kexec: enable lockdown tests

Mimi Zohar Tue, 03 Jan 2023 08:51:11 -0800

Hi Coiby,

On Fri, 2022-12-30 at 14:58 +0800, Coiby Xu wrote:
> When lockdown is enabled, kexec_load syscall should always fail.
> 
> For kexec_file_load, when lockdown is enabled, it should
>  - fail of missing PE signature when KEXEC_SIG is enabled
>  - fail of missing IMA signature when KEXEC_SIG is disabled


Appended kernel image signatures are supported, but differently on
powerpc and s390.  For s390, KEXEC_SIG is enabled.  For completeness
the above statements should reflect appended signatures.

> 
> Before this patch, test_kexec_load.sh fails (false positive) and
> test_kexec_file_load.sh fails without a reason when lockdown enabled and
> KEXEC_SIG disabled,
> 
>     # kexec_load failed [FAIL]
>     not ok 1 selftests: kexec: test_kexec_load.sh # exit=1
>     # kexec_file_load failed [PASS]
>     ok 2 selftests: kexec: test_kexec_file_load.sh
> 
> After this patch, test_kexec_load.sh succeeds and
> test_kexec_file_load.sh fails with the correct reason when lockdown
> enabled and KEXEC_SIG disabled,
> 
>     # kexec_load failed [PASS]
>     ok 1 selftests: kexec: test_kexec_load.sh
>     # kexec_file_load failed (missing IMA sig) [PASS]
>     ok 2 selftests: kexec: test_kexec_file_load.sh
> 
> Cc: [email protected]
> Cc: [email protected]
> Suggested-by: Mimi Zohar <[email protected]>
> Signed-off-by: Coiby Xu <[email protected]>
> ---
>  .../selftests/kexec/kexec_common_lib.sh       | 16 +++++++++++
>  .../selftests/kexec/test_kexec_file_load.sh   | 27 +++++++++++++++++++
>  .../selftests/kexec/test_kexec_load.sh        | 12 ++++++---
>  3 files changed, 52 insertions(+), 3 deletions(-)
> 
> diff --git a/tools/testing/selftests/kexec/kexec_common_lib.sh 
> b/tools/testing/selftests/kexec/kexec_common_lib.sh
> index 641ef05863b2..06c298b46788 100755
> --- a/tools/testing/selftests/kexec/kexec_common_lib.sh
> +++ b/tools/testing/selftests/kexec/kexec_common_lib.sh
> @@ -110,6 +110,22 @@ get_secureboot_mode()
>       return $secureboot_mode;
>  }
>  
> +is_lockdown_enabled()
> +{
> +     local ret=0
> +
> +     if [ -f /sys/kernel/security/lockdown ] \
> +          && ! grep -qs "\[none\]" /sys/kernel/security/lockdown; then
> +             ret=1
> +     fi
> +
> +     if [ $ret -eq 0 ]; then
> +             log_info "lockdown not enabled"
> +     fi
> +
> +     return $ret
> +}
> +
>  require_root_privileges()
>  {
>       if [ $(id -ru) -ne 0 ]; then
> diff --git a/tools/testing/selftests/kexec/test_kexec_file_load.sh 
> b/tools/testing/selftests/kexec/test_kexec_file_load.sh
> index c9ccb3c93d72..790f96938083 100755
> --- a/tools/testing/selftests/kexec/test_kexec_file_load.sh
> +++ b/tools/testing/selftests/kexec/test_kexec_file_load.sh
> @@ -139,6 +139,16 @@ kexec_file_load_test()
>                       log_fail "$succeed_msg (missing IMA sig)"
>               fi
>  
> +             if [ $lockdown -eq 1 ] && [ $kexec_sig_enabled -eq 1 ] \
> +                  && [ $pe_signed -eq 0 ]; then
> +                     log_fail "$succeed_msg (missing PE sig)"
> +             fi

CONFIG_KEXEC_SIG being enabled does not require signature verification
to be enforced.  When the CONFIG_IMA_ARCH_POLICY is enabled, IMA
requires kexec signature verification.  Also on s390, CONFIG_KEXEC_SIG
verifies an appended signature, not a PE signature.  Instead of the
"missing PE sig" message, perhaps indicate lockdown requires kexec
signature verification. 

> +
> +             if [ $lockdown -eq 1 ] && [ $kexec_sig_enabled -eq 0 ] && [ 
> $ima_signed -eq 0 ] \
> +                  && [ $ima_modsig -eq 0 ]; then
> +                     log_fail "$succeed_msg (missing IMA sig)"
> +             fi
> +

Similarly, only if IMA is enabled and requires the kexec signature
verficiation should this message be emitted.  Perhaps a single generic
lockdown message would be sufficient for both.

>               if [ $pe_sig_required -eq 0 ] && [ $ima_appraise -eq 1 ] \
>                   && [ $ima_sig_required -eq 0 ] && [ $ima_signed -eq 0 ] \
>                   && [ $ima_read_policy -eq 0 ]; then
> @@ -181,6 +191,16 @@ kexec_file_load_test()
>               log_pass "$failed_msg (possibly missing IMA sig)"
>       fi
>  
> +     if [ $lockdown -eq 1 ] && [ $kexec_sig_enabled -eq 1 ] \
> +         && [ $pe_signed -eq 0 ]; then
> +             log_pass "$failed_msg (missing PE sig)"
> +     fi
> +
> +     if [ $lockdown -eq 1 ] && [ $kexec_sig_enabled -eq 0 ] \
> +         && [ $ima_signed -eq 0 ] && [ $ima_modsig -eq 0 ]; then
> +             log_pass "$failed_msg (missing IMA sig)"
> +     fi
> +

Similar comments as above.

-- 
thanks,

Mimi


_______________________________________________
kexec mailing list
[email protected]
http://lists.infradead.org/mailman/listinfo/kexec

Re: [PATCH v3 2/2] selftests/kexec: enable lockdown tests

Reply via email to