tools/testing/selftests/kexec/kexec_common_lib.sh

   1 #!/bin/sh
   2 # SPDX-License-Identifier: GPL-2.0
   3 #
   4 # Kselftest framework defines: ksft_pass=0, ksft_fail=1, ksft_skip=4
   5
   6 VERBOSE="${VERBOSE:-1}"
   7 IKCONFIG="/tmp/config-`uname -r`"
   8 KERNEL_IMAGE="/boot/vmlinuz-`uname -r`"
   9 SECURITYFS=$(grep "securityfs" /proc/mounts | awk '{print $2}')
  10
  11 log_info()
  12 {
  13         [ $VERBOSE -ne 0 ] && echo "[INFO] $1"
  14 }
  15
  16 # The ksefltest framework requirement returns 0 for PASS.
  17 log_pass()
  18 {
  19         [ $VERBOSE -ne 0 ] && echo "$1 [PASS]"
  20         exit 0
  21 }
  22
  23 # The ksefltest framework requirement returns 1 for FAIL.
  24 log_fail()
  25 {
  26         [ $VERBOSE -ne 0 ] && echo "$1 [FAIL]"
  27         exit 1
  28 }
  29
  30 # The ksefltest framework requirement returns 4 for SKIP.
  31 log_skip()
  32 {
  33         [ $VERBOSE -ne 0 ] && echo "$1"
  34         exit 4
  35 }
  36
  37 # Check efivar SecureBoot-$(the UUID) and SetupMode-$(the UUID).
  38 # (Based on kdump-lib.sh)
  39 get_efivarfs_secureboot_mode()
  40 {
  41         local efivarfs="/sys/firmware/efi/efivars"
  42         local secure_boot_file=""
  43         local setup_mode_file=""
  44         local secureboot_mode=0
  45         local setup_mode=0
  46
  47         # Make sure that efivar_fs is mounted in the normal location
  48         if ! grep -q "^\S\+ $efivarfs efivarfs" /proc/mounts; then
  49                 log_info "efivars is not mounted on $efivarfs"
  50                 return 0;
  51         fi
  52         secure_boot_file=$(find "$efivarfs" -name SecureBoot-* 2>/dev/null)
  53         setup_mode_file=$(find "$efivarfs" -name SetupMode-* 2>/dev/null)
  54         if [ -f "$secure_boot_file" ] && [ -f "$setup_mode_file" ]; then
  55                 secureboot_mode=$(hexdump -v -e '/1 "%d\ "' \
  56                         "$secure_boot_file"|cut -d' ' -f 5)
  57                 setup_mode=$(hexdump -v -e '/1 "%d\ "' \
  58                         "$setup_mode_file"|cut -d' ' -f 5)
  59
  60                 if [ $secureboot_mode -eq 1 ] && [ $setup_mode -eq 0 ]; then
  61                         log_info "secure boot mode enabled (CONFIG_EFIVAR_FS)"
  62                         return 1;
  63                 fi
  64         fi
  65         return 0;
  66 }
  67
  68 get_efi_var_secureboot_mode()
  69 {
  70         local efi_vars
  71         local secure_boot_file
  72         local setup_mode_file
  73         local secureboot_mode
  74         local setup_mode
  75
  76         if [ ! -d "$efi_vars" ]; then
  77                 log_skip "efi_vars is not enabled\n"
  78         fi
  79         secure_boot_file=$(find "$efi_vars" -name SecureBoot-* 2>/dev/null)
  80         setup_mode_file=$(find "$efi_vars" -name SetupMode-* 2>/dev/null)
  81         if [ -f "$secure_boot_file/data" ] && \
  82            [ -f "$setup_mode_file/data" ]; then
  83                 secureboot_mode=`od -An -t u1 "$secure_boot_file/data"`
  84                 setup_mode=`od -An -t u1 "$setup_mode_file/data"`
  85
  86                 if [ $secureboot_mode -eq 1 ] && [ $setup_mode -eq 0 ]; then
  87                         log_info "secure boot mode enabled (CONFIG_EFI_VARS)"
  88                         return 1;
  89                 fi
  90         fi
  91         return 0;
  92 }
  93
  94 # Check efivar SecureBoot-$(the UUID) and SetupMode-$(the UUID).
  95 # The secure boot mode can be accessed either as the last integer
  96 # of "od -An -t u1 /sys/firmware/efi/efivars/SecureBoot-*" or from
  97 # "od -An -t u1 /sys/firmware/efi/vars/SecureBoot-*/data".  The efi
  98 # SetupMode can be similarly accessed.
