1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
|
#!/bin/sh
# SPDX-License-Identifier: GPL-2.0
#
# Kselftest framework defines: ksft_pass=0, ksft_fail=1, ksft_skip=4
VERBOSE="${VERBOSE:-1}"
IKCONFIG="/tmp/config-`uname -r`"
KERNEL_IMAGE="/boot/vmlinuz-`uname -r`"
SECURITYFS=$(grep "securityfs" /proc/mounts | awk '{print $2}')
log_info()
{
[ $VERBOSE -ne 0 ] && echo "[INFO] $1"
}
# The ksefltest framework requirement returns 0 for PASS.
log_pass()
{
[ $VERBOSE -ne 0 ] && echo "$1 [PASS]"
exit 0
}
# The ksefltest framework requirement returns 1 for FAIL.
log_fail()
{
[ $VERBOSE -ne 0 ] && echo "$1 [FAIL]"
exit 1
}
# The ksefltest framework requirement returns 4 for SKIP.
log_skip()
{
[ $VERBOSE -ne 0 ] && echo "$1"
exit 4
}
# Check efivar SecureBoot-$(the UUID) and SetupMode-$(the UUID).
# (Based on kdump-lib.sh)
get_efivarfs_secureboot_mode()
{
local efivarfs="/sys/firmware/efi/efivars"
local secure_boot_file=""
local setup_mode_file=""
local secureboot_mode=0
local setup_mode=0
# Make sure that efivar_fs is mounted in the normal location
if ! grep -q "^\S\+ $efivarfs efivarfs" /proc/mounts; then
log_info "efivars is not mounted on $efivarfs"
return 0;
fi
secure_boot_file=$(find "$efivarfs" -name SecureBoot-* 2>/dev/null)
setup_mode_file=$(find "$efivarfs" -name SetupMode-* 2>/dev/null)
if [ -f "$secure_boot_file" ] && [ -f "$setup_mode_file" ]; then
secureboot_mode=$(hexdump -v -e '/1 "%d\ "' \
"$secure_boot_file"|cut -d' ' -f 5)
setup_mode=$(hexdump -v -e '/1 "%d\ "' \
"$setup_mode_file"|cut -d' ' -f 5)
if [ $secureboot_mode -eq 1 ] && [ $setup_mode -eq 0 ]; then
log_info "secure boot mode enabled (CONFIG_EFIVAR_FS)"
return 1;
fi
fi
return 0;
}
# On powerpc platform, check device-tree property
# /proc/device-tree/ibm,secureboot/os-secureboot-enforcing
# to detect secureboot state.
get_ppc64_secureboot_mode()
{
local secure_boot_file="/proc/device-tree/ibm,secureboot/os-secureboot-enforcing"
# Check for secure boot file existence
if [ -f $secure_boot_file ]; then
log_info "Secureboot is enabled (Device tree)"
return 1;
fi
log_info "Secureboot is not enabled (Device tree)"
return 0;
}
# Return the architecture of the system
get_arch()
{
echo $(arch)
}
# Check efivar SecureBoot-$(the UUID) and SetupMode-$(the UUID).
# The secure boot mode can be accessed as the last integer of
# "od -An -t u1 /sys/firmware/efi/efivars/SecureBoot-*". The efi
# SetupMode can be similarly accessed.
# Return 1 for SecureBoot mode enabled and SetupMode mode disabled.
get_secureboot_mode()
{
local secureboot_mode=0
local system_arch=$(get_arch)
if [ "$system_arch" == "ppc64le" ]; then
get_ppc64_secureboot_mode
secureboot_mode=$?
else
get_efivarfs_secureboot_mode
secureboot_mode=$?
fi
if [ $secureboot_mode -eq 0 ]; then
log_info "secure boot mode not enabled"
fi
return $secureboot_mode;
}
require_root_privileges()
{
if [ $(id -ru) -ne 0 ]; then
log_skip "requires root privileges"
fi
}
# Look for config option in Kconfig file.
# Return 1 for found and 0 for not found.
kconfig_enabled()
{
local config="$1"
local msg="$2"
grep -E -q $config $IKCONFIG
if [ $? -eq 0 ]; then
log_info "$msg"
return 1
fi
return 0
}
# Attempt to get the kernel config first by checking the modules directory
# then via proc, and finally by extracting it from the kernel image or the
# configs.ko using scripts/extract-ikconfig.
# Return 1 for found.
get_kconfig()
{
local proc_config="/proc/config.gz"
local module_dir="/lib/modules/`uname -r`"
local configs_module="$module_dir/kernel/kernel/configs.ko*"
if [ -f $module_dir/config ]; then
IKCONFIG=$module_dir/config
return 1
fi
if [ ! -f $proc_config ]; then
modprobe configs > /dev/null 2>&1
fi
if [ -f $proc_config ]; then
cat $proc_config | gunzip > $IKCONFIG 2>/dev/null
if [ $? -eq 0 ]; then
return 1
fi
fi
local extract_ikconfig="$module_dir/source/scripts/extract-ikconfig"
if [ ! -f $extract_ikconfig ]; then
log_skip "extract-ikconfig not found"
fi
$extract_ikconfig $KERNEL_IMAGE > $IKCONFIG 2>/dev/null
if [ $? -eq 1 ]; then
if [ ! -f $configs_module ]; then
log_skip "CONFIG_IKCONFIG not enabled"
fi
$extract_ikconfig $configs_module > $IKCONFIG
if [ $? -eq 1 ]; then
log_skip "CONFIG_IKCONFIG not enabled"
fi
fi
return 1
}
# Make sure that securityfs is mounted
mount_securityfs()
{
if [ -z $SECURITYFS ]; then
SECURITYFS=/sys/kernel/security
mount -t securityfs security $SECURITYFS
fi
if [ ! -d "$SECURITYFS" ]; then
log_fail "$SECURITYFS :securityfs is not mounted"
fi
}
# The policy rule format is an "action" followed by key-value pairs. This
# function supports up to two key-value pairs, in any order.
# For example: action func=<keyword> [appraise_type=<type>]
# Return 1 for found and 0 for not found.
check_ima_policy()
{
local action="$1"
local keypair1="$2"
local keypair2="$3"
local ret=0
mount_securityfs
local ima_policy=$SECURITYFS/ima/policy
if [ ! -e $ima_policy ]; then
log_fail "$ima_policy not found"
fi
if [ -n $keypair2 ]; then
grep -e "^$action.*$keypair1" "$ima_policy" | \
grep -q -e "$keypair2"
else
grep -q -e "^$action.*$keypair1" "$ima_policy"
fi
# invert "grep -q" result, returning 1 for found.
[ $? -eq 0 ] && ret=1
return $ret
}
|
