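#!/bin/sh
# SPDX-License-Identifier: GPL-2.0-or-later
# Copyright (c) 2020 Microsoft Corporation
# Copyright (c) 2020 Petr Vorel <pvorel@suse.cz>
# Author: Lachlan Sneff <t-josne@linux.microsoft.com>
#
# Verify that kexec cmdline is measured correctly.
# Test attempts to kexec the existing running kernel image.
# To kexec a different kernel image export IMA_KEXEC_IMAGE=<pathname>.
#
# For each test case a kernel image is loaded with 'kexec -s -l' and a known
# command line, then unloaded again; the test passes when the IMA measurement
# list holds a "kexec-cmdline" entry whose digest equals the digest of that
# command line computed locally.

TST_NEEDS_CMDS="grep kexec sed"
TST_CNT=3
TST_NEEDS_DEVICE=1
TST_SETUP="setup"

. ima_setup.sh

IMA_KEXEC_IMAGE="${IMA_KEXEC_IMAGE:-/boot/vmlinuz-$(uname -r)}"
REQUIRED_POLICY='^measure.*func=KEXEC_CMDLINE'

# Check whether the measurement list contains a digest of the given cmdline.
# Globals:   ASCII_MEASUREMENTS (read; not defined in this file, presumably
#            set by ima_setup.sh)
# Arguments: $1 - command line that was passed to kexec
# Files:     writes file1 (cmdline bytes) and file2 (matching log entries)
#            into the current directory
# Returns:   0 if any "kexec-cmdline" entry carries the expected digest,
#            1 otherwise
measure()
{
	local cmdline="$1"
	local algorithm digest expected_digest found hash_field

	# '%s' keeps '%' and backslashes in the command line from being
	# interpreted as printf directives, which would change the bytes
	# that get hashed. No trailing newline is written.
	printf '%s' "$cmdline" > file1
	grep "kexec-cmdline" "$ASCII_MEASUREMENTS" > file2

	# Default IFS is kept on purpose: 'read' strips leading blanks, so the
	# field numbering used below does not shift on a padded first column.
	# -r stops 'read' from interpreting backslashes in the log line.
	while read -r found
	do
		# 4th space-separated field is taken as "<algorithm>:<digest>".
		hash_field=$(echo "$found" | cut -d' ' -f4)
		algorithm=${hash_field%%:*}
		digest=${hash_field#*:}

		expected_digest=$(compute_digest "$algorithm" file1)

		if [ "$digest" = "$expected_digest" ]; then
			return 0
		fi
	done < file2

	return 1
}

# Test setup: require the kernel image and, when the IMA policy can be read,
# require a rule matching $REQUIRED_POLICY.
# Globals:   IMA_KEXEC_IMAGE, REQUIRED_POLICY (read), policy_readable (written)
# If the policy is not readable, policy_readable stays unset and a failed
# measurement is later reported as TBROK instead of TFAIL (see kexec_test).
setup()
{
	tst_res TINFO "using kernel $IMA_KEXEC_IMAGE"

	if [ ! -f "$IMA_KEXEC_IMAGE" ]; then
		tst_brk TCONF "kernel image not found, specify path in \$IMA_KEXEC_IMAGE"
	fi

	if check_policy_readable; then
		require_ima_policy_content "$REQUIRED_POLICY"
		policy_readable=1
	fi
}

# Print hints about why loading the kernel image may have been refused.
# Both checks are heuristics and only produce TWARN messages:
#  - Secure Boot state, taken from 'bootctl status' or, if bootctl is not
#    available, from the kernel log
#  - a loaded appraise rule for func=KEXEC_KERNEL_CHECK
kexec_failure_hint()
{
	# Explicitly empty: some shells let a bare 'local' inherit a value
	# from the caller's scope.
	local sb_enabled=

	if tst_cmd_available bootctl; then
		if bootctl status 2>/dev/null | grep -qi 'Secure Boot: enabled'; then
			sb_enabled=1
		fi
	elif tst_cmd_available dmesg; then
		if dmesg | grep -qi 'Secure boot enabled'; then
			sb_enabled=1
		fi
	fi
	if [ "$sb_enabled" ]; then
		tst_res TWARN "secure boot is enabled, kernel image may not be signed"
	fi

	if check_ima_policy_content '^appraise.*func=KEXEC_KERNEL_CHECK'; then
		tst_res TWARN "'func=KEXEC_KERNEL_CHECK' appraise policy loaded, kernel image may not be signed"
	fi
}

# Load the kernel image with a given cmdline option, unload it and verify
# that the cmdline was measured.
# Arguments: $1 - kexec option selecting the cmdline
#                 (--reuse-cmdline, --append or --command-line)
#            $2 - value for the option (unused with --reuse-cmdline)
# Globals:   IMA_KEXEC_IMAGE, policy_readable, REQUIRED_POLICY (read)
# Files:     writes kexec's stderr to 'err' in the current directory
kexec_test()
{
	local param="$1"
	local cmdline="$2"
	local res=TFAIL

	# The command is kept in the positional parameters instead of a flat
	# string, so an image path or cmdline value containing blanks or glob
	# characters reaches kexec as a single, unmodified argument.
	if [ "$param" = '--reuse-cmdline' ]; then
		# Expected cmdline is the running one with BOOT_IMAGE=... removed.
		cmdline="$(sed 's/BOOT_IMAGE=[^ ]* //' /proc/cmdline)"
		set -- kexec -s -l "$IMA_KEXEC_IMAGE" "$param"
	else
		set -- kexec -s -l "$IMA_KEXEC_IMAGE" "$param=$cmdline"
	fi

	tst_res TINFO "testing $*"
	if ! "$@" 2>err; then
		kexec_failure_hint
		tst_brk TBROK "kexec failed: $(cat err)"
	fi

	# Unload the image again; the test only needs the measurement entry.
	ROD kexec -su
	if ! measure "$cmdline"; then
		# Without a readable policy a missing measurement cannot be told
		# apart from a missing measure rule, so report TBROK, not TFAIL.
		if [ "$policy_readable" != 1 ]; then
			tst_res TWARN "policy not readable, it might not contain required policy '$REQUIRED_POLICY'"
			res=TBROK
		fi
		tst_brk "$res" "unable to find a correct measurement"
	fi
	tst_res TPASS "kexec cmdline was measured correctly"
}

# Test dispatcher, called with the test case number (1..TST_CNT).
test()
{
	case "$1" in
	1) kexec_test '--reuse-cmdline';;
	2) kexec_test '--append' 'foo';;
	3) kexec_test '--command-line' 'bar';;
	esac
}

tst_run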