c07d2475f9
Commit b433a52aa2
("selftests/kexec: update get_secureboot_mode")
refactored the code that discovers the EFI secure boot mode so it only
depends on either the efivars pseudo filesystem or the efivars sysfs
interface, but never both.
However, the latter version was not implemented correctly, given the
fact that the local 'efi_vars' variable never assumes a value. This
means the fallback has been dead code ever since it was introduced.
So let's drop the fallback altogether. The sysfs interface has been
deprecated for ~10 years now, and is only enabled on x86 to begin with,
so it is time to get rid of it entirely.
Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
220 lines
5.2 KiB
Bash
Executable File
220 lines
5.2 KiB
Bash
Executable File
#!/bin/sh
|
|
# SPDX-License-Identifier: GPL-2.0
|
|
#
|
|
# Kselftest framework defines: ksft_pass=0, ksft_fail=1, ksft_skip=4
|
|
|
|
VERBOSE="${VERBOSE:-1}"
|
|
IKCONFIG="/tmp/config-`uname -r`"
|
|
KERNEL_IMAGE="/boot/vmlinuz-`uname -r`"
|
|
SECURITYFS=$(grep "securityfs" /proc/mounts | awk '{print $2}')
|
|
|
|
log_info()
|
|
{
|
|
[ $VERBOSE -ne 0 ] && echo "[INFO] $1"
|
|
}
|
|
|
|
# The ksefltest framework requirement returns 0 for PASS.
|
|
log_pass()
|
|
{
|
|
[ $VERBOSE -ne 0 ] && echo "$1 [PASS]"
|
|
exit 0
|
|
}
|
|
|
|
# The ksefltest framework requirement returns 1 for FAIL.
|
|
log_fail()
|
|
{
|
|
[ $VERBOSE -ne 0 ] && echo "$1 [FAIL]"
|
|
exit 1
|
|
}
|
|
|
|
# The ksefltest framework requirement returns 4 for SKIP.
|
|
log_skip()
|
|
{
|
|
[ $VERBOSE -ne 0 ] && echo "$1"
|
|
exit 4
|
|
}
|
|
|
|
# Check efivar SecureBoot-$(the UUID) and SetupMode-$(the UUID).
|
|
# (Based on kdump-lib.sh)
|
|
get_efivarfs_secureboot_mode()
|
|
{
|
|
local efivarfs="/sys/firmware/efi/efivars"
|
|
local secure_boot_file=""
|
|
local setup_mode_file=""
|
|
local secureboot_mode=0
|
|
local setup_mode=0
|
|
|
|
# Make sure that efivar_fs is mounted in the normal location
|
|
if ! grep -q "^\S\+ $efivarfs efivarfs" /proc/mounts; then
|
|
log_info "efivars is not mounted on $efivarfs"
|
|
return 0;
|
|
fi
|
|
secure_boot_file=$(find "$efivarfs" -name SecureBoot-* 2>/dev/null)
|
|
setup_mode_file=$(find "$efivarfs" -name SetupMode-* 2>/dev/null)
|
|
if [ -f "$secure_boot_file" ] && [ -f "$setup_mode_file" ]; then
|
|
secureboot_mode=$(hexdump -v -e '/1 "%d\ "' \
|
|
"$secure_boot_file"|cut -d' ' -f 5)
|
|
setup_mode=$(hexdump -v -e '/1 "%d\ "' \
|
|
"$setup_mode_file"|cut -d' ' -f 5)
|
|
|
|
if [ $secureboot_mode -eq 1 ] && [ $setup_mode -eq 0 ]; then
|
|
log_info "secure boot mode enabled (CONFIG_EFIVAR_FS)"
|
|
return 1;
|
|
fi
|
|
fi
|
|
return 0;
|
|
}
|
|
|
|
# On powerpc platform, check device-tree property
|
|
# /proc/device-tree/ibm,secureboot/os-secureboot-enforcing
|
|
# to detect secureboot state.
|
|
get_ppc64_secureboot_mode()
|
|
{
|
|
local secure_boot_file="/proc/device-tree/ibm,secureboot/os-secureboot-enforcing"
|
|
# Check for secure boot file existence
|
|
if [ -f $secure_boot_file ]; then
|
|
log_info "Secureboot is enabled (Device tree)"
|
|
return 1;
|
|
fi
|
|
log_info "Secureboot is not enabled (Device tree)"
|
|
return 0;
|
|
}
|
|
|
|
# Return the architecture of the system
|
|
get_arch()
|
|
{
|
|
echo $(arch)
|
|
}
|
|
|
|
# Check efivar SecureBoot-$(the UUID) and SetupMode-$(the UUID).
|
|
# The secure boot mode can be accessed as the last integer of
|
|
# "od -An -t u1 /sys/firmware/efi/efivars/SecureBoot-*". The efi
|
|
# SetupMode can be similarly accessed.
|
|
# Return 1 for SecureBoot mode enabled and SetupMode mode disabled.
|
|
get_secureboot_mode()
|
|
{
|
|
local secureboot_mode=0
|
|
local system_arch=$(get_arch)
|
|
|
|
if [ "$system_arch" == "ppc64le" ]; then
|
|
get_ppc64_secureboot_mode
|
|
secureboot_mode=$?
