1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243
|
#!/bin/sh
# SPDX-License-Identifier: GPL-2.0
#
# Loading a kernel image via the kexec_file_load syscall can verify either
# the IMA signature stored in the security.ima xattr or the PE signature,
# both signatures depending on the IMA policy, or none.
#
# To determine whether the kernel image is signed, this test depends
# on pesign and getfattr. This test also requires the kernel to be
# built with CONFIG_IKCONFIG enabled and either CONFIG_IKCONFIG_PROC
# enabled or access to the extract-ikconfig script.
TEST="KEXEC_FILE_LOAD"
. ./kexec_common_lib.sh
trap "{ rm -f $IKCONFIG ; }" EXIT
# Some of the IMA builtin policies may require the kexec kernel image to
# be signed, but these policy rules may be replaced with a custom
# policy. Only CONFIG_IMA_APPRAISE_REQUIRE_KEXEC_SIGS persists after
# loading a custom policy. Check if it is enabled, before reading the
# IMA runtime sysfs policy file.
# Return 1 for IMA signature required and 0 for not required.
is_ima_sig_required()
{
local ret=0
kconfig_enabled "CONFIG_IMA_APPRAISE_REQUIRE_KEXEC_SIGS=y" \
"IMA kernel image signature required"
if [ $? -eq 1 ]; then
log_info "IMA signature required"
return 1
fi
# The architecture specific or a custom policy may require the
# kexec kernel image be signed. Policy rules are walked
# sequentially. As a result, a policy rule may be defined, but
# might not necessarily be used. This test assumes if a policy
# rule is specified, that is the intent.
# First check for appended signature (modsig), then xattr
if [ $ima_read_policy -eq 1 ]; then
check_ima_policy "appraise" "func=KEXEC_KERNEL_CHECK" \
"appraise_type=imasig|modsig"
ret=$?
if [ $ret -eq 1 ]; then
log_info "IMA or appended(modsig) signature required"
else
check_ima_policy "appraise" "func=KEXEC_KERNEL_CHECK" \
"appraise_type=imasig"
ret=$?
[ $ret -eq 1 ] && log_info "IMA signature required";
fi
fi
return $ret
}
# The kexec_file_load_test() is complicated enough, require pesign.
# Return 1 for PE signature found and 0 for not found.
check_for_pesig()
{
which pesign > /dev/null 2>&1 || log_skip "pesign not found"
pesign -i $KERNEL_IMAGE --show-signature | grep -q "No signatures"
local ret=$?
if [ $ret -eq 1 ]; then
log_info "kexec kernel image PE signed"
else
log_info "kexec kernel image not PE signed"
fi
return $ret
}
# The kexec_file_load_test() is complicated enough, require getfattr.
# Return 1 for IMA signature found and 0 for not found.
check_for_imasig()
{
local ret=0
which getfattr > /dev/null 2>&1
if [ $? -eq 1 ]; then
log_skip "getfattr not found"
fi
line=$(getfattr -n security.ima -e hex --absolute-names $KERNEL_IMAGE 2>&1)
echo $line | grep -q "security.ima=0x03"
if [ $? -eq 0 ]; then
ret=1
log_info "kexec kernel image IMA signed"
else
log_info "kexec kernel image not IMA signed"
fi
return $ret
}
# Return 1 for appended signature (modsig) found and 0 for not found.
check_for_modsig()
{
local module_sig_string="~Module signature appended~"
local ret=0
tail --bytes $((${#module_sig_string} + 1)) $KERNEL_IMAGE | \
grep -q "$module_sig_string"
if [ $? -eq 0 ]; then
ret=1
log_info "kexec kernel image modsig signed"
else
log_info "kexec kernel image not modsig signed"
fi
return $ret
}
kexec_file_load_test()
{
local succeed_msg="kexec_file_load succeeded"
local failed_msg="kexec_file_load failed"
local key_msg="try enabling the CONFIG_INTEGRITY_PLATFORM_KEYRING"
line=$(kexec --load --kexec-file-syscall $KERNEL_IMAGE 2>&1)
