1973b71c6SMimi Zohar#!/bin/sh 2973b71c6SMimi Zohar# SPDX-License-Identifier: GPL-2.0 3973b71c6SMimi Zohar# 4973b71c6SMimi Zohar# Loading a kernel image via the kexec_file_load syscall can verify either 5973b71c6SMimi Zohar# the IMA signature stored in the security.ima xattr or the PE signature, 6973b71c6SMimi Zohar# both signatures depending on the IMA policy, or none. 7973b71c6SMimi Zohar# 8973b71c6SMimi Zohar# To determine whether the kernel image is signed, this test depends 9973b71c6SMimi Zohar# on pesign and getfattr. This test also requires the kernel to be 10973b71c6SMimi Zohar# built with CONFIG_IKCONFIG enabled and either CONFIG_IKCONFIG_PROC 11973b71c6SMimi Zohar# enabled or access to the extract-ikconfig script. 12973b71c6SMimi Zohar 13973b71c6SMimi ZoharTEST="KEXEC_FILE_LOAD" 14973b71c6SMimi Zohar. ./kexec_common_lib.sh 15973b71c6SMimi Zohar 16973b71c6SMimi Zohartrap "{ rm -f $IKCONFIG ; }" EXIT 17973b71c6SMimi Zohar 18973b71c6SMimi Zohar# Some of the IMA builtin policies may require the kexec kernel image to 19973b71c6SMimi Zohar# be signed, but these policy rules may be replaced with a custom 20973b71c6SMimi Zohar# policy. Only CONFIG_IMA_APPRAISE_REQUIRE_KEXEC_SIGS persists after 21973b71c6SMimi Zohar# loading a custom policy. Check if it is enabled, before reading the 22973b71c6SMimi Zohar# IMA runtime sysfs policy file. 23973b71c6SMimi Zohar# Return 1 for IMA signature required and 0 for not required. 24973b71c6SMimi Zoharis_ima_sig_required() 25973b71c6SMimi Zohar{ 26973b71c6SMimi Zohar local ret=0 27973b71c6SMimi Zohar 28973b71c6SMimi Zohar kconfig_enabled "CONFIG_IMA_APPRAISE_REQUIRE_KEXEC_SIGS=y" \ 29973b71c6SMimi Zohar "IMA kernel image signature required" 30973b71c6SMimi Zohar if [ $? -eq 1 ]; then 31973b71c6SMimi Zohar log_info "IMA signature required" 32973b71c6SMimi Zohar return 1 33973b71c6SMimi Zohar fi 34973b71c6SMimi Zohar 35973b71c6SMimi Zohar # The architecture specific or a custom policy may require the 36973b71c6SMimi Zohar # kexec kernel image be signed. Policy rules are walked 37973b71c6SMimi Zohar # sequentially. As a result, a policy rule may be defined, but 38973b71c6SMimi Zohar # might not necessarily be used. This test assumes if a policy 39973b71c6SMimi Zohar # rule is specified, that is the intent. 40cbc0425dSMimi Zohar 41cbc0425dSMimi Zohar # First check for appended signature (modsig), then xattr 42973b71c6SMimi Zohar if [ $ima_read_policy -eq 1 ]; then 43973b71c6SMimi Zohar check_ima_policy "appraise" "func=KEXEC_KERNEL_CHECK" \ 44cbc0425dSMimi Zohar "appraise_type=imasig|modsig" 45cbc0425dSMimi Zohar ret=$? 46cbc0425dSMimi Zohar if [ $ret -eq 1 ]; then 47cbc0425dSMimi Zohar log_info "IMA or appended(modsig) signature required" 48cbc0425dSMimi Zohar else 49cbc0425dSMimi Zohar check_ima_policy "appraise" "func=KEXEC_KERNEL_CHECK" \ 50973b71c6SMimi Zohar "appraise_type=imasig" 51973b71c6SMimi Zohar ret=$? 