[PATCH v3 2/2] selftests/kexec: enable lockdown tests

From: Coiby Xu
Date: Fri Dec 30 2022 - 01:59:55 EST

Next message: Coiby Xu: "Re: [PATCH] lockdown: kexec_file: prevent unsigned kernel image when KEXEC_SIG not enabled"
Previous message: Coiby Xu: "[PATCH v3 1/2] lockdown: kexec_file: prevent unsigned kernel image when KEXEC_SIG not enabled"
In reply to: Coiby Xu: "[PATCH v3 1/2] lockdown: kexec_file: prevent unsigned kernel image when KEXEC_SIG not enabled"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

When lockdown is enabled, kexec_load syscall should always fail.

For kexec_file_load, when lockdown is enabled, it should
- fail of missing PE signature when KEXEC_SIG is enabled
- fail of missing IMA signature when KEXEC_SIG is disabled

Before this patch, test_kexec_load.sh fails (false positive) and
test_kexec_file_load.sh fails without a reason when lockdown enabled and
KEXEC_SIG disabled,

# kexec_load failed [FAIL]
not ok 1 selftests: kexec: test_kexec_load.sh # exit=1
# kexec_file_load failed [PASS]
ok 2 selftests: kexec: test_kexec_file_load.sh

After this patch, test_kexec_load.sh succeeds and
test_kexec_file_load.sh fails with the correct reason when lockdown
enabled and KEXEC_SIG disabled,

# kexec_load failed [PASS]
ok 1 selftests: kexec: test_kexec_load.sh
# kexec_file_load failed (missing IMA sig) [PASS]
ok 2 selftests: kexec: test_kexec_file_load.sh

Cc: kexec@xxxxxxxxxxxxxxxxxxx
Cc: linux-integrity@xxxxxxxxxxxxxxx
Suggested-by: Mimi Zohar <zohar@xxxxxxxxxxxxx>
Signed-off-by: Coiby Xu <coxu@xxxxxxxxxx>
---
.../selftests/kexec/kexec_common_lib.sh | 16 +++++++++++
.../selftests/kexec/test_kexec_file_load.sh | 27 +++++++++++++++++++
.../selftests/kexec/test_kexec_load.sh | 12 ++++++---
3 files changed, 52 insertions(+), 3 deletions(-)

diff --git a/tools/testing/selftests/kexec/kexec_common_lib.sh b/tools/testing/selftests/kexec/kexec_common_lib.sh
index 641ef05863b2..06c298b46788 100755
--- a/tools/testing/selftests/kexec/kexec_common_lib.sh
+++ b/tools/testing/selftests/kexec/kexec_common_lib.sh
@@ -110,6 +110,22 @@ get_secureboot_mode()
return $secureboot_mode;
}

+is_lockdown_enabled()
+{
+ local ret=0
+
+ if [ -f /sys/kernel/security/lockdown ] \
+ && ! grep -qs "\[none\]" /sys/kernel/security/lockdown; then
+ ret=1
+ fi
+
+ if [ $ret -eq 0 ]; then
+ log_info "lockdown not enabled"
+ fi
+
+ return $ret
+}
+
require_root_privileges()
{
if [ $(id -ru) -ne 0 ]; then
diff --git a/tools/testing/selftests/kexec/test_kexec_file_load.sh b/tools/testing/selftests/kexec/test_kexec_file_load.sh
index c9ccb3c93d72..790f96938083 100755
--- a/tools/testing/selftests/kexec/test_kexec_file_load.sh
+++ b/tools/testing/selftests/kexec/test_kexec_file_load.sh
@@ -139,6 +139,16 @@ kexec_file_load_test()
log_fail "$succeed_msg (missing IMA sig)"
fi

