| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219 |
- #!/bin/sh
- # SPDX-License-Identifier: GPL-2.0
- #
- # Kselftest framework defines: ksft_pass=0, ksft_fail=1, ksft_skip=4
- VERBOSE="${VERBOSE:-1}"
- IKCONFIG="/tmp/config-`uname -r`"
- KERNEL_IMAGE="/boot/vmlinuz-`uname -r`"
- SECURITYFS=$(grep "securityfs" /proc/mounts | awk '{print $2}')
- log_info()
- {
- [ $VERBOSE -ne 0 ] && echo "[INFO] $1"
- }
- # The ksefltest framework requirement returns 0 for PASS.
- log_pass()
- {
- [ $VERBOSE -ne 0 ] && echo "$1 [PASS]"
- exit 0
- }
- # The ksefltest framework requirement returns 1 for FAIL.
- log_fail()
- {
- [ $VERBOSE -ne 0 ] && echo "$1 [FAIL]"
- exit 1
- }
- # The ksefltest framework requirement returns 4 for SKIP.
- log_skip()
- {
- [ $VERBOSE -ne 0 ] && echo "$1"
- exit 4
- }
- # Check efivar SecureBoot-$(the UUID) and SetupMode-$(the UUID).
- # (Based on kdump-lib.sh)
- get_efivarfs_secureboot_mode()
- {
- local efivarfs="/sys/firmware/efi/efivars"
- local secure_boot_file=""
- local setup_mode_file=""
- local secureboot_mode=0
- local setup_mode=0
- # Make sure that efivar_fs is mounted in the normal location
- if ! grep -q "^\S\+ $efivarfs efivarfs" /proc/mounts; then
- log_info "efivars is not mounted on $efivarfs"
- return 0;
- fi
- secure_boot_file=$(find "$efivarfs" -name SecureBoot-* 2>/dev/null)
- setup_mode_file=$(find "$efivarfs" -name SetupMode-* 2>/dev/null)
- if [ -f "$secure_boot_file" ] && [ -f "$setup_mode_file" ]; then
- secureboot_mode=$(hexdump -v -e '/1 "%d\ "' \
- "$secure_boot_file"|cut -d' ' -f 5)
- setup_mode=$(hexdump -v -e '/1 "%d\ "' \
- "$setup_mode_file"|cut -d' ' -f 5)
- if [ $secureboot_mode -eq 1 ] && [ $setup_mode -eq 0 ]; then
- log_info "secure boot mode enabled (CONFIG_EFIVAR_FS)"
- return 1;
- fi
- fi
- return 0;
- }
- # On powerpc platform, check device-tree property
- # /proc/device-tree/ibm,secureboot/os-secureboot-enforcing
- # to detect secureboot state.
- get_ppc64_secureboot_mode()
- {
- local secure_boot_file="/proc/device-tree/ibm,secureboot/os-secureboot-enforcing"
- # Check for secure boot file existence
- if [ -f $secure_boot_file ]; then
- log_info "Secureboot is enabled (Device tree)"
- return 1;
- fi
- log_info "Secureboot is not enabled (Device tree)"
- return 0;
- }
- # Return the architecture of the system
- get_arch()
- {
- echo $(arch)
- }
- # Check efivar SecureBoot-$(the UUID) and SetupMode-$(the UUID).
- # The secure boot mode can be accessed as the last integer of
- # "od -An -t u1 /sys/firmware/efi/efivars/SecureBoot-*". The efi
- # SetupMode can be similarly accessed.
- # Return 1 for SecureBoot mode enabled and SetupMode mode disabled.
- get_secureboot_mode()
- {
- local secureboot_mode=0
- local system_arch=$(get_arch)
- if [ "$system_arch" == "ppc64le" ]; then
- get_ppc64_secureboot_mode
- secureboot_mode=$?
- else
- get_efivarfs_secureboot_mode
- secureboot_mode=$?
- fi
- if [ $secureboot_mode -eq 0 ]; then
- log_info "secure boot mode not enabled"
- fi
- return $secureboot_mode;
- }
- require_root_privileges()
- {
- if [ $(id -ru) -ne 0 ]; then
- log_skip "requires root privileges"
- fi
- }
- # Look for config option in Kconfig file.
- # Return 1 for found and 0 for not found.
- kconfig_enabled()
- {
- local config="$1"
- local msg="$2"
- grep -E -q $config $IKCONFIG
- if [ $? -eq 0 ]; then
- log_info "$msg"
- return 1
- fi
- return 0
- }
- # Attempt to get the kernel config first by checking the modules directory
- # then via proc, and finally by extracting it from the kernel image or the
- # configs.ko using scripts/extract-ikconfig.
- # Return 1 for found.
- get_kconfig()
- {
- local proc_config="/proc/config.gz"
- local module_dir="/lib/modules/`uname -r`"
- local configs_module="$module_dir/kernel/kernel/configs.ko*"
- if [ -f $module_dir/config ]; then
- IKCONFIG=$module_dir/config
- return 1
- fi
- if [ ! -f $proc_config ]; then
- modprobe configs > /dev/null 2>&1
- fi
- if [ -f $proc_config ]; then
- cat $proc_config | gunzip > $IKCONFIG 2>/dev/null
- if [ $? -eq 0 ]; then
- return 1
- fi
- fi
- local extract_ikconfig="$module_dir/source/scripts/extract-ikconfig"
- if [ ! -f $extract_ikconfig ]; then
- log_skip "extract-ikconfig not found"
- fi
- $extract_ikconfig $KERNEL_IMAGE > $IKCONFIG 2>/dev/null
- if [ $? -eq 1 ]; then
- if [ ! -f $configs_module ]; then
- log_skip "CONFIG_IKCONFIG not enabled"
- fi
- $extract_ikconfig $configs_module > $IKCONFIG
- if [ $? -eq 1 ]; then
- log_skip "CONFIG_IKCONFIG not enabled"
- fi
- fi
- return 1
- }
- # Make sure that securityfs is mounted
- mount_securityfs()
- {
- if [ -z $SECURITYFS ]; then
- SECURITYFS=/sys/kernel/security
- mount -t securityfs security $SECURITYFS
- fi
- if [ ! -d "$SECURITYFS" ]; then
- log_fail "$SECURITYFS :securityfs is not mounted"
- fi
- }
- # The policy rule format is an "action" followed by key-value pairs. This
- # function supports up to two key-value pairs, in any order.
- # For example: action func=<keyword> [appraise_type=<type>]
- # Return 1 for found and 0 for not found.
- check_ima_policy()
- {
- local action="$1"
- local keypair1="$2"
- local keypair2="$3"
- local ret=0
- mount_securityfs
- local ima_policy=$SECURITYFS/ima/policy
- if [ ! -e $ima_policy ]; then
- log_fail "$ima_policy not found"
- fi
- if [ -n $keypair2 ]; then
- grep -e "^$action.*$keypair1" "$ima_policy" | \
- grep -q -e "$keypair2"
- else
- grep -q -e "^$action.*$keypair1" "$ima_policy"
- fi
- # invert "grep -q" result, returning 1 for found.
- [ $? -eq 0 ] && ret=1
- return $ret
- }
|