52973b71c6SMimi Zohar [ $ret -eq 1 ] && log_info "IMA signature required"; 53973b71c6SMimi Zohar fi 54cbc0425dSMimi Zohar fi 55973b71c6SMimi Zohar return $ret 56973b71c6SMimi Zohar} 57973b71c6SMimi Zohar 58973b71c6SMimi Zohar# The kexec_file_load_test() is complicated enough, require pesign. 59973b71c6SMimi Zohar# Return 1 for PE signature found and 0 for not found. 60973b71c6SMimi Zoharcheck_for_pesig() 61973b71c6SMimi Zohar{ 62973b71c6SMimi Zohar which pesign > /dev/null 2>&1 || log_skip "pesign not found" 63973b71c6SMimi Zohar 64973b71c6SMimi Zohar pesign -i $KERNEL_IMAGE --show-signature | grep -q "No signatures" 65973b71c6SMimi Zohar local ret=$? 66973b71c6SMimi Zohar if [ $ret -eq 1 ]; then 67973b71c6SMimi Zohar log_info "kexec kernel image PE signed" 68973b71c6SMimi Zohar else 69973b71c6SMimi Zohar log_info "kexec kernel image not PE signed" 70973b71c6SMimi Zohar fi 71973b71c6SMimi Zohar return $ret 72973b71c6SMimi Zohar} 73973b71c6SMimi Zohar 74973b71c6SMimi Zohar# The kexec_file_load_test() is complicated enough, require getfattr. 75973b71c6SMimi Zohar# Return 1 for IMA signature found and 0 for not found. 76973b71c6SMimi Zoharcheck_for_imasig() 77973b71c6SMimi Zohar{ 78973b71c6SMimi Zohar local ret=0 79973b71c6SMimi Zohar 80973b71c6SMimi Zohar which getfattr > /dev/null 2>&1 81973b71c6SMimi Zohar if [ $? -eq 1 ]; then 82973b71c6SMimi Zohar log_skip "getfattr not found" 83973b71c6SMimi Zohar fi 84973b71c6SMimi Zohar 85973b71c6SMimi Zohar line=$(getfattr -n security.ima -e hex --absolute-names $KERNEL_IMAGE 2>&1) 86973b71c6SMimi Zohar echo $line | grep -q "security.ima=0x03" 87973b71c6SMimi Zohar if [ $? -eq 0 ]; then 88973b71c6SMimi Zohar ret=1 89973b71c6SMimi Zohar log_info "kexec kernel image IMA signed" 90973b71c6SMimi Zohar else 91973b71c6SMimi Zohar log_info "kexec kernel image not IMA signed" 92973b71c6SMimi Zohar fi 93973b71c6SMimi Zohar return $ret 94973b71c6SMimi Zohar} 95973b71c6SMimi Zohar 96cbc0425dSMimi Zohar# Return 1 for appended signature (modsig) found and 0 for not found. 97cbc0425dSMimi Zoharcheck_for_modsig() 98cbc0425dSMimi Zohar{ 99cbc0425dSMimi Zohar local module_sig_string="~Module signature appended~" 100cbc0425dSMimi Zohar local sig="$(tail --bytes $((${#module_sig_string} + 1)) $KERNEL_IMAGE)" 101cbc0425dSMimi Zohar local ret=0 102cbc0425dSMimi Zohar 103cbc0425dSMimi Zohar if [ "$sig" == "$module_sig_string" ]; then 104cbc0425dSMimi Zohar ret=1 105cbc0425dSMimi Zohar log_info "kexec kernel image modsig signed" 106cbc0425dSMimi Zohar else 107cbc0425dSMimi Zohar log_info "kexec kernel image not modsig signed" 108cbc0425dSMimi Zohar fi 109cbc0425dSMimi Zohar return $ret 110cbc0425dSMimi Zohar} 111cbc0425dSMimi Zohar 112973b71c6SMimi Zoharkexec_file_load_test() 113973b71c6SMimi Zohar{ 114973b71c6SMimi Zohar local succeed_msg="kexec_file_load succeeded" 115973b71c6SMimi Zohar local failed_msg="kexec_file_load failed" 116973b71c6SMimi Zohar local key_msg="try enabling the CONFIG_INTEGRITY_PLATFORM_KEYRING" 117973b71c6SMimi Zohar 118973b71c6SMimi Zohar line=$(kexec --load --kexec-file-syscall $KERNEL_IMAGE 2>&1) 119973b71c6SMimi Zohar 120973b71c6SMimi Zohar if [ $? -eq 0 ]; then 121973b71c6SMimi Zohar kexec --unload --kexec-file-syscall 122973b71c6SMimi Zohar 123973b71c6SMimi Zohar # In secureboot mode with an architecture specific 124973b71c6SMimi Zohar # policy, make sure either an IMA or PE signature exists. 