if [ $? -eq 0 ]; then
kexec --unload --kexec-file-syscall
# In secureboot mode with an architecture specific
# policy, make sure either an IMA or PE signature exists.
if [ $secureboot -eq 1 ] && [ $arch_policy -eq 1 ] && \
[ $ima_signed -eq 0 ] && [ $pe_signed -eq 0 ] \
&& [ $ima_modsig -eq 0 ]; then
log_fail "$succeed_msg (missing sig)"
fi
if [ $kexec_sig_required -eq 1 -o $pe_sig_required -eq 1 ] \
&& [ $pe_signed -eq 0 ]; then
log_fail "$succeed_msg (missing PE sig)"
fi
if [ $ima_sig_required -eq 1 ] && [ $ima_signed -eq 0 ] \
&& [ $ima_modsig -eq 0 ]; then
log_fail "$succeed_msg (missing IMA sig)"
fi
if [ $pe_sig_required -eq 0 ] && [ $ima_appraise -eq 1 ] \
&& [ $ima_sig_required -eq 0 ] && [ $ima_signed -eq 0 ] \
&& [ $ima_read_policy -eq 0 ]; then
log_fail "$succeed_msg (possibly missing IMA sig)"
fi
if [ $pe_sig_required -eq 0 ] && [ $ima_appraise -eq 0 ]; then
log_info "No signature verification required"
elif [ $pe_sig_required -eq 0 ] && [ $ima_appraise -eq 1 ] \
&& [ $ima_sig_required -eq 0 ] && [ $ima_signed -eq 0 ] \
&& [ $ima_read_policy -eq 1 ]; then
log_info "No signature verification required"
fi
log_pass "$succeed_msg"
fi
# Check the reason for the kexec_file_load failure
echo $line | grep -q "Required key not available"
if [ $? -eq 0 ]; then
if [ $platform_keyring -eq 0 ]; then
log_pass "$failed_msg (-ENOKEY), $key_msg"
else
log_pass "$failed_msg (-ENOKEY)"
fi
fi
if [ $kexec_sig_required -eq 1 -o $pe_sig_required -eq 1 ] \
&& [ $pe_signed -eq 0 ]; then
log_pass "$failed_msg (missing PE sig)"
fi
if [ $ima_sig_required -eq 1 ] && [ $ima_signed -eq 0 ]; then
log_pass "$failed_msg (missing IMA sig)"
fi
if [ $pe_sig_required -eq 0 ] && [ $ima_appraise -eq 1 ] \
&& [ $ima_sig_required -eq 0 ] && [ $ima_read_policy -eq 0 ] \
&& [ $ima_signed -eq 0 ]; then
log_pass "$failed_msg (possibly missing IMA sig)"
fi
log_pass "$failed_msg"
return 0
}
# kexec requires root privileges
require_root_privileges
# get the kernel config
get_kconfig
kconfig_enabled "CONFIG_KEXEC_FILE=y" "kexec_file_load is enabled"
if [ $? -eq 0 ]; then
log_skip "kexec_file_load is not enabled"
fi
# Determine which kernel config options are enabled
kconfig_enabled "CONFIG_IMA_APPRAISE=y" "IMA enabled"
ima_appraise=$?
kconfig_enabled "CONFIG_IMA_ARCH_POLICY=y" \
"architecture specific policy enabled"
arch_policy=$?
kconfig_enabled "CONFIG_INTEGRITY_PLATFORM_KEYRING=y" \
"platform keyring enabled"
platform_keyring=$?
kconfig_enabled "CONFIG_IMA_READ_POLICY=y" "reading IMA policy permitted"
ima_read_policy=$?
kconfig_enabled "CONFIG_KEXEC_SIG_FORCE=y" \
"kexec signed kernel image required"
kexec_sig_required=$?
kconfig_enabled "CONFIG_KEXEC_BZIMAGE_VERIFY_SIG=y" \
"PE signed kernel image required"
pe_sig_required=$?
is_ima_sig_required
ima_sig_required=$?
get_secureboot_mode
secureboot=$?
# Are there pe and ima signatures
if [ "$(get_arch)" == 'ppc64le' ]; then
pe_signed=0
else
check_for_pesig
pe_signed=$?
fi
check_for_imasig
ima_signed=$?
check_for_modsig
ima_modsig=$?
# Test loading the kernel image via kexec_file_load syscall
kexec_file_load_test
|