Lines Matching +full:kernel +full:- +full:policy
2 # SPDX-License-Identifier: GPL-2.0
4 # Loading a kernel image via the kexec_file_load syscall can verify either
6 # both signatures depending on the IMA policy, or none.
8 # To determine whether the kernel image is signed, this test depends
9 # on pesign and getfattr. This test also requires the kernel to be
11 # enabled or access to the extract-ikconfig script.
16 trap "{ rm -f $IKCONFIG ; }" EXIT
18 # Some of the IMA builtin policies may require the kexec kernel image to
19 # be signed, but these policy rules may be replaced with a custom
20 # policy. Only CONFIG_IMA_APPRAISE_REQUIRE_KEXEC_SIGS persists after
21 # loading a custom policy. Check if it is enabled, before reading the
22 # IMA runtime sysfs policy file.
29 "IMA kernel image signature required"
30 if [ $? -eq 1 ]; then
35 # The architecture specific or a custom policy may require the
36 # kexec kernel image be signed. Policy rules are walked
37 # sequentially. As a result, a policy rule may be defined, but
38 # might not necessarily be used. This test assumes if a policy
42 if [ $ima_read_policy -eq 1 ]; then
46 if [ $ret -eq 1 ]; then
52 [ $ret -eq 1 ] && log_info "IMA signature required";
64 pesign -i $KERNEL_IMAGE --show-signature | grep -q "No signatures"
66 if [ $ret -eq 1 ]; then
67 log_info "kexec kernel image PE signed"
69 log_info "kexec kernel image not PE signed"
81 if [ $? -eq 1 ]; then
85 line=$(getfattr -n security.ima -e hex --absolute-names $KERNEL_IMAGE 2>&1)
86 echo $line | grep -q "security.ima=0x03"
87 if [ $? -eq 0 ]; then
89 log_info "kexec kernel image IMA signed"
91 log_info "kexec kernel image not IMA signed"
102 tail --bytes $((${#module_sig_string} + 1)) $KERNEL_IMAGE | \
103 grep -q "$module_sig_string"
104 if [ $? -eq 0 ]; then
106 log_info "kexec kernel image modsig signed"
108 log_info "kexec kernel image not modsig signed"
119 line=$(kexec --load --kexec-file-syscall $KERNEL_IMAGE 2>&1)
121 if [ $? -eq 0 ]; then
122 kexec --unload --kexec-file-syscall
125 # policy, make sure either an IMA or PE signature exists.
126 if [ $secureboot -eq 1 ] && [ $arch_policy -eq 1 ] && \
127 [ $ima_signed -eq 0 ] && [ $pe_signed -eq 0 ] \
128 && [ $ima_modsig -eq 0 ]; then
132 if [ $kexec_sig_required -eq 1 -o $pe_sig_required -eq 1 ] \
133 && [ $pe_signed -eq 0 ]; then
137 if [ $ima_sig_required -eq 1 ] && [ $ima_signed -eq 0 ] \
138 && [ $ima_modsig -eq 0 ]; then
142 if [ $pe_sig_required -eq 0 ] && [ $ima_appraise -eq 1 ] \
143 && [ $ima_sig_required -eq 0 ] && [ $ima_signed -eq 0 ] \
144 && [ $ima_read_policy -eq 0 ]; then
148 if [ $pe_sig_required -eq 0 ] && [ $ima_appraise -eq 0 ]; then
150 elif [ $pe_sig_required -eq 0 ] && [ $ima_appraise -eq 1 ] \
151 && [ $ima_sig_required -eq 0 ] && [ $ima_signed -eq 0 ] \
152 && [ $ima_read_policy -eq 1 ]; then
160 echo $line | grep -q "Required key not available"
161 if [ $? -eq 0 ]; then
162 if [ $platform_keyring -eq 0 ]; then
163 log_pass "$failed_msg (-ENOKEY), $key_msg"
165 log_pass "$failed_msg (-ENOKEY)"
169 if [ $kexec_sig_required -eq 1 -o $pe_sig_required -eq 1 ] \
170 && [ $pe_signed -eq 0 ]; then
174 if [ $ima_sig_required -eq 1 ] && [ $ima_signed -eq 0 ]; then
178 if [ $pe_sig_required -eq 0 ] && [ $ima_appraise -eq 1 ] \
179 && [ $ima_sig_required -eq 0 ] && [ $ima_read_policy -eq 0 ] \
180 && [ $ima_signed -eq 0 ]; then
191 # get the kernel config
195 if [ $? -eq 0 ]; then
199 # Determine which kernel config options are enabled
204 "architecture specific policy enabled"
211 kconfig_enabled "CONFIG_IMA_READ_POLICY=y" "reading IMA policy permitted"
215 "kexec signed kernel image required"
219 "PE signed kernel image required"
242 # Test loading the kernel image via kexec_file_load syscall