test_kexec_load.sh 1.2 KB

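  #!/bin/sh
  # SPDX-License-Identifier: GPL-2.0
  #
  # Prevent loading a kernel image via the kexec_load syscall when
  # signatures are required.  (Dependent on CONFIG_IMA_ARCH_POLICY.)
  #
  # The helpers used below (require_root_privileges, get_kconfig,
  # kconfig_enabled, get_secureboot_mode, log_*) and KERNEL_IMAGE are not
  # defined in this file; they are expected to come from kexec_common_lib.sh.
  # NOTE(review): the flow below reads as if log_skip, log_fail and log_pass
  # end the script, and as if kconfig_enabled / get_secureboot_mode return 1
  # for "enabled" and 0 for "not enabled" -- confirm against the library.

  TEST="$0"
  . ./kexec_common_lib.sh

  # kexec requires root privileges
  require_root_privileges

  # get the kernel config
  get_kconfig

  # A status of 0 is treated as "CONFIG_KEXEC is not set": nothing to test.
  kconfig_enabled "CONFIG_KEXEC=y" "kexec_load is enabled"
  if [ $? -eq 0 ]; then
    log_skip "kexec_load is not enabled"
  fi

  kconfig_enabled "CONFIG_IMA_APPRAISE=y" "IMA enabled"
  ima_appraise=$?

  kconfig_enabled "CONFIG_IMA_ARCH_POLICY=y" \
    "IMA architecture specific policy enabled"
  arch_policy=$?

  get_secureboot_mode
  secureboot=$?

  # The load below discards kexec's output and treats ANY non-zero exit as the
  # expected denial.  A missing or unreadable image would therefore be reported
  # as "pass" on a secure-boot system without the policy ever being exercised,
  # so rule that case out before drawing a conclusion from the exit status.
  if [ ! -r "$KERNEL_IMAGE" ]; then
    log_skip "kernel image '$KERNEL_IMAGE' is not readable"
  fi

  # kexec_load should fail in secure boot mode and CONFIG_IMA_ARCH_POLICY enabled
  # KERNEL_IMAGE is quoted so a path containing whitespace or glob characters
  # is passed to kexec as a single argument.
  if kexec --load "$KERNEL_IMAGE" > /dev/null 2>&1; then
    # Do not leave the just-loaded image staged for a later kexec.
    kexec --unload
    if [ "$secureboot" -eq 1 ] && [ "$arch_policy" -eq 1 ]; then
      # The load went through although it should have been refused.
      log_fail "kexec_load succeeded"
    elif [ "$ima_appraise" -eq 0 ] || [ "$arch_policy" -eq 0 ]; then
      log_info "Either IMA or the IMA arch policy is not enabled"
    fi
    log_pass "kexec_load succeeded"
  else
    if [ "$secureboot" -eq 1 ] && [ "$arch_policy" -eq 1 ]; then
      log_pass "kexec_load failed"
    else
      # Nothing visible here required the load to be refused.
      log_fail "kexec_load failed"
    fi
  fi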