| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 11 Mar 2019 07:41:08 -0400
From: Mimi Zohar <zohar@...ux.ibm.com>
To: linux-integrity@...r.kernel.org
Cc: linux-kselftest@...r.kernel.org, kexec@...ts.infradead.org,
linux-kernel@...r.kernel.org, Petr Vorel <pvorel@...e.cz>,
Dave Young <dyoung@...hat.com>,
Matthew Garrett <mjg59@...gle.com>,
Mimi Zohar <zohar@...ux.ibm.com>
Subject: [PATCH v3 2/7] selftests/ima: define a set of common functions
Define, update and move get_secureboot_mode() to a common file for use
by other tests.
Updated to check both the efivar SecureBoot-$(UUID) and
SetupMode-$(UUID), based on Dave Young's review.
Signed-off-by: Mimi Zohar <zohar@...ux.ibm.com>
Reviewed-by: Petr Vorel <pvorel@...e.cz>
Cc: Dave Young <dyoung@...hat.com>
---
tools/testing/selftests/ima/Makefile | 1 +
tools/testing/selftests/ima/ima_common_lib.sh | 36 ++++++++++++++++++++++++++
tools/testing/selftests/ima/test_kexec_load.sh | 17 +++---------
3 files changed, 40 insertions(+), 14 deletions(-)
create mode 100755 tools/testing/selftests/ima/ima_common_lib.sh
diff --git a/tools/testing/selftests/ima/Makefile b/tools/testing/selftests/ima/Makefile
index 0b3adf5444b6..04501516831b 100644
--- a/tools/testing/selftests/ima/Makefile
+++ b/tools/testing/selftests/ima/Makefile
@@ -5,6 +5,7 @@ ARCH ?= $(shell echo $(uname_M) | sed -e s/i.86/x86/ -e s/x86_64/x86/)
ifeq ($(ARCH),x86)
TEST_PROGS := test_kexec_load.sh
+TEST_FILES := ima_common_lib.sh
include ../lib.mk
diff --git a/tools/testing/selftests/ima/ima_common_lib.sh b/tools/testing/selftests/ima/ima_common_lib.sh
new file mode 100755
index 000000000000..403666247b10
--- /dev/null
+++ b/tools/testing/selftests/ima/ima_common_lib.sh
@@ -0,0 +1,36 @@
+#!/bin/sh
+# SPDX-License-Identifier: GPL-2.0
+
+# Check efivar SecureBoot-$(the UUID) and SetupMode-$(the UUID).
+# The secure boot mode can be accessed either as the last integer
+# of "od -An -t u1 /sys/firmware/efi/efivars/SecureBoot-*" or from
+# "od -An -t u1 /sys/firmware/efi/vars/SecureBoot-*/data". The efi
+# SetupMode can be similarly accessed.
+# Return 1 for SecureBoot mode enabled and SetupMode mode disabled.
+get_secureboot_mode()
+{
+ local efivarfs="/sys/firmware/efi/efivars"
+ local secure_boot_file=$efivarfs/../vars/SecureBoot-*/data
+ local setup_mode_file=$efivarfs/../vars/SetupMode-*/data
+ local secureboot_mode=0
+ local setup_mode=0
+
+ # Make sure that efivars is mounted in the normal location
+ if ! grep -q "^\S\+ $efivarfs efivarfs" /proc/mounts; then
+ log_skip "efivars is not mounted on $efivarfs"
+ fi
+
+ if [ ! -e $secure_boot_file ] || [ ! -e $setup_mode_file ]; then
+ log_skip "unknown secureboot/setup mode"
+ fi
+
+ secureboot_mode=`od -An -t u1 $secure_boot_file`
+ setup_mode=`od -An -t u1 $setup_mode_file`
+
+ if [ $secureboot_mode -eq 1 ] && [ $setup_mode -eq 0 ]; then
+ log_info "ima: secure boot mode enabled"
+ return 1;
+ fi
+ log_info "secure boot mode not enabled"
+ return 0;
+}
diff --git a/tools/testing/selftests/ima/test_kexec_load.sh b/tools/testing/selftests/ima/test_kexec_load.sh
index 36f3089ac225..e84139c1506b 100755
--- a/tools/testing/selftests/ima/test_kexec_load.sh
+++ b/tools/testing/selftests/ima/test_kexec_load.sh
@@ -5,7 +5,7 @@
# is booted in secureboot mode.
TEST="$0"
-EFIVARFS="/sys/firmware/efi/efivars"
+. ./ima_common_lib.sh
rc=0
# Kselftest framework requirement - SKIP code is 4.
@@ -17,19 +17,8 @@ if [ $(id -ru) -ne 0 ]; then
exit $ksft_skip
fi
-# Make sure that efivars is mounted in the normal location
-if ! grep -q "^\S\+ $EFIVARFS efivarfs" /proc/mounts; then
- echo "$TEST: efivars is not mounted on $EFIVARFS" >&2
- exit $ksft_skip
-fi
-
-# Get secureboot mode
-file="$EFIVARFS/SecureBoot-*"
-if [ ! -e $file ]; then
- echo "$TEST: unknown secureboot mode" >&2
- exit $ksft_skip
-fi
-secureboot=`hexdump $file | awk '{print substr($4,length($4),1)}'`
+get_secureboot_mode
+secureboot=$?
# kexec_load should fail in secure boot mode
KERNEL_IMAGE="/boot/vmlinuz-`uname -r`"
--
2.7.5
Powered by blists - more mailing lists