2022-06-24 20:23:56

by Gautam Menghani

Subject: [PATCH] kselftests/damon: add support for checking secureboot status

The kernel is in lockdown mode when secureboot is enabled and hence
debugfs cannot be used. But the error printed after running tests does
not indicate this currently:

>TAP version 13
>1..6
># selftests: damon: debugfs_attrs.sh
># cat: /sys/kernel/debug/damon/monitor_on: Operation not permitted
># _debugfs_common.sh: line 48: [: =: unary operator expected
># cat: /sys/kernel/debug/damon/attrs: Operation not permitted
># _debugfs_common.sh: line 11: /sys/kernel/debug/damon/attrs: Operation
> not permitted
># writing 1 2 3 4 5 to /sys/kernel/debug/damon/attrs doesn't return 0
># expected because: valid input
># _debugfs_common.sh: line 16: /sys/kernel/debug/damon/attrs: Operation
> not permitted
>not ok 1 selftests: damon: debugfs_attrs.sh # exit=1


After adding the check for secureboot, the output is as follows:

>TAP version 13
>1..6
># selftests: damon: debugfs_attrs.sh
># debugfs cannot work with secureboot enabled
>not ok 1 selftests: damon: debugfs_attrs.sh # exit=1


Signed-off-by: Gautam <[email protected]>
---
tools/testing/selftests/damon/_chk_dependency.sh | 10 ++++++++++
1 file changed, 10 insertions(+)
mode change 100644 => 100755 tools/testing/selftests/damon/_chk_dependency.sh

diff --git a/tools/testing/selftests/damon/_chk_dependency.sh b/tools/testing/selftests/damon/_chk_dependency.sh
old mode 100644
new mode 100755
index 0189db81550b..6e45c1fe230e
--- a/tools/testing/selftests/damon/_chk_dependency.sh
+++ b/tools/testing/selftests/damon/_chk_dependency.sh
@@ -26,3 +26,13 @@ do
exit 1
fi
done
+
+secureboot_error="Operation not permitted"
+for f in attrs target_ids monitor_on
+do
+ status=$( cat "$DBGFS/$f" 2>&1 )
+ if [ "${status#*$secureboot_error}" != "$status" ]; then
+ echo "debugfs cannot work with secureboot enabled"
+ exit 1
+ fi
+done
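Review bot: the match on `secureboot_error="Operation not permitted"` depends on the text that cat prints for the error, and that text changes with the locale, so on a non-English locale the `if` never fires and the tests fall through to the confusing errors quoted in the commit message. Consider running the read as `LC_ALL=C cat "$DBGFS/$f"`, or testing cat's exit status instead of its message.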
--
2.36.1


2022-06-24 20:36:25

by SeongJae Park

Subject: Re: [PATCH] kselftests/damon: add support for checking secureboot status

Hi Gautam,


On Sat, 25 Jun 2022 01:22:39 +0530 Gautam <[email protected]> wrote:

> The kernel is in lockdown mode when secureboot is enabled and hence
> debugfs cannot be used. But the error printed after running tests does
> not indicate this currently:
>
> >TAP version 13
> >1..6
> ># selftests: damon: debugfs_attrs.sh
> ># cat: /sys/kernel/debug/damon/monitor_on: Operation not permitted
> ># _debugfs_common.sh: line 48: [: =: unary operator expected
> ># cat: /sys/kernel/debug/damon/attrs: Operation not permitted
> ># _debugfs_common.sh: line 11: /sys/kernel/debug/damon/attrs: Operation
> > not permitted
> ># writing 1 2 3 4 5 to /sys/kernel/debug/damon/attrs doesn't return 0
> ># expected because: valid input
> ># _debugfs_common.sh: line 16: /sys/kernel/debug/damon/attrs: Operation
> > not permitted
> >not ok 1 selftests: damon: debugfs_attrs.sh # exit=1
>
>
> After adding the check for secureboot, the output is as follows:
>
> >TAP version 13
> >1..6
> ># selftests: damon: debugfs_attrs.sh
> ># debugfs cannot work with secureboot enabled
> >not ok 1 selftests: damon: debugfs_attrs.sh # exit=1
>
>
> Signed-off-by: Gautam <[email protected]>
> ---
> tools/testing/selftests/damon/_chk_dependency.sh | 10 ++++++++++
> 1 file changed, 10 insertions(+)
> mode change 100644 => 100755 tools/testing/selftests/damon/_chk_dependency.sh
>
> diff --git a/tools/testing/selftests/damon/_chk_dependency.sh b/tools/testing/selftests/damon/_chk_dependency.sh
> old mode 100644
> new mode 100755
> index 0189db81550b..6e45c1fe230e
> --- a/tools/testing/selftests/damon/_chk_dependency.sh
> +++ b/tools/testing/selftests/damon/_chk_dependency.sh
> @@ -26,3 +26,13 @@ do
> exit 1
> fi
> done
> +
> +secureboot_error="Operation not permitted"
> +for f in attrs target_ids monitor_on
> +do
> + status=$( cat "$DBGFS/$f" 2>&1 )
> + if [ "${status#*$secureboot_error}" != "$status" ]; then
> + echo "debugfs cannot work with secureboot enabled"

I think the check makes sense, but I think there could be more reasons for the
read error other than secure boot. How about making the error message more
clear for the error case and our guess? E.g., "permission for reading
$DBGFS/$f denied; maybe secureboot enabled?"

> + exit 1

This is not a test failure but we are just skipping the test as running the
test here makes no sense. Hence I think '$ksft_skip' could be a better return
code.


Thanks,
SJ

> + fi
> +done
> --
> 2.36.1

2022-06-25 06:17:09

by Gautam Menghani

Subject: [PATCH v2] kselftests/damon: add support for cases where debugfs cannot be read

The kernel is in lockdown mode when secureboot is enabled and hence
debugfs cannot be used. Add support for this and other general cases
where debugfs cannot be read and communicate the same to the user before
running tests.

Signed-off-by: Gautam <[email protected]>
---
Changes in v2:
1. Modify the error message to account for general cases.
2. Change the return code so that the test is skipped.

tools/testing/selftests/damon/_chk_dependency.sh | 10 ++++++++++
1 file changed, 10 insertions(+)
mode change 100644 => 100755 tools/testing/selftests/damon/_chk_dependency.sh

diff --git a/tools/testing/selftests/damon/_chk_dependency.sh b/tools/testing/selftests/damon/_chk_dependency.sh
old mode 100644
new mode 100755
index 0189db81550b..aae7ff8c2080
--- a/tools/testing/selftests/damon/_chk_dependency.sh
+++ b/tools/testing/selftests/damon/_chk_dependency.sh
@@ -26,3 +26,13 @@ do
exit 1
fi
done
+
+secureboot_error="Operation not permitted"
+for f in attrs target_ids monitor_on
+do
+ status=$( cat "$DBGFS/$f" 2>&1 )
+ if [ "${status#*$secureboot_error}" != "$status" ]; then
+ echo "Permission for reading $DBGFS/$f denied; maybe secureboot enabled?"
+ exit $ksft_skip
+ fi
+done
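Review bot: `exit $ksft_skip` relies on a variable that this hunk does not set; if `ksft_skip` is empty at this point, the bare `exit` returns the status of the preceding `echo`, which is 0, and the run is reported as a pass rather than a skip. Please confirm it is assigned earlier in `_chk_dependency.sh`. The name `secureboot_error` also no longer fits now that the message covers the general case.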
--
2.36.1

2022-06-25 08:51:32

by Gautam Menghani

Subject: [PATCH v3] kselftests/damon: add support for cases where debugfs cannot be read

The kernel is in lockdown mode when secureboot is enabled and hence
debugfs cannot be used. Add support for this and other general cases
where debugfs cannot be read and communicate the same to the user before
running tests.

Signed-off-by: Gautam <[email protected]>
---
Changes in v2:
1. Modify the error message to account for general cases.
2. Change the return code so that the test is skipped.

Changes in v3:
1. Change the name of variable holding the error message.

tools/testing/selftests/damon/_chk_dependency.sh | 10 ++++++++++
1 file changed, 10 insertions(+)
mode change 100644 => 100755 tools/testing/selftests/damon/_chk_dependency.sh

diff --git a/tools/testing/selftests/damon/_chk_dependency.sh b/tools/testing/selftests/damon/_chk_dependency.sh
old mode 100644
new mode 100755
index 0189db81550b..0328ac0b5a5e
--- a/tools/testing/selftests/damon/_chk_dependency.sh
+++ b/tools/testing/selftests/damon/_chk_dependency.sh
@@ -26,3 +26,13 @@ do
exit 1
fi
done
+
+permission_error="Operation not permitted"
+for f in attrs target_ids monitor_on
+do
+ status=$( cat "$DBGFS/$f" 2>&1 )
+ if [ "${status#*$permission_error}" != "$status" ]; then
+ echo "Permission for reading $DBGFS/$f denied; maybe secureboot enabled?"
+ exit $ksft_skip
+ fi
+done
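Review bot: in `${status#*$permission_error}` the variable is expanded unquoted inside the pattern, so its value is interpreted as a shell pattern rather than a literal string. It works for the current value because it contains no pattern characters, but writing `${status#*"$permission_error"}` keeps the match literal if the string is ever changed.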
--
2.36.1

2022-06-25 19:03:16

by SeongJae Park

Subject: Re: [PATCH v3] kselftests/damon: add support for cases where debugfs cannot be read

Hi Gautam,

On Sat, 25 Jun 2022 14:05:13 +0530 Gautam <[email protected]> wrote:

> The kernel is in lockdown mode when secureboot is enabled and hence
> debugfs cannot be used. Add support for this and other general cases
> where debugfs cannot be read and communicate the same to the user before
> running tests.
>
> Signed-off-by: Gautam <[email protected]>

All looks good, thank you! I left one comment below, though. After fixing it,
you may have

Reviewed-by: SeongJae Park <[email protected]>


> ---
> Changes in v2:
> 1. Modify the error message to account for general cases.
> 2. Change the return code so that the test is skipped.
>
> Changes in v3:
> 1. Change the name of variable holding the error message.
>
> tools/testing/selftests/damon/_chk_dependency.sh | 10 ++++++++++
> 1 file changed, 10 insertions(+)
> mode change 100644 => 100755 tools/testing/selftests/damon/_chk_dependency.sh

I think this permission change is unnecessary?


Thanks,
SJ

>
> diff --git a/tools/testing/selftests/damon/_chk_dependency.sh b/tools/testing/selftests/damon/_chk_dependency.sh
> old mode 100644
> new mode 100755
> index 0189db81550b..0328ac0b5a5e
> --- a/tools/testing/selftests/damon/_chk_dependency.sh
> +++ b/tools/testing/selftests/damon/_chk_dependency.sh
> @@ -26,3 +26,13 @@ do
> exit 1
> fi
> done
> +
> +permission_error="Operation not permitted"
> +for f in attrs target_ids monitor_on
> +do
> + status=$( cat "$DBGFS/$f" 2>&1 )
> + if [ "${status#*$permission_error}" != "$status" ]; then
> + echo "Permission for reading $DBGFS/$f denied; maybe secureboot enabled?"
> + exit $ksft_skip
> + fi
> +done
> --
> 2.36.1

2022-06-25 20:07:08

by Gautam Menghani

Subject: [PATCH v4] kselftests/damon: add support for cases where debugfs cannot be read

The kernel is in lockdown mode when secureboot is enabled and hence
debugfs cannot be used. Add support for this and other general cases
where debugfs cannot be read and communicate the same to the user before
running tests.

Signed-off-by: Gautam <[email protected]>
---
Changes in v2:
1. Modify the error message to account for general cases.
2. Change the return code so that the test is skipped.

Changes in v3:
1. Change the name of variable holding the error message.

Changes in v4:
1. Correct the mode of the source file.

tools/testing/selftests/damon/_chk_dependency.sh | 10 ++++++++++
1 file changed, 10 insertions(+)

diff --git a/tools/testing/selftests/damon/_chk_dependency.sh b/tools/testing/selftests/damon/_chk_dependency.sh
index 0189db81550b..0328ac0b5a5e 100644
--- a/tools/testing/selftests/damon/_chk_dependency.sh
+++ b/tools/testing/selftests/damon/_chk_dependency.sh
@@ -26,3 +26,13 @@ do
exit 1
fi
done
+
+permission_error="Operation not permitted"
+for f in attrs target_ids monitor_on
+do
+ status=$( cat "$DBGFS/$f" 2>&1 )
+ if [ "${status#*$permission_error}" != "$status" ]; then
+ echo "Permission for reading $DBGFS/$f denied; maybe secureboot enabled?"
+ exit $ksft_skip
+ fi
+done
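Review bot: the commit message promises handling for "other general cases where debugfs cannot be read", but the `if` only fires when the captured output contains "Operation not permitted", so a read that fails with any other error passes this check and the tests run anyway. Checking the exit status of `cat "$DBGFS/$f"` would cover every read failure, with the captured text kept only for the message shown to the user.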
--
2.36.1

2022-06-25 20:19:39

by SeongJae Park

Subject: Re: [PATCH v4] kselftests/damon: add support for cases where debugfs cannot be read

Hi Gautam,

On Sun, 26 Jun 2022 01:22:45 +0530 Gautam <[email protected]> wrote:

> The kernel is in lockdown mode when secureboot is enabled and hence
> debugfs cannot be used. Add support for this and other general cases
> where debugfs cannot be read and communicate the same to the user before
> running tests.
>
> Signed-off-by: Gautam <[email protected]>

Reviewed-by: SeongJae Park <[email protected]>


Thanks,
SJ

> ---
> Changes in v2:
> 1. Modify the error message to account for general cases.
> 2. Change the return code so that the test is skipped.
>
> Changes in v3:
> 1. Change the name of variable holding the error message.
>
> Changes in v4:
> 1. Correct the mode of the source file.
>
> tools/testing/selftests/damon/_chk_dependency.sh | 10 ++++++++++
> 1 file changed, 10 insertions(+)
>
> diff --git a/tools/testing/selftests/damon/_chk_dependency.sh b/tools/testing/selftests/damon/_chk_dependency.sh
> index 0189db81550b..0328ac0b5a5e 100644
> --- a/tools/testing/selftests/damon/_chk_dependency.sh
> +++ b/tools/testing/selftests/damon/_chk_dependency.sh
> @@ -26,3 +26,13 @@ do
> exit 1
> fi
> done
> +
> +permission_error="Operation not permitted"
> +for f in attrs target_ids monitor_on
> +do
> + status=$( cat "$DBGFS/$f" 2>&1 )
> + if [ "${status#*$permission_error}" != "$status" ]; then
> + echo "Permission for reading $DBGFS/$f denied; maybe secureboot enabled?"
> + exit $ksft_skip
> + fi
> +done
> --
> 2.36.1

2022-06-27 17:07:20

by Shuah Khan

Subject: Re: [PATCH v4] kselftests/damon: add support for cases where debugfs cannot be read

On 6/25/22 2:03 PM, SeongJae Park wrote:
> Hi Gautam,
>
> On Sun, 26 Jun 2022 01:22:45 +0530 Gautam <[email protected]> wrote:
>
>> The kernel is in lockdown mode when secureboot is enabled and hence
>> debugfs cannot be used. Add support for this and other general cases
>> where debugfs cannot be read and communicate the same to the user before
>> running tests.
>>
>> Signed-off-by: Gautam <[email protected]>
>
> Reviewed-by: SeongJae Park <[email protected]>
>
>
> Thanks,
> SJ
>
>> ---
>> Changes in v2:
>> 1. Modify the error message to account for general cases.
>> 2. Change the return code so that the test is skipped.
>>
>> Changes in v3:
>> 1. Change the name of variable holding the error message.
>>
>> Changes in v4:
>> 1. Correct the mode of the source file.
>>
>> tools/testing/selftests/damon/_chk_dependency.sh | 10 ++++++++++
>> 1 file changed, 10 insertions(+)
>>
>> diff --git a/tools/testing/selftests/damon/_chk_dependency.sh b/tools/testing/selftests/damon/_chk_dependency.sh
>> index 0189db81550b..0328ac0b5a5e 100644
>> --- a/tools/testing/selftests/damon/_chk_dependency.sh
>> +++ b/tools/testing/selftests/damon/_chk_dependency.sh
>> @@ -26,3 +26,13 @@ do
>> exit 1
>> fi
>> done
>> +
>> +permission_error="Operation not permitted"
>> +for f in attrs target_ids monitor_on
>> +do
>> + status=$( cat "$DBGFS/$f" 2>&1 )
>> + if [ "${status#*$permission_error}" != "$status" ]; then
>> + echo "Permission for reading $DBGFS/$f denied; maybe secureboot enabled?"

btw - does this run as a regular user or does it need root privilege?
If so add a test for that and skip with a message.
>> + exit $ksft_skip
>> + fi
>> +done
>> --
>> 2.36.1
>
thanks,
-- Shuah

2022-06-27 19:05:55

by SeongJae Park

Subject: Re: [PATCH v4] kselftests/damon: add support for cases where debugfs cannot be read

From: SeongJae Park <[email protected]>

Hi Shuah,

On Mon, 27 Jun 2022 11:00:18 -0600 Shuah Khan <[email protected]> wrote:

[...]
> >> --- a/tools/testing/selftests/damon/_chk_dependency.sh
> >> +++ b/tools/testing/selftests/damon/_chk_dependency.sh
> >> @@ -26,3 +26,13 @@ do
> >> exit 1
> >> fi
> >> done
> >> +
> >> +permission_error="Operation not permitted"
> >> +for f in attrs target_ids monitor_on
> >> +do
> >> + status=$( cat "$DBGFS/$f" 2>&1 )
> >> + if [ "${status#*$permission_error}" != "$status" ]; then
> >> + echo "Permission for reading $DBGFS/$f denied; maybe secureboot enabled?"
>
> btw - does this run as a regular user or does it need root privilege?
> If so add a test for that and skip with a message.

It needs the root permission, and does the check at the beginning[1].

[1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/tools/testing/selftests/damon/_chk_dependency.sh?h=v5.19-rc4#n9


Thanks,
SJ

> >> + exit $ksft_skip
> >> + fi
> >> +done
> >> --
> >> 2.36.1
> >
> thanks,
> -- Shuah

2022-06-27 19:56:49

by Shuah Khan

Subject: Re: [PATCH v4] kselftests/damon: add support for cases where debugfs cannot be read

On 6/27/22 12:57 PM, SeongJae Park wrote:
> From: SeongJae Park <[email protected]>
>
> Hi Shuah,
>
> On Mon, 27 Jun 2022 11:00:18 -0600 Shuah Khan <[email protected]> wrote:
>
> [...]
>>>> --- a/tools/testing/selftests/damon/_chk_dependency.sh
>>>> +++ b/tools/testing/selftests/damon/_chk_dependency.sh
>>>> @@ -26,3 +26,13 @@ do
>>>> exit 1
>>>> fi
>>>> done
>>>> +
>>>> +permission_error="Operation not permitted"
>>>> +for f in attrs target_ids monitor_on
>>>> +do
>>>> + status=$( cat "$DBGFS/$f" 2>&1 )
>>>> + if [ "${status#*$permission_error}" != "$status" ]; then
>>>> + echo "Permission for reading $DBGFS/$f denied; maybe secureboot enabled?"
>>
>> btw - does this run as a regular user or does it need root privilege?
>> If so add a test for that and skip with a message.
>
> It needs the root permission, and does the check at the beginning[1].
>
> [1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/tools/testing/selftests/damon/_chk_dependency.sh?h=v5.19-rc4#n9
>
>

Great. Thank you. I will pull this one in for linux-kselftest next
for Linux 5.20-rc1

thanks,
-- Shuah

2022-06-28 04:16:18

by Gautam Menghani

Subject: Re: [PATCH v4] kselftests/damon: add support for cases where debugfs cannot be read

Cc'ing everyone as I forgot to group reply before. Also, I have included the
example outputs in this reply.
On Tue, Jun 28, 2022 at 12:12:15AM +0530, Gautam Menghani wrote:
> On Mon, Jun 27, 2022 at 11:00:18AM -0600, Shuah Khan wrote:
> > On 6/25/22 2:03 PM, SeongJae Park wrote:
> > > Hi Gautam,
> > >
> > > On Sun, 26 Jun 2022 01:22:45 +0530 Gautam <[email protected]> wrote:
> > >
> > > > The kernel is in lockdown mode when secureboot is enabled and hence
> > > > debugfs cannot be used. Add support for this and other general cases
> > > > where debugfs cannot be read and communicate the same to the user before
> > > > running tests.
> > > >
> > > > Signed-off-by: Gautam <[email protected]>
> > >
> > > Reviewed-by: SeongJae Park <[email protected]>
> > >
> > >
> > > Thanks,
> > > SJ
> > >
> > > > ---
> > > > Changes in v2:
> > > > 1. Modify the error message to account for general cases.
> > > > 2. Change the return code so that the test is skipped.
> > > >
> > > > Changes in v3:
> > > > 1. Change the name of variable holding the error message.
> > > >
> > > > Changes in v4:
> > > > 1. Correct the mode of the source file.
> > > >
> > > > tools/testing/selftests/damon/_chk_dependency.sh | 10 ++++++++++
> > > > 1 file changed, 10 insertions(+)
> > > >
> > > > diff --git a/tools/testing/selftests/damon/_chk_dependency.sh b/tools/testing/selftests/damon/_chk_dependency.sh
> > > > index 0189db81550b..0328ac0b5a5e 100644
> > > > --- a/tools/testing/selftests/damon/_chk_dependency.sh
> > > > +++ b/tools/testing/selftests/damon/_chk_dependency.sh
> > > > @@ -26,3 +26,13 @@ do
> > > > exit 1
> > > > fi
> > > > done
> > > > +
> > > > +permission_error="Operation not permitted"
> > > > +for f in attrs target_ids monitor_on
> > > > +do
> > > > + status=$( cat "$DBGFS/$f" 2>&1 )
> > > > + if [ "${status#*$permission_error}" != "$status" ]; then
> > > > + echo "Permission for reading $DBGFS/$f denied; maybe secureboot enabled?"
> >
> > btw - does this run as a regular user or does it need root privilege?
> > If so add a test for that and skip with a message.
>
> Yes this condition is reachable only with root user. If damon tests are run
> as regular user, the root check condition already skips the tests.
>
> Tests output as regular user:
> +TAP version 13
> +1..6
> +# selftests: damon: debugfs_attrs.sh
> +# Run as root
> +ok 1 selftests: damon: debugfs_attrs.sh # SKIP
> +# selftests: damon: debugfs_schemes.sh
> +# Run as root
>
> Tests output as root user:
> +TAP version 13
> +1..6
> +# selftests: damon: debugfs_attrs.sh
> +# Permission for reading /sys/kernel/debug/damon/attrs denied; maybe secureboot enabled?
> +ok 1 selftests: damon: debugfs_attrs.sh # SKIP
> +# selftests: damon: debugfs_schemes.sh
> +# Permission for reading /sys/kernel/debug/damon/attrs denied; maybe secureboot enabled?
>
> Is any change needed in this patch?
>
> > > > + exit $ksft_skip
> > > > + fi
> > > > +done
> > > > --
> > > > 2.36.1
> > >
> > thanks,
> > -- Shuah