Received: by 2002:ac0:8c9a:0:0:0:0:0 with SMTP id r26csp3133344ima; Sun, 3 Feb 2019 14:25:16 -0800 (PST) X-Google-Smtp-Source: ALg8bN7wWZbYN2frxarAmkp8cxvLMYy6ZZ3tuIp0MNNuQ1m53UFZETsZ+NV/O3IPCKWDW0hYUIdU X-Received: by 2002:a17:902:6683:: with SMTP id e3mr46835577plk.93.1549232716212; Sun, 03 Feb 2019 14:25:16 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1549232716; cv=none; d=google.com; s=arc-20160816; b=TLh0h+c8F0lwE0YXaM7WXvvth+Vdby0HorbML+U94u7QDn8rZunETD8ayycTbM3tom cJXtRYuUL7pMctGOV0MCqQaWKXuciDgEFEwemeEU95O8pAmGCEKHVgvC4dv3sIksBDHE EATfGPnRcXIcPoEw80WRWCxLOSr5GA8aiKeKZZj+901ZeGk5qnlwKLPExtfSsAIGri56 qt2JuR6X7mI9Cek20Nbn2MjDjaenB7teQtEw8+iOdIv02uxvnpGeQBmQIIqMiRcRZypf mpnR4i1n4I+xxFgUWlEqS03grPHihPZPc90KTI5vPtIcf9RuuTH57bdN0zrohH8gsDn2 kYbQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:reply-to:message-id :subject:cc:to:from:date; bh=aJ4Ta8Q+qRm0F+7v8r16fh0ssVZUGdReZN4GZ8+dJRE=; b=CuDyrjiY7wR06cq3ujuCLL3Lzc6nJam/M9/nKqCXG/ThVFdNvrVALJnNdKWa/07XQt NPVmLiVk+vwGoL7iwCVCPVGxTTe7BcEaQnM29zR7TQwCZYFdvvWRhbTuCXVPlzifLstW 3v7AvBcvblU1XFTnuoAfWNgCQTPgAxPPheDUPNIVaN8+IuieyM0Z8iCbcZeLppKx5eEG /60cQ7ZmmiDF+qNQPtZoQAMRCZPdDYJuKp1Kfg4TA4HfElh5oQ+Zr+sMQbWz10hwgNiU qrN8jZYmi96lkkOi1GgHnc2AP4k8xYqY17v0nhTGT+/AROG4FpHpR/PVpNjdc0YiObC3 OJiQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id e13si11165803pfi.271.2019.02.03.14.24.31; Sun, 03 Feb 2019 14:25:16 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728024AbfBCWDD (ORCPT + 99 others); Sun, 3 Feb 2019 17:03:03 -0500 Received: from mx2.suse.de ([195.135.220.15]:33794 "EHLO mx1.suse.de" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1726673AbfBCWDD (ORCPT ); Sun, 3 Feb 2019 17:03:03 -0500 X-Virus-Scanned: by amavisd-new at test-mx.suse.de Received: from relay2.suse.de (unknown [195.135.220.254]) by mx1.suse.de (Postfix) with ESMTP id AEC8FAE7A; Sun, 3 Feb 2019 22:03:00 +0000 (UTC) Date: Sun, 3 Feb 2019 23:02:58 +0100 From: Petr Vorel To: Mimi Zohar Cc: linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, kexec@lists.infradead.org, David Howells , Dave Young , Eric Biederman , Shuah Khan Subject: Re: [PATCH 3/3] selftests/ima: kexec_file_load syscall test Message-ID: <20190203220258.GC4022@x230> Reply-To: Petr Vorel References: <1548960936-7800-1-git-send-email-zohar@linux.ibm.com> <1548960936-7800-4-git-send-email-zohar@linux.ibm.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <1548960936-7800-4-git-send-email-zohar@linux.ibm.com> User-Agent: Mutt/1.10.1 (2018-07-13) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi Mimi, > The kernel can be configured to verify PE signed kernel images, IMA > kernel image signatures, both types of signatures, or none. This test > verifies only properly signed kernel images are loaded into memory, > based on the kernel configuration and runtime policies. > Signed-off-by: Mimi Zohar Reviewed-by: Petr Vorel ... > +++ b/tools/testing/selftests/ima/test_kexec_file_load.sh > @@ -0,0 +1,250 @@ > +#!