sefltest/ima: support appended signatures (modsig)
In addition to the PE/COFF and IMA xattr signatures, the kexec kernel image can be signed with an appended signature, using the same scripts/sign-file tool that is used to sign kernel modules. This patch adds support for detecting a kernel image signed with an appended signature and updates the existing test messages appropriately. Reviewed-by: Petr Vorel <pvorel@suse.cz> Acked-by: Shuah Khan <skhan@linuxfoundation.org> Reviewed-by: Thiago Jung Bauermann <bauerman@linux.ibm.com> Reviewed-by: Jordan Hand <jorhand@linux.microsoft.com> (x86_64 QEMU) Tested-by: Jordan Hand <jorhand@linux.microsoft.com> (x86_64 QEMU) Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
parent
556d971bda
commit
cbc0425d3d
@ -37,11 +37,20 @@ is_ima_sig_required()
|
||||
# sequentially. As a result, a policy rule may be defined, but
|
||||
# might not necessarily be used. This test assumes if a policy
|
||||
# rule is specified, that is the intent.
|
||||
|
||||
# First check for appended signature (modsig), then xattr
|
||||
if [ $ima_read_policy -eq 1 ]; then
|
||||
check_ima_policy "appraise" "func=KEXEC_KERNEL_CHECK" \
|
||||
"appraise_type=imasig"
|
||||
"appraise_type=imasig|modsig"
|
||||
ret=$?
|
||||
[ $ret -eq 1 ] && log_info "IMA signature required";
|
||||
if [ $ret -eq 1 ]; then
|
||||
log_info "IMA or appended(modsig) signature required"
|
||||
else
|
||||
check_ima_policy "appraise" "func=KEXEC_KERNEL_CHECK" \
|
||||
"appraise_type=imasig"
|
||||
ret=$?
|
||||
[ $ret -eq 1 ] && log_info "IMA signature required";
|
||||
fi
|
||||
fi
|
||||
return $ret
|
||||
}
|
||||
@ -84,6 +93,22 @@ check_for_imasig()
|
||||
return $ret
|
||||
}
|
||||
|
||||
# Return 1 for appended signature (modsig) found and 0 for not found.
|
||||
check_for_modsig()
|
||||
{
|
||||
local module_sig_string="~Module signature appended~"
|
||||
local sig="$(tail --bytes $((${#module_sig_string} + 1)) $KERNEL_IMAGE)"
|
||||
local ret=0
|
||||
|
||||
if [ "$sig" == "$module_sig_string" ]; then
|
||||
ret=1
|
||||
log_info "kexec kernel image modsig signed"
|
||||
else
|
||||
log_info "kexec kernel image not modsig signed"
|
||||
fi
|
||||
return $ret
|
||||
}
|
||||
|
||||
kexec_file_load_test()
|
||||
{
|
||||
local succeed_msg="kexec_file_load succeeded"
|
||||
@ -98,7 +123,8 @@ kexec_file_load_test()
|
||||
# In secureboot mode with an architecture specific
|
||||
# policy, make sure either an IMA or PE signature exists.
|
||||
if [ $secureboot -eq 1 ] && [ $arch_policy -eq 1 ] && \
|
||||
[ $ima_signed -eq 0 ] && [ $pe_signed -eq 0 ]; then
|
||||
[ $ima_signed -eq 0 ] && [ $pe_signed -eq 0 ] \
|
||||
&& [ $ima_modsig -eq 0 ]; then
|
||||
log_fail "$succeed_msg (missing sig)"
|
||||
fi
|
||||
|
||||
@ -107,7 +133,8 @@ kexec_file_load_test()
|
||||
log_fail "$succeed_msg (missing PE sig)"
|
||||
fi
|
||||
|
||||
if [ $ima_sig_required -eq 1 ] && [ $ima_signed -eq 0 ]; then
|
||||
if [ $ima_sig_required -eq 1 ] && [ $ima_signed -eq 0 ] \
|
||||
&& [ $ima_modsig -eq 0 ]; then
|
||||
log_fail "$succeed_msg (missing IMA sig)"
|
||||
fi
|
||||
|
||||
@ -204,5 +231,8 @@ pe_signed=$?
|
||||
check_for_imasig
|
||||
ima_signed=$?
|
||||
|
||||
check_for_modsig
|
||||
ima_modsig=$?
|
||||
|
||||
# Test loading the kernel image via kexec_file_load syscall
|
||||
kexec_file_load_test
|
||||
|
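Review bot: In kexec_file_load_test, the new `&& [ $ima_modsig -eq 0 ]` term in the "missing IMA sig" check lets an appended signature satisfy the requirement even when the only matching policy rule was the plain `appraise_type=imasig` one, because is_ima_sig_required returns 1 for both rule forms. If the kernel wrongly accepted a modsig-only image under an xattr-only rule, the test would not report it. Consider recording which rule matched, for example a flag initialised to 0 and set with `ima_modsig_allowed=1` in the first branch of is_ima_sig_required (the name is only a suggestion), and writing the check as `&& { [ $ima_modsig_allowed -eq 0 ] || [ $ima_modsig -eq 0 ]; }`. Separately, check_for_modsig compares only the trailing marker string, so its header comment should add `# Detects the modsig marker only; the signature itself is not verified here.` The body of kexec_file_load_test continues outside the visible hunks.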