1#!/bin/sh
  2# SPDX-License-Identifier: GPL-2.0
  3#
  4# Kselftest framework defines: ksft_pass=0, ksft_fail=1, ksft_skip=4
  5
  6VERBOSE="${VERBOSE:-1}"
  7IKCONFIG="/tmp/config-`uname -r`"
  8KERNEL_IMAGE="/boot/vmlinuz-`uname -r`"
  9SECURITYFS=$(grep "securityfs" /proc/mounts | awk '{print $2}')
 10
 11log_info()
 12{
 13	[ $VERBOSE -ne 0 ] && echo "[INFO] $1"
 14}
 15
 16# The ksefltest framework requirement returns 0 for PASS.
 17log_pass()
 18{
 19	[ $VERBOSE -ne 0 ] && echo "$1 [PASS]"
 20	exit 0
 21}
 22
 23# The ksefltest framework requirement returns 1 for FAIL.
 24log_fail()
 25{
 26	[ $VERBOSE -ne 0 ] && echo "$1 [FAIL]"
 27	exit 1
 28}
 29
 30# The ksefltest framework requirement returns 4 for SKIP.
 31log_skip()
 32{
 33	[ $VERBOSE -ne 0 ] && echo "$1"
 34	exit 4
 35}
 36
 37# Check efivar SecureBoot-$(the UUID) and SetupMode-$(the UUID).
 38# (Based on kdump-lib.sh)
 39get_efivarfs_secureboot_mode()
 40{
 41	local efivarfs="/sys/firmware/efi/efivars"
 42	local secure_boot_file=""
 43	local setup_mode_file=""
 44	local secureboot_mode=0
 45	local setup_mode=0
 46
 47	# Make sure that efivar_fs is mounted in the normal location
 48	if ! grep -q "^\S\+ $efivarfs efivarfs" /proc/mounts; then
 49		log_info "efivars is not mounted on $efivarfs"
 50		return 0;
 51	fi
 52	secure_boot_file=$(find "$efivarfs" -name SecureBoot-* 2>/dev/null)
 53	setup_mode_file=$(find "$efivarfs" -name SetupMode-* 2>/dev/null)
 54	if [ -f "$secure_boot_file" ] && [ -f "$setup_mode_file" ]; then
 55		secureboot_mode=$(hexdump -v -e '/1 "%d\ "' \
 56			"$secure_boot_file"|cut -d' ' -f 5)
 57		setup_mode=$(hexdump -v -e '/1 "%d\ "' \
 58			"$setup_mode_file"|cut -d' ' -f 5)
 59
 60		if [ $secureboot_mode -eq 1 ] && [ $setup_mode -eq 0 ]; then
 61			log_info "secure boot mode enabled (CONFIG_EFIVAR_FS)"
 62			return 1;
 63		fi
 64	fi
 65	return 0;
 66}
 67
 68# On powerpc platform, check device-tree property
 69# /proc/device-tree/ibm,secureboot/os-secureboot-enforcing
 70# to detect secureboot state.
 71get_ppc64_secureboot_mode()
 72{
 73	local secure_boot_file="/proc/device-tree/ibm,secureboot/os-secureboot-enforcing"
 74	# Check for secure boot file existence
 75	if [ -f $secure_boot_file ]; then
 76		log_info "Secureboot is enabled (Device tree)"
 77		return 1;
 78	fi
 79	log_info "Secureboot is not enabled (Device tree)"
 80	return 0;
 81}
 82
 83# Return the architecture of the system
 84get_arch()
 85{
 86	echo $(arch)
 87}
 88
 89# Check efivar SecureBoot-$(the UUID) and SetupMode-$(the UUID).
 90# The secure boot mode can be accessed as the last integer of
 91# "od -An -t u1 /sys/firmware/efi/efivars/SecureBoot-*".  The efi
 92# SetupMode can be similarly accessed.
 93# Return 1 for SecureBoot mode enabled and SetupMode mode disabled.