/bin/sh > +# SPDX-License-Identifier: GPL-2.0+ # SPDX-License-Identifier: GPL-2.0-or-later > +# > +# Loading a kernel image via the kexec_file_load syscall can verify either > +# the IMA signature stored in the security.ima xattr or the PE signature, > +# both signatures depending on the IMA policy, or none. > +# > +# To determine whether the kernel image is signed, this test depends > +# on pesign and getfattr. This test also requires the kernel to be > +# built with CONFIG_IKCONFIG enabled and either CONFIG_IKCONFIG_PROC > +# enabled or access to the extract-ikconfig script. > + > +VERBOSE=1 Maybe allow to disable verbose without source change? VERBOSE="${VERBOSE:-1}" > +EXTRACT_IKCONFIG=$(ls /lib/modules/`uname -r`/source/scripts/extract-ikconfig) > +IKCONFIG=/tmp/config-`uname -r` > +PROC_CONFIG="/proc/config.gz" > +KERNEL_IMAGE="/boot/vmlinuz-`uname -r`" > +PESIGN=/usr/bin/pesign > +GETFATTR=/usr/bin/getfattr > + > +TEST="$0" > +. ./common_lib.sh > + > +# Kselftest framework requirement - SKIP code is 4. > +ksft_skip=4 > + > +kconfig_enabled() > +{ > + RC=0 > + egrep -q $1 $IKCONFIG > + if [ $? -eq 0 ]; then > + RC=1 > + fi > + return $RC > +} This would be enough (grep with -e returns only 0 or 1): kconfig_enabled() { grep -E -q $1 $IKCONFIG } > + > +# policy rule format: action func= [appraise_type=] > +check_ima_policy() > +{ > + IMA_POLICY=/sys/kernel/security/ima/policy > + > + RC=0 > + if [ $# -eq 3 ]; then > + grep -e $2 $IMA_POLICY | grep -e "^$1.*$3" 2>&1 >/dev/null > + else > + grep -e $2 $IMA_POLICY | grep -e "^$1" 2>&1 >/dev/null > + fi > + if [ $? -eq 0 ]; then > + RC=1 > + fi > + return $RC > +} This would be enough and more descriptive: check_ima_policy() { local action="$1" local keyword="$2" local type="$3" [ -n "$type" ] && type="appraise_type=$type" grep -q "^$action.*func=$keyword.*$type" /sys/kernel/security/ima/policy } > + > +check_kconfig_options() > +{ > + # Attempt to get the kernel config first via proc, and then by > + # extracting it from the kernel image using scripts/extract-ikconfig. > + if [ ! -f $PROC_CONFIG ]; then > + modprobe configs 2>/dev/null > + fi > + if [ -f $PROC_CONFIG ]; then > + cat $PROC_CONFIG > $IKCONFIG > + fi > + > + if [ ! -f $IKCONFIG ]; then > + if [ ! -f $EXTRACT_IKCONFIG ]; then > + echo "$TEST: requires access to extract-ikconfig" >&2 > + exit $ksft_skip > + fi > + > + $EXTRACT_IKCONFIG $KERNEL_IMAGE > $IKCONFIG > + kconfig_enabled "CONFIG_IKCONFIG=y" > + if [ $? -eq 0 ]; then > + echo "$TEST: requires the kernel to be built with CONFIG_IKCONFIG" >&2 > + exit $ksft_skip > + fi > + fi > + > + kconfig_enabled "CONFIG_KEXEC_BZIMAGE_VERIFY_SIG=y" > + pe_sig_required=$? > + if [ $VERBOSE -ne 0 ] && [ $pe_sig_required -eq 1 ]; then > + echo "$TEST: [INFO] PE signed kernel image required" > + fi Checks for $VERBOSE here and in other kconfig_enabled usages bellow are a bit redundant. And you check for assigned variable now and then later on, you use these variables as global (and reset $ima_sig_required in check_runtime(). How about using functions instead: log_info() { echo "$TEST: [INFO] $1" } (Reducing some duplicity, IMHO helper functions in shell library used in all selftest tests would be useful) kconfig_enabled() { local config="$1" local msg="$2" local ret grep -E -q $config $IKCONFIG ret=$? [ $VERBOSE -ne 0 ] && [ $ret -eq 1 ] && log_info "$msg" return $ret } ima_sig_enabled() { kconfig_enabled "CONFIG_KEXEC_BZIMAGE_VERIFY_SIG=y" \ "PE signed kernel image required" } ima_sig_enabled() { kconfig_enabled "CONFIG_IMA_APPRAISE_REQUIRE_KEXEC_SIGS=y" \ "IMA kernel image signature required" } Warning is printed each time, but that's deliberate. If it's not wanted, it can be moved into setup. ... > +check_kconfig_options > +check_for_apps > +check_runtime > +check_for_sigs > +kexec_file_load_test > +rc=$? > +exit $rc These two are redundant. Kind regards, Petr