+ if [ $lockdown -eq 1 ] && [ $kexec_sig_enabled -eq 1 ] \
+ && [ $pe_signed -eq 0 ]; then
+ log_fail "$succeed_msg (missing PE sig)"
+ fi
+
+ if [ $lockdown -eq 1 ] && [ $kexec_sig_enabled -eq 0 ] && [ $ima_signed -eq 0 ] \
+ && [ $ima_modsig -eq 0 ]; then
+ log_fail "$succeed_msg (missing IMA sig)"
+ fi
+
if [ $pe_sig_required -eq 0 ] && [ $ima_appraise -eq 1 ] \
&& [ $ima_sig_required -eq 0 ] && [ $ima_signed -eq 0 ] \
&& [ $ima_read_policy -eq 0 ]; then
@@ -181,6 +191,16 @@ kexec_file_load_test()
log_pass "$failed_msg (possibly missing IMA sig)"
fi

+ if [ $lockdown -eq 1 ] && [ $kexec_sig_enabled -eq 1 ] \
+ && [ $pe_signed -eq 0 ]; then
+ log_pass "$failed_msg (missing PE sig)"
+ fi
+
+ if [ $lockdown -eq 1 ] && [ $kexec_sig_enabled -eq 0 ] \
+ && [ $ima_signed -eq 0 ] && [ $ima_modsig -eq 0 ]; then
+ log_pass "$failed_msg (missing IMA sig)"
+ fi
+
log_pass "$failed_msg"
return 0
}
@@ -215,6 +235,10 @@ kconfig_enabled "CONFIG_KEXEC_SIG_FORCE=y" \
"kexec signed kernel image required"
kexec_sig_required=$?

+kconfig_enabled "CONFIG_KEXEC_SIG=y" \
+ "KEXEC_SIG enabled"
+kexec_sig_enabled=$?
+
kconfig_enabled "CONFIG_KEXEC_BZIMAGE_VERIFY_SIG=y" \
"PE signed kernel image required"
pe_sig_required=$?
@@ -225,6 +249,9 @@ ima_sig_required=$?
get_secureboot_mode
secureboot=$?

+is_lockdown_enabled
+lockdown=$?
+
# Are there pe and ima signatures
if [ "$(get_arch)" == 'ppc64le' ]; then
pe_signed=0
diff --git a/tools/testing/selftests/kexec/test_kexec_load.sh b/tools/testing/selftests/kexec/test_kexec_load.sh
index 49c6aa929137..0542887866c0 100755
--- a/tools/testing/selftests/kexec/test_kexec_load.sh
+++ b/tools/testing/selftests/kexec/test_kexec_load.sh
@@ -28,18 +28,24 @@ arch_policy=$?
get_secureboot_mode
secureboot=$?

-# kexec_load should fail in secure boot mode and CONFIG_IMA_ARCH_POLICY enabled
+is_lockdown_enabled
+lockdown=$?
+
+# kexec_load should fail in either
+# a) secure boot mode and CONFIG_IMA_ARCH_POLICY enabled
+# or
+# b) lockdown enabled
kexec --load $KERNEL_IMAGE > /dev/null 2>&1
if [ $? -eq 0 ]; then
kexec --unload
- if [ $secureboot -eq 1 ] && [ $arch_policy -eq 1 ]; then
+ if [ $secureboot -eq 1 -a $arch_policy -eq 1 ] || [ $lockdown -eq 1 ]; then
log_fail "kexec_load succeeded"
elif [ $ima_appraise -eq 0 -o $arch_policy -eq 0 ]; then
log_info "Either IMA or the IMA arch policy is not enabled"
fi
log_pass "kexec_load succeeded"
else
- if [ $secureboot -eq 1 ] && [ $arch_policy -eq 1 ] ; then
+ if [ $secureboot -eq 1 -a $arch_policy -eq 1 ] || [ $lockdown -eq 1 ]; then
log_pass "kexec_load failed"
else
log_fail "kexec_load failed"
--
2.38.1

Next message: Coiby Xu: "Re: [PATCH] lockdown: kexec_file: prevent unsigned kernel image when KEXEC_SIG not enabled"
Previous message: Coiby Xu: "[PATCH v3 1/2] lockdown: kexec_file: prevent unsigned kernel image when KEXEC_SIG not enabled"
In reply to: Coiby Xu: "[PATCH v3 1/2] lockdown: kexec_file: prevent unsigned kernel image when KEXEC_SIG not enabled"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]