Loading...
1#!/bin/sh
2# SPDX-License-Identifier: GPL-2.0
3#
4# Kselftest framework defines: ksft_pass=0, ksft_fail=1, ksft_skip=4
5
6VERBOSE="${VERBOSE:-1}"
7IKCONFIG="/tmp/config-`uname -r`"
8KERNEL_IMAGE="/boot/vmlinuz-`uname -r`"
9SECURITYFS=$(grep "securityfs" /proc/mounts | awk '{print $2}')
10
11log_info()
12{
13 [ $VERBOSE -ne 0 ] && echo "[INFO] $1"
14}
15
16# The ksefltest framework requirement returns 0 for PASS.
17log_pass()
18{
19 [ $VERBOSE -ne 0 ] && echo "$1 [PASS]"
20 exit 0
21}
22
23# The ksefltest framework requirement returns 1 for FAIL.
24log_fail()
25{
26 [ $VERBOSE -ne 0 ] && echo "$1 [FAIL]"
27 exit 1
28}
29
30# The ksefltest framework requirement returns 4 for SKIP.
31log_skip()
32{
33 [ $VERBOSE -ne 0 ] && echo "$1"
34 exit 4
35}
36
37# Check efivar SecureBoot-$(the UUID) and SetupMode-$(the UUID).
38# (Based on kdump-lib.sh)
39get_efivarfs_secureboot_mode()
40{
41 local efivarfs="/sys/firmware/efi/efivars"
42 local secure_boot_file=""
43 local setup_mode_file=""
44 local secureboot_mode=0
45 local setup_mode=0
46
47 # Make sure that efivar_fs is mounted in the normal location
48 if ! grep -q "^\S\+ $efivarfs efivarfs" /proc/mounts; then
49 log_info "efivars is not mounted on $efivarfs"
50 return 0;
51 fi
52 secure_boot_file=$(find "$efivarfs" -name SecureBoot-* 2>/dev/null)
53 setup_mode_file=$(find "$efivarfs" -name SetupMode-* 2>/dev/null)
54 if [ -f "$secure_boot_file" ] && [ -f "$setup_mode_file" ]; then
55 secureboot_mode=$(hexdump -v -e '/1 "%d\ "' \
56 "$secure_boot_file"|cut -d' ' -f 5)
57 setup_mode=$(hexdump -v -e '/1 "%d\ "' \
58 "$setup_mode_file"|cut -d' ' -f 5)
59
60 if [ $secureboot_mode -eq 1 ] && [ $setup_mode -eq 0 ]; then
61 log_info "secure boot mode enabled (CONFIG_EFIVAR_FS)"
62 return 1;
63 fi
64 fi
65 return 0;
66}
67
68# On powerpc platform, check device-tree property
69# /proc/device-tree/ibm,secureboot/os-secureboot-enforcing
70# to detect secureboot state.
71get_ppc64_secureboot_mode()
72{
73 local secure_boot_file="/proc/device-tree/ibm,secureboot/os-secureboot-enforcing"
74 # Check for secure boot file existence
75 if [ -f $secure_boot_file ]; then
76 log_info "Secureboot is enabled (Device tree)"
77 return 1;
78 fi
79 log_info "Secureboot is not enabled (Device tree)"
80 return 0;
81}
82
83# Return the architecture of the system
84get_arch()
85{
86 echo $(arch)
87}
88
89# Check efivar SecureBoot-$(the UUID) and SetupMode-$(the UUID).
90# The secure boot mode can be accessed as the last integer of
91# "od -An -t u1 /sys/firmware/efi/efivars/SecureBoot-*". The efi
92# SetupMode can be similarly accessed.
93# Return 1 for SecureBoot mode enabled and SetupMode mode disabled.
94get_secureboot_mode()
95{
96 local secureboot_mode=0
97 local system_arch=$(get_arch)
98
99 if [ "$system_arch" == "ppc64le" ]; then
100 get_ppc64_secureboot_mode
101 secureboot_mode=$?
