1#!/bin/sh 2# SPDX-License-Identifier: GPL-2.0 3# 4# Kselftest framework defines: ksft_pass=0, ksft_fail=1, ksft_skip=4 5 6VERBOSE="${VERBOSE:-1}" 7IKCONFIG="/tmp/config-`uname -r`" 8KERNEL_IMAGE="/boot/vmlinuz-`uname -r`" 9SECURITYFS=$(grep "securityfs" /proc/mounts | awk '{print $2}') 10 11log_info() 12{ 13 [ $VERBOSE -ne 0 ] && echo "[INFO] $1" 14} 15 16# The ksefltest framework requirement returns 0 for PASS. 17log_pass() 18{ 19 [ $VERBOSE -ne 0 ] && echo "$1 [PASS]" 20 exit 0 21} 22 23# The ksefltest framework requirement returns 1 for FAIL. 24log_fail() 25{ 26 [ $VERBOSE -ne 0 ] && echo "$1 [FAIL]" 27 exit 1 28} 29 30# The ksefltest framework requirement returns 4 for SKIP. 31log_skip() 32{ 33 [ $VERBOSE -ne 0 ] && echo "$1" 34 exit 4 35} 36 37# Check efivar SecureBoot-$(the UUID) and SetupMode-$(the UUID). 38# (Based on kdump-lib.sh) 39get_efivarfs_secureboot_mode() 40{ 41 local efivarfs="/sys/firmware/efi/efivars" 42 local secure_boot_file="" 43 local setup_mode_file="" 44 local secureboot_mode=0 45 local setup_mode=0 46 47 # Make sure that efivar_fs is mounted in the normal location 48 if ! grep -q "^\S\+ $efivarfs efivarfs" /proc/mounts; then 49 log_info "efivars is not mounted on $efivarfs" 50 return 0; 51 fi 52 secure_boot_file=$(find "$efivarfs" -name SecureBoot-* 2>/dev/null) 53 setup_mode_file=$(find "$efivarfs" -name SetupMode-* 2>/dev/null) 54 if [ -f "$secure_boot_file" ] && [ -f "$setup_mode_file" ]; then 55 secureboot_mode=$(hexdump -v -e '/1 "%d\ "' \ 56 "$secure_boot_file"|cut -d' ' -f 5) 57 setup_mode=$(hexdump -v -e '/1 "%d\ "' \ 58 "$setup_mode_file"|cut -d' ' -f 5) 59 60 if [ $secureboot_mode -eq 1 ] && [ $setup_mode -eq 0 ]; then 61 log_info "secure boot mode enabled (CONFIG_EFIVAR_FS)" 62 return 1; 63 fi 64 fi 65 return 0; 66} 67 68# On powerpc platform, check device-tree property 69# /proc/device-tree/ibm,secureboot/os-secureboot-enforcing 70# to detect secureboot state. 71get_ppc64_secureboot_mode() 72{ 73 local secure_boot_file="/proc/device-tree/ibm,secureboot/os-secureboot-enforcing" 74 # Check for secure boot file existence 75 if [ -f $secure_boot_file ]; then 76 log_info "Secureboot is enabled (Device tree)" 77 return 1; 78 fi 79 log_info "Secureboot is not enabled (Device tree)" 80 return 0; 81} 82 83# Return the architecture of the system 84get_arch() 85{ 86 echo $(arch) 87} 88 89# Check efivar SecureBoot-$(the UUID) and SetupMode-$(the UUID). 90# The secure boot mode can be accessed as the last integer of 91# "od -An -t u1 /sys/firmware/efi/efivars/SecureBoot-*". The efi 92# SetupMode can be similarly accessed. 93# Return 1 for SecureBoot mode enabled and SetupMode mode disabled. 94get_secureboot_mode() 95{ 96 local secureboot_mode=0 97 local system_arch=$(get_arch) 98 99 if [ "$system_arch" == "ppc64le" ]; then 100 get_ppc64_secureboot_mode 101 secureboot_mode=$? 102 else 103 get_efivarfs_secureboot_mode 104 secureboot_mode=$? 105 fi 106 107 if [ $secureboot_mode -eq 0 ]; then 108 log_info "secure boot mode not enabled" 109 fi 110 return $secureboot_mode; 111} 112 113require_root_privileges() 114{ 115 if [ $(id -ru) -ne 0 ]; then 116 log_skip "requires root privileges" 117 fi 118} 119 120# Look for config option in Kconfig file. 121# Return 1 for found and 0 for not found. 122kconfig_enabled() 123{ 124 local config="$1" 125 local msg="$2" 126 127 grep -E -q $config $IKCONFIG 128 if [ $? -eq 0 ]; then 129 log_info "$msg" 130 return 1 131 fi 132 return 0 133} 134 135# Attempt to get the kernel config first by checking the modules directory 136# then via proc, and finally by extracting it from the kernel image or the 137# configs.ko using scripts/extract-ikconfig. 138# Return 1 for found. 139get_kconfig() 140{ 141 local proc_config="/proc/config.gz" 142 local module_dir="/lib/modules/`uname -r`" 143 local configs_module="$module_dir/kernel/kernel/configs.ko*" 144 145 if [ -f $module_dir/config ]; then 146 IKCONFIG=$module_dir/config 147 return 1 148 fi 149 150 if [ ! -f $proc_config ]; then 151 modprobe configs > /dev/null 2>&1 152 fi 153 if [ -f $proc_config ]; then 154 cat $proc_config | gunzip > $IKCONFIG 2>/dev/null 155 if [ $? -eq 0 ]; then 156 return 1 157 fi 158 fi 159 160 local extract_ikconfig="$module_dir/source/scripts/extract-ikconfig" 161 if [ ! -f $extract_ikconfig ]; then 162 log_skip "extract-ikconfig not found" 163 fi 164 165 $extract_ikconfig $KERNEL_IMAGE > $IKCONFIG 2>/dev/null 166 if [ $? -eq 1 ]; then 167 if [ ! -f $configs_module ]; then 168 log_skip "CONFIG_IKCONFIG not enabled" 169 fi 170 $extract_ikconfig $configs_module > $IKCONFIG 171 if [ $? -eq 1 ]; then 172 log_skip "CONFIG_IKCONFIG not enabled" 173 fi 174 fi 175 return 1 176} 177 178# Make sure that securityfs is mounted 179mount_securityfs() 180{ 181 if [ -z $SECURITYFS ]; then 182 SECURITYFS=/sys/kernel/security 183 mount -t securityfs security $SECURITYFS 184 fi 185 186 if [ ! -d "$SECURITYFS" ]; then 187 log_fail "$SECURITYFS :securityfs is not mounted" 188 fi 189} 190 191# The policy rule format is an "action" followed by key-value pairs. This 192# function supports up to two key-value pairs, in any order. 193# For example: action func=<keyword> [appraise_type=<type>] 194# Return 1 for found and 0 for not found. 195check_ima_policy() 196{ 197 local action="$1" 198 local keypair1="$2" 199 local keypair2="$3" 200 local ret=0 201 202 mount_securityfs 203 204 local ima_policy=$SECURITYFS/ima/policy 205 if [ ! -e $ima_policy ]; then 206 log_fail "$ima_policy not found" 207 fi 208 209 if [ -n $keypair2 ]; then 210 grep -e "^$action.*$keypair1" "$ima_policy" | \ 211 grep -q -e "$keypair2" 212 else 213 grep -q -e "^$action.*$keypair1" "$ima_policy" 214 fi 215 216 # invert "grep -q" result, returning 1 for found. 217 [ $? -eq 0 ] && ret=1 218 return $ret 219} 220