Loading...
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 | #!/bin/sh # SPDX-License-Identifier: GPL-2.0 # # Kselftest framework defines: ksft_pass=0, ksft_fail=1, ksft_skip=4 VERBOSE="${VERBOSE:-1}" IKCONFIG="/tmp/config-`uname -r`" KERNEL_IMAGE="/boot/vmlinuz-`uname -r`" SECURITYFS=$(grep "securityfs" /proc/mounts | awk '{print $2}') log_info() { [ $VERBOSE -ne 0 ] && echo "[INFO] $1" } # The ksefltest framework requirement returns 0 for PASS. log_pass() { [ $VERBOSE -ne 0 ] && echo "$1 [PASS]" exit 0 } # The ksefltest framework requirement returns 1 for FAIL. log_fail() { [ $VERBOSE -ne 0 ] && echo "$1 [FAIL]" exit 1 } # The ksefltest framework requirement returns 4 for SKIP. log_skip() { [ $VERBOSE -ne 0 ] && echo "$1" exit 4 } # Check efivar SecureBoot-$(the UUID) and SetupMode-$(the UUID). # (Based on kdump-lib.sh) get_efivarfs_secureboot_mode() { local efivarfs="/sys/firmware/efi/efivars" local secure_boot_file="" local setup_mode_file="" local secureboot_mode=0 local setup_mode=0 # Make sure that efivar_fs is mounted in the normal location if ! grep -q "^\S\+ $efivarfs efivarfs" /proc/mounts; then log_info "efivars is not mounted on $efivarfs" return 0; fi secure_boot_file=$(find "$efivarfs" -name SecureBoot-* 2>/dev/null) setup_mode_file=$(find "$efivarfs" -name SetupMode-* 2>/dev/null) if [ -f "$secure_boot_file" ] && [ -f "$setup_mode_file" ]; then secureboot_mode=$(hexdump -v -e '/1 "%d\ "' \ "$secure_boot_file"|cut -d' ' -f 5) setup_mode=$(hexdump -v -e '/1 "%d\ "' \ "$setup_mode_file"|cut -d' ' -f 5) if [ $secureboot_mode -eq 1 ] && [ $setup_mode -eq 0 ]; then log_info "secure boot mode enabled (CONFIG_EFIVAR_FS)" return 1; fi fi return 0; } # On powerpc platform, check device-tree property # /proc/device-tree/ibm,secureboot/os-secureboot-enforcing # to detect secureboot state. get_ppc64_secureboot_mode() { local secure_boot_file="/proc/device-tree/ibm,secureboot/os-secureboot-enforcing" # Check for secure boot file existence if [ -f $secure_boot_file ]; then log_info "Secureboot is enabled (Device tree)" return 1; fi log_info "Secureboot is not enabled (Device tree)" return 0; } # Return the architecture of the system get_arch() { echo $(arch) } # Check efivar SecureBoot-$(the UUID) and SetupMode-$(the UUID). # The secure boot mode can be accessed as the last integer of # "od -An -t u1 /sys/firmware/efi/efivars/SecureBoot-*". The efi # SetupMode can be similarly accessed. # Return 1 for SecureBoot mode enabled and SetupMode mode disabled. get_secureboot_mode() { local secureboot_mode=0 local system_arch=$(get_arch) if [ "$system_arch" == "ppc64le" ]; then get_ppc64_secureboot_mode secureboot_mode=$? else get_efivarfs_secureboot_mode secureboot_mode=$? fi if [ $secureboot_mode -eq 0 ]; then log_info "secure boot mode not enabled" fi return $secureboot_mode; } require_root_privileges() { if [ $(id -ru) -ne 0 ]; then log_skip "requires root privileges" fi } # Look for config option in Kconfig file. # Return 1 for found and 0 for not found. kconfig_enabled() { local config="$1" local msg="$2" grep -E -q $config $IKCONFIG if [ $? -eq 0 ]; then log_info "$msg" return 1 fi return 0 } # Attempt to get the kernel config first by checking the modules directory # then via proc, and finally by extracting it from the kernel image or the # configs.ko using scripts/extract-ikconfig. # Return 1 for found. get_kconfig() { local proc_config="/proc/config.gz" local module_dir="/lib/modules/`uname -r`" local configs_module="$module_dir/kernel/kernel/configs.ko*" if [ -f $module_dir/config ]; then IKCONFIG=$module_dir/config return 1 fi if [ ! -f $proc_config ]; then modprobe configs > /dev/null 2>&1 fi if [ -f $proc_config ]; then cat $proc_config | gunzip > $IKCONFIG 2>/dev/null if [ $? -eq 0 ]; then return 1 fi fi local extract_ikconfig="$module_dir/source/scripts/extract-ikconfig" if [ ! -f $extract_ikconfig ]; then log_skip "extract-ikconfig not found" fi $extract_ikconfig $KERNEL_IMAGE > $IKCONFIG 2>/dev/null if [ $? -eq 1 ]; then if [ ! -f $configs_module ]; then log_skip "CONFIG_IKCONFIG not enabled" fi $extract_ikconfig $configs_module > $IKCONFIG if [ $? -eq 1 ]; then log_skip "CONFIG_IKCONFIG not enabled" fi fi return 1 } # Make sure that securityfs is mounted mount_securityfs() { if [ -z $SECURITYFS ]; then SECURITYFS=/sys/kernel/security mount -t securityfs security $SECURITYFS fi if [ ! -d "$SECURITYFS" ]; then log_fail "$SECURITYFS :securityfs is not mounted" fi } # The policy rule format is an "action" followed by key-value pairs. This # function supports up to two key-value pairs, in any order. # For example: action func=<keyword> [appraise_type=<type>] # Return 1 for found and 0 for not found. check_ima_policy() { local action="$1" local keypair1="$2" local keypair2="$3" local ret=0 mount_securityfs local ima_policy=$SECURITYFS/ima/policy if [ ! -e $ima_policy ]; then log_fail "$ima_policy not found" fi if [ -n $keypair2 ]; then grep -e "^$action.*$keypair1" "$ima_policy" | \ grep -q -e "$keypair2" else grep -q -e "^$action.*$keypair1" "$ima_policy" fi # invert "grep -q" result, returning 1 for found. [ $? -eq 0 ] && ret=1 return $ret } |