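#!/bin/sh
# SPDX-License-Identifier: GPL-2.0
#
# Kselftest framework defines: ksft_pass=0, ksft_fail=1, ksft_skip=4
#
# Shared helpers for the kexec selftests. This file is sourced, not
# executed: every log_* helper below except log_info terminates the
# calling test with the matching kselftest exit status.

VERBOSE="${VERBOSE:-1}"
# Scratch copy of the running kernel's config, written by get_kconfig()
# unless a copy is found under /lib/modules. NOTE(review): this is a
# predictable name in a world-writable directory and the tests run as
# root; get_kconfig() refuses to write through a symlink planted here.
IKCONFIG="/tmp/config-$(uname -r)"
KERNEL_IMAGE="/boot/vmlinuz-$(uname -r)"
# Mount point of securityfs; empty when nothing is mounted (see
# mount_securityfs()).
SECURITYFS=$(grep "securityfs" /proc/mounts | awk '{print $2}')

# Print an informational message when VERBOSE is non-zero.
# printf rather than echo so a message is never reinterpreted as echo
# options or escapes. Always returns 0, so the helper can be the last
# command of a function without changing that function's status.
log_info()
{
	[ "$VERBOSE" -ne 0 ] && printf '[INFO] %s\n' "$1"
	return 0
}

# The kselftest framework requirement returns 0 for PASS.
log_pass()
{
	[ "$VERBOSE" -ne 0 ] && printf '%s [PASS]\n' "$1"
	exit 0
}

# The kselftest framework requirement returns 1 for FAIL.
log_fail()
{
	[ "$VERBOSE" -ne 0 ] && printf '%s [FAIL]\n' "$1"
	exit 1
}

# The kselftest framework requirement returns 4 for SKIP.
log_skip()
{
	[ "$VERBOSE" -ne 0 ] && printf '%s\n' "$1"
	exit 4
}

# Check efivar SecureBoot-$(the UUID) and SetupMode-$(the UUID).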
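# (Based on kdump-lib.sh)
# Read the SecureBoot and SetupMode EFI variables through efivarfs.
# Each variable's data is four attribute bytes followed by one value
# byte, so the value is the fifth field of the hexdump output.
# Return 1 when SecureBoot is enabled and SetupMode is disabled, 0
# otherwise (including when efivarfs is not mounted, a variable is
# missing, or a value cannot be read).
get_efivarfs_secureboot_mode()
{
	local efivarfs="/sys/firmware/efi/efivars"
	local secure_boot_file=""
	local setup_mode_file=""
	local secureboot_mode=0
	local setup_mode=0

	# Make sure that efivar_fs is mounted in the normal location
	if ! grep -q "^\S\+ $efivarfs efivarfs" /proc/mounts; then
		log_info "efivars is not mounted on $efivarfs"
		return 0
	fi
	# The -name patterns must be quoted: unquoted they are shell globs
	# and would be expanded against the current directory before find
	# ever sees them.
	secure_boot_file=$(find "$efivarfs" -name 'SecureBoot-*' 2>/dev/null)
	setup_mode_file=$(find "$efivarfs" -name 'SetupMode-*' 2>/dev/null)
	if [ -f "$secure_boot_file" ] && [ -f "$setup_mode_file" ]; then
		secureboot_mode=$(hexdump -v -e '/1 "%d\ "' \
			"$secure_boot_file" | cut -d' ' -f 5)
		setup_mode=$(hexdump -v -e '/1 "%d\ "' \
			"$setup_mode_file" | cut -d' ' -f 5)

		# A missing hexdump or a truncated variable leaves a value
		# empty. Fail safe: an unreadable SecureBoot counts as 0
		# (off) and an unreadable SetupMode counts as 1 (on), so the
		# function never reports secure boot it could not verify.
		if [ "${secureboot_mode:-0}" -eq 1 ] && \
		   [ "${setup_mode:-1}" -eq 0 ]; then
			log_info "secure boot mode enabled (CONFIG_EFIVAR_FS)"
			return 1
		fi
	fi
	return 0
}

# On powerpc platform, check device-tree property
# /proc/device-tree/ibm,secureboot/os-secureboot-enforcing
# to detect secureboot state.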
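get_ppc64_secureboot_mode()
{
	local secure_boot_file="/proc/device-tree/ibm,secureboot/os-secureboot-enforcing"
	# The property is only present when firmware enforces secure boot.
	if [ -f "$secure_boot_file" ]; then
		log_info "Secureboot is enabled (Device tree)"
		return 1
	fi
	log_info "Secureboot is not enabled (Device tree)"
	return 0
}

# Return the architecture of the system
get_arch()
{
	# uname -m is POSIX; arch(1) is the coreutils alias for it.
	uname -m
}

# Check efivar SecureBoot-$(the UUID) and SetupMode-$(the UUID).
# The secure boot mode can be accessed as the last integer of
# "od -An -t u1 /sys/firmware/efi/efivars/SecureBoot-*". The efi
# SetupMode can be similarly accessed.
# Return 1 for SecureBoot mode enabled and SetupMode mode disabled.
get_secureboot_mode()
{
	local secureboot_mode=0
	local system_arch
	system_arch=$(get_arch)

	# "=" rather than "==": this file is #!/bin/sh and dash's test(1)
	# rejects "==" ("unexpected operator"), which silently sent ppc64le
	# down the efivarfs path.
	if [ "$system_arch" = "ppc64le" ]; then
		get_ppc64_secureboot_mode
		secureboot_mode=$?
	else
		get_efivarfs_secureboot_mode
		secureboot_mode=$?
	fi

	if [ "$secureboot_mode" -eq 0 ]; then
		log_info "secure boot mode not enabled"
	fi
	return "$secureboot_mode"
}

# Skip the test unless the real uid is root.
require_root_privileges()
{
	if [ "$(id -ru)" -ne 0 ]; then
		log_skip "requires root privileges"
	fi
}

# Look for config option in Kconfig file.
# $1 - extended regular expression to search for (e.g. CONFIG_FOO=y)
# $2 - message logged when the option is found
# Return 1 for found and 0 for not found.
kconfig_enabled()
{
	local config="$1"
	local msg="$2"

	if grep -E -q -- "$config" "$IKCONFIG"; then
		log_info "$msg"
		return 1
	fi
	return 0
}

# Attempt to get the kernel config first by checking the modules directory
# then via proc, and finally by extracting it from the kernel image or the
# configs.ko using scripts/extract-ikconfig.
# Sets IKCONFIG to the config that was found or written.
# Return 1 for found; skips the test when no config can be obtained.
get_kconfig()
{
	local proc_config="/proc/config.gz"
	local module_dir="/lib/modules/$(uname -r)"
	# Intentionally a glob (configs.ko, configs.ko.xz, ...); it is
	# expanded unquoted below and is expected to yield a single match.
	local configs_module="$module_dir/kernel/kernel/configs.ko*"

	if [ -f "$module_dir/config" ]; then
		IKCONFIG="$module_dir/config"
		return 1
	fi

	# Everything below writes to $IKCONFIG, a predictable name in /tmp,
	# while running as root. Refuse to follow a symlink planted there so
	# the redirections cannot be turned into a write to another file.
	if [ -L "$IKCONFIG" ]; then
		log_fail "$IKCONFIG is a symlink, refusing to overwrite it"
	fi

	if [ ! -f "$proc_config" ]; then
		modprobe configs > /dev/null 2>&1
	fi
	if [ -f "$proc_config" ]; then
		if gunzip -c "$proc_config" > "$IKCONFIG" 2>/dev/null; then
			return 1
		fi
	fi

	local extract_ikconfig="$module_dir/source/scripts/extract-ikconfig"
	if [ ! -f "$extract_ikconfig" ]; then
		log_skip "extract-ikconfig not found"
	fi

	# Any failure to extract (not only exit status 1) means there is no
	# usable config; previously a different non-zero status returned
	# "found" with an empty $IKCONFIG.
	if ! "$extract_ikconfig" "$KERNEL_IMAGE" > "$IKCONFIG" 2>/dev/null; then
		if [ ! -f $configs_module ]; then
			log_skip "CONFIG_IKCONFIG not enabled"
		fi
		if ! "$extract_ikconfig" $configs_module > "$IKCONFIG"; then
			log_skip "CONFIG_IKCONFIG not enabled"
		fi
	fi
	return 1
}

# Make sure that securityfs is mounted
mount_securityfs()
{
	if [ -z "$SECURITYFS" ]; then
		SECURITYFS=/sys/kernel/security
		# /sys/kernel/security exists as a directory even when nothing
		# is mounted on it, so the -d test below cannot detect a failed
		# mount; check the mount command itself.
		if ! mount -t securityfs security "$SECURITYFS"; then
			log_fail "$SECURITYFS :securityfs is not mounted"
		fi
	fi

	if [ ! -d "$SECURITYFS" ]; then
		log_fail "$SECURITYFS :securityfs is not mounted"
	fi
}

# The policy rule format is an "action" followed by key-value pairs. This
# function supports up to two key-value pairs, in any order.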
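# For example: action func=<keyword> [appraise_type=<type>]
# $1 - action, anchored at the start of the rule
# $2 - first key=value pair, matched anywhere after the action
# $3 - optional second key=value pair, matched anywhere on the same rule
# Return 1 for found and 0 for not found.
check_ima_policy()
{
	local action="$1"
	local keypair1="$2"
	local keypair2="$3"
	local ret=0
	local ima_policy

	mount_securityfs

	ima_policy="$SECURITYFS/ima/policy"
	if [ ! -e "$ima_policy" ]; then
		log_fail "$ima_policy not found"
	fi

	# "$keypair2" must be quoted: unquoted, an empty value turns the
	# test into "[ -n ]", which is always true. That only worked by
	# accident because "grep -q -e ''" matches every line.
	if [ -n "$keypair2" ]; then
		grep -e "^$action.*$keypair1" "$ima_policy" | \
			grep -q -e "$keypair2" && ret=1
	else
		grep -q -e "^$action.*$keypair1" "$ima_policy" && ret=1
	fi

	# "grep -q" result inverted: 1 for found.
	return $ret
}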