1973b71c6SMimi Zohar#!/bin/sh
2973b71c6SMimi Zohar# SPDX-License-Identifier: GPL-2.0
3973b71c6SMimi Zohar#
4973b71c6SMimi Zohar# Loading a kernel image via the kexec_file_load syscall can verify either
5973b71c6SMimi Zohar# the IMA signature stored in the security.ima xattr or the PE signature,
6973b71c6SMimi Zohar# both signatures depending on the IMA policy, or none.
7973b71c6SMimi Zohar#
8973b71c6SMimi Zohar# To determine whether the kernel image is signed, this test depends
9973b71c6SMimi Zohar# on pesign and getfattr.  This test also requires the kernel to be
10973b71c6SMimi Zohar# built with CONFIG_IKCONFIG enabled and either CONFIG_IKCONFIG_PROC
11973b71c6SMimi Zohar# enabled or access to the extract-ikconfig script.
12973b71c6SMimi Zohar
13973b71c6SMimi ZoharTEST="KEXEC_FILE_LOAD"
14973b71c6SMimi Zohar. ./kexec_common_lib.sh
15973b71c6SMimi Zohar
16973b71c6SMimi Zohartrap "{ rm -f $IKCONFIG ; }" EXIT
17973b71c6SMimi Zohar
18973b71c6SMimi Zohar# Some of the IMA builtin policies may require the kexec kernel image to
19973b71c6SMimi Zohar# be signed, but these policy rules may be replaced with a custom
20973b71c6SMimi Zohar# policy.  Only CONFIG_IMA_APPRAISE_REQUIRE_KEXEC_SIGS persists after
21973b71c6SMimi Zohar# loading a custom policy.  Check if it is enabled, before reading the
22973b71c6SMimi Zohar# IMA runtime sysfs policy file.
23973b71c6SMimi Zohar# Return 1 for IMA signature required and 0 for not required.
24973b71c6SMimi Zoharis_ima_sig_required()
25973b71c6SMimi Zohar{
26973b71c6SMimi Zohar	local ret=0
27973b71c6SMimi Zohar
28973b71c6SMimi Zohar	kconfig_enabled "CONFIG_IMA_APPRAISE_REQUIRE_KEXEC_SIGS=y" \
29973b71c6SMimi Zohar		"IMA kernel image signature required"
30973b71c6SMimi Zohar	if [ $? -eq 1 ]; then
31973b71c6SMimi Zohar		log_info "IMA signature required"
32973b71c6SMimi Zohar		return 1
33973b71c6SMimi Zohar	fi
34973b71c6SMimi Zohar
35973b71c6SMimi Zohar	# The architecture specific or a custom policy may require the
36973b71c6SMimi Zohar	# kexec kernel image be signed.  Policy rules are walked
37973b71c6SMimi Zohar	# sequentially.  As a result, a policy rule may be defined, but
38973b71c6SMimi Zohar	# might not necessarily be used.  This test assumes if a policy
39973b71c6SMimi Zohar	# rule is specified, that is the intent.
40973b71c6SMimi Zohar	if [ $ima_read_policy -eq 1 ]; then
41973b71c6SMimi Zohar		check_ima_policy "appraise" "func=KEXEC_KERNEL_CHECK" \
42973b71c6SMimi Zohar			"appraise_type=imasig"
43973b71c6SMimi Zohar		ret=$?
44973b71c6SMimi Zohar		[ $ret -eq 1 ] && log_info "IMA signature required";
45973b71c6SMimi Zohar	fi
46973b71c6SMimi Zohar	return $ret
47973b71c6SMimi Zohar}
48973b71c6SMimi Zohar
49973b71c6SMimi Zohar# The kexec_file_load_test() is complicated enough, require pesign.
50973b71c6SMimi Zohar# Return 1 for PE signature found and 0 for not found.
51973b71c6SMimi Zoharcheck_for_pesig()
52973b71c6SMimi Zohar{
53973b71c6SMimi Zohar	which pesign > /dev/null 2>&1 || log_skip "pesign not found"
54973b71c6SMimi Zohar
55973b71c6SMimi Zohar	pesign -i $KERNEL_IMAGE --show-signature | grep -q "No signatures"
56973b71c6SMimi Zohar	local ret=$?
57973b71c6SMimi Zohar	if [ $ret -eq 1 ]; then
58973b71c6SMimi Zohar		log_info "kexec kernel image PE signed"
59973b71c6SMimi Zohar	else
60973b71c6SMimi Zohar		log_info "kexec kernel image not PE signed"
61973b71c6SMimi Zohar	fi
62973b71c6SMimi Zohar	return $ret
63973b71c6SMimi Zohar}
64973b71c6SMimi Zohar
65973b71c6SMimi Zohar# The kexec_file_load_test() is complicated enough, require getfattr.
66973b71c6SMimi Zohar# Return 1 for IMA signature found and 0 for not found.
