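#!/bin/sh
# SPDX-License-Identifier: GPL-2.0
#
# Loading a kernel image via the kexec_file_load syscall can verify either
# the IMA signature stored in the security.ima xattr or the PE signature,
# both signatures depending on the IMA policy, or none.
#
# To determine whether the kernel image is signed, this test depends
# on pesign and getfattr.  This test also requires the kernel to be
# built with CONFIG_IKCONFIG enabled and either CONFIG_IKCONFIG_PROC
# enabled or access to the extract-ikconfig script.
#
# The helpers called below (kconfig_enabled, check_ima_policy, get_kconfig,
# get_secureboot_mode, require_root_privileges, log_info, log_pass, log_fail,
# log_skip) and the KERNEL_IMAGE and IKCONFIG variables are not defined in
# this file; they are expected to come from kexec_common_lib.sh.
# NOTE(review): the control flow in kexec_file_load_test() only makes sense
# if log_pass, log_fail and log_skip terminate the script - confirm in the
# library.

TEST="KEXEC_FILE_LOAD"
. ./kexec_common_lib.sh

# Remove the extracted kernel config on exit.  The trap body is single-quoted
# so that $IKCONFIG is expanded, as one quoted word, when the trap fires.  A
# double-quoted body would paste the value into the trap text when the trap
# is installed and have it re-parsed as shell code at exit, in a script that
# runs as root.
trap '[ -z "${IKCONFIG:-}" ] || rm -f -- "$IKCONFIG"' EXIT

# Some of the IMA builtin policies may require the kexec kernel image to
# be signed, but these policy rules may be replaced with a custom
# policy.  Only CONFIG_IMA_APPRAISE_REQUIRE_KEXEC_SIGS persists after
# loading a custom policy.  Check if it is enabled, before reading the
# IMA runtime sysfs policy file.
# Globals: ima_read_policy (read)
# Return 1 for IMA signature required and 0 for not required.
is_ima_sig_required()
{
	local ret=0

	kconfig_enabled "CONFIG_IMA_APPRAISE_REQUIRE_KEXEC_SIGS=y" \
		"IMA kernel image signature required"
	if [ $? -eq 1 ]; then
		log_info "IMA signature required"
		return 1
	fi

	# The architecture specific or a custom policy may require the
	# kexec kernel image be signed.  Policy rules are walked
	# sequentially.  As a result, a policy rule may be defined, but
	# might not necessarily be used.  This test assumes if a policy
	# rule is specified, that is the intent.
	if [ "$ima_read_policy" -eq 1 ]; then
		check_ima_policy "appraise" "func=KEXEC_KERNEL_CHECK" \
			"appraise_type=imasig"
		ret=$?
		if [ "$ret" -eq 1 ]; then
			log_info "IMA signature required"
		fi
	fi
	return "$ret"
}

# The kexec_file_load_test() is complicated enough, require pesign.
# Globals: KERNEL_IMAGE (read)
# Return 1 for PE signature found and 0 for not found.
check_for_pesig()
{
	local ret

	# command -v is the POSIX way to probe for a tool; which is not
	# guaranteed to exist or to use a particular exit status.
	command -v pesign > /dev/null 2>&1 || log_skip "pesign not found"

	# The result is grep's exit status: 0 when pesign printed
	# "No signatures", 1 when it did not.
	# NOTE(review): "signed" is inferred from the absence of that text,
	# so a pesign run that fails without printing it (for example on a
	# file it cannot parse) is also reported as PE signed, and the
	# signature itself is never validated here.  Consider checking
	# pesign's own exit status once its behaviour is confirmed.
	pesign -i "$KERNEL_IMAGE" --show-signature | grep -q "No signatures"
	ret=$?
	if [ "$ret" -eq 1 ]; then
		log_info "kexec kernel image PE signed"
	else
		log_info "kexec kernel image not PE signed"
	fi
	return "$ret"
}

# The kexec_file_load_test() is complicated enough, require getfattr.
# Globals: KERNEL_IMAGE (read)
# Return 1 for IMA signature found and 0 for not found.
check_for_imasig()
{
	local ret=0
	local line

	# Any non-zero status means the tool is missing; testing for exactly
	# 1 would let other failure codes fall through to the getfattr call.
	command -v getfattr > /dev/null 2>&1 || log_skip "getfattr not found"

	line=$(getfattr -n security.ima -e hex --absolute-names \
		"$KERNEL_IMAGE" 2>&1)

	# A security.ima value whose first byte is 0x03 is the xattr type
	# used for a digital signature (EVM_IMA_XATTR_DIGSIG); a hash-only
	# xattr starts with a different type byte and does not match.  This
	# detects that a signature is present, not that it verifies.
	case "$line" in
	*"security.ima=0x03"*)
		ret=1
		log_info "kexec kernel image IMA signed"
		;;
	*)
		log_info "kexec kernel image not IMA signed"
		;;
	esac
	return "$ret"
}

# Load KERNEL_IMAGE with the kexec_file_load syscall and compare the outcome
# with what the kernel configuration and IMA policy say should happen.
# Globals (read): KERNEL_IMAGE, secureboot, arch_policy, ima_signed,
#   pe_signed, kexec_sig_required, pe_sig_required, ima_sig_required,
#   ima_appraise, ima_read_policy, platform_keyring
# Returns: 0 if the end of the function is reached.
kexec_file_load_test()
{
	local succeed_msg="kexec_file_load succeeded"
	local failed_msg="kexec_file_load failed"
	local key_msg="try enabling the CONFIG_INTEGRITY_PLATFORM_KEYRING"
	local line

	if line=$(kexec --load --kexec-file-syscall "$KERNEL_IMAGE" 2>&1); then
		kexec --unload --kexec-file-syscall

		# The load succeeded.  Each check below reports a failure when
		# signature enforcement is configured but the image carries
		# no matching signature, i.e. enforcement was bypassed.

		# In secureboot mode with an architecture specific
		# policy, make sure either an IMA or PE signature exists.
		if [ "$secureboot" -eq 1 ] && [ "$arch_policy" -eq 1 ] && \
			[ "$ima_signed" -eq 0 ] && [ "$pe_signed" -eq 0 ]; then
			log_fail "$succeed_msg (missing sig)"
		fi

		if { [ "$kexec_sig_required" -eq 1 ] || \
			[ "$pe_sig_required" -eq 1 ]; } \
			&& [ "$pe_signed" -eq 0 ]; then
			log_fail "$succeed_msg (missing PE sig)"
		fi

		if [ "$ima_sig_required" -eq 1 ] && [ "$ima_signed" -eq 0 ]; then
			log_fail "$succeed_msg (missing IMA sig)"
		fi

		# Without CONFIG_IMA_READ_POLICY the runtime policy cannot be
		# inspected, so an unsigned image loading under IMA appraisal
		# is reported as a possible miss.
		if [ "$pe_sig_required" -eq 0 ] && [ "$ima_appraise" -eq 1 ] \
			&& [ "$ima_sig_required" -eq 0 ] \
			&& [ "$ima_signed" -eq 0 ] \
			&& [ "$ima_read_policy" -eq 0 ]; then
			log_fail "$succeed_msg (possibly missing IMA sig)"
		fi

		if [ "$pe_sig_required" -eq 0 ] && [ "$ima_appraise" -eq 0 ]; then
			log_info "No signature verification required"
		elif [ "$pe_sig_required" -eq 0 ] && [ "$ima_appraise" -eq 1 ] \
			&& [ "$ima_sig_required" -eq 0 ] \
			&& [ "$ima_signed" -eq 0 ] \
			&& [ "$ima_read_policy" -eq 1 ]; then
			log_info "No signature verification required"
		fi

		log_pass "$succeed_msg"
	fi

	# Check the reason for the kexec_file_load failure
	case "$line" in
	*"Required key not available"*)
		if [ "$platform_keyring" -eq 0 ]; then
			log_pass "$failed_msg (-ENOKEY), $key_msg"
		else
			log_pass "$failed_msg (-ENOKEY)"
		fi
		;;
	esac

	if { [ "$kexec_sig_required" -eq 1 ] || \
		[ "$pe_sig_required" -eq 1 ]; } \
		&& [ "$pe_signed" -eq 0 ]; then
		log_pass "$failed_msg (missing PE sig)"
	fi

	if [ "$ima_sig_required" -eq 1 ] && [ "$ima_signed" -eq 0 ]; then
		log_pass "$failed_msg (missing IMA sig)"
	fi

	if [ "$pe_sig_required" -eq 0 ] && [ "$ima_appraise" -eq 1 ] \
		&& [ "$ima_sig_required" -eq 0 ] \
		&& [ "$ima_read_policy" -eq 0 ] \
		&& [ "$ima_signed" -eq 0 ]; then
		log_pass "$failed_msg (possibly missing IMA sig)"
	fi

	# NOTE(review): every failed load ends in log_pass, including this
	# unconditional one, so a load that fails for a reason unrelated to
	# signatures is still recorded as a pass.
	log_pass "$failed_msg"
	return 0
}

# kexec requires root privileges
require_root_privileges

# get the kernel config
get_kconfig

# Determine which kernel config options are enabled.  Each variable holds
# the helper's exit status, which the checks above compare against 1
# (enabled) and 0 (not enabled).
kconfig_enabled "CONFIG_IMA_APPRAISE=y" "IMA enabled"
ima_appraise=$?

kconfig_enabled "CONFIG_IMA_ARCH_POLICY=y" \
	"architecture specific policy enabled"
arch_policy=$?

kconfig_enabled "CONFIG_INTEGRITY_PLATFORM_KEYRING=y" \
	"platform keyring enabled"
platform_keyring=$?

kconfig_enabled "CONFIG_IMA_READ_POLICY=y" "reading IMA policy permitted"
ima_read_policy=$?

kconfig_enabled "CONFIG_KEXEC_SIG_FORCE=y" \
	"kexec signed kernel image required"
kexec_sig_required=$?

kconfig_enabled "CONFIG_KEXEC_BZIMAGE_VERIFY_SIG=y" \
	"PE signed kernel image required"
pe_sig_required=$?

is_ima_sig_required
ima_sig_required=$?

get_secureboot_mode
secureboot=$?

# Are there pe and ima signatures
check_for_pesig
pe_signed=$?

check_for_imasig
ima_signed=$?

# Test loading the kernel image via kexec_file_load syscall
kexec_file_load_test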