Received: by 2002:ac0:bc90:0:0:0:0:0 with SMTP id a16csp4281595img; Tue, 26 Mar 2019 06:37:10 -0700 (PDT) X-Google-Smtp-Source: APXvYqx4J7LDqyvffEQsU/lTxdtr+3mzNoYmnSnnYcW8fLStH8D7OZ5+GEbieipdFsGWBTkKvYXR X-Received: by 2002:a65:6107:: with SMTP id z7mr15226468pgu.313.1553607430878; Tue, 26 Mar 2019 06:37:10 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1553607430; cv=none; d=google.com; s=arc-20160816; b=MoagFgAOOdGEGdFBAZvMJk8MZfrO/5D3px/+irF07NBjQ2JHK2VCsTXbcm4xNH/HU9 8TQFi0YBu96p/oTRswQkSjh1lZn+xwuiGAmrKpkBkLb+ITfkcnbhdnmmhoyPTw7BbUsC +yYcDZpBw2S1PCa52S4dMWvTEOWmeduBx7K9x1CQekFApHMX5pNJFd8CcokRl8ZU6ruQ xR/fr5I8gloNzhT7nwzmR3pZoybAI7UzbHVcJeA/fhDDFUgIYHnTnF5C3P5wsPF3zcRW gTZ7Jz75rRAmVqS/G9FRM1hKP8mpAZGG3HtjG5NNMjuSUOtifZCJcJDxMFETmvB5zELv 1M5g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:message-id:references:in-reply-to:date :subject:cc:to:from; bh=7O6+oJBOu+6zq5LF4bBs9d0lAglIn6htPJypbpUk+Ug=; b=o9R/UGMiTqCz39qphjWc2G+iDMjwf+waFzcisVw4dTG/WLlVwyELKYXSUOcCu6KmMS +LdZUr4RtkLOdrawLot6Vp4vOieQ9+5WLS/ITjVAzP44DgoBm16TLOVsv3lAREiAN/QX clzg34NVR41DpABghCQKSVBwsywZQ4zLxIDDZdc5/CE+QcsEEf43Y9GyH9/5017nOFCk HPMFR/LjeCqvAED07h1C+CQYkk87IedCCEhUKeQ0y857naB+ehLcVjoy4352LZkQqIwJ ggU9b9Wun6lVszPG9LPL6bu4ECrYvkwwLCY1buZg7cBMC+HM49yKfyOUwhTJRs7zZg7R ONOA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ibm.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id f191si4828518pgc.570.2019.03.26.06.36.55; Tue, 26 Mar 2019 06:37:10 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ibm.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731708AbfCZNf5 (ORCPT + 99 others); Tue, 26 Mar 2019 09:35:57 -0400 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:60818 "EHLO mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1731565AbfCZNf4 (ORCPT ); Tue, 26 Mar 2019 09:35:56 -0400 Received: from pps.filterd (m0098414.ppops.net [127.0.0.1]) by mx0b-001b2d01.pphosted.com (8.16.0.27/8.16.0.27) with SMTP id x2QDZgVQ031852 for ; Tue, 26 Mar 2019 09:35:55 -0400 Received: from e06smtp01.uk.ibm.com (e06smtp01.uk.ibm.com [195.75.94.97]) by mx0b-001b2d01.pphosted.com with ESMTP id 2rfmc82e5r-1 (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=NOT) for ; Tue, 26 Mar 2019 09:35:49 -0400 Received: from localhost by e06smtp01.uk.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Tue, 26 Mar 2019 13:35:24 -0000 Received: from b06cxnps4075.portsmouth.uk.ibm.com (9.149.109.197) by e06smtp01.uk.ibm.com (192.168.101.131) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; (version=TLSv1/SSLv3 cipher=AES256-GCM-SHA384 bits=256/256) Tue, 26 Mar 2019 13:35:21 -0000 Received: from d06av25.portsmouth.uk.ibm.com (d06av25.portsmouth.uk.ibm.com [9.149.105.61]) by b06cxnps4075.portsmouth.uk.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id x2QDZKci45547674 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 26 Mar 2019 13:35:20 GMT Received: from d06av25.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id CD14F11C054; Tue, 26 Mar 2019 13:35:20 +0000 (GMT) Received: from d06av25.