67973b71c6SMimi Zoharcheck_for_imasig()
68973b71c6SMimi Zohar{
69973b71c6SMimi Zohar	local ret=0
70973b71c6SMimi Zohar
71973b71c6SMimi Zohar	which getfattr > /dev/null 2>&1
72973b71c6SMimi Zohar	if [ $?	-eq 1 ]; then
73973b71c6SMimi Zohar		log_skip "getfattr not found"
74973b71c6SMimi Zohar	fi
75973b71c6SMimi Zohar
76973b71c6SMimi Zohar	line=$(getfattr -n security.ima -e hex --absolute-names $KERNEL_IMAGE 2>&1)
77973b71c6SMimi Zohar	echo $line | grep -q "security.ima=0x03"
78973b71c6SMimi Zohar	if [ $? -eq 0 ]; then
79973b71c6SMimi Zohar		ret=1
80973b71c6SMimi Zohar		log_info "kexec kernel image IMA signed"
81973b71c6SMimi Zohar	else
82973b71c6SMimi Zohar		log_info "kexec kernel image not IMA signed"
83973b71c6SMimi Zohar	fi
84973b71c6SMimi Zohar	return $ret
85973b71c6SMimi Zohar}
86973b71c6SMimi Zohar
87973b71c6SMimi Zoharkexec_file_load_test()
88973b71c6SMimi Zohar{
89973b71c6SMimi Zohar	local succeed_msg="kexec_file_load succeeded"
90973b71c6SMimi Zohar	local failed_msg="kexec_file_load failed"
91973b71c6SMimi Zohar	local key_msg="try enabling the CONFIG_INTEGRITY_PLATFORM_KEYRING"
92973b71c6SMimi Zohar
93973b71c6SMimi Zohar	line=$(kexec --load --kexec-file-syscall $KERNEL_IMAGE 2>&1)
94973b71c6SMimi Zohar
95973b71c6SMimi Zohar	if [ $? -eq 0 ]; then
96973b71c6SMimi Zohar		kexec --unload --kexec-file-syscall
97973b71c6SMimi Zohar
98973b71c6SMimi Zohar		# In secureboot mode with an architecture  specific
99973b71c6SMimi Zohar		# policy, make sure either an IMA or PE signature exists.
100973b71c6SMimi Zohar		if [ $secureboot -eq 1 ] && [ $arch_policy -eq 1 ] && \
101973b71c6SMimi Zohar			[ $ima_signed -eq 0 ] && [ $pe_signed -eq 0 ]; then
102973b71c6SMimi Zohar			log_fail "$succeed_msg (missing sig)"
103973b71c6SMimi Zohar		fi
104973b71c6SMimi Zohar
105973b71c6SMimi Zohar		if [ $kexec_sig_required -eq 1 -o $pe_sig_required -eq 1 ] \
106973b71c6SMimi Zohar		     && [ $pe_signed -eq 0 ]; then
107973b71c6SMimi Zohar			log_fail "$succeed_msg (missing PE sig)"
108973b71c6SMimi Zohar		fi
109973b71c6SMimi Zohar
110973b71c6SMimi Zohar		if [ $ima_sig_required -eq 1 ] && [ $ima_signed -eq 0 ]; then
111973b71c6SMimi Zohar			log_fail "$succeed_msg (missing IMA sig)"
112973b71c6SMimi Zohar		fi
113973b71c6SMimi Zohar
114973b71c6SMimi Zohar		if [ $pe_sig_required -eq 0 ] && [ $ima_appraise -eq 1 ] \
115973b71c6SMimi Zohar		    && [ $ima_sig_required -eq 0 ] && [ $ima_signed -eq 0 ] \
116973b71c6SMimi Zohar	            && [ $ima_read_policy -eq 0 ]; then
117973b71c6SMimi Zohar			log_fail "$succeed_msg (possibly missing IMA sig)"
118973b71c6SMimi Zohar		fi
119973b71c6SMimi Zohar
120973b71c6SMimi Zohar		if [ $pe_sig_required -eq 0 ] && [ $ima_appraise -eq 0 ]; then
121973b71c6SMimi Zohar			log_info "No signature verification required"
122973b71c6SMimi Zohar		elif [ $pe_sig_required -eq 0 ] && [ $ima_appraise -eq 1 ] \
123973b71c6SMimi Zohar		    && [ $ima_sig_required -eq 0 ] && [ $ima_signed -eq 0 ] \
124973b71c6SMimi Zohar	            && [ $ima_read_policy -eq 1 ]; then
125973b71c6SMimi Zohar			log_info "No signature verification required"
126973b71c6SMimi Zohar		fi
127973b71c6SMimi Zohar
128973b71c6SMimi Zohar		log_pass "$succeed_msg"
129973b71c6SMimi Zohar	fi
130973b71c6SMimi Zohar
131973b71c6SMimi Zohar	# Check the reason for the kexec_file_load failure
