kexec_common_lib.sh 5.2 KB

  1. #!/bin/sh
  2. # SPDX-License-Identifier: GPL-2.0
  3. #
  4. # Kselftest framework defines: ksft_pass=0, ksft_fail=1, ksft_skip=4
  5. VERBOSE="${VERBOSE:-1}"
  6. IKCONFIG="/tmp/config-`uname -r`"
  7. KERNEL_IMAGE="/boot/vmlinuz-`uname -r`"
  8. SECURITYFS=$(grep "securityfs" /proc/mounts | awk '{print $2}')
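# Print an informational message unless VERBOSE is 0.
# Arguments: $1 - message text
# Returns:   always 0. The "[ ... ] && echo" form returned 1 whenever output
#            was suppressed, which looks like a failure to a caller that
#            checks the status or runs under "set -e".
log_info()
{
	if [ "$VERBOSE" -ne 0 ]; then
		printf '%s\n' "[INFO] $1"
	fi
	return 0
}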
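# Report a passing test and terminate the script.
# The kselftest framework expects exit status 0 for PASS.
# Arguments: $1 - test description, printed with a " [PASS]" suffix unless
#                 VERBOSE is 0
log_pass()
{
	# Quoted so an unexpected VERBOSE value cannot split into extra words.
	if [ "$VERBOSE" -ne 0 ]; then
		printf '%s\n' "$1 [PASS]"
	fi
	exit 0
}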
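# Report a failing test and terminate the script.
# The kselftest framework expects exit status 1 for FAIL.
# Arguments: $1 - test description, printed with a " [FAIL]" suffix unless
#                 VERBOSE is 0
log_fail()
{
	# Quoted so an unexpected VERBOSE value cannot split into extra words.
	if [ "$VERBOSE" -ne 0 ]; then
		printf '%s\n' "$1 [FAIL]"
	fi
	exit 1
}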
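# Report a skipped test and terminate the script.
# The kselftest framework expects exit status 4 for SKIP.
# Arguments: $1 - reason for skipping, printed as-is unless VERBOSE is 0
log_skip()
{
	# Quoted so an unexpected VERBOSE value cannot split into extra words.
	if [ "$VERBOSE" -ne 0 ]; then
		printf '%s\n' "$1"
	fi
	exit 4
}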
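# Check efivar SecureBoot-$(the UUID) and SetupMode-$(the UUID).
# (Based on kdump-lib.sh)
# Returns: 1 when SecureBoot reads 1 and SetupMode reads 0; 0 in every other
#          case, including when efivarfs is not mounted or a variable cannot
#          be found or read. A caller therefore cannot tell "secure boot
#          disabled" apart from "state could not be determined".
get_efivarfs_secureboot_mode()
{
	local efivarfs="/sys/firmware/efi/efivars"
	local secure_boot_file=""
	local setup_mode_file=""
	local secureboot_mode=0
	local setup_mode=0

	# Make sure that efivar_fs is mounted in the normal location
	if ! grep -q "^\S\+ $efivarfs efivarfs" /proc/mounts; then
		log_info "efivars is not mounted on $efivarfs"
		return 0
	fi

	# The patterns are quoted so the shell cannot expand them against files
	# in the current directory before find sees them.
	secure_boot_file=$(find "$efivarfs" -name 'SecureBoot-*' 2>/dev/null)
	setup_mode_file=$(find "$efivarfs" -name 'SetupMode-*' 2>/dev/null)

	if [ -f "$secure_boot_file" ] && [ -f "$setup_mode_file" ]; then
		# An efivarfs file begins with a 4-byte attributes word, so the
		# variable's value is the fifth byte of the dump.
		secureboot_mode=$(hexdump -v -e '/1 "%d\ "' \
			"$secure_boot_file" | cut -d' ' -f 5)
		setup_mode=$(hexdump -v -e '/1 "%d\ "' \
			"$setup_mode_file" | cut -d' ' -f 5)

		# An empty read counts as "not enabled": SecureBoot defaults to 0
		# and SetupMode to 1, so the condition below stays false.
		if [ "${secureboot_mode:-0}" -eq 1 ] &&
		   [ "${setup_mode:-1}" -eq 0 ]; then
			log_info "secure boot mode enabled (CONFIG_EFIVAR_FS)"
			return 1
		fi
	fi
	return 0
}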
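# On powerpc platform, check device-tree property
# /proc/device-tree/ibm,secureboot/os-secureboot-enforcing
# to detect secureboot state.
# Only the existence of the property file is tested; its contents are not
# read.
# Returns: 1 when the property exists, 0 otherwise.
get_ppc64_secureboot_mode()
{
	local secure_boot_file="/proc/device-tree/ibm,secureboot/os-secureboot-enforcing"

	# Check for secure boot file existence
	if [ -f "$secure_boot_file" ]; then
		log_info "Secureboot is enabled (Device tree)"
		return 1
	fi
	log_info "Secureboot is not enabled (Device tree)"
	return 0
}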
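# Print the machine hardware name of the running system (for example
# "ppc64le") on stdout.
get_arch()
{
	# uname -m reports the same name as arch(1) without requiring the arch
	# utility to be installed, and avoids the redundant echo $(...) wrapper.
	uname -m
}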
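# Check efivar SecureBoot-$(the UUID) and SetupMode-$(the UUID).
# The secure boot mode can be accessed as the last integer of
# "od -An -t u1 /sys/firmware/efi/efivars/SecureBoot-*". The efi
# SetupMode can be similarly accessed.
# On ppc64le the device tree is consulted instead of efivarfs.
# Return 1 for SecureBoot mode enabled and SetupMode mode disabled.
get_secureboot_mode()
{
	local secureboot_mode=0
	local system_arch

	# Assigned separately from "local" so the helper's status is not masked.
	system_arch=$(get_arch)

	# "=" rather than "==": the file runs under /bin/sh and "==" is not a
	# POSIX test operator, so on a strict sh the comparison errors out and
	# the ppc64le branch is never taken.
	if [ "$system_arch" = "ppc64le" ]; then
		get_ppc64_secureboot_mode
		secureboot_mode=$?
	else
		get_efivarfs_secureboot_mode
		secureboot_mode=$?
	fi

	if [ "$secureboot_mode" -eq 0 ]; then
		log_info "secure boot mode not enabled"
	fi
	return "$secureboot_mode"
}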
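# Skip the test (through log_skip, exit status 4) unless it runs as root.
# The real UID is checked ("id -r"), not the effective one.
require_root_privileges()
{
	# Quoted so an empty result from id yields a test error instead of a
	# malformed expression.
	if [ "$(id -ru)" -ne 0 ]; then
		log_skip "requires root privileges"
	fi
}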
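# Look for config option in Kconfig file.
# Arguments: $1 - extended regular expression to search for in $IKCONFIG
#            $2 - message logged when the expression matches
# Return 1 for found and 0 for not found.
# A missing or unreadable $IKCONFIG also returns 0, so "not found" can mean
# "could not check"; callers that gate a security expectation on this result
# should have called get_kconfig first.
kconfig_enabled()
{
	local config="$1"
	local msg="$2"

	# Both operands are quoted: unquoted, a pattern containing a space was
	# split into a shorter pattern plus extra file names, and glob characters
	# in it could expand. "-e" and "--" keep a leading "-" from being parsed
	# as an option.
	if grep -E -q -e "$config" -- "$IKCONFIG"; then
		log_info "$msg"
		return 1
	fi
	return 0
}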
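# Attempt to get the kernel config first by checking the modules directory
# then via proc, and finally by extracting it from the kernel image or the
# configs.ko using scripts/extract-ikconfig.
# On success IKCONFIG names a file holding the config.
# Return 1 for found; exits through log_skip when no config can be obtained.
get_kconfig()
{
	local proc_config="/proc/config.gz"
	local module_dir
	local configs_module=""
	local extract_ikconfig
	local candidate

	module_dir="/lib/modules/$(uname -r)"

	if [ -f "$module_dir/config" ]; then
		IKCONFIG=$module_dir/config
		return 1
	fi

	if [ ! -f "$proc_config" ]; then
		modprobe configs > /dev/null 2>&1
	fi

	# NOTE(review): every path below writes to $IKCONFIG, which by default
	# is a predictable name under /tmp. The redirection follows an existing
	# symlink, so when this runs as root consider pointing IKCONFIG at a
	# mktemp-created file instead.
	if [ -f "$proc_config" ]; then
		if gunzip < "$proc_config" > "$IKCONFIG" 2>/dev/null; then
			return 1
		fi
	fi

	extract_ikconfig="$module_dir/source/scripts/extract-ikconfig"
	if [ ! -f "$extract_ikconfig" ]; then
		log_skip "extract-ikconfig not found"
	fi

	# Any non-zero status counts as failure. Comparing against 1 only let
	# other failures (for example a script that cannot be executed) fall
	# through to "found" with an empty $IKCONFIG.
	if ! "$extract_ikconfig" "$KERNEL_IMAGE" > "$IKCONFIG" 2>/dev/null; then
		# The glob is expanded explicitly and the first regular file is
		# used; presumably the suffix wildcard is there to match a
		# compressed configs.ko -- confirm.
		for candidate in "$module_dir"/kernel/kernel/configs.ko*; do
			if [ -f "$candidate" ]; then
				configs_module=$candidate
				break
			fi
		done
		if [ -z "$configs_module" ]; then
			log_skip "CONFIG_IKCONFIG not enabled"
		fi
		if ! "$extract_ikconfig" "$configs_module" > "$IKCONFIG"; then
			log_skip "CONFIG_IKCONFIG not enabled"
		fi
	fi
	return 1
}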
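# Make sure that securityfs is mounted
# When SECURITYFS is empty, mounts securityfs on /sys/kernel/security and
# records that path in SECURITYFS. Exits through log_fail when the resulting
# path is not a directory.
mount_securityfs()
{
	# Quoted: unquoted, a multi-word value made the test itself error out.
	if [ -z "$SECURITYFS" ]; then
		SECURITYFS=/sys/kernel/security
		mount -t securityfs security "$SECURITYFS"
	fi

	# NOTE(review): this only shows that the directory exists. The status of
	# mount above is not checked, so a failed mount is noticed later, when
	# the files expected under $SECURITYFS are missing.
	if [ ! -d "$SECURITYFS" ]; then
		log_fail "$SECURITYFS :securityfs is not mounted"
	fi
}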
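# The policy rule format is an "action" followed by key-value pairs. This
# function supports up to two key-value pairs, in any order.
# For example: action func=<keyword> [appraise_type=<type>]
# Arguments: $1 - rule action, anchored at the start of the line
#            $2 - first key=value pair
#            $3 - optional second key=value pair
# All three are used as grep patterns, not as literal strings.
# Return 1 for found and 0 for not found.
# A policy file that exists but cannot be read also returns 0, so "not found"
# does not prove that the rule is absent from the loaded policy.
check_ima_policy()
{
	local action="$1"
	local keypair1="$2"
	local keypair2="$3"
	local ima_policy

	mount_securityfs

	ima_policy=$SECURITYFS/ima/policy
	if [ ! -e "$ima_policy" ]; then
		log_fail "$ima_policy not found"
	fi

	# Quoted: an unquoted empty $keypair2 left "[ -n ]", which is always
	# true, so the single-pair branch was never reached.
	# grep's "found" status (0) is inverted into this function's 1.
	if [ -n "$keypair2" ]; then
		if grep -e "^$action.*$keypair1" "$ima_policy" |
		   grep -q -e "$keypair2"; then
			return 1
		fi
	elif grep -q -e "^$action.*$keypair1" "$ima_policy"; then
		return 1
	fi
	return 0
}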