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id AEEF511C050; Tue, 26 Mar 2019 13:35:19 +0000 (GMT) Received: from localhost.ibm.com (unknown [9.80.109.68]) by d06av25.portsmouth.uk.ibm.com (Postfix) with ESMTP; Tue, 26 Mar 2019 13:35:19 +0000 (GMT) From: Mimi Zohar To: linux-integrity@vger.kernel.org Cc: linux-kselftest@vger.kernel.org, kexec@lists.infradead.org, linux-kernel@vger.kernel.org, Petr Vorel , Dave Young , Matthew Garrett , Mimi Zohar Subject: [PATCH v5 9/9] selftests/kexec: make kexec_load test independent of IMA being enabled Date: Tue, 26 Mar 2019 09:34:17 -0400 X-Mailer: git-send-email 2.7.5 In-Reply-To: <1553607257-18906-1-git-send-email-zohar@linux.ibm.com> References: <1553607257-18906-1-git-send-email-zohar@linux.ibm.com> X-TM-AS-GCONF: 00 x-cbid: 19032613-4275-0000-0000-0000031F723E X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 19032613-4276-0000-0000-0000382E08D1 Message-Id: <1553607257-18906-10-git-send-email-zohar@linux.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:,, definitions=2019-03-26_10:,, signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 malwarescore=0 suspectscore=1 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=960 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1903260096 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Verify IMA is enabled before failing tests or emitting irrelevant messages. Suggested-by: Dave Young Signed-off-by: Mimi Zohar Reviewed-by: Dave Young --- tools/testing/selftests/kexec/test_kexec_load.sh | 24 ++++++++++++++++-------- 1 file changed, 16 insertions(+), 8 deletions(-) diff --git a/tools/testing/selftests/kexec/test_kexec_load.sh b/tools/testing/selftests/kexec/test_kexec_load.sh index 2a66c8897f55..49c6aa929137 100755 --- a/tools/testing/selftests/kexec/test_kexec_load.sh +++ b/tools/testing/selftests/kexec/test_kexec_load.sh @@ -1,8 +1,8 @@ #!/bin/sh # SPDX-License-Identifier: GPL-2.0 -# Loading a kernel image via the kexec_load syscall should fail -# when the kernel is CONFIG_KEXEC_VERIFY_SIG enabled and the system -# is booted in secureboot mode. +# +# Prevent loading a kernel image via the kexec_load syscall when +# signatures are required. (Dependent on CONFIG_IMA_ARCH_POLICY.) TEST="$0" . ./kexec_common_lib.sh @@ -18,20 +18,28 @@ if [ $? -eq 0 ]; then log_skip "kexec_load is not enabled" fi +kconfig_enabled "CONFIG_IMA_APPRAISE=y" "IMA enabled" +ima_appraise=$? + +kconfig_enabled "CONFIG_IMA_ARCH_POLICY=y" \ + "IMA architecture specific policy enabled" +arch_policy=$? + get_secureboot_mode secureboot=$? -# kexec_load should fail in secure boot mode +# kexec_load should fail in secure boot mode and CONFIG_IMA_ARCH_POLICY enabled kexec --load $KERNEL_IMAGE > /dev/null 2>&1 if [ $? -eq 0 ]; then kexec --unload - if [ $secureboot -eq 1 ]; then + if [ $secureboot -eq 1 ] && [ $arch_policy -eq 1 ]; then log_fail "kexec_load succeeded" - else - log_pass "kexec_load succeeded" + elif [ $ima_appraise -eq 0 -o $arch_policy -eq 0 ]; then + log_info "Either IMA or the IMA arch policy is not enabled" fi + log_pass "kexec_load succeeded" else - if [ $secureboot -eq 1 ]; then + if [ $secureboot -eq 1 ] && [ $arch_policy -eq 1 ] ; then log_pass "kexec_load failed" else log_fail "kexec_load failed" -- 2.7.5