Loading...
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 | #!/bin/sh # SPDX-License-Identifier: GPL-2.0 # # Kselftest framework defines: ksft_pass=0, ksft_fail=1, ksft_skip=4 VERBOSE="${VERBOSE:-1}" IKCONFIG="/tmp/config-`uname -r`" KERNEL_IMAGE="/boot/vmlinuz-`uname -r`" SECURITYFS=$(grep "securityfs" /proc/mounts | awk '{print $2}') log_info() { [ $VERBOSE -ne 0 ] && echo "[INFO] $1" } # The ksefltest framework requirement returns 0 for PASS. log_pass() { [ $VERBOSE -ne 0 ] && echo "$1 [PASS]" exit 0 } # The ksefltest framework requirement returns 1 for FAIL. log_fail() { [ $VERBOSE -ne 0 ] && echo "$1 [FAIL]" exit 1 } # The ksefltest framework requirement returns 4 for SKIP. log_skip() { [ $VERBOSE -ne 0 ] && echo "$1" exit 4 } # Check efivar SecureBoot-$(the UUID) and SetupMode-$(the UUID). # (Based on kdump-lib.sh) get_efivarfs_secureboot_mode() { local efivarfs="/sys/firmware/efi/efivars" local secure_boot_file="" local setup_mode_file="" local secureboot_mode=0 local setup_mode=0 # Make sure that efivar_fs is mounted in the normal location if ! grep -q "^\S\+ $efivarfs efivarfs" /proc/mounts; then log_info "efivars is not mounted on $efivarfs" return 0; fi secure_boot_file=$(find "$efivarfs" -name SecureBoot-* 2>/dev/null) setup_mode_file=$(find "$efivarfs" -name SetupMode-* 2>/dev/null) if [ -f "$secure_boot_file" ] && [ -f "$setup_mode_file" ]; then secureboot_mode=$(hexdump -v -e '/1 "%d\ "' \ "$secure_boot_file"|cut -d' ' -f 5) setup_mode=$(hexdump -v -e '/1 "%d\ "' \ "$setup_mode_file"|cut -d' ' -f 5) if [ $secureboot_mode -eq 1 ] && [ $setup_mode -eq 0 ]; then log_info "secure boot mode enabled (CONFIG_EFIVAR_FS)" return 1; fi fi return 0; } get_efi_var_secureboot_mode() { local efi_vars local secure_boot_file local setup_mode_file local secureboot_mode local setup_mode if [ ! -d "$efi_vars" ]; then log_skip "efi_vars is not enabled\n" fi secure_boot_file=$(find "$efi_vars" -name SecureBoot-* 2>/dev/null) setup_mode_file=$(find "$efi_vars" -name SetupMode-* 2>/dev/null) if [ -f "$secure_boot_file/data" ] && \ [ -f "$setup_mode_file/data" ]; then secureboot_mode=`od -An -t u1 "$secure_boot_file/data"` setup_mode=`od -An -t u1 "$setup_mode_file/data"` if [ $secureboot_mode -eq 1 ] && [ $setup_mode -eq 0 ]; then log_info "secure boot mode enabled (CONFIG_EFI_VARS)" return 1; fi fi return 0; } # Check efivar SecureBoot-$(the UUID) and SetupMode-$(the UUID). # The secure boot mode can be accessed either as the last integer # of "od -An -t u1 /sys/firmware/efi/efivars/SecureBoot-*" or from # "od -An -t u1 /sys/firmware/efi/vars/SecureBoot-*/data". The efi # SetupMode can be similarly accessed. # Return 1 for SecureBoot mode enabled and SetupMode mode disabled. get_secureboot_mode() { local secureboot_mode=0 get_efivarfs_secureboot_mode secureboot_mode=$? # fallback to using the efi_var files if [ $secureboot_mode -eq 0 ]; then get_efi_var_secureboot_mode secureboot_mode=$? fi if [ $secureboot_mode -eq 0 ]; then log_info "secure boot mode not enabled" fi return $secureboot_mode; } require_root_privileges() { if [ $(id -ru) -ne 0 ]; then log_skip "requires root privileges" fi } # Look for config option in Kconfig file. # Return 1 for found and 0 for not found. kconfig_enabled() { local config="$1" local msg="$2" grep -E -q $config $IKCONFIG if [ $? -eq 0 ]; then log_info "$msg" return 1 fi return 0 } # Attempt to get the kernel config first via proc, and then by # extracting it from the kernel image or the configs.ko using # scripts/extract-ikconfig. # Return 1 for found. get_kconfig() { local proc_config="/proc/config.gz" local module_dir="/lib/modules/`uname -r`" local configs_module="$module_dir/kernel/kernel/configs.ko" if [ ! -f $proc_config ]; then modprobe configs > /dev/null 2>&1 fi if [ -f $proc_config ]; then cat $proc_config | gunzip > $IKCONFIG 2>/dev/null if [ $? -eq 0 ]; then return 1 fi fi local extract_ikconfig="$module_dir/source/scripts/extract-ikconfig" if [ ! -f $extract_ikconfig ]; then log_skip "extract-ikconfig not found" fi $extract_ikconfig $KERNEL_IMAGE > $IKCONFIG 2>/dev/null if [ $? -eq 1 ]; then if [ ! -f $configs_module ]; then log_skip "CONFIG_IKCONFIG not enabled" fi $extract_ikconfig $configs_module > $IKCONFIG if [ $? -eq 1 ]; then log_skip "CONFIG_IKCONFIG not enabled" fi fi return 1 } # Make sure that securityfs is mounted mount_securityfs() { if [ -z $SECURITYFS ]; then SECURITYFS=/sys/kernel/security mount -t securityfs security $SECURITYFS fi if [ ! -d "$SECURITYFS" ]; then log_fail "$SECURITYFS :securityfs is not mounted" fi } # The policy rule format is an "action" followed by key-value pairs. This # function supports up to two key-value pairs, in any order. # For example: action func=<keyword> [appraise_type=<type>] # Return 1 for found and 0 for not found. check_ima_policy() { local action="$1" local keypair1="$2" local keypair2="$3" local ret=0 mount_securityfs local ima_policy=$SECURITYFS/ima/policy if [ ! -e $ima_policy ]; then log_fail "$ima_policy not found" fi if [ -n $keypair2 ]; then grep -e "^$action.*$keypair1" "$ima_policy" | \ grep -q -e "$keypair2" else grep -q -e "^$action.*$keypair1" "$ima_policy" fi # invert "grep -q" result, returning 1 for found. [ $? -eq 0 ] && ret=1 return $ret } |