Received: by 2002:ac0:bc90:0:0:0:0:0 with SMTP id a16csp973675img; Fri, 22 Mar 2019 12:37:43 -0700 (PDT) X-Google-Smtp-Source: APXvYqx/zbCRJILc6vTbCq3qxLV6WTdGAxC2fyT+yhWYYWGDmn6SJg8GRHO092NrNRUhIDEitJ5Z X-Received: by 2002:a62:39d6:: with SMTP id u83mr10933375pfj.161.1553283463133; Fri, 22 Mar 2019 12:37:43 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1553283463; cv=none; d=google.com; s=arc-20160816; b=jvZSx1uawMV/KxVMmgYnm7NRQX2Bv1IC+Co7bWyXzUYr4SDInc6rzXXng9rRx99rAm YGJq22cOlhabzfGAy85q3xEk1OFrNzOm/TiRCDD9PoNgdPjhjUlcff8mhaKrk2TUldpX bOGreU0+4MWGhvA6uF/9NT4zKTU8JfNn78j9WIggBcZGX8tlmPokusQsdETuzUY1Clel 7tuJurAgerNg7sWCcbm0jOG3GAjAFzZlq2/dpelcJ7lVOaMI3UkNxlFetwlWvF86jGIz 9Q/+ljU3WMDGrxwyBFaHKAz+f7ZjsjdTvyOoz8Jv+fWLNz77VWoCV5lF4+CYFRodIvPC /dXA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:message-id:date:subject:cc:to:from; bh=GUepmPB2iIPo/Y6T02+2hpfumNTpSzBrREPvFtN2mec=; b=CKFGwoeI+dsREFw1GukvBS3jNPk+UdEWOCXMPKkisZsebFFcQzxWKhzBpHIiPCaP7w K4r+ZT+QQ+Frf0n+duAuzwfn55kH5257er7oPJjzoL2euYQkkkGxtLigH17qPn7Ip8HC 4MZh5Z198z94MjFeKRcfE8V/2GkRsNtVjcV6nqwobicRiTIXEW4iJv3RWtMeAREURjS0 BcIWkbrgO+LVL6wG8HNj1VtiAfoUolIPR9XAJRHjXBciIT4ytJAHtTRRzhc0+pBfy6m+ eTBKtFvbq96Yk4t701GDhZWeUlwWGEXON+eukIgxP9U/1umc+wq7J7+XDBAzA7iXl3AH EyCg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ibm.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id p19si7712853plq.29.2019.03.22.12.37.27; Fri, 22 Mar 2019 12:37:43 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ibm.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727283AbfCVTgi (ORCPT + 99 others); Fri, 22 Mar 2019 15:36:38 -0400 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:56288 "EHLO mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1726472AbfCVTgh (ORCPT ); Fri, 22 Mar 2019 15:36:37 -0400 Received: from pps.filterd (m0098416.ppops.net [127.0.0.1]) by mx0b-001b2d01.pphosted.com (8.16.0.27/8.16.0.27) with SMTP id x2MJYcVP059669 for ; Fri, 22 Mar 2019 15:36:36 -0400 Received: from e06smtp01.uk.ibm.com (e06smtp01.uk.ibm.com [195.75.94.97]) by mx0b-001b2d01.pphosted.com with ESMTP id 2rd5x008qy-1 (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=NOT) for ; Fri, 22 Mar 2019 15:36:35 -0400 Received: from localhost by e06smtp01.uk.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Fri, 22 Mar 2019 19:36:25 -0000 Received: from b06cxnps4074.portsmouth.uk.ibm.com (9.149.109.196) by e06smtp01.uk.ibm.com (192.168.101.131) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; (version=TLSv1/SSLv3 cipher=AES256-GCM-SHA384 bits=256/256) Fri, 22 Mar 2019 19:36:22 -0000 Received: from d06av24.portsmouth.uk.ibm.com (d06av24.portsmouth.uk.ibm.com [9.149.105.60]) by b06cxnps4074.portsmouth.uk.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id x2MJaUNU37355676 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Fri, 22 Mar 2019 19:36:30 GMT Received: from d06av24.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 3E77242041; Fri, 22 Mar 2019 19:36:30 +0000 (GMT) Received: from d06av24.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 3400D42042; Fri, 22 Mar 2019 19:36:29 +0000 (GMT) Received: from dhcp-9-31-103-153.watson.ibm.com (unknown [9.31.103.153]) by d06av24.portsmouth.uk.ibm.com (Postfix) with ESMTP; Fri, 22 Mar 2019 19:36:29 +0000 (GMT) From: Mimi Zohar To: linux-integrity@vger.kernel.org Cc: linux-kselftest@vger.kernel.org, kexec@lists.infradead.org, linux-kernel@vger.kernel.org, Petr Vorel , Dave Young , Matthew Garrett , Mimi Zohar Subject: [PATCH v4a 1/2] selftests/kexec: make tests independent of IMA being enabled Date: Fri, 22 Mar 2019 15:35:50 -0400 X-Mailer: git-send-email 2.7.5 X-TM-AS-GCONF: 00 x-cbid: 19032219-4275-0000-0000-0000031E2F76 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 19032219-4276-0000-0000-0000382CBC96 Message-Id: <1553283351-6310-1-git-send-email-zohar@linux.