2 # SPDX-License-Identifier: GPL-2.0
8 # To determine whether the kernel image is signed, this test depends
9 # on pesign and getfattr. This test also requires the kernel to be
11 # enabled or access to the extract-ikconfig script.
# NOTE(review): this is an excerpt. The number leading each line is its line
# number in the original script; the lines in between are not shown, so most
# `if` bodies and every assignment of the flag variables are out of view.
13 TEST="KEXEC_FILE_LOAD"
# NOTE(review): the trap body is double-quoted, so $IKCONFIG is expanded when
# the trap is installed rather than at exit, and the path reaches rm unquoted.
# Where IKCONFIG is assigned is not visible here; if it were empty or held
# whitespace at this point, the cleanup would remove nothing or the wrong path.
16 trap "{ rm -f $IKCONFIG ; }" EXIT
19 # be signed, but these policy rules may be replaced with a custom
30 if [ $? -eq 1 ]; then
36 # kexec kernel image be signed. Policy rules are walked
38 # might not necessarily be used. This test assumes if a policy
# NOTE(review): the numeric tests from here on leave their operands unquoted.
# An unset or empty flag makes `[` fail with a syntax error instead of
# comparing, and the branch is then silently treated as false.
42 if [ $ima_read_policy -eq 1 ]; then
46 if [ $ret -eq 1 ]; then
52 [ $ret -eq 1 ] && log_info "IMA signature required";
# Asks pesign to show the image's signature and looks for the text
# "No signatures"; grep -q keeps only the exit status. How that status is
# mapped onto ret happens on a line not shown here.
64 pesign -i $KERNEL_IMAGE --show-signature | grep -q "No signatures"
66 if [ $ret -eq 1 ]; then
81 if [ $? -eq 1 ]; then
# Dumps the security.ima xattr as hex (2>&1 folds getfattr's stderr into
# $line) and checks whether the output contains a value starting with 0x03.
# NOTE(review): 0x03 looks like the xattr type byte for an IMA digital
# signature (EVM_IMA_XATTR_DIGSIG) rather than a plain hash - confirm against
# the kernel headers. The grep is an unanchored substring match.
85 line=$(getfattr -n security.ima -e hex --absolute-names $KERNEL_IMAGE 2>&1)
86 echo $line | grep -q "security.ima=0x03"
87 if [ $? -eq 0 ]; then
# Reads the last ${#module_sig_string} + 1 bytes of the image and searches
# them for module_sig_string. NOTE(review): presumably the marker of an
# appended signature followed by one trailing byte; the string's value is
# assigned on a line not shown here.
102 tail --bytes $((${#module_sig_string} + 1)) $KERNEL_IMAGE | \
103 grep -q "$module_sig_string"
104 if [ $? -eq 0 ]; then
# Attempts the load with --kexec-file-syscall, capturing stdout and stderr in
# $line for the message checks further down. Line 120 is not shown; assuming
# it runs no command, $? at line 121 is kexec's status, and a load that
# succeeded is unloaded again at line 122.
119 line=$(kexec --load --kexec-file-syscall $KERNEL_IMAGE 2>&1)
121 if [ $? -eq 0 ]; then
122 kexec --unload --kexec-file-syscall
# Condition: secureboot and arch_policy are both 1 while the image carries
# none of the three signature kinds checked here (IMA xattr, PE, modsig).
# NOTE(review): presumably reported as an unexpected success; the body is on
# a line not shown here.
126 if [ $secureboot -eq 1 ] && [ $arch_policy -eq 1 ] && \
127 [ $ima_signed -eq 0 ] && [ $pe_signed -eq 0 ] \
128 && [ $ima_modsig -eq 0 ]; then
# NOTE(review): `-o` inside `[` is marked obsolescent by POSIX and can parse
# ambiguously with unquoted operands; two `[ ... ]` tests joined by `||` in a
# group is the unambiguous spelling. The same form recurs at line 169.
132 if [ $kexec_sig_required -eq 1 -o $pe_sig_required -eq 1 ] \
133 && [ $pe_signed -eq 0 ]; then
137 if [ $ima_sig_required -eq 1 ] && [ $ima_signed -eq 0 ] \
138 && [ $ima_modsig -eq 0 ]; then
142 if [ $pe_sig_required -eq 0 ] && [ $ima_appraise -eq 1 ] \
143 && [ $ima_sig_required -eq 0 ] && [ $ima_signed -eq 0 ] \
144 && [ $ima_read_policy -eq 0 ]; then
148 if [ $pe_sig_required -eq 0 ] && [ $ima_appraise -eq 0 ]; then
150 elif [ $pe_sig_required -eq 0 ] && [ $ima_appraise -eq 1 ] \
151 && [ $ima_sig_required -eq 0 ] && [ $ima_signed -eq 0 ] \
152 && [ $ima_read_policy -eq 1 ]; then
# Text match of the captured kexec output against the message that lines 163
# and 165 label as -ENOKEY. A load rejected for that reason is logged as a
# pass; when platform_keyring is 0 the message also carries $key_msg.
160 echo $line | grep -q "Required key not available"
161 if [ $? -eq 0 ]; then
162 if [ $platform_keyring -eq 0 ]; then
163 log_pass "$failed_msg (-ENOKEY), $key_msg"
165 log_pass "$failed_msg (-ENOKEY)"
169 if [ $kexec_sig_required -eq 1 -o $pe_sig_required -eq 1 ] \
170 && [ $pe_signed -eq 0 ]; then
174 if [ $ima_sig_required -eq 1 ] && [ $ima_signed -eq 0 ]; then
178 if [ $pe_sig_required -eq 0 ] && [ $ima_appraise -eq 1 ] \
179 && [ $ima_sig_required -eq 0 ] && [ $ima_read_policy -eq 0 ] \
180 && [ $ima_signed -eq 0 ]; then
195 if [ $? -eq 0 ]; then
242 # Test loading the kernel image via kexec_file_load syscall