1#!/bin/sh 2# SPDX-License-Identifier: GPL-2.0+ 3# Loading a kernel image via the kexec_load syscall should fail 4# when the kerne is CONFIG_KEXEC_VERIFY_SIG enabled and the system 5# is booted in secureboot mode. 6 7TEST="$0" 8EFIVARFS="/sys/firmware/efi/efivars" 9rc=0 10 11# Kselftest framework requirement - SKIP code is 4. 12ksft_skip=4 13 14# kexec requires root privileges 15if [ $UID != 0 ]; then 16 echo "$TEST: must be run as root" >&2 17 exit $ksft_skip 18fi 19 20# Make sure that efivars is mounted in the normal location 21if ! grep -q "^\S\+ $EFIVARFS efivarfs" /proc/mounts; then 22 echo "$TEST: efivars is not mounted on $EFIVARFS" >&2 23 exit $ksft_skip 24fi 25 26# Get secureboot mode 27file="$EFIVARFS/SecureBoot-*" 28if [ ! -e $file ]; then 29 echo "$TEST: unknown secureboot mode" >&2 30 exit $ksft_skip 31fi 32secureboot=`hexdump $file | awk '{print substr($4,length($4),1)}'` 33 34# kexec_load should fail in secure boot mode 35KERNEL_IMAGE="/boot/vmlinuz-`uname -r`" 36kexec -l $KERNEL_IMAGE &>> /dev/null 37if [ $? == 0 ]; then 38 kexec -u 39 if [ "$secureboot" == "1" ]; then 40 echo "$TEST: kexec_load succeeded [FAIL]" 41 rc=1 42 else 43 echo "$TEST: kexec_load succeeded [PASS]" 44 fi 45else 46 if [ "$secureboot" == "1" ]; then 47 echo "$TEST: kexec_load failed [PASS]" 48 else 49 echo "$TEST: kexec_load failed [FAIL]" 50 rc=1 51 fi 52fi 53 54exit $rc 55