tools/testing/selftests/kexec/kexec_common_lib.sh

   1 #!/bin/sh
   2 # SPDX-License-Identifier: GPL-2.0
   3 #
   4 # Kselftest framework defines: ksft_pass=0, ksft_fail=1, ksft_skip=4
   5
   6 VERBOSE="${VERBOSE:-1}"
   7 IKCONFIG="/tmp/config-`uname -r`"
   8 KERNEL_IMAGE="/boot/vmlinuz-`uname -r`"
   9 SECURITYFS=$(grep "securityfs" /proc/mounts | awk '{print $2}')
  10
  11 log_info()
  12 {
  13         [ $VERBOSE -ne 0 ] && echo "[INFO] $1"
  14 }
  15
  16 # The ksefltest framework requirement returns 0 for PASS.
  17 log_pass()
  18 {
  19         [ $VERBOSE -ne 0 ] && echo "$1 [PASS]"
  20         exit 0
  21 }
  22
  23 # The ksefltest framework requirement returns 1 for FAIL.
  24 log_fail()
  25 {
  26         [ $VERBOSE -ne 0 ] && echo "$1 [FAIL]"
  27         exit 1
  28 }
  29
  30 # The ksefltest framework requirement returns 4 for SKIP.
  31 log_skip()
  32 {
  33         [ $VERBOSE -ne 0 ] && echo "$1"
  34         exit 4
  35 }
  36
  37 # Check efivar SecureBoot-$(the UUID) and SetupMode-$(the UUID).
  38 # (Based on kdump-lib.sh)
  39 get_efivarfs_secureboot_mode()
  40 {
  41         local efivarfs="/sys/firmware/efi/efivars"
  42         local secure_boot_file=""
  43         local setup_mode_file=""
  44         local secureboot_mode=0
  45         local setup_mode=0
  46
  47         # Make sure that efivar_fs is mounted in the normal location
  48         if ! grep -q "^\S\+ $efivarfs efivarfs" /proc/mounts; then
  49                 log_info "efivars is not mounted on $efivarfs"
  50                 return 0;
  51         fi
  52         secure_boot_file=$(find "$efivarfs" -name SecureBoot-* 2>/dev/null)
  53         setup_mode_file=$(find "$efivarfs" -name SetupMode-* 2>/dev/null)
  54         if [ -f "$secure_boot_file" ] && [ -f "$setup_mode_file" ]; then
  55                 secureboot_mode=$(hexdump -v -e '/1 "%d\ "' \
  56                         "$secure_boot_file"|cut -d' ' -f 5)
  57                 setup_mode=$(hexdump -v -e '/1 "%d\ "' \
  58                         "$setup_mode_file"|cut -d' ' -f 5)
  59
  60                 if [ $secureboot_mode -eq 1 ] && [ $setup_mode -eq 0 ]; then
  61                         log_info "secure boot mode enabled (CONFIG_EFIVAR_FS)"
  62                         return 1;
  63                 fi
  64         fi
  65         return 0;
  66 }
  67
  68 # On powerpc platform, check device-tree property
  69 # /proc/device-tree/ibm,secureboot/os-secureboot-enforcing
  70 # to detect secureboot state.
  71 get_ppc64_secureboot_mode()
  72 {
  73         local secure_boot_file="/proc/device-tree/ibm,secureboot/os-secureboot-enforcing"
  74         # Check for secure boot file existence
  75         if [ -f $secure_boot_file ]; then
  76                 log_info "Secureboot is enabled (Device tree)"
  77                 return 1;
  78         fi
  79         log_info "Secureboot is not enabled (Device tree)"
  80         return 0;
  81 }
  82
  83 # Return the architecture of the system
  84 get_arch()
  85 {
  86         echo $(arch)
  87 }
  88
  89 # Check efivar SecureBoot-$(the UUID) and SetupMode-$(the UUID).
  90 # The secure boot mode can be accessed as the last integer of
  91 # "od -An -t u1 /sys/firmware/efi/efivars/SecureBoot-*".  The efi
  92 # SetupMode can be similarly accessed.
  93 # Return 1 for SecureBoot mode enabled and SetupMode mode disabled.
