tools/testing/selftests/kexec/test_kexec_load.sh

   1 #!/bin/sh
   2 # SPDX-License-Identifier: GPL-2.0
   3 #
   4 # Prevent loading a kernel image via the kexec_load syscall when
   5 # signatures are required.  (Dependent on CONFIG_IMA_ARCH_POLICY.)
   6
   7 TEST="$0"
   8 . ./kexec_common_lib.sh
   9
  10 # kexec requires root privileges
  11 require_root_privileges
  12
  13 # get the kernel config
  14 get_kconfig
  15
  16 kconfig_enabled "CONFIG_KEXEC=y" "kexec_load is enabled"
  17 if [ $? -eq 0 ]; then
  18         log_skip "kexec_load is not enabled"
  19 fi
  20
  21 kconfig_enabled "CONFIG_IMA_APPRAISE=y" "IMA enabled"
  22 ima_appraise=$?
  23
  24 kconfig_enabled "CONFIG_IMA_ARCH_POLICY=y" \
  25         "IMA architecture specific policy enabled"
  26 arch_policy=$?
  27
  28 get_secureboot_mode
  29 secureboot=$?
  30
  31 # kexec_load should fail in secure boot mode and CONFIG_IMA_ARCH_POLICY enabled
  32 kexec --load $KERNEL_IMAGE > /dev/null 2>&1
  33 if [ $? -eq 0 ]; then
  34         kexec --unload
  35         if [ $secureboot -eq 1 ] && [ $arch_policy -eq 1 ]; then
  36                 log_fail "kexec_load succeeded"
  37         elif [ $ima_appraise -eq 0 -o $arch_policy -eq 0 ]; then
  38                 log_info "Either IMA or the IMA arch policy is not enabled"
  39         fi
  40         log_pass "kexec_load succeeded"
  41 else
  42         if [ $secureboot -eq 1 ] && [ $arch_policy -eq 1 ] ; then
  43                 log_pass "kexec_load failed"
  44         else
  45                 log_fail "kexec_load failed"
  46         fi
  47 fi