From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-5.5 required=3.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,SIGNED_OFF_BY,SPF_PASS,USER_AGENT_MUTT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id BE274C43381 for ; Thu, 28 Feb 2019 22:20:47 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 95E632133D for ; Thu, 28 Feb 2019 22:20:47 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732415AbfB1WUp (ORCPT ); Thu, 28 Feb 2019 17:20:45 -0500 Received: from mx2.suse.de ([195.135.220.15]:52372 "EHLO mx1.suse.de" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1727988AbfB1WUm (ORCPT ); Thu, 28 Feb 2019 17:20:42 -0500 X-Virus-Scanned: by amavisd-new at test-mx.suse.de Received: from relay2.suse.de (unknown [195.135.220.254]) by mx1.suse.de (Postfix) with ESMTP id 407DAB183; Thu, 28 Feb 2019 22:20:41 +0000 (UTC) Date: Thu, 28 Feb 2019 23:20:39 +0100 From: Petr Vorel To: Mimi Zohar Cc: linux-kselftest@vger.kernel.org, Shuah Khan , linux-integrity@vger.kernel.org, linux-kernel@vger.kernel.org Subject: Re: [PATCH v2 4/5] selftests/ima: kexec_file_load syscall test Message-ID: <20190228222039.GD20335@dell5510> Reply-To: Petr Vorel References: <1551223620-11586-1-git-send-email-zohar@linux.ibm.com> <1551223620-11586-5-git-send-email-zohar@linux.ibm.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <1551223620-11586-5-git-send-email-zohar@linux.ibm.com> User-Agent: Mutt/1.11.3 (2019-02-01) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi Mimi, > The kernel can be configured to verify PE signed kernel images, IMA > kernel image signatures, both types of signatures, or none. This test > verifies only properly signed kernel images are loaded into memory, > based on the kernel configuration and runtime policies. > Signed-off-by: Mimi Zohar > --- a/tools/testing/selftests/ima/common_lib.sh ... > +# Look for config option in Kconfig file. > +# Return 1 for found and 0 for not found. I'd revert the return value (for shell is 0 as ok), but matter of preference. > +kconfig_enabled() > +{ > + local config="$1" > + local msg="$2" > + > + grep -E -q $config $IKCONFIG > + if [ $? -eq 0 ]; then > + log_info "$msg" > + return 1 > + fi > + return 0 > +} > + > +# Attempt to get the kernel config first via proc, and then by > +# extracting it from the kernel image or the configs.ko using > +# scripts/extract-ikconfig. > +# Return 1 for found and 0 for not found. "and 0 for not found": This is not true as it uses log_skip which exits. And you don't read this value anywhere. > +get_kconfig() > +{ > + local proc_config="/proc/config.gz" > + local module_dir="/lib/modules/`uname -r`" > + local configs_module="$module_dir/kernel/kernel/configs.ko" > + > + if [ ! -f $proc_config ]; then > + modprobe configs > /dev/null 2>&1 > + fi > + if [ -f $proc_config ]; then > + cat $proc_config | gunzip > $IKCONFIG 2>/dev/null > + if [ $? -eq 0 ]; then > + return 1 > + fi > + fi > + > + local extract_ikconfig="$module_dir/source/scripts/extract-ikconfig" > + if [ ! -f $extract_ikconfig ]; then > + log_skip "extract-ikconfig not found" > + fi > + > + $extract_ikconfig $KERNEL_IMAGE > $IKCONFIG 2>/dev/null > + if [ $? -eq 1 ]; then > + if [ ! -f $configs_module ]; then > + log_skip "CONFIG_IKCONFIG not enabled" > + fi > + $extract_ikconfig $configs_module > $IKCONFIG > + if [ $? -eq 1 ]; then > + log_skip "CONFIG_IKCONFIG not enabled" > + fi > + fi > + return 1 > +} Kind regards, Petr