| 1234567891011121314151617181920212223242526272829303132333435363738394041424344454647 |
- #!/bin/sh
- # SPDX-License-Identifier: GPL-2.0
- #
- # Prevent loading a kernel image via the kexec_load syscall when
- # signatures are required. (Dependent on CONFIG_IMA_ARCH_POLICY.)
- TEST="$0"
- . ./kexec_common_lib.sh
- # kexec requires root privileges
- require_root_privileges
- # get the kernel config
- get_kconfig
- kconfig_enabled "CONFIG_KEXEC=y" "kexec_load is enabled"
- if [ $? -eq 0 ]; then
- log_skip "kexec_load is not enabled"
- fi
- kconfig_enabled "CONFIG_IMA_APPRAISE=y" "IMA enabled"
- ima_appraise=$?
- kconfig_enabled "CONFIG_IMA_ARCH_POLICY=y" \
- "IMA architecture specific policy enabled"
- arch_policy=$?
- get_secureboot_mode
- secureboot=$?
- # kexec_load should fail in secure boot mode and CONFIG_IMA_ARCH_POLICY enabled
- kexec --load $KERNEL_IMAGE > /dev/null 2>&1
- if [ $? -eq 0 ]; then
- kexec --unload
- if [ $secureboot -eq 1 ] && [ $arch_policy -eq 1 ]; then
- log_fail "kexec_load succeeded"
- elif [ $ima_appraise -eq 0 -o $arch_policy -eq 0 ]; then
- log_info "Either IMA or the IMA arch policy is not enabled"
- fi
- log_pass "kexec_load succeeded"
- else
- if [ $secureboot -eq 1 ] && [ $arch_policy -eq 1 ] ; then
- log_pass "kexec_load failed"
- else
- log_fail "kexec_load failed"
- fi
- fi
|