102 else
103 get_efivarfs_secureboot_mode
104 secureboot_mode=$?
105 fi
106
107 if [ $secureboot_mode -eq 0 ]; then
108 log_info "secure boot mode not enabled"
109 fi
110 return $secureboot_mode;
111}
112
113require_root_privileges()
114{
115 if [ $(id -ru) -ne 0 ]; then
116 log_skip "requires root privileges"
117 fi
118}
119
120# Look for config option in Kconfig file.
121# Return 1 for found and 0 for not found.
122kconfig_enabled()
123{
124 local config="$1"
125 local msg="$2"
126
127 grep -E -q $config $IKCONFIG
128 if [ $? -eq 0 ]; then
129 log_info "$msg"
130 return 1
131 fi
132 return 0
133}
134
135# Attempt to get the kernel config first by checking the modules directory
136# then via proc, and finally by extracting it from the kernel image or the
137# configs.ko using scripts/extract-ikconfig.
138# Return 1 for found.
139get_kconfig()
140{
141 local proc_config="/proc/config.gz"
142 local module_dir="/lib/modules/`uname -r`"
143 local configs_module="$module_dir/kernel/kernel/configs.ko*"
144
145 if [ -f $module_dir/config ]; then
146 IKCONFIG=$module_dir/config
147 return 1
148 fi
149
150 if [ ! -f $proc_config ]; then
151 modprobe configs > /dev/null 2>&1
152 fi
153 if [ -f $proc_config ]; then
154 cat $proc_config | gunzip > $IKCONFIG 2>/dev/null
155 if [ $? -eq 0 ]; then
156 return 1
157 fi
158 fi
159
160 local extract_ikconfig="$module_dir/source/scripts/extract-ikconfig"
161 if [ ! -f $extract_ikconfig ]; then
162 log_skip "extract-ikconfig not found"
163 fi
164
165 $extract_ikconfig $KERNEL_IMAGE > $IKCONFIG 2>/dev/null
166 if [ $? -eq 1 ]; then
167 if [ ! -f $configs_module ]; then
168 log_skip "CONFIG_IKCONFIG not enabled"
169 fi
170 $extract_ikconfig $configs_module > $IKCONFIG
171 if [ $? -eq 1 ]; then
172 log_skip "CONFIG_IKCONFIG not enabled"
173 fi
174 fi
175 return 1
176}
177
178# Make sure that securityfs is mounted
179mount_securityfs()
180{
181 if [ -z $SECURITYFS ]; then
182 SECURITYFS=/sys/kernel/security
183 mount -t securityfs security $SECURITYFS
184 fi
185
186 if [ ! -d "$SECURITYFS" ]; then
187 log_fail "$SECURITYFS :securityfs is not mounted"
188 fi
189}
190
191# The policy rule format is an "action" followed by key-value pairs. This
192# function supports up to two key-value pairs, in any order.
193# For example: action func=<keyword> [appraise_type=<type>]
194# Return 1 for found and 0 for not found.
195check_ima_policy()
196{
197 local action="$1"
198 local keypair1="$2"
199 local keypair2="$3"
200 local ret=0
201
202 mount_securityfs
203
204 local ima_policy=$SECURITYFS/ima/policy
205 if [ ! -e $ima_policy ]; then
206 log_fail "$ima_policy not found"
207 fi
208
209 if [ -n $keypair2 ]; then
210 grep -e "^$action.*$keypair1" "$ima_policy" | \
211 grep -q -e "$keypair2"
212 else
213 grep -q -e "^$action.*$keypair1" "$ima_policy"
214 fi
215
216 # invert "grep -q" result, returning 1 for found.
