1#!/bin/sh 2# SPDX-License-Identifier: GPL-2.0 3# 4# Prevent loading a kernel image via the kexec_load syscall when 5# signatures are required. (Dependent on CONFIG_IMA_ARCH_POLICY.) 6 7TEST="$0" 8. ./kexec_common_lib.sh 9 10# kexec requires root privileges 11require_root_privileges 12 13# get the kernel config 14get_kconfig 15 16kconfig_enabled "CONFIG_KEXEC_JUMP=y" "kexec_jump is enabled" 17if [ $? -eq 0 ]; then 18 log_skip "kexec_jump is not enabled" 19fi 20 21kconfig_enabled "CONFIG_IMA_APPRAISE=y" "IMA enabled" 22ima_appraise=$? 23 24kconfig_enabled "CONFIG_IMA_ARCH_POLICY=y" \ 25 "IMA architecture specific policy enabled" 26arch_policy=$? 27 28get_secureboot_mode 29secureboot=$? 30 31if [ $secureboot -eq 1 ] && [ $arch_policy -eq 1 ]; then 32 log_skip "Secure boot and CONFIG_IMA_ARCH_POLICY are enabled" 33fi 34 35./test_kexec_jump 36if [ $? -eq 0 ]; then 37 log_pass "kexec_jump succeeded" 38else 39 # The more likely failure mode if anything went wrong is that the 40 # kernel just crashes. But if we get back here, sure, whine anyway. 41 log_fail "kexec_jump failed" 42fi 43