 94get_secureboot_mode()
 95{
 96	local secureboot_mode=0
 97	local system_arch=$(get_arch)
 98
 99	if [ "$system_arch" == "ppc64le" ]; then
100		get_ppc64_secureboot_mode
101		secureboot_mode=$?
102	else
103		get_efivarfs_secureboot_mode
104		secureboot_mode=$?
105	fi
106
107	if [ $secureboot_mode -eq 0 ]; then
108		log_info "secure boot mode not enabled"
109	fi
110	return $secureboot_mode;
111}
112
113require_root_privileges()
114{
115	if [ $(id -ru) -ne 0 ]; then
116		log_skip "requires root privileges"
117	fi
118}
119
120# Look for config option in Kconfig file.
121# Return 1 for found and 0 for not found.
122kconfig_enabled()
123{
124	local config="$1"
125	local msg="$2"
126
127	grep -E -q $config $IKCONFIG
128	if [ $? -eq 0 ]; then
129		log_info "$msg"
130		return 1
131	fi
132	return 0
133}
134
135# Attempt to get the kernel config first by checking the modules directory
136# then via proc, and finally by extracting it from the kernel image or the
137# configs.ko using scripts/extract-ikconfig.
138# Return 1 for found.
139get_kconfig()
140{
141	local proc_config="/proc/config.gz"
142	local module_dir="/lib/modules/`uname -r`"
143	local configs_module="$module_dir/kernel/kernel/configs.ko*"
144
145	if [ -f $module_dir/config ]; then
146		IKCONFIG=$module_dir/config
147		return 1
148	fi
149
150	if [ ! -f $proc_config ]; then
151		modprobe configs > /dev/null 2>&1
152	fi
153	if [ -f $proc_config ]; then
154		cat $proc_config | gunzip > $IKCONFIG 2>/dev/null
155		if [ $? -eq 0 ]; then
156			return 1
157		fi
158	fi
159
160	local extract_ikconfig="$module_dir/source/scripts/extract-ikconfig"
161	if [ ! -f $extract_ikconfig ]; then
162		log_skip "extract-ikconfig not found"
163	fi
164
165	$extract_ikconfig $KERNEL_IMAGE > $IKCONFIG 2>/dev/null
166	if [ $? -eq 1 ]; then
167		if [ ! -f $configs_module ]; then
168			log_skip "CONFIG_IKCONFIG not enabled"
169		fi
170		$extract_ikconfig $configs_module > $IKCONFIG
171		if [ $? -eq 1 ]; then
172			log_skip "CONFIG_IKCONFIG not enabled"
173		fi
174	fi
175	return 1
176}
177
178# Make sure that securityfs is mounted
179mount_securityfs()
180{
181	if [ -z $SECURITYFS ]; then
182		SECURITYFS=/sys/kernel/security
183		mount -t securityfs security $SECURITYFS
184	fi
185
186	if [ ! -d "$SECURITYFS" ]; then
187		log_fail "$SECURITYFS :securityfs is not mounted"
188	fi
189}
190
191# The policy rule format is an "action" followed by key-value pairs.  This
192# function supports up to two key-value pairs, in any order.
193# For example: action func=<keyword> [appraise_type=<type>]
194# Return 1 for found and 0 for not found.
195check_ima_policy()
196{
197	local action="$1"
198	local keypair1="$2"
199	local keypair2="$3"
200	local ret=0
201
202	mount_securityfs
203
204	local ima_policy=$SECURITYFS/ima/policy
205	if [ ! -e $ima_policy ]; then
206		log_fail "$ima_policy not found"
207	fi
208
209	if [ -n $keypair2 ]; then
210		grep -e "^$action.*$keypair1" "$ima_policy" | \
211			grep -q -e "$keypair2"
212	else
213		grep -q -e "^$action.*$keypair1" "$ima_policy"
214	fi
215
216	# invert "grep -q" result, returning 1 for found.
217	[ $? -eq 0 ] && ret=1
218	return $ret
219}