217 [ $? -eq 0 ] && ret=1
218 return $ret
219}
1#!/bin/sh
2# SPDX-License-Identifier: GPL-2.0
3#
4# Kselftest framework defines: ksft_pass=0, ksft_fail=1, ksft_skip=4
5
6VERBOSE="${VERBOSE:-1}"
7IKCONFIG="/tmp/config-`uname -r`"
8KERNEL_IMAGE="/boot/vmlinuz-`uname -r`"
9SECURITYFS=$(grep "securityfs" /proc/mounts | awk '{print $2}')
10
11log_info()
12{
13 [ $VERBOSE -ne 0 ] && echo "[INFO] $1"
14}
15
16# The ksefltest framework requirement returns 0 for PASS.
17log_pass()
18{
19 [ $VERBOSE -ne 0 ] && echo "$1 [PASS]"
20 exit 0
21}
22
23# The ksefltest framework requirement returns 1 for FAIL.
24log_fail()
25{
26 [ $VERBOSE -ne 0 ] && echo "$1 [FAIL]"
27 exit 1
28}
29
30# The ksefltest framework requirement returns 4 for SKIP.
31log_skip()
32{
33 [ $VERBOSE -ne 0 ] && echo "$1"
34 exit 4
35}
36
37# Check efivar SecureBoot-$(the UUID) and SetupMode-$(the UUID).
38# (Based on kdump-lib.sh)
39get_efivarfs_secureboot_mode()
40{
41 local efivarfs="/sys/firmware/efi/efivars"
42 local secure_boot_file=""
43 local setup_mode_file=""
44 local secureboot_mode=0
45 local setup_mode=0
46
47 # Make sure that efivar_fs is mounted in the normal location
48 if ! grep -q "^\S\+ $efivarfs efivarfs" /proc/mounts; then
49 log_info "efivars is not mounted on $efivarfs"
50 return 0;
51 fi
52 secure_boot_file=$(find "$efivarfs" -name SecureBoot-* 2>/dev/null)
53 setup_mode_file=$(find "$efivarfs" -name SetupMode-* 2>/dev/null)
54 if [ -f "$secure_boot_file" ] && [ -f "$setup_mode_file" ]; then
55 secureboot_mode=$(hexdump -v -e '/1 "%d\ "' \
56 "$secure_boot_file"|cut -d' ' -f 5)
57 setup_mode=$(hexdump -v -e '/1 "%d\ "' \
58 "$setup_mode_file"|cut -d' ' -f 5)
59
60 if [ $secureboot_mode -eq 1 ] && [ $setup_mode -eq 0 ]; then
61 log_info "secure boot mode enabled (CONFIG_EFIVAR_FS)"
62 return 1;
63 fi
64 fi
65 return 0;
66}
67
68get_efi_var_secureboot_mode()
69{
70 local efi_vars
71 local secure_boot_file
72 local setup_mode_file
73 local secureboot_mode
74 local setup_mode
75
76 if [ ! -d "$efi_vars" ]; then
77 log_skip "efi_vars is not enabled\n"
78 fi
79 secure_boot_file=$(find "$efi_vars" -name SecureBoot-* 2>/dev/null)
80 setup_mode_file=$(find "$efi_vars" -name SetupMode-* 2>/dev/null)
81 if [ -f "$secure_boot_file/data" ] && \
82 [ -f "$setup_mode_file/data" ]; then
83 secureboot_mode=`od -An -t u1 "$secure_boot_file/data"`
84 setup_mode=`od -An -t u1 "$setup_mode_file/data"`
85
86 if [ $secureboot_mode -eq 1 ] && [ $setup_mode -eq 0 ]; then
87 log_info "secure boot mode enabled (CONFIG_EFI_VARS)"
88 return 1;
89 fi
90 fi
91 return 0;
92}
93
94# Check efivar SecureBoot-$(the UUID) and SetupMode-$(the UUID).
95# The secure boot mode can be accessed either as the last integer
96# of "od -An -t u1 /sys/firmware/efi/efivars/SecureBoot-*" or from
97# "od -An -t u1 /sys/firmware/efi/vars/SecureBoot-*/data". The efi
98# SetupMode can be similarly accessed.
