Date: Fri, 22 Mar 2019 15:35:51 -0400 From: Mimi Zohar <zohar@...ux.ibm.com> To: linux-integrity@...r.kernel.org Cc: linux-kselftest@...r.kernel.org, kexec@...ts.infradead.org, linux-kernel@...r.kernel.org, Petr Vorel <pvorel@...e.cz>, Dave Young <dyoung@...hat.com>, Matthew Garrett <mjg59@...gle.com>, Mimi Zohar <zohar@...ux.ibm.com> Subject: [PATCH v4a 2/2] selftests/kexec: testing CONFIG_KEXEC_BZIMAGE_VERIFY_SIG is not enough Add support for CONFIG_KEXEC_VERIFY_SIG being enabled, but not CONFIG_KEXEC_BZIMAGE_VERIFY_SIG. Signed-off-by: Mimi Zohar <zohar@...ux.ibm.com> --- tools/testing/selftests/kexec/test_kexec_file_load.sh | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/tools/testing/selftests/kexec/test_kexec_file_load.sh b/tools/testing/selftests/kexec/test_kexec_file_load.sh index 57b636792086..fa7c24e8eefb 100755 --- a/tools/testing/selftests/kexec/test_kexec_file_load.sh +++ b/tools/testing/selftests/kexec/test_kexec_file_load.sh @@ -102,7 +102,8 @@ kexec_file_load_test() log_fail "$succeed_msg (missing sig)" fi - if [ $pe_sig_required -eq 1 ] && [ $pe_signed -eq 0 ]; then + if [ $kexec_sig_required -eq 1 -o $pe_sig_required -eq 1 ] \ + && [ $pe_signed -eq 0 ]; then log_fail "$succeed_msg (missing PE sig)" fi @@ -137,7 +138,8 @@ kexec_file_load_test() fi fi - if [ $pe_sig_required -eq 1 ] && [ $pe_signed -eq 0 ]; then + if [ $kexec_sig_required -eq 1 -o $pe_sig_required -eq 1 ] \ + && [ $pe_signed -eq 0 ]; then log_pass "$failed_msg (missing PE sig)" fi @@ -181,6 +183,10 @@ platform_keyring=$? kconfig_enabled "CONFIG_IMA_READ_POLICY=y" "reading IMA policy permitted" ima_read_policy=$? +kconfig_enabled "CONFIG_KEXEC_SIG_FORCE=y" \ + "kexec signed kernel image required" +kexec_sig_required=$? + kconfig_enabled "CONFIG_KEXEC_BZIMAGE_VERIFY_SIG=y" \ "PE signed kernel image required" pe_sig_required=$? -- 2.7.5
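Review bot: In the first hunk (@@ -102,7 +102,8 @@), the new test `[ $kexec_sig_required -eq 1 -o $pe_sig_required -eq 1 ]` relies on the `-o` operator inside `[ ]`, which POSIX marks as obsolescent, and it leaves both variables unquoted. Suggest writing it as `{ [ "$kexec_sig_required" -eq 1 ] || [ "$pe_sig_required" -eq 1 ]; } && [ "$pe_signed" -eq 0 ]`. The message "(missing PE sig)" is also now logged when only the generic kexec requirement is set, so it may be worth having the text say which option demanded the signature.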
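Review bot: The second hunk (@@ -137,7 +138,8 @@) repeats the exact compound condition from the first hunk, so the success path (log_fail) and the failure path (log_pass) can drift apart on the next change. Consider computing one flag right after the kconfig_enabled checks, set when either kexec_sig_required or pe_sig_required is 1, and testing that single flag together with pe_signed in both places.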
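Review bot: In the third hunk (@@ -181,6 +183,10 @@), kexec_sig_required is derived from "CONFIG_KEXEC_SIG_FORCE=y", while the commit message says the patch adds support for CONFIG_KEXEC_VERIFY_SIG being enabled without CONFIG_KEXEC_BZIMAGE_VERIFY_SIG. One of the two needs to change: either check CONFIG_KEXEC_VERIFY_SIG=y here, or update the changelog to explain why CONFIG_KEXEC_SIG_FORCE is the option being tested. As posted, a kernel built with only the option named in the changelog would leave kexec_sig_required at its "not enabled" value and the new branches in the first two hunks would not be exercised.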