linux/tools/testing/selftests/lkdtm/stack-entropy.sh

#!/bin/sh
# SPDX-License-Identifier: GPL-2.0
#
# Measure kernel stack entropy by sampling via LKDTM's REPORT_STACK test.
set -e
samples="${1:-1000}"
TRIGGER=/sys/kernel/debug/provoke-crash/DIRECT
KSELFTEST_SKIP_TEST=4

# Verify we have LKDTM available in the kernel.
if [ ! -r $TRIGGER ] ; then
	/sbin/modprobe -q lkdtm || true
	if [ ! -r $TRIGGER ] ; then
		echo "Cannot find $TRIGGER (missing CONFIG_LKDTM?)"
	else
		echo "Cannot write $TRIGGER (need to run as root?)"
	fi
	# Skip this test
	exit $KSELFTEST_SKIP_TEST
fi

# Capture dmesg continuously since it may fill up depending on sample size.
log=$(mktemp -t stack-entropy-XXXXXX)
dmesg --follow >"$log" & pid=$!
report=-1
for i in $(seq 1 $samples); do
        echo "REPORT_STACK" > $TRIGGER
	if [ -t 1 ]; then
		percent=$(( 100 * $i / $samples ))
		if [ "$percent" -ne "$report" ]; then
			/bin/echo -en "$percent%\r"
			report="$percent"
		fi
	fi
done
kill "$pid"

# Count unique offsets since last run.
seen=$(tac "$log" | grep -m1 -B"$samples"0 'Starting stack offset' | \
	grep 'Stack offset' | awk '{print $NF}' | sort | uniq -c | wc -l)
bits=$(echo "obase=2; $seen" | bc | wc -L)
echo "Bits of stack entropy: $bits"
rm -f "$log"

# We would expect any functional stack randomization to be at least 5 bits.
if [ "$bits" -lt 5 ]; then
	echo "Stack entropy is low! Booted without 'randomize_kstack_offset=y'?"
	exit 1
else
	exit 0
fi
lkdtm: Add REPORT_STACK for checking stack offsets For validating the stack offset behavior, report the offset from a given process's first seen stack address. Add s script to calculate the results to the LKDTM kselftests. Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Link: https://lore.kernel.org/r/20210401232347.2791257-7-keescook@chromium.org 2021-04-01 16:23:47 -07:00			`#!/bin/sh`
			`# SPDX-License-Identifier: GPL-2.0`
			`#`
			`# Measure kernel stack entropy by sampling via LKDTM's REPORT_STACK test.`
			`set -e`
			`samples="${1:-1000}"`
selftest/lkdtm: Skip stack-entropy test if lkdtm is not available Exit with return code 4 if lkdtm is not available like other tests in order to properly skip the test. Signed-off-by: Misono Tomohiro <misono.tomohiro@jp.fujitsu.com> Signed-off-by: Kees Cook <keescook@chromium.org> Link: https://lore.kernel.org/r/20210805101236.1140381-1-misono.tomohiro@jp.fujitsu.com 2021-08-05 19:12:36 +09:00			`TRIGGER=/sys/kernel/debug/provoke-crash/DIRECT`
			`KSELFTEST_SKIP_TEST=4`

			`# Verify we have LKDTM available in the kernel.`
			`if [ ! -r $TRIGGER ] ; then`
			`/sbin/modprobe -q lkdtm \|\| true`
			`if [ ! -r $TRIGGER ] ; then`
			`echo "Cannot find $TRIGGER (missing CONFIG_LKDTM?)"`
			`else`
			`echo "Cannot write $TRIGGER (need to run as root?)"`
			`fi`
			`# Skip this test`
			`exit $KSELFTEST_SKIP_TEST`
			`fi`
lkdtm: Add REPORT_STACK for checking stack offsets For validating the stack offset behavior, report the offset from a given process's first seen stack address. Add s script to calculate the results to the LKDTM kselftests. Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Link: https://lore.kernel.org/r/20210401232347.2791257-7-keescook@chromium.org 2021-04-01 16:23:47 -07:00
			`# Capture dmesg continuously since it may fill up depending on sample size.`
			`log=$(mktemp -t stack-entropy-XXXXXX)`
			`dmesg --follow >"$log" & pid=$!`
			`report=-1`
			`for i in $(seq 1 $samples); do`
selftest/lkdtm: Skip stack-entropy test if lkdtm is not available Exit with return code 4 if lkdtm is not available like other tests in order to properly skip the test. Signed-off-by: Misono Tomohiro <misono.tomohiro@jp.fujitsu.com> Signed-off-by: Kees Cook <keescook@chromium.org> Link: https://lore.kernel.org/r/20210805101236.1140381-1-misono.tomohiro@jp.fujitsu.com 2021-08-05 19:12:36 +09:00			`echo "REPORT_STACK" > $TRIGGER`
lkdtm: Add REPORT_STACK for checking stack offsets For validating the stack offset behavior, report the offset from a given process's first seen stack address. Add s script to calculate the results to the LKDTM kselftests. Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Link: https://lore.kernel.org/r/20210401232347.2791257-7-keescook@chromium.org 2021-04-01 16:23:47 -07:00			`if [ -t 1 ]; then`
			`percent=$(( 100 * $i / $samples ))`
			`if [ "$percent" -ne "$report" ]; then`
			`/bin/echo -en "$percent%\r"`
			`report="$percent"`
			`fi`
			`fi`
			`done`
			`kill "$pid"`

			`# Count unique offsets since last run.`
			`seen=$(tac "$log" \| grep -m1 -B"$samples"0 'Starting stack offset' \| \`
			`grep 'Stack offset' \| awk '{print $NF}' \| sort \| uniq -c \| wc -l)`
			`bits=$(echo "obase=2; $seen" \| bc \| wc -L)`
			`echo "Bits of stack entropy: $bits"`
			`rm -f "$log"`

			`# We would expect any functional stack randomization to be at least 5 bits.`
			`if [ "$bits" -lt 5 ]; then`
lkdtm: Add CONFIG hints in errors where possible For various failure conditions, try to include some details about where to look for reasons about the failure. Signed-off-by: Kees Cook <keescook@chromium.org> Link: https://lore.kernel.org/r/20210623203936.3151093-8-keescook@chromium.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2021-06-23 13:39:34 -07:00			`echo "Stack entropy is low! Booted without 'randomize_kstack_offset=y'?"`
lkdtm: Add REPORT_STACK for checking stack offsets For validating the stack offset behavior, report the offset from a given process's first seen stack address. Add s script to calculate the results to the LKDTM kselftests. Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Link: https://lore.kernel.org/r/20210401232347.2791257-7-keescook@chromium.org 2021-04-01 16:23:47 -07:00			`exit 1`
			`else`
			`exit 0`
			`fi`