  99 # Return 1 for SecureBoot mode enabled and SetupMode mode disabled.
 100 get_secureboot_mode()
 101 {
 102         local secureboot_mode=0
 103
 104         get_efivarfs_secureboot_mode
 105         secureboot_mode=$?
 106
 107         # fallback to using the efi_var files
 108         if [ $secureboot_mode -eq 0 ]; then
 109                 get_efi_var_secureboot_mode
 110                 secureboot_mode=$?
 111         fi
 112
 113         if [ $secureboot_mode -eq 0 ]; then
 114                 log_info "secure boot mode not enabled"
 115         fi
 116         return $secureboot_mode;
 117 }
 118
 119 require_root_privileges()
 120 {
 121         if [ $(id -ru) -ne 0 ]; then
 122                 log_skip "requires root privileges"
 123         fi
 124 }
 125
 126 # Look for config option in Kconfig file.
 127 # Return 1 for found and 0 for not found.
 128 kconfig_enabled()
 129 {
 130         local config="$1"
 131         local msg="$2"
 132
 133         grep -E -q $config $IKCONFIG
 134         if [ $? -eq 0 ]; then
 135                 log_info "$msg"
 136                 return 1
 137         fi
 138         return 0
 139 }
 140
 141 # Attempt to get the kernel config first via proc, and then by
 142 # extracting it from the kernel image or the configs.ko using
 143 # scripts/extract-ikconfig.
 144 # Return 1 for found.
 145 get_kconfig()
 146 {
 147         local proc_config="/proc/config.gz"
 148         local module_dir="/lib/modules/`uname -r`"
 149         local configs_module="$module_dir/kernel/kernel/configs.ko"
 150
 151         if [ ! -f $proc_config ]; then
 152                 modprobe configs > /dev/null 2>&1
 153         fi
 154         if [ -f $proc_config ]; then
 155                 cat $proc_config | gunzip > $IKCONFIG 2>/dev/null
 156                 if [ $? -eq 0 ]; then
 157                         return 1
 158                 fi
 159         fi
 160
 161         local extract_ikconfig="$module_dir/source/scripts/extract-ikconfig"
 162         if [ ! -f $extract_ikconfig ]; then
 163                 log_skip "extract-ikconfig not found"
 164         fi
 165
 166         $extract_ikconfig $KERNEL_IMAGE > $IKCONFIG 2>/dev/null
 167         if [ $? -eq 1 ]; then
 168                 if [ ! -f $configs_module ]; then
 169                         log_skip "CONFIG_IKCONFIG not enabled"
 170                 fi
 171                 $extract_ikconfig $configs_module > $IKCONFIG
 172                 if [ $? -eq 1 ]; then
 173                         log_skip "CONFIG_IKCONFIG not enabled"
 174                 fi
 175         fi
 176         return 1
 177 }
 178
 179 # Make sure that securityfs is mounted
 180 mount_securityfs()
 181 {
 182         if [ -z $SECURITYFS ]; then
 183                 SECURITYFS=/sys/kernel/security
 184                 mount -t securityfs security $SECURITYFS
 185         fi
 186
 187         if [ ! -d "$SECURITYFS" ]; then
 188                 log_fail "$SECURITYFS :securityfs is not mounted"
 189         fi
 190 }
 191
 192 # The policy rule format is an "action" followed by key-value pairs.  This
 193 # function supports up to two key-value pairs, in any order.
 194 # For example: action func=<keyword> [appraise_type=<type>]
 195 # Return 1 for found and 0 for not found.
 196 check_ima_policy()
 197 {
 198         local action="$1"
 199         local keypair1="$2"
 200         local keypair2="$3"
 201         local ret=0
 202
 203         mount_securityfs
 204
 205         local ima_policy=$SECURITYFS/ima/policy
 206         if [ ! -e $ima_policy ]; then
 207                 log_fail "$ima_policy not found"
 208         fi
 209
 210         if [ -n $keypair2 ]; then
 211                 grep -e "^$action.*$keypair1" "$ima_policy" | \
 212                         grep -q -e "$keypair2"
 213         else
 214                 grep -q -e "^$action.*$keypair1" "$ima_policy"
 215         fi
 216
 217         # invert "grep -q" result, returning 1 for found.
 218         [ $? -eq 0 ] && ret=1
 219         return $ret
 220 }