tools/testing/selftests/kexec/test_kexec_file_load.sh

Source file repositories/reference/linux-study-clean/tools/testing/selftests/kexec/test_kexec_file_load.sh

File Facts

System
Linux kernel
Corpus path
tools/testing/selftests/kexec/test_kexec_file_load.sh
Extension
.sh
Size
6817 bytes
Lines
244
Domain
Support Tooling And Documentation
Bucket
tools
Inferred role
Support Tooling And Documentation: tools
Status
atlas-only

Why This File Exists

Repository support layer: documentation, build tooling, samples, user-space helper tools, generated initramfs support, licenses, and validation utilities.

Dependency Surface

Detected Declarations

Annotated Snippet

#!/bin/sh
# SPDX-License-Identifier: GPL-2.0
#
# Loading a kernel image via the kexec_file_load syscall can verify either
# the IMA signature stored in the security.ima xattr or the PE signature,
# both signatures depending on the IMA policy, or none.
#
# To determine whether the kernel image is signed, this test depends
# on pesign and getfattr.  This test also requires the kernel to be
# built with CONFIG_IKCONFIG enabled and either CONFIG_IKCONFIG_PROC
# enabled or access to the extract-ikconfig script.

TEST="KEXEC_FILE_LOAD"
. ./kexec_common_lib.sh

trap "{ rm -f $IKCONFIG ; }" EXIT

# Some of the IMA builtin policies may require the kexec kernel image to
# be signed, but these policy rules may be replaced with a custom
# policy.  Only CONFIG_IMA_APPRAISE_REQUIRE_KEXEC_SIGS persists after
# loading a custom policy.  Check if it is enabled, before reading the
# IMA runtime sysfs policy file.
# Return 1 for IMA signature required and 0 for not required.
is_ima_sig_required()
{
	local ret=0

	kconfig_enabled "CONFIG_IMA_APPRAISE_REQUIRE_KEXEC_SIGS=y" \
		"IMA kernel image signature required"
	if [ $? -eq 1 ]; then
		log_info "IMA signature required"
		return 1
	fi

	# The architecture specific or a custom policy may require the
	# kexec kernel image be signed.  Policy rules are walked
	# sequentially.  As a result, a policy rule may be defined, but
	# might not necessarily be used.  This test assumes if a policy
	# rule is specified, that is the intent.

	# First check for appended signature (modsig), then xattr
	if [ $ima_read_policy -eq 1 ]; then
		check_ima_policy "appraise" "func=KEXEC_KERNEL_CHECK" \
			"appraise_type=imasig|modsig"
		ret=$?
		if [ $ret -eq 1 ]; then
			log_info "IMA or appended(modsig) signature required"
		else
			check_ima_policy "appraise" "func=KEXEC_KERNEL_CHECK" \
				"appraise_type=imasig"
			ret=$?
			[ $ret -eq 1 ] && log_info "IMA signature required";
		fi
	fi
	return $ret
}

# The kexec_file_load_test() is complicated enough, require pesign.
# Return 1 for PE signature found and 0 for not found.
check_for_pesig()
{
	which pesign > /dev/null 2>&1 || log_skip "pesign not found"

	pesign -i $KERNEL_IMAGE --show-signature | grep -q "No signatures"
	local ret=$?
	if [ $ret -eq 1 ]; then
		log_info "kexec kernel image PE signed"
	else
		log_info "kexec kernel image not PE signed"
	fi

Annotation

Implementation Notes