#!/bin/sh
# SPDX-License-Identifier: GPL-2.0-or-later
# Copyright (c) 2020 Microsoft Corporation
# Copyright (c) 2020 Petr Vorel <pvorel@suse.cz>
# Author: Lachlan Sneff <t-josne@linux.microsoft.com>
#
# Verify that kexec cmdline is measured correctly.
# Test attempts to kexec the existing running kernel image.
# To kexec a different kernel image export IMA_KEXEC_IMAGE=<pathname>.
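# Test-library settings. They are assigned here and not used elsewhere in this
# file, so they are presumably consumed by tst_run.
# External commands the script invokes; 'cut' is listed because measure()
# parses measurement entries with it.
TST_NEEDS_CMDS="cut grep kexec sed"
# Number of test cases; test() dispatches on 1, 2 and 3.
TST_CNT=3
TST_SETUP="setup"

# Kernel image handed to 'kexec -l'. Defaults to the image of the running
# kernel; the value comes from the environment when IMA_KEXEC_IMAGE is exported.
IMA_KEXEC_IMAGE="${IMA_KEXEC_IMAGE:-/boot/vmlinuz-$(uname -r)}"
# Regular expression the loaded IMA policy has to match for the kexec command
# line to be measured.
REQUIRED_POLICY='^measure.*func=KEXEC_CMDLINE'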
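# Check that the IMA measurement list holds a "kexec-cmdline" entry whose
# digest matches the given kernel command line.
#
# Arguments: $1 - command line that was passed to kexec
# Globals:   ASCII_MEASUREMENTS (read) - path of the ASCII measurement list;
#            not set in this file, presumably provided by ima_setup.sh
# Files:     writes file1 and file2 in the current directory
# Returns:   0 if at least one entry matches, 1 otherwise
measure()
{
	local cmdline="$1"
	local algorithm digest expected_digest found

	# The digest has to cover exactly the bytes of the command line. A fixed
	# '%s' format keeps '%' and backslash sequences in the value from being
	# interpreted by printf; no trailing newline is written.
	printf '%s' "$cmdline" > file1
	grep "kexec-cmdline" "$ASCII_MEASUREMENTS" > file2

	# Field 4 of an entry is parsed as "<algorithm>:<digest>". The expected
	# digest is recomputed per entry with that entry's algorithm.
	while read -r found
	do
		algorithm=$(printf '%s\n' "$found" | cut -d' ' -f4 | cut -d':' -f1)
		digest=$(printf '%s\n' "$found" | cut -d' ' -f4 | cut -d':' -f2)

		expected_digest=$(compute_digest "$algorithm" file1)

		if [ "$digest" = "$expected_digest" ]; then
			return 0
		fi
	done < file2

	return 1
}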
# Test setup: report the kernel image in use, stop with TCONF when it does not
# exist, and require the KEXEC_CMDLINE measure rule when the IMA policy can be
# read.
#
# Globals: IMA_KEXEC_IMAGE, REQUIRED_POLICY (read); policy_readable (set to 1
#          only when the policy was readable)
setup()
{
	tst_res TINFO "using kernel $IMA_KEXEC_IMAGE"

	[ -f "$IMA_KEXEC_IMAGE" ] || \
		tst_brk TCONF "kernel image not found, specify path in \$IMA_KEXEC_IMAGE"

	# With an unreadable policy the rule cannot be checked here;
	# policy_readable stays unset and kexec_test() takes that into account
	# when no matching measurement is found.
	if ! check_policy_readable; then
		return 0
	fi

	require_ima_policy_content "$REQUIRED_POLICY"
	policy_readable=1
}
# Print hints about why loading the kernel image with kexec may have failed:
# Secure Boot being enabled, or an appraise rule for KEXEC_KERNEL_CHECK being
# loaded. In both cases the warning is that the image may not be signed.
# Only emits TWARN messages.
kexec_failure_hint()
{
	local sb_enabled

	# bootctl is asked first; dmesg is consulted only when bootctl is not
	# available.
	if tst_cmd_available bootctl; then
		bootctl status 2>/dev/null | grep -qi 'Secure Boot: enabled' && sb_enabled=1
	elif tst_cmd_available dmesg; then
		dmesg | grep -qi 'Secure boot enabled' && sb_enabled=1
	fi

	if [ -n "$sb_enabled" ]; then
		tst_res TWARN "secure boot is enabled, kernel image may not be signed"
	fi

	if check_ima_policy_content '^appraise.*func=KEXEC_KERNEL_CHECK'; then
		tst_res TWARN "'func=KEXEC_KERNEL_CHECK' appraise policy loaded, kernel image may not be signed"
	fi
}
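# Load the kernel image with kexec using one command-line option, unload it
# again, and check that the command line was recorded in the IMA measurement
# list.
#
# Arguments: $1 - kexec option that sets the command line
#                 (--reuse-cmdline, --append or --command-line)
#            $2 - command-line value; unused for --reuse-cmdline
# Globals:   IMA_KEXEC_IMAGE, REQUIRED_POLICY, policy_readable (read)
# Files:     writes kexec's stderr to ./err
# Outcome:   TPASS when the measurement is found; stops via tst_brk otherwise
kexec_test()
{
	local param="$1"
	local cmdline="$2"
	local res=TFAIL

	# Build the command as an argument list instead of one string that is
	# word-split on execution: an image path or command line containing
	# whitespace or glob characters is then passed to kexec unchanged.
	set -- kexec -s -l "$IMA_KEXEC_IMAGE"
	if [ "$param" = '--reuse-cmdline' ]; then
		# Expected value is the running kernel's command line without its
		# BOOT_IMAGE= entry (presumably what kexec passes on; confirm
		# against kexec-tools).
		cmdline="$(sed 's/BOOT_IMAGE=[^ ]* //' /proc/cmdline)"
		set -- "$@" "$param"
	else
		set -- "$@" "$param=$cmdline"
	fi

	tst_res TINFO "testing $*"
	if ! "$@" 2>err; then
		kexec_failure_hint
		tst_brk TBROK "kexec failed: $(cat err)"
	fi

	# Unload the image again; the test only needs the load to have been
	# measured.
	ROD kexec -su
	if ! measure "$cmdline"; then
		# An unreadable policy means the required measure rule could not
		# be confirmed in setup(), so a missing measurement is reported as
		# TBROK rather than TFAIL.
		if [ "$policy_readable" != 1 ]; then
			tst_res TWARN "policy not readable, it might not contain required policy '$REQUIRED_POLICY'"
			res=TBROK
		fi
		tst_brk "$res" "unable to find a correct measurement"
	fi
	tst_res TPASS "kexec cmdline was measured correctly"
}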
# Run test case number $1 (1 to 3); each case passes the command line to kexec
# through a different option. Any other number does nothing.
test()
{
	if [ "$1" = 1 ]; then
		kexec_test '--reuse-cmdline'
	elif [ "$1" = 2 ]; then
		kexec_test '--append' 'foo'
	elif [ "$1" = 3 ]; then
		kexec_test '--command-line' 'bar'
	fi
}
# Source the shared IMA helpers, then start the test run. Both lines stay at
# the end of the file so that the functions and variables above are already
# defined when tst_run starts.
. ima_setup.sh
tst_run