125973b71c6SMimi Zohar if [ $secureboot -eq 1 ] && [ $arch_policy -eq 1 ] && \ 126cbc0425dSMimi Zohar [ $ima_signed -eq 0 ] && [ $pe_signed -eq 0 ] \ 127cbc0425dSMimi Zohar && [ $ima_modsig -eq 0 ]; then 128973b71c6SMimi Zohar log_fail "$succeed_msg (missing sig)" 129973b71c6SMimi Zohar fi 130973b71c6SMimi Zohar 131973b71c6SMimi Zohar if [ $kexec_sig_required -eq 1 -o $pe_sig_required -eq 1 ] \ 132973b71c6SMimi Zohar && [ $pe_signed -eq 0 ]; then 133973b71c6SMimi Zohar log_fail "$succeed_msg (missing PE sig)" 134973b71c6SMimi Zohar fi 135973b71c6SMimi Zohar 136cbc0425dSMimi Zohar if [ $ima_sig_required -eq 1 ] && [ $ima_signed -eq 0 ] \ 137cbc0425dSMimi Zohar && [ $ima_modsig -eq 0 ]; then 138973b71c6SMimi Zohar log_fail "$succeed_msg (missing IMA sig)" 139973b71c6SMimi Zohar fi 140973b71c6SMimi Zohar 141973b71c6SMimi Zohar if [ $pe_sig_required -eq 0 ] && [ $ima_appraise -eq 1 ] \ 142973b71c6SMimi Zohar && [ $ima_sig_required -eq 0 ] && [ $ima_signed -eq 0 ] \ 143973b71c6SMimi Zohar && [ $ima_read_policy -eq 0 ]; then 144973b71c6SMimi Zohar log_fail "$succeed_msg (possibly missing IMA sig)" 145973b71c6SMimi Zohar fi 146973b71c6SMimi Zohar 147973b71c6SMimi Zohar if [ $pe_sig_required -eq 0 ] && [ $ima_appraise -eq 0 ]; then 148973b71c6SMimi Zohar log_info "No signature verification required" 149973b71c6SMimi Zohar elif [ $pe_sig_required -eq 0 ] && [ $ima_appraise -eq 1 ] \ 150973b71c6SMimi Zohar && [ $ima_sig_required -eq 0 ] && [ $ima_signed -eq 0 ] \ 151973b71c6SMimi Zohar && [ $ima_read_policy -eq 1 ]; then 152973b71c6SMimi Zohar log_info "No signature verification required" 153973b71c6SMimi Zohar fi 154973b71c6SMimi Zohar 155973b71c6SMimi Zohar log_pass "$succeed_msg" 156973b71c6SMimi Zohar fi 157973b71c6SMimi Zohar 158973b71c6SMimi Zohar # Check the reason for the kexec_file_load failure 159973b71c6SMimi Zohar echo $line | grep -q "Required key not available" 160973b71c6SMimi Zohar if [ $? -eq 0 ]; then 161973b71c6SMimi Zohar if [ $platform_keyring -eq 0 ]; then 162973b71c6SMimi Zohar log_pass "$failed_msg (-ENOKEY), $key_msg" 163973b71c6SMimi Zohar else 164973b71c6SMimi Zohar log_pass "$failed_msg (-ENOKEY)" 165973b71c6SMimi Zohar fi 166973b71c6SMimi Zohar fi 167973b71c6SMimi Zohar 168973b71c6SMimi Zohar if [ $kexec_sig_required -eq 1 -o $pe_sig_required -eq 1 ] \ 169973b71c6SMimi Zohar && [ $pe_signed -eq 0 ]; then 170973b71c6SMimi Zohar log_pass "$failed_msg (missing PE sig)" 171973b71c6SMimi Zohar fi 172973b71c6SMimi Zohar 173973b71c6SMimi Zohar if [ $ima_sig_required -eq 1 ] && [ $ima_signed -eq 0 ]; then 174973b71c6SMimi Zohar log_pass "$failed_msg (missing IMA sig)" 175973b71c6SMimi Zohar fi 176973b71c6SMimi Zohar 177973b71c6SMimi Zohar if [ $pe_sig_required -eq 0 ] && [ $ima_appraise -eq 1 ] \ 178973b71c6SMimi Zohar && [ $ima_sig_required -eq 0 ] && [ $ima_read_policy -eq 0 ] \ 179973b71c6SMimi Zohar && [ $ima_signed -eq 0 ]; then 180973b71c6SMimi Zohar log_pass "$failed_msg (possibly missing IMA sig)" 181973b71c6SMimi Zohar fi 182973b71c6SMimi Zohar 183973b71c6SMimi Zohar log_pass "$failed_msg" 184973b71c6SMimi Zohar return 0 185973b71c6SMimi Zohar} 186973b71c6SMimi Zohar 187973b71c6SMimi Zohar# kexec requires root privileges 188973b71c6SMimi Zoharrequire_root_privileges 189973b71c6SMimi Zohar 190973b71c6SMimi Zohar# get the kernel config 191973b71c6SMimi Zoharget_kconfig 192973b71c6SMimi Zohar 1937cea0b92SMimi Zoharkconfig_enabled "CONFIG_KEXEC_FILE=y" "kexec_file_load is enabled" 1947cea0b92SMimi Zoharif [ $? -eq 0 ]; then 1957cea0b92SMimi Zohar log_skip "kexec_file_load is not enabled" 1967cea0b92SMimi Zoharfi 1977cea0b92SMimi Zohar 198973b71c6SMimi Zohar# Determine which kernel config options are enabled 199973b71c6SMimi Zoharkconfig_enabled "CONFIG_IMA_APPRAISE=y" "IMA enabled" 200973b71c6SMimi Zoharima_appraise=$? 201973b71c6SMimi Zohar 202973b71c6SMimi Zoharkconfig_enabled "CONFIG_IMA_ARCH_POLICY=y" \ 203973b71c6SMimi Zohar "architecture specific policy enabled" 204973b71c6SMimi Zohararch_policy=$? 205973b71c6SMimi Zohar 206973b71c6SMimi Zoharkconfig_enabled "CONFIG_INTEGRITY_PLATFORM_KEYRING=y" \ 207973b71c6SMimi Zohar "platform keyring enabled" 208973b71c6SMimi Zoharplatform_keyring=$? 209973b71c6SMimi Zohar 210973b71c6SMimi Zoharkconfig_enabled "CONFIG_IMA_READ_POLICY=y" "reading IMA policy permitted" 211973b71c6SMimi Zoharima_read_policy=$? 212973b71c6SMimi Zohar 213973b71c6SMimi Zoharkconfig_enabled "CONFIG_KEXEC_SIG_FORCE=y" \ 214973b71c6SMimi Zohar "kexec signed kernel image required" 215973b71c6SMimi Zoharkexec_sig_required=$? 216973b71c6SMimi Zohar 217973b71c6SMimi Zoharkconfig_enabled "CONFIG_KEXEC_BZIMAGE_VERIFY_SIG=y" \ 218973b71c6SMimi Zohar "PE signed kernel image required" 219973b71c6SMimi Zoharpe_sig_required=$? 220973b71c6SMimi Zohar 221973b71c6SMimi Zoharis_ima_sig_required 222973b71c6SMimi Zoharima_sig_required=$? 223973b71c6SMimi Zohar 224973b71c6SMimi Zoharget_secureboot_mode 225973b71c6SMimi Zoharsecureboot=$? 226973b71c6SMimi Zohar 227973b71c6SMimi Zohar# Are there pe and ima signatures 228973b71c6SMimi Zoharcheck_for_pesig 229973b71c6SMimi Zoharpe_signed=$? 230973b71c6SMimi Zohar 231973b71c6SMimi Zoharcheck_for_imasig 232973b71c6SMimi Zoharima_signed=$? 233973b71c6SMimi Zohar 234cbc0425dSMimi Zoharcheck_for_modsig 235cbc0425dSMimi Zoharima_modsig=$? 236cbc0425dSMimi Zohar 237973b71c6SMimi Zohar# Test loading the kernel image via kexec_file_load syscall 238973b71c6SMimi Zoharkexec_file_load_test 239