1 #!/bin/sh 1 #!/bin/sh 2 # SPDX-License-Identifier: GPL-2.0 2 # SPDX-License-Identifier: GPL-2.0 3 # 3 # 4 # Prevent loading a kernel image via the kexec 4 # Prevent loading a kernel image via the kexec_load syscall when 5 # signatures are required. (Dependent on CONF 5 # signatures are required. (Dependent on CONFIG_IMA_ARCH_POLICY.) 6 6 7 TEST="$0" 7 TEST="$0" 8 . ./kexec_common_lib.sh 8 . ./kexec_common_lib.sh 9 9 10 # kexec requires root privileges 10 # kexec requires root privileges 11 require_root_privileges 11 require_root_privileges 12 12 13 # get the kernel config 13 # get the kernel config 14 get_kconfig 14 get_kconfig 15 15 16 kconfig_enabled "CONFIG_KEXEC=y" "kexec_load i 16 kconfig_enabled "CONFIG_KEXEC=y" "kexec_load is enabled" 17 if [ $? -eq 0 ]; then 17 if [ $? -eq 0 ]; then 18 log_skip "kexec_load is not enabled" 18 log_skip "kexec_load is not enabled" 19 fi 19 fi 20 20 21 kconfig_enabled "CONFIG_IMA_APPRAISE=y" "IMA e 21 kconfig_enabled "CONFIG_IMA_APPRAISE=y" "IMA enabled" 22 ima_appraise=$? 22 ima_appraise=$? 23 23 24 kconfig_enabled "CONFIG_IMA_ARCH_POLICY=y" \ 24 kconfig_enabled "CONFIG_IMA_ARCH_POLICY=y" \ 25 "IMA architecture specific policy enab 25 "IMA architecture specific policy enabled" 26 arch_policy=$? 26 arch_policy=$? 27 27 28 get_secureboot_mode 28 get_secureboot_mode 29 secureboot=$? 29 secureboot=$? 30 30 31 # kexec_load should fail in secure boot mode a 31 # kexec_load should fail in secure boot mode and CONFIG_IMA_ARCH_POLICY enabled 32 kexec --load $KERNEL_IMAGE > /dev/null 2>&1 32 kexec --load $KERNEL_IMAGE > /dev/null 2>&1 33 if [ $? -eq 0 ]; then 33 if [ $? 
-eq 0 ]; then 34 kexec --unload 34 kexec --unload 35 if [ $secureboot -eq 1 ] && [ $arch_po 35 if [ $secureboot -eq 1 ] && [ $arch_policy -eq 1 ]; then 36 log_fail "kexec_load succeeded 36 log_fail "kexec_load succeeded" 37 elif [ $ima_appraise -eq 0 -o $arch_po 37 elif [ $ima_appraise -eq 0 -o $arch_policy -eq 0 ]; then 38 log_info "Either IMA or the IM 38 log_info "Either IMA or the IMA arch policy is not enabled" 39 fi 39 fi 40 log_pass "kexec_load succeeded" 40 log_pass "kexec_load succeeded" 41 else 41 else 42 if [ $secureboot -eq 1 ] && [ $arch_po 42 if [ $secureboot -eq 1 ] && [ $arch_policy -eq 1 ] ; then 43 log_pass "kexec_load failed" 43 log_pass "kexec_load failed" 44 else 44 else 45 log_fail "kexec_load failed" 45 log_fail "kexec_load failed" 46 fi 46 fi 47 fi 47 fi
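Review bot: The `kexec --load $KERNEL_IMAGE > /dev/null 2>&1` call on line 32 throws away the reason for a failure, so with secure boot and CONFIG_IMA_ARCH_POLICY both enabled any non-zero exit reaches `log_pass "kexec_load failed"` on line 43. That includes a missing kexec binary or an unset or unreadable `$KERNEL_IMAGE`, so the test can report the signature-enforcement control as working without the kernel ever having rejected the load. Checking the prerequisites before the load would close that gap, for example `command -v kexec > /dev/null || log_skip "kexec not installed"` and `[ -r "$KERNEL_IMAGE" ] || log_skip "kernel image not readable"`, and the load itself should quote the expansion as `kexec --load "$KERNEL_IMAGE"`. This assumes `log_skip` ends the script, as its use on line 18 suggests; the helpers and `KERNEL_IMAGE` come from kexec_common_lib.sh, which is not shown here. As a style point, the `-o` inside `[ ... ]` on line 37 is better written as two tests joined with `||`, matching the `&&` form used on lines 35 and 42.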