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:,, definitions=2019-03-22_11:,, signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 malwarescore=0 suspectscore=6 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=991 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1903220139 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Verify IMA is enabled before failing tests or emitting irrelevant messages. Also, don't skip the test if signatures are not required. Suggested-by: Dave Young Signed-off-by: Mimi Zohar --- Dave, if this patch resolves the outstanding issues, I can fold these changes into the original patches. (Reminder, these patches will need to be updated to support the "lockdown" patch set.) .../selftests/kexec/test_kexec_file_load.sh | 27 ++++++++++++++-------- tools/testing/selftests/kexec/test_kexec_load.sh | 24 ++++++++++++------- 2 files changed, 33 insertions(+), 18 deletions(-) diff --git a/tools/testing/selftests/kexec/test_kexec_file_load.sh b/tools/testing/selftests/kexec/test_kexec_file_load.sh index 1d2e5e799523..57b636792086 100755 --- a/tools/testing/selftests/kexec/test_kexec_file_load.sh +++ b/tools/testing/selftests/kexec/test_kexec_file_load.sh @@ -110,11 +110,20 @@ kexec_file_load_test() log_fail "$succeed_msg (missing IMA sig)" fi - if [ $pe_sig_required -eq 0 ] && [ $ima_sig_required -eq 0 ] \ - && [ $ima_read_policy -eq 0 ] && [ $ima_signed -eq 0 ]; then + if [ $pe_sig_required -eq 0 ] && [ $ima_appraise -eq 1 ] \ + && [ $ima_sig_required -eq 0 ] && [ $ima_signed -eq 0 ] \ + && [ $ima_read_policy -eq 0 ]; then log_fail "$succeed_msg (possibly missing IMA sig)" fi + if [ $pe_sig_required -eq 0 ] && [ $ima_appraise -eq 0 ]; then + log_info "No signature verification required" + elif [ $pe_sig_required -eq 0 ] && [ $ima_appraise -eq 1 ] \ + && [ $ima_sig_required -eq 0 ] && [ $ima_signed -eq 0 ] \ + && [ $ima_read_policy -eq 1 ]; then + log_info "No signature verification required" + fi + log_pass "$succeed_msg" fi @@ -136,8 +145,9 @@ kexec_file_load_test() log_pass "$failed_msg (missing IMA sig)" fi - if [ $pe_sig_required -eq 0 ] && [ $ima_sig_required -eq 0 ] \ - && [ $ima_read_policy -eq 0 ] && [ $ima_signed -eq 0 ]; then + if [ $pe_sig_required -eq 0 ] && [ $ima_appraise -eq 1 ] \ + && [ $ima_sig_required -eq 0 ] && [ $ima_read_policy -eq 0 ] \ + && [ $ima_signed -eq 0 ]; then log_pass "$failed_msg (possibly missing IMA sig)" fi @@ -157,6 +167,9 @@ if [ $? -eq 0 ]; then fi # Determine which kernel config options are enabled +kconfig_enabled "CONFIG_IMA_APPRAISE=y" "IMA enabled" +ima_appraise=$? + kconfig_enabled "CONFIG_IMA_ARCH_POLICY=y" \ "architecture specific policy enabled" arch_policy=$? @@ -178,12 +191,6 @@ ima_sig_required=$? get_secureboot_mode secureboot=$? -if [ $secureboot -eq 0 ] && [ $arch_policy -eq 0 ] && \ - [ $pe_sig_required -eq 0 ] && [ $ima_sig_required -eq 0 ] && \ - [ $ima_read_policy -eq 1 ]; then - log_skip "No signature verification required" -fi - # Are there pe and ima signatures check_for_pesig pe_signed=$? diff --git a/tools/testing/selftests/kexec/test_kexec_load.sh b/tools/testing/selftests/kexec/test_kexec_load.sh index 2a66c8897f55..49c6aa929137 100755 --- a/tools/testing/selftests/kexec/test_kexec_load.sh +++ b/tools/testing/selftests/kexec/test_kexec_load.sh @@ -1,8 +1,8 @@ #!/bin/sh # SPDX-License-Identifier: GPL-2.0 -# Loading a kernel image via the kexec_load syscall should fail -# when the kernel is CONFIG_KEXEC_VERIFY_SIG enabled and the system -# is booted in secureboot mode. +# +# Prevent loading a kernel image via the kexec_load syscall when +# signatures are required. (Dependent on CONFIG_IMA_ARCH_POLICY.) TEST="$0" . ./kexec_common_lib.sh @@ -18,20 +18,28 @@ if [ $? -eq 0 ]; then log_skip "kexec_load is not enabled" fi +kconfig_enabled "CONFIG_IMA_APPRAISE=y" "IMA enabled" +ima_appraise=$? + +kconfig_enabled "CONFIG_IMA_ARCH_POLICY=y" \ + "IMA architecture specific policy enabled" +arch_policy=$? + get_secureboot_mode secureboot=$? -# kexec_load should fail in secure boot mode +# kexec_load should fail in secure boot mode and CONFIG_IMA_ARCH_POLICY enabled kexec --load $KERNEL_IMAGE > /dev/null 2>&1 if [ $? -eq 0 ]; then kexec --unload - if [ $secureboot -eq 1 ]; then + if [ $secureboot -eq 1 ] && [ $arch_policy -eq 1 ]; then log_fail "kexec_load succeeded" - else - log_pass "kexec_load succeeded" + elif [ $ima_appraise -eq 0 -o $arch_policy -eq 0 ]; then + log_info "Either IMA or the IMA arch policy is not enabled" fi + log_pass "kexec_load succeeded" else - if [ $secureboot -eq 1 ]; then + if [ $secureboot -eq 1 ] && [ $arch_policy -eq 1 ] ; then log_pass "kexec_load failed" else log_fail "kexec_load failed" -- 2.7.5