99# Return 1 for SecureBoot mode enabled and SetupMode mode disabled.
100get_secureboot_mode()
101{
102 local secureboot_mode=0
103
104 get_efivarfs_secureboot_mode
105 secureboot_mode=$?
106
107 # fallback to using the efi_var files
108 if [ $secureboot_mode -eq 0 ]; then
109 get_efi_var_secureboot_mode
110 secureboot_mode=$?
111 fi
112
113 if [ $secureboot_mode -eq 0 ]; then
114 log_info "secure boot mode not enabled"
115 fi
116 return $secureboot_mode;
117}
118
119require_root_privileges()
120{
121 if [ $(id -ru) -ne 0 ]; then
122 log_skip "requires root privileges"
123 fi
124}
125
126# Look for config option in Kconfig file.
127# Return 1 for found and 0 for not found.
128kconfig_enabled()
129{
130 local config="$1"
131 local msg="$2"
132
133 grep -E -q $config $IKCONFIG
134 if [ $? -eq 0 ]; then
135 log_info "$msg"
136 return 1
137 fi
138 return 0
139}
140
141# Attempt to get the kernel config first via proc, and then by
142# extracting it from the kernel image or the configs.ko using
143# scripts/extract-ikconfig.
144# Return 1 for found.
145get_kconfig()
146{
147 local proc_config="/proc/config.gz"
148 local module_dir="/lib/modules/`uname -r`"
149 local configs_module="$module_dir/kernel/kernel/configs.ko"
150
151 if [ ! -f $proc_config ]; then
152 modprobe configs > /dev/null 2>&1
153 fi
154 if [ -f $proc_config ]; then
155 cat $proc_config | gunzip > $IKCONFIG 2>/dev/null
156 if [ $? -eq 0 ]; then
157 return 1
158 fi
159 fi
160
161 local extract_ikconfig="$module_dir/source/scripts/extract-ikconfig"
162 if [ ! -f $extract_ikconfig ]; then
163 log_skip "extract-ikconfig not found"
164 fi
165
166 $extract_ikconfig $KERNEL_IMAGE > $IKCONFIG 2>/dev/null
167 if [ $? -eq 1 ]; then
168 if [ ! -f $configs_module ]; then
169 log_skip "CONFIG_IKCONFIG not enabled"
170 fi
171 $extract_ikconfig $configs_module > $IKCONFIG
172 if [ $? -eq 1 ]; then
173 log_skip "CONFIG_IKCONFIG not enabled"
174 fi
175 fi
176 return 1
177}
178
179# Make sure that securityfs is mounted
180mount_securityfs()
181{
182 if [ -z $SECURITYFS ]; then
183 SECURITYFS=/sys/kernel/security
184 mount -t securityfs security $SECURITYFS
185 fi
186
187 if [ ! -d "$SECURITYFS" ]; then
188 log_fail "$SECURITYFS :securityfs is not mounted"
189 fi
190}
191
192# The policy rule format is an "action" followed by key-value pairs. This
193# function supports up to two key-value pairs, in any order.
194# For example: action func=<keyword> [appraise_type=<type>]
195# Return 1 for found and 0 for not found.
196check_ima_policy()
197{
198 local action="$1"
199 local keypair1="$2"
200 local keypair2="$3"
201 local ret=0
202
203 mount_securityfs
204
205 local ima_policy=$SECURITYFS/ima/policy
206 if [ ! -e $ima_policy ]; then
207 log_fail "$ima_policy not found"
208 fi
209
210 if [ -n $keypair2 ]; then
211 grep -e "^$action.*$keypair1" "$ima_policy" | \
212 grep -q -e "$keypair2"
213 else
214 grep -q -e "^$action.*$keypair1" "$ima_policy"
215 fi
216
217 # invert "grep -q" result, returning 1 for found.
218 [ $? -eq 0 ] && ret=1
219 return $ret
220}