|
|
else
|
|
get_efivarfs_secureboot_mode
|
|
secureboot_mode=$?
|
|
fi
|
|
|
|
if [ $secureboot_mode -eq 0 ]; then
|
|
log_info "secure boot mode not enabled"
|
|
fi
|
|
return $secureboot_mode;
|
|
}
|
|
|
|
require_root_privileges()
|
|
{
|
|
if [ $(id -ru) -ne 0 ]; then
|
|
log_skip "requires root privileges"
|
|
fi
|
|
}
|
|
|
|
# Look for config option in Kconfig file.
|
|
# Return 1 for found and 0 for not found.
|
|
kconfig_enabled()
|
|
{
|
|
local config="$1"
|
|
local msg="$2"
|
|
|
|
grep -E -q $config $IKCONFIG
|
|
if [ $? -eq 0 ]; then
|
|
log_info "$msg"
|
|
return 1
|
|
fi
|
|
return 0
|
|
}
|
|
|
|
# Attempt to get the kernel config first by checking the modules directory
|
|
# then via proc, and finally by extracting it from the kernel image or the
|
|
# configs.ko using scripts/extract-ikconfig.
|
|
# Return 1 for found.
|
|
get_kconfig()
|
|
{
|
|
local proc_config="/proc/config.gz"
|
|
local module_dir="/lib/modules/`uname -r`"
|
|
local configs_module="$module_dir/kernel/kernel/configs.ko*"
|
|
|
|
if [ -f $module_dir/config ]; then
|
|
IKCONFIG=$module_dir/config
|
|
return 1
|
|
fi
|
|
|
|
if [ ! -f $proc_config ]; then
|
|
modprobe configs > /dev/null 2>&1
|
|
fi
|
|
if [ -f $proc_config ]; then
|
|
cat $proc_config | gunzip > $IKCONFIG 2>/dev/null
|
|
if [ $? -eq 0 ]; then
|
|
return 1
|
|
fi
|
|
fi
|
|
|
|
local extract_ikconfig="$module_dir/source/scripts/extract-ikconfig"
|
|
if [ ! -f $extract_ikconfig ]; then
|
|
log_skip "extract-ikconfig not found"
|
|
fi
|
|
|
|
$extract_ikconfig $KERNEL_IMAGE > $IKCONFIG 2>/dev/null
|
|
if [ $? -eq 1 ]; then
|
|
if [ ! -f $configs_module ]; then
|
|
log_skip "CONFIG_IKCONFIG not enabled"
|
|
fi
|
|
$extract_ikconfig $configs_module > $IKCONFIG
|
|
if [ $? -eq 1 ]; then
|
|
log_skip "CONFIG_IKCONFIG not enabled"
|
|
fi
|
|
fi
|
|
return 1
|
|
}
|
|
|
|
# Make sure that securityfs is mounted
|
|
mount_securityfs()
|
|
{
|
|
if [ -z $SECURITYFS ]; then
|
|
SECURITYFS=/sys/kernel/security
|
|
mount -t securityfs security $SECURITYFS
|
|
fi
|
|
|
|
if [ ! -d "$SECURITYFS" ]; then
|
|
log_fail "$SECURITYFS :securityfs is not mounted"
|
|
fi
|
|
}
|
|
|
|
# The policy rule format is an "action" followed by key-value pairs. This
|
|
# function supports up to two key-value pairs, in any order.
|
|
# For example: action func=<keyword> [appraise_type=<type>]
|
|
# Return 1 for found and 0 for not found.
|
|
check_ima_policy()
|
|
{
|
|
local action="$1"
|
|
local keypair1="$2"
|
|
local keypair2="$3"
|
|
local ret=0
|
|
|
|
mount_securityfs
|
|
|
|
local ima_policy=$SECURITYFS/ima/policy
|
|
if [ ! -e $ima_policy ]; then
|
|
log_fail "$ima_policy not found"
|
|
fi
|
|
|
|
if [ -n $keypair2 ]; then
|
|
grep -e "^$action.*$keypair1" "$ima_policy" | \
|
|
grep -q -e "$keypair2"
|
|
else
|
|
grep -q -e "^$action.*$keypair1" "$ima_policy"
|
|
fi
|
|
|
|
# invert "grep -q" result, returning 1 for found.
|
|
[ $? -eq 0 ] && ret=1
|
|
return $ret
|
|
}
|