sefltest/ima: support appended signatures (modsig)

In addition to the PE/COFF and IMA xattr signatures, the kexec kernel
image can be signed with an appended signature, using the same
scripts/sign-file tool that is used to sign kernel modules.

This patch adds support for detecting a kernel image signed with an
appended signature and updates the existing test messages
appropriately.

Reviewed-by: Petr Vorel <pvorel@suse.cz>
Acked-by: Shuah Khan <skhan@linuxfoundation.org>
Reviewed-by: Thiago Jung Bauermann <bauerman@linux.ibm.com>
Reviewed-by: Jordan Hand <jorhand@linux.microsoft.com> (x86_64 QEMU)
Tested-by: Jordan Hand <jorhand@linux.microsoft.com> (x86_64 QEMU)
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>

1 files changed, 34 insertions, 4 deletions

diff --git a/tools/testing/selftests/kexec/test_kexec_file_load.sh b/tools/testing/selftests/kexec/test_kexec_file_load.sh
index fa7c24e8eefb..2ff600388c30 100755
--- a/tools/testing/selftests/kexec/test_kexec_file_load.sh
+++ b/tools/testing/selftests/kexec/test_kexec_file_load.sh
@@ -37,11 +37,20 @@ is_ima_sig_required()
         # sequentially.  As a result, a policy rule may be defined, but
         # might not necessarily be used.  This test assumes if a policy
         # rule is specified, that is the intent.
+
+        # First check for appended signature (modsig), then xattr
         if [ $ima_read_policy -eq 1 ]; then
                 check_ima_policy "appraise" "func=KEXEC_KERNEL_CHECK" \
-                        "appraise_type=imasig"
+                        "appraise_type=imasig|modsig"
                 ret=$?
-                [ $ret -eq 1 ] && log_info "IMA signature required";
+                if [ $ret -eq 1 ]; then
+                        log_info "IMA or appended(modsig) signature required"
+                else
+                        check_ima_policy "appraise" "func=KEXEC_KERNEL_CHECK" \
+                                "appraise_type=imasig"
+                        ret=$?
+                        [ $ret -eq 1 ] && log_info "IMA signature required";
+                fi
         fi
         return $ret
 }
@@ -84,6 +93,22 @@ check_for_imasig()
         return $ret
 }
 
+# Return 1 for appended signature (modsig) found and 0 for not found.
+check_for_modsig()
+{
+        local module_sig_string="~Module signature appended~"
+        local sig="$(tail --bytes $((${#module_sig_string} + 1)) $KERNEL_IMAGE)"
+        local ret=0
+
+        if [ "$sig" == "$module_sig_string" ]; then
+                ret=1
+                log_info "kexec kernel image modsig signed"
+        else
+                log_info "kexec kernel image not modsig signed"
+        fi
+        return $ret
+}
+
 kexec_file_load_test()
 {
         local succeed_msg="kexec_file_load succeeded"
@@ -98,7 +123,8 @@ kexec_file_load_test()
                 # In secureboot mode with an architecture  specific
                 # policy, make sure either an IMA or PE signature exists.
                 if [ $secureboot -eq 1 ] && [ $arch_policy -eq 1 ] && \
-                        [ $ima_signed -eq 0 ] && [ $pe_signed -eq 0 ]; then
+                        [ $ima_signed -eq 0 ] && [ $pe_signed -eq 0 ] \
+                          && [ $ima_modsig -eq 0 ]; then
                         log_fail "$succeed_msg (missing sig)"
                 fi
 
@@ -107,7 +133,8 @@ kexec_file_load_test()
                         log_fail "$succeed_msg (missing PE sig)"
                 fi
 
-                if [ $ima_sig_required -eq 1 ] && [ $ima_signed -eq 0 ]; then
+                if [ $ima_sig_required -eq 1 ] && [ $ima_signed -eq 0 ] \
+                     && [ $ima_modsig -eq 0 ]; then
                         log_fail "$succeed_msg (missing IMA sig)"
                 fi
 
@@ -204,5 +231,8 @@ pe_signed=$?
 check_for_imasig
 ima_signed=$?
 
+check_for_modsig
+ima_modsig=$?
+
 # Test loading the kernel image via kexec_file_load syscall
 kexec_file_load_test