| author | Mimi Zohar <zohar@linux.ibm.com> | 2019-03-25 14:13:27 -0400 |
|---|---|---|
| committer | Shuah Khan <skhan@linuxfoundation.org> | 2019-04-17 17:32:40 -0400 |
| commit | 726ff75f294672d9accc57b2d5cc7e98e337d2c6 (patch) | |
| tree | 49c6e431f04d4366b97cff7d58853c9ebd7a464c /tools | |
| parent | 7cea0b9227dcfd632fea1ee6a89f279da64fdd9d (diff) | |
selftests/kexec: make kexec_load test independent of IMA being enabled
Verify IMA is enabled before failing tests or emitting irrelevant
messages.
Suggested-by: Dave Young <dyoung@redhat.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Reviewed-by: Dave Young <dyoung@redhat.com>
Reviewed-by: Petr Vorel <pvorel@suse.cz>
Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
Diffstat (limited to 'tools')
| -rwxr-xr-x | tools/testing/selftests/kexec/test_kexec_load.sh | 24 |
1 files changed, 16 insertions, 8 deletions
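--- a/tools/testing/selftests/kexec/test_kexec_load.sh
+++ b/tools/testing/selftests/kexec/test_kexec_load.sh
@@ -1,8 +1,8 @@
 #!/bin/sh
 # SPDX-License-Identifier: GPL-2.0
-# Loading a kernel image via the kexec_load syscall should fail
-# when the kernel is CONFIG_KEXEC_VERIFY_SIG enabled and the system
-# is booted in secureboot mode.
+#
+# Prevent loading a kernel image via the kexec_load syscall when
+# signatures are required. (Dependent on CONFIG_IMA_ARCH_POLICY.)
 
 TEST="$0"
 . ./kexec_common_lib.sh
@@ -18,20 +18,28 @@ if [ $? -eq 0 ]; then
 log_skip "kexec_load is not enabled"
 fi
 
+kconfig_enabled "CONFIG_IMA_APPRAISE=y" "IMA enabled"
+ima_appraise=$?
+
+kconfig_enabled "CONFIG_IMA_ARCH_POLICY=y" \
+"IMA architecture specific policy enabled"
+arch_policy=$?
+
 get_secureboot_mode
 secureboot=$?
 
-# kexec_load should fail in secure boot mode
+# kexec_load should fail in secure boot mode and CONFIG_IMA_ARCH_POLICY enabled
 kexec --load $KERNEL_IMAGE > /dev/null 2>&1
 if [ $? -eq 0 ]; then
 kexec --unload
-if [ $secureboot -eq 1 ]; then
+if [ $secureboot -eq 1 ] && [ $arch_policy -eq 1 ]; then
 log_fail "kexec_load succeeded"
-else
-log_pass "kexec_load succeeded"
+elif [ $ima_appraise -eq 0 -o $arch_policy -eq 0 ]; then
+log_info "Either IMA or the IMA arch policy is not enabled"
 fi
+log_pass "kexec_load succeeded"
 else
-if [ $secureboot -eq 1 ]; then
+if [ $secureboot -eq 1 ] && [ $arch_policy -eq 1 ] ; then
 log_pass "kexec_load failed"
 else
 log_fail "kexec_load failed"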
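Review bot: In the success branch, `log_pass "kexec_load succeeded"` now sits after the inner `fi` (new line 40), so the secure-boot-plus-arch-policy case is reported as a failure only if `log_fail` terminates the script. `kexec_common_lib.sh` is not shown here, so that is an assumption; if `log_fail` returned, a system that should have refused the load would log FAIL and then PASS. A comment such as `# log_fail exits; reached only when kexec_load is allowed to succeed` above that line would make the dependency explicit. The new `elif` also joins its tests with `-o` inside a single `[`, which POSIX marks obsolescent, while the line above chains two `[ ]` with `&&`; `elif [ $ima_appraise -eq 0 ] || [ $arch_policy -eq 0 ]; then` would be consistent. The outer `if`/`else` closes outside the hunk.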
