Commit cbc0425d authored by Mimi Zohar's avatar Mimi Zohar
Browse files

sefltest/ima: support appended signatures (modsig) 



In addition to the PE/COFF and IMA xattr signatures, the kexec kernel
image can be signed with an appended signature, using the same
scripts/sign-file tool that is used to sign kernel modules.

This patch adds support for detecting a kernel image signed with an
appended signature and updates the existing test messages
appropriately.

Reviewed-by: default avatarPetr Vorel <pvorel@suse.cz>
Acked-by: default avatarShuah Khan <skhan@linuxfoundation.org>
Reviewed-by: default avatarThiago Jung Bauermann <bauerman@linux.ibm.com>
Reviewed-by: Jordan Hand <jorhand@linux.microsoft.com> (x86_64 QEMU)
Tested-by: Jordan Hand <jorhand@linux.microsoft.com> (x86_64 QEMU)
Signed-off-by: default avatarMimi Zohar <zohar@linux.ibm.com>
parent 556d971b

tools/testing/selftests/kexec/test_kexec_file_load.sh

+34 −4
Original line number Diff line number Diff line
@@ -37,12 +37,21 @@ is_ima_sig_required() 
	# sequentially.  As a result, a policy rule may be defined, but

	# might not necessarily be used.  This test assumes if a policy

	# rule is specified, that is the intent.



	# First check for appended signature (modsig), then xattr

	if [ $ima_read_policy -eq 1 ]; then

		check_ima_policy "appraise" "func=KEXEC_KERNEL_CHECK" \

			"appraise_type=imasig|modsig"

		ret=$?

		if [ $ret -eq 1 ]; then

			log_info "IMA or appended(modsig) signature required"

		else

			check_ima_policy "appraise" "func=KEXEC_KERNEL_CHECK" \

				"appraise_type=imasig"

			ret=$?

			[ $ret -eq 1 ] && log_info "IMA signature required";

		fi

	fi

	return $ret

}
@@ -84,6 +93,22 @@ check_for_imasig() 
	return $ret

}



# Return 1 for appended signature (modsig) found and 0 for not found.

check_for_modsig()

{

	local module_sig_string="~Module signature appended~"

	local sig="$(tail --bytes $((${#module_sig_string} + 1)) $KERNEL_IMAGE)"

	local ret=0



	if [ "$sig" == "$module_sig_string" ]; then

		ret=1

		log_info "kexec kernel image modsig signed"

	else

		log_info "kexec kernel image not modsig signed"

	fi

	return $ret

}



kexec_file_load_test()

{

	local succeed_msg="kexec_file_load succeeded"
@@ -98,7 +123,8 @@ kexec_file_load_test() 
		# In secureboot mode with an architecture  specific

		# policy, make sure either an IMA or PE signature exists.

		if [ $secureboot -eq 1 ] && [ $arch_policy -eq 1 ] && \

			[ $ima_signed -eq 0 ] && [ $pe_signed -eq 0 ]; then

			[ $ima_signed -eq 0 ] && [ $pe_signed -eq 0 ] \

			  && [ $ima_modsig -eq 0 ]; then

			log_fail "$succeed_msg (missing sig)"

		fi
@@ -107,7 +133,8 @@ kexec_file_load_test() 
			log_fail "$succeed_msg (missing PE sig)"

		fi



		if [ $ima_sig_required -eq 1 ] && [ $ima_signed -eq 0 ]; then

		if [ $ima_sig_required -eq 1 ] && [ $ima_signed -eq 0 ] \

		     && [ $ima_modsig -eq 0 ]; then

			log_fail "$succeed_msg (missing IMA sig)"

		fi
@@ -204,5 +231,8 @@ pe_signed=$? 
check_for_imasig

ima_signed=$?



check_for_modsig

ima_modsig=$?



# Test loading the kernel image via kexec_file_load syscall

kexec_file_load_test

CRA Git | Maintained and supported by SUSTech CRA and CCSE