sefltest/ima: support appended signatures (modsig)

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

In addition to the PE/COFF and IMA xattr signatures, the kexec kernel
image can be signed with an appended signature, using the same
scripts/sign-file tool that is used to sign kernel modules.

This patch adds support for detecting a kernel image signed with an
appended signature and updates the existing test messages
appropriately.

Reviewed-by: Petr Vorel <pvorel@suse.cz>
Acked-by: Shuah Khan <skhan@linuxfoundation.org>
Reviewed-by: Thiago Jung Bauermann <bauerman@linux.ibm.com>
Reviewed-by: Jordan Hand <jorhand@linux.microsoft.com> (x86_64 QEMU)
Tested-by: Jordan Hand <jorhand@linux.microsoft.com> (x86_64 QEMU)
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>

Mimi Zohar 6 years ago cbc0425d 556d971b

+34 -4

1 changed file

expand all

tools

testing

selftests

kexec

test_kexec_file_load.sh

+34 -4

tools/testing/selftests/kexec/test_kexec_file_load.sh

··· 37 37 # sequentially. As a result, a policy rule may be defined, but 38 38 # might not necessarily be used. This test assumes if a policy 39 39 # rule is specified, that is the intent. 40 + 41 + # First check for appended signature (modsig), then xattr 40 42 if [ $ima_read_policy -eq 1 ]; then 41 43 check_ima_policy "appraise" "func=KEXEC_KERNEL_CHECK" \ 42 - "appraise_type=imasig" 44 + "appraise_type=imasig|modsig" 43 45 ret=$? 44 - [ $ret -eq 1 ] && log_info "IMA signature required"; 46 + if [ $ret -eq 1 ]; then 47 + log_info "IMA or appended(modsig) signature required" 48 + else 49 + check_ima_policy "appraise" "func=KEXEC_KERNEL_CHECK" \ 50 + "appraise_type=imasig" 51 + ret=$? 52 + [ $ret -eq 1 ] && log_info "IMA signature required"; 53 + fi 45 54 fi 46 55 return $ret 47 56 } ··· 93 84 return $ret 94 85 } 95 86 87 + # Return 1 for appended signature (modsig) found and 0 for not found. 88 + check_for_modsig() 89 + { 90 + local module_sig_string="~Module signature appended~" 91 + local sig="$(tail --bytes $((${#module_sig_string} + 1)) $KERNEL_IMAGE)" 92 + local ret=0 93 + 94 + if [ "$sig" == "$module_sig_string" ]; then 95 + ret=1 96 + log_info "kexec kernel image modsig signed" 97 + else 98 + log_info "kexec kernel image not modsig signed" 99 + fi 100 + return $ret 101 + } 102 + 96 103 kexec_file_load_test() 97 104 { 98 105 local succeed_msg="kexec_file_load succeeded" ··· 123 98 # In secureboot mode with an architecture specific 124 99 # policy, make sure either an IMA or PE signature exists. 125 100 if [ $secureboot -eq 1 ] && [ $arch_policy -eq 1 ] && \ 126 - [ $ima_signed -eq 0 ] && [ $pe_signed -eq 0 ]; then 101 + [ $ima_signed -eq 0 ] && [ $pe_signed -eq 0 ] \ 102 + && [ $ima_modsig -eq 0 ]; then 127 103 log_fail "$succeed_msg (missing sig)" 128 104 fi 129 105 ··· 133 107 log_fail "$succeed_msg (missing PE sig)" 134 108 fi 135 109 136 - if [ $ima_sig_required -eq 1 ] && [ $ima_signed -eq 0 ]; then 110 + if [ $ima_sig_required -eq 1 ] && [ $ima_signed -eq 0 ] \ 111 + && [ $ima_modsig -eq 0 ]; then 137 112 log_fail "$succeed_msg (missing IMA sig)" 138 113 fi 139 114 ··· 230 203 231 204 check_for_imasig 232 205 ima_signed=$? 206 + 207 + check_for_modsig 208 + ima_modsig=$? 233 209 234 210 # Test loading the kernel image via kexec_file_load syscall 235 211 kexec_file_load_test