define common logging functions
kselftest/kexec: define "require_root_privileges"
selftests/kexec: kexec_file_load syscall test
selftests/kexec: check kexec_load and kexec_file_load are enabled
selftests/kexec: make kexec_load test independent of IMA being enabled
Petr Vorel (1):
selftests/kexec: Add missing '=y' to config options
tools/testing/selftests/Makefile | 2 +-
tools/testing/selftests/ima/Makefile | 11 --
tools/testing/selftests/ima/config | 4 -
tools/testing/selftests/ima/test_kexec_load.sh | 54 ------
tools/testing/selftests/kexec/Makefile | 12 ++
tools/testing/selftests/kexec/config | 3 +
tools/testing/selftests/kexec/kexec_common_lib.sh | 175 +++++++++++++++++
.../selftests/kexec/test_kexec_file_load.sh | 208 +++++++++++++++++++++
tools/testing/selftests/kexec/test_kexec_load.sh | 47 +++++
9 files changed, 446 insertions(+), 70 deletions(-)
delete mode 100644 tools/testing/selftests/ima/Makefile
delete mode 100644 tools/testing/selftests/ima/config
delete mode 100755 tools/testing/selftests/ima/test_kexec_load.sh
create mode 100644 tools/testing/selftests/kexec/Makefile
create mode 100644 tools/testing/selftests/kexec/config
create mode 100755 tools/testing/selftests/kexec/kexec_common_lib.sh
create mode 100755 tools/testing/selftests/kexec/test_kexec_file_load.sh
create mode 100755 tools/testing/selftests/kexec/test_kexec_load.sh
--
2.7.5
next reply other threads:[~2019-03-26 13:34 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-03-26 13:34 zohar [this message]
2019-03-26 13:34 ` [PATCH v5 0/9] selftests/kexec: add kexec tests Mimi Zohar
2019-03-26 13:34 ` [PATCH v5 1/9] selftests/kexec: move the IMA kexec_load selftest to selftests/kexec zohar
2019-03-26 13:34 ` Mimi Zohar
2019-03-27 11:54 ` pvorel
2019-03-27 11:54 ` Petr Vorel
2019-03-26 13:34 ` [PATCH v5 2/9] selftests/kexec: cleanup the kexec selftest zohar
2019-03-26 13:34 ` Mimi Zohar
2019-03-26 13:34 ` [PATCH v5 3/9] selftests/kexec: define a set of common functions zohar
2019-03-26 13:34 ` Mimi Zohar
2019-03-26 13:34 ` [PATCH v5 4/9] selftests/kexec: define common logging functions zohar
2019-03-26 13:34 ` Mimi Zohar
2019-03-27 11:45 ` pvorel
2019-03-27 11:45 ` Petr Vorel
2019-03-26 13:34 ` [PATCH v5 5/9] kselftest/kexec: define "require_root_privileges" zohar
2019-03-26 13:34 ` Mimi Zohar
2019-03-26 13:34 ` [PATCH v5 6/9] selftests/kexec: kexec_file_load syscall test zohar
2019-03-26 13:34 ` Mimi Zohar
2019-03-26 13:34 ` [PATCH v5 7/9] selftests/kexec: Add missing '=y' to config options zohar
2019-03-26 13:34 ` Mimi Zohar
2019-03-26 13:34 ` [PATCH v5 8/9] selftests/kexec: check kexec_load and kexec_file_load are enabled zohar
2019-03-26 13:34 ` Mimi Zohar
2019-03-27 11:53 ` pvorel
2019-03-27 11:53 ` Petr Vorel
2019-03-26 13:34 ` [PATCH v5 9/9] selftests/kexec: make kexec_load test independent of IMA being enabled zohar
2019-03-26 13:34 ` Mimi Zohar
2019-03-27 11:56 ` pvorel
2019-03-27 11:56 ` Petr Vorel
2019-04-03 14:06 ` [PATCH] selftests/kexec: update get_secureboot_mode zohar
2019-04-03 14:06 ` Mimi Zohar
2019-04-05 12:47 ` pvorel
2019-04-05 12:47 ` Petr Vorel
2019-04-05 18:35 ` zohar
2019-04-05 18:35 ` Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1553607257-18906-1-git-send-email-zohar@linux.ibm.com \
--to=linux-kselftest@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).