tools/testing/selftests/kexec/test_kexec_file_load.sh
Source file repositories/reference/linux-study-clean/tools/testing/selftests/kexec/test_kexec_file_load.sh
File Facts
- System
- Linux kernel
- Corpus path
tools/testing/selftests/kexec/test_kexec_file_load.sh- Extension
.sh- Size
- 6817 bytes
- Lines
- 244
- Domain
- Support Tooling And Documentation
- Bucket
- tools
- Inferred role
- Support Tooling And Documentation: tools
- Status
- atlas-only
Why This File Exists
Repository support layer: documentation, build tooling, samples, user-space helper tools, generated initramfs support, licenses, and validation utilities.
- Repository support layer: documentation, build tooling, samples, user-space helper tools, generated initramfs support, licenses, and validation utilities.
Dependency Surface
- No C-style include directives detected by the generator.
Detected Declarations
- No top-level syscall, struct, function, initcall, or export declaration detected by the generator.
Annotated Snippet
#!/bin/sh
# SPDX-License-Identifier: GPL-2.0
#
# Loading a kernel image via the kexec_file_load syscall can verify either
# the IMA signature stored in the security.ima xattr or the PE signature,
# both signatures depending on the IMA policy, or none.
#
# To determine whether the kernel image is signed, this test depends
# on pesign and getfattr. This test also requires the kernel to be
# built with CONFIG_IKCONFIG enabled and either CONFIG_IKCONFIG_PROC
# enabled or access to the extract-ikconfig script.
TEST="KEXEC_FILE_LOAD"
. ./kexec_common_lib.sh
trap "{ rm -f $IKCONFIG ; }" EXIT
# Some of the IMA builtin policies may require the kexec kernel image to
# be signed, but these policy rules may be replaced with a custom
# policy. Only CONFIG_IMA_APPRAISE_REQUIRE_KEXEC_SIGS persists after
# loading a custom policy. Check if it is enabled, before reading the
# IMA runtime sysfs policy file.
# Return 1 for IMA signature required and 0 for not required.
is_ima_sig_required()
{
local ret=0
kconfig_enabled "CONFIG_IMA_APPRAISE_REQUIRE_KEXEC_SIGS=y" \
"IMA kernel image signature required"
if [ $? -eq 1 ]; then
log_info "IMA signature required"
return 1
fi
# The architecture specific or a custom policy may require the
# kexec kernel image be signed. Policy rules are walked
# sequentially. As a result, a policy rule may be defined, but
# might not necessarily be used. This test assumes if a policy
# rule is specified, that is the intent.
# First check for appended signature (modsig), then xattr
if [ $ima_read_policy -eq 1 ]; then
check_ima_policy "appraise" "func=KEXEC_KERNEL_CHECK" \
"appraise_type=imasig|modsig"
ret=$?
if [ $ret -eq 1 ]; then
log_info "IMA or appended(modsig) signature required"
else
check_ima_policy "appraise" "func=KEXEC_KERNEL_CHECK" \
"appraise_type=imasig"
ret=$?
[ $ret -eq 1 ] && log_info "IMA signature required";
fi
fi
return $ret
}
# The kexec_file_load_test() is complicated enough, require pesign.
# Return 1 for PE signature found and 0 for not found.
check_for_pesig()
{
which pesign > /dev/null 2>&1 || log_skip "pesign not found"
pesign -i $KERNEL_IMAGE --show-signature | grep -q "No signatures"
local ret=$?
if [ $ret -eq 1 ]; then
log_info "kexec kernel image PE signed"
else
log_info "kexec kernel image not PE signed"
fi
Annotation
- Atlas domain: Support Tooling And Documentation / tools.
- Implementation status: atlas-only.
Implementation Notes
- This generated page is the file-by-file coverage layer; curated subsystem chapters should link here when they synthesize a multi-file control flow.
- Core OS pages should be promoted from atlas-only to deep-reviewed when they explain data structures, invariants, locking, lifecycle, and C implementation snippets.
- Driver-family pages are intentionally pattern-oriented unless they are part of the selected PCIe/NVMe representative device path.