  94 get_secureboot_mode()
  95 {
  96         local secureboot_mode=0
  97         local system_arch=$(get_arch)
  98
  99         if [ "$system_arch" == "ppc64le" ]; then
 100                 get_ppc64_secureboot_mode
 101                 secureboot_mode=$?
 102         else
 103                 get_efivarfs_secureboot_mode
 104                 secureboot_mode=$?
 105         fi
 106
 107         if [ $secureboot_mode -eq 0 ]; then
 108                 log_info "secure boot mode not enabled"
 109         fi
 110         return $secureboot_mode;
 111 }
 112
 113 require_root_privileges()
 114 {
 115         if [ $(id -ru) -ne 0 ]; then
 116                 log_skip "requires root privileges"
 117         fi
 118 }
 119
 120 # Look for config option in Kconfig file.
 121 # Return 1 for found and 0 for not found.
 122 kconfig_enabled()
 123 {
 124         local config="$1"
 125         local msg="$2"
 126
 127         grep -E -q $config $IKCONFIG
 128         if [ $? -eq 0 ]; then
 129                 log_info "$msg"
 130                 return 1
 131         fi
 132         return 0
 133 }
 134
 135 # Attempt to get the kernel config first by checking the modules directory
 136 # then via proc, and finally by extracting it from the kernel image or the
 137 # configs.ko using scripts/extract-ikconfig.
 138 # Return 1 for found.
 139 get_kconfig()
 140 {
 141         local proc_config="/proc/config.gz"
 142         local module_dir="/lib/modules/`uname -r`"
 143         local configs_module="$module_dir/kernel/kernel/configs.ko*"
 144
 145         if [ -f $module_dir/config ]; then
 146                 IKCONFIG=$module_dir/config
 147                 return 1
 148         fi
 149
 150         if [ ! -f $proc_config ]; then
 151                 modprobe configs > /dev/null 2>&1
 152         fi
 153         if [ -f $proc_config ]; then
 154                 cat $proc_config | gunzip > $IKCONFIG 2>/dev/null
 155                 if [ $? -eq 0 ]; then
 156                         return 1
 157                 fi
 158         fi
 159
 160         local extract_ikconfig="$module_dir/source/scripts/extract-ikconfig"
 161         if [ ! -f $extract_ikconfig ]; then
 162                 log_skip "extract-ikconfig not found"
 163         fi
 164
 165         $extract_ikconfig $KERNEL_IMAGE > $IKCONFIG 2>/dev/null
 166         if [ $? -eq 1 ]; then
 167                 if [ ! -f $configs_module ]; then
 168                         log_skip "CONFIG_IKCONFIG not enabled"
 169                 fi
 170                 $extract_ikconfig $configs_module > $IKCONFIG
 171                 if [ $? -eq 1 ]; then
 172                         log_skip "CONFIG_IKCONFIG not enabled"
 173                 fi
 174         fi
 175         return 1
 176 }
 177
 178 # Make sure that securityfs is mounted
 179 mount_securityfs()
 180 {
 181         if [ -z $SECURITYFS ]; then
 182                 SECURITYFS=/sys/kernel/security
 183                 mount -t securityfs security $SECURITYFS
 184         fi
 185
 186         if [ ! -d "$SECURITYFS" ]; then
 187                 log_fail "$SECURITYFS :securityfs is not mounted"
 188         fi
 189 }
 190
 191 # The policy rule format is an "action" followed by key-value pairs.  This
 192 # function supports up to two key-value pairs, in any order.
 193 # For example: action func=<keyword> [appraise_type=<type>]
 194 # Return 1 for found and 0 for not found.
 195 check_ima_policy()
 196 {
 197         local action="$1"
 198         local keypair1="$2"
 199         local keypair2="$3"
 200         local ret=0
 201
 202         mount_securityfs
 203
 204         local ima_policy=$SECURITYFS/ima/policy
 205         if [ ! -e $ima_policy ]; then
 206                 log_fail "$ima_policy not found"
 207         fi
 208
 209         if [ -n $keypair2 ]; then
 210                 grep -e "^$action.*$keypair1" "$ima_policy" | \
 211                         grep -q -e "$keypair2"
 212         else
 213                 grep -q -e "^$action.*$keypair1" "$ima_policy"
 214         fi
 215
 216         # invert "grep -q" result, returning 1 for found.
 217         [ $? -eq 0 ] && ret=1
 218         return $ret
 219 }