132973b71c6SMimi Zohar	echo $line | grep -q "Required key not available"
133973b71c6SMimi Zohar	if [ $? -eq 0 ]; then
134973b71c6SMimi Zohar		if [ $platform_keyring -eq 0 ]; then
135973b71c6SMimi Zohar			log_pass "$failed_msg (-ENOKEY), $key_msg"
136973b71c6SMimi Zohar		else
137973b71c6SMimi Zohar			log_pass "$failed_msg (-ENOKEY)"
138973b71c6SMimi Zohar		fi
139973b71c6SMimi Zohar	fi
140973b71c6SMimi Zohar
141973b71c6SMimi Zohar	if [ $kexec_sig_required -eq 1 -o $pe_sig_required -eq 1 ] \
142973b71c6SMimi Zohar	     && [ $pe_signed -eq 0 ]; then
143973b71c6SMimi Zohar		log_pass "$failed_msg (missing PE sig)"
144973b71c6SMimi Zohar	fi
145973b71c6SMimi Zohar
146973b71c6SMimi Zohar	if [ $ima_sig_required -eq 1 ] && [ $ima_signed -eq 0 ]; then
147973b71c6SMimi Zohar		log_pass "$failed_msg (missing IMA sig)"
148973b71c6SMimi Zohar	fi
149973b71c6SMimi Zohar
150973b71c6SMimi Zohar	if [ $pe_sig_required -eq 0 ] && [ $ima_appraise -eq 1 ] \
151973b71c6SMimi Zohar	    && [ $ima_sig_required -eq 0 ] && [ $ima_read_policy -eq 0 ] \
152973b71c6SMimi Zohar	    && [ $ima_signed -eq 0 ]; then
153973b71c6SMimi Zohar		log_pass "$failed_msg (possibly missing IMA sig)"
154973b71c6SMimi Zohar	fi
155973b71c6SMimi Zohar
156973b71c6SMimi Zohar	log_pass "$failed_msg"
157973b71c6SMimi Zohar	return 0
158973b71c6SMimi Zohar}
159973b71c6SMimi Zohar
160973b71c6SMimi Zohar# kexec requires root privileges
161973b71c6SMimi Zoharrequire_root_privileges
162973b71c6SMimi Zohar
163973b71c6SMimi Zohar# get the kernel config
164973b71c6SMimi Zoharget_kconfig
165973b71c6SMimi Zohar
166973b71c6SMimi Zohar# Determine which kernel config options are enabled
167973b71c6SMimi Zoharkconfig_enabled "CONFIG_IMA_APPRAISE=y" "IMA enabled"
168973b71c6SMimi Zoharima_appraise=$?
169973b71c6SMimi Zohar
170973b71c6SMimi Zoharkconfig_enabled "CONFIG_IMA_ARCH_POLICY=y" \
171973b71c6SMimi Zohar	"architecture specific policy enabled"
172973b71c6SMimi Zohararch_policy=$?
173973b71c6SMimi Zohar
174973b71c6SMimi Zoharkconfig_enabled "CONFIG_INTEGRITY_PLATFORM_KEYRING=y" \
175973b71c6SMimi Zohar	"platform keyring enabled"
176973b71c6SMimi Zoharplatform_keyring=$?
177973b71c6SMimi Zohar
178973b71c6SMimi Zoharkconfig_enabled "CONFIG_IMA_READ_POLICY=y" "reading IMA policy permitted"
179973b71c6SMimi Zoharima_read_policy=$?
180973b71c6SMimi Zohar
181973b71c6SMimi Zoharkconfig_enabled "CONFIG_KEXEC_SIG_FORCE=y" \
182973b71c6SMimi Zohar	"kexec signed kernel image required"
183973b71c6SMimi Zoharkexec_sig_required=$?
184973b71c6SMimi Zohar
185973b71c6SMimi Zoharkconfig_enabled "CONFIG_KEXEC_BZIMAGE_VERIFY_SIG=y" \
186973b71c6SMimi Zohar	"PE signed kernel image required"
187973b71c6SMimi Zoharpe_sig_required=$?
188973b71c6SMimi Zohar
189973b71c6SMimi Zoharis_ima_sig_required
190973b71c6SMimi Zoharima_sig_required=$?
191973b71c6SMimi Zohar
192973b71c6SMimi Zoharget_secureboot_mode
193973b71c6SMimi Zoharsecureboot=$?
194973b71c6SMimi Zohar
195973b71c6SMimi Zohar# Are there pe and ima signatures
196973b71c6SMimi Zoharcheck_for_pesig
197973b71c6SMimi Zoharpe_signed=$?
198973b71c6SMimi Zohar
199973b71c6SMimi Zoharcheck_for_imasig
200973b71c6SMimi Zoharima_signed=$?
201973b71c6SMimi Zohar
202973b71c6SMimi Zohar# Test loading the kernel image via kexec_file_load syscall
203973b71c6SMimi Zoharkexec_file_load_test
204