From: zohar at linux.ibm.com (Mimi Zohar) Subject: [PATCH v5 9/9] selftests/kexec: make kexec_load test independent of IMA being enabled Date: Tue, 26 Mar 2019 09:34:17 -0400 [thread overview] Message-ID: <1553607257-18906-10-git-send-email-zohar@linux.ibm.com> (raw) In-Reply-To: <1553607257-18906-1-git-send-email-zohar@linux.ibm.com> Verify IMA is enabled before failing tests or emitting irrelevant messages. Suggested-by: Dave Young <dyoung at redhat.com> Signed-off-by: Mimi Zohar <zohar at linux.ibm.com> Reviewed-by: Dave Young <dyoung at redhat.com> --- tools/testing/selftests/kexec/test_kexec_load.sh | 24 ++++++++++++++++-------- 1 file changed, 16 insertions(+), 8 deletions(-) diff --git a/tools/testing/selftests/kexec/test_kexec_load.sh b/tools/testing/selftests/kexec/test_kexec_load.sh index 2a66c8897f55..49c6aa929137 100755 --- a/tools/testing/selftests/kexec/test_kexec_load.sh +++ b/tools/testing/selftests/kexec/test_kexec_load.sh @@ -1,8 +1,8 @@ #!/bin/sh # SPDX-License-Identifier: GPL-2.0 -# Loading a kernel image via the kexec_load syscall should fail -# when the kernel is CONFIG_KEXEC_VERIFY_SIG enabled and the system -# is booted in secureboot mode. +# +# Prevent loading a kernel image via the kexec_load syscall when +# signatures are required. (Dependent on CONFIG_IMA_ARCH_POLICY.) TEST="$0" . ./kexec_common_lib.sh 
@@ -18,20 +18,28 @@ if [ $? -eq 0 ]; then log_skip "kexec_load is not enabled" fi +kconfig_enabled "CONFIG_IMA_APPRAISE=y" "IMA enabled" +ima_appraise=$? + +kconfig_enabled "CONFIG_IMA_ARCH_POLICY=y" \ + "IMA architecture specific policy enabled" +arch_policy=$? + get_secureboot_mode secureboot=$? -# kexec_load should fail in secure boot mode +# kexec_load should fail in secure boot mode and CONFIG_IMA_ARCH_POLICY enabled kexec --load $KERNEL_IMAGE > /dev/null 2>&1 if [ $? -eq 0 ]; then kexec --unload - if [ $secureboot -eq 1 ]; then + if [ $secureboot -eq 1 ] && [ $arch_policy -eq 1 ]; then log_fail "kexec_load succeeded" - else - log_pass "kexec_load succeeded" + elif [ $ima_appraise -eq 0 -o $arch_policy -eq 0 ]; then + log_info "Either IMA or the IMA arch policy is not enabled" fi + log_pass "kexec_load succeeded" else - if [ $secureboot -eq 1 ]; then + if [ $secureboot -eq 1 ] && [ $arch_policy -eq 1 ] ; then log_pass "kexec_load failed" else log_fail "kexec_load failed" -- 2.7.5
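Review bot: the rewritten header comment in the first hunk drops the secure boot condition that the test still depends on: the second hunk only expects kexec_load to fail when both `$secureboot -eq 1` and `$arch_policy -eq 1`, so "Prevent loading a kernel image via the kexec_load syscall when signatures are required. (Dependent on CONFIG_IMA_ARCH_POLICY.)" understates the precondition and reads as a description of kernel behaviour rather than of what the test checks. Suggest stating both conditions as the test's expectation, e.g. `# kexec_load should fail when the system is booted in secure boot mode and CONFIG_IMA_ARCH_POLICY is enabled (signatures required).`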
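Review bot: in the second hunk the unconditional `log_pass "kexec_load succeeded"` after the `fi` relies on `log_fail` terminating the script; if `log_fail` in kexec_common_lib.sh only prints, a secure-boot system with CONFIG_IMA_ARCH_POLICY=y would report both a FAIL and a PASS for the same load. Either keep the `log_pass` in an `else` branch or note in the commit message that `log_fail` exits. Two smaller points in the same hunk: `[ $ima_appraise -eq 0 -o $arch_policy -eq 0 ]` mixes the obsolescent `-o` with the `[ ... ] && [ ... ]` form used two lines above, so `[ $ima_appraise -eq 0 ] || [ $arch_policy -eq 0 ]` would be consistent, and since both return codes are already held in `$ima_appraise` and `$arch_policy` the log_info message could say which of the two options is missing instead of "Either IMA or the IMA arch policy is not enabled". Also `[ $arch_policy -eq 1 ] ; then` has a stray space before the semicolon that the matching test in the success branch does not.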