mirror of
https://github.com/torvalds/linux.git
synced 2024-12-13 06:32:50 +00:00
b433a52aa2
The get_secureboot_mode() function unnecessarily requires both CONFIG_EFIVAR_FS and CONFIG_EFI_VARS to be enabled to determine if the system is booted in secure boot mode. On some systems the old EFI variable support is not enabled or, possibly, even implemented. This patch first checks the efivars filesystem for the SecureBoot and SetupMode flags, but falls back to using the old EFI variable support. The "secure_boot_file" and "setup_mode_file" couldn't be quoted due to globbing. This patch also removes the globbing. Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> Reviewed-by: Petr Vorel <pvorel@suse.cz> Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
221 lines
5.3 KiB
Bash
Executable File
221 lines
5.3 KiB
Bash
Executable File
#!/bin/sh
|
|
# SPDX-License-Identifier: GPL-2.0
|
|
#
|
|
# Kselftest framework defines: ksft_pass=0, ksft_fail=1, ksft_skip=4
|
|
|
|
VERBOSE="${VERBOSE:-1}"
|
|
IKCONFIG="/tmp/config-`uname -r`"
|
|
KERNEL_IMAGE="/boot/vmlinuz-`uname -r`"
|
|
SECURITYFS=$(grep "securityfs" /proc/mounts | awk '{print $2}')
|
|
|
|
log_info()
|
|
{
|
|
[ $VERBOSE -ne 0 ] && echo "[INFO] $1"
|
|
}
|
|
|
|
# The ksefltest framework requirement returns 0 for PASS.
|
|
log_pass()
|
|
{
|
|
[ $VERBOSE -ne 0 ] && echo "$1 [PASS]"
|
|
exit 0
|
|
}
|
|
|
|
# The ksefltest framework requirement returns 1 for FAIL.
|
|
log_fail()
|
|
{
|
|
[ $VERBOSE -ne 0 ] && echo "$1 [FAIL]"
|
|
exit 1
|
|
}
|
|
|
|
# The ksefltest framework requirement returns 4 for SKIP.
|
|
log_skip()
|
|
{
|
|
[ $VERBOSE -ne 0 ] && echo "$1"
|
|
exit 4
|
|
}
|
|
|
|
# Check efivar SecureBoot-$(the UUID) and SetupMode-$(the UUID).
|
|
# (Based on kdump-lib.sh)
|
|
get_efivarfs_secureboot_mode()
|
|
{
|
|
local efivarfs="/sys/firmware/efi/efivars"
|
|
local secure_boot_file=""
|
|
local setup_mode_file=""
|
|
local secureboot_mode=0
|
|
local setup_mode=0
|
|
|
|
# Make sure that efivar_fs is mounted in the normal location
|
|
if ! grep -q "^\S\+ $efivarfs efivarfs" /proc/mounts; then
|
|
log_info "efivars is not mounted on $efivarfs"
|
|
return 0;
|
|
fi
|
|
secure_boot_file=$(find "$efivarfs" -name SecureBoot-* 2>/dev/null)
|
|
setup_mode_file=$(find "$efivarfs" -name SetupMode-* 2>/dev/null)
|
|
if [ -f "$secure_boot_file" ] && [ -f "$setup_mode_file" ]; then
|
|
secureboot_mode=$(hexdump -v -e '/1 "%d\ "' \
|
|
"$secure_boot_file"|cut -d' ' -f 5)
|
|
setup_mode=$(hexdump -v -e '/1 "%d\ "' \
|
|
"$setup_mode_file"|cut -d' ' -f 5)
|
|
|
|
if [ $secureboot_mode -eq 1 ] && [ $setup_mode -eq 0 ]; then
|
|
log_info "secure boot mode enabled (CONFIG_EFIVAR_FS)"
|
|
return 1;
|
|
fi
|
|
fi
|
|
return 0;
|
|
}
|
|
|
|
get_efi_var_secureboot_mode()
|
|
{
|
|
local efi_vars
|
|
local secure_boot_file
|
|
local setup_mode_file
|
|
local secureboot_mode
|
|
local setup_mode
|
|
|
|
if [ ! -d "$efi_vars" ]; then
|
|
log_skip "efi_vars is not enabled\n"
|
|
fi
|
|
secure_boot_file=$(find "$efi_vars" -name SecureBoot-* 2>/dev/null)
|
|
setup_mode_file=$(find "$efi_vars" -name SetupMode-* 2>/dev/null)
|
|
if [ -f "$secure_boot_file/data" ] && \
|
|
[ -f "$setup_mode_file/data" ]; then
|
|
secureboot_mode=`od -An -t u1 "$secure_boot_file/data"`
|
|
setup_mode=`od -An -t u1 "$setup_mode_file/data"`
|
|
|
|
if [ $secureboot_mode -eq 1 ] && [ $setup_mode -eq 0 ]; then
|
|
log_info "secure boot mode enabled (CONFIG_EFI_VARS)"
|
|
return 1;
|
|
fi
|
|
fi
|
|
return 0;
|
|
}
|
|
|
|
# Check efivar SecureBoot-$(the UUID) and SetupMode-$(the UUID).
|
|
# The secure boot mode can be accessed either as the last integer
|
|
# of "od -An -t u1 /sys/firmware/efi/efivars/SecureBoot-*" or from
|
|
# "od -An -t u1 /sys/firmware/efi/vars/SecureBoot-*/data". The efi
|
|
# SetupMode can be similarly accessed.
|
|
# Return 1 for SecureBoot mode enabled and SetupMode mode disabled.
|
|
get_secureboot_mode()
|
|
{
|
|
local secureboot_mode=0
|
|
|
|
get_efivarfs_secureboot_mode
|
|
secureboot_mode=$?
|
|
|
|
# fallback to using the efi_var files
|
|
if [ $secureboot_mode -eq 0 ]; then
|
|
get_efi_var_secureboot_mode
|
|
secureboot_mode=$?
|
|
fi
|
|
|
|
if [ $secureboot_mode -eq 0 ]; then
|
|
log_info "secure boot mode not enabled"
|
|
fi
|
|
return $secureboot_mode;
|
|
}
|
|
|
|
require_root_privileges()
|
|
{
|
|
if [ $(id -ru) -ne 0 ]; then
|
|
log_skip "requires root privileges"
|
|
fi
|
|
}
|
|
|
|
# Look for config option in Kconfig file.
|
|
# Return 1 for found and 0 for not found.
|
|
kconfig_enabled()
|
|
{
|
|
local config="$1"
|
|
local msg="$2"
|
|
|
|
grep -E -q $config $IKCONFIG
|
|
if [ $? -eq 0 ]; then
|
|
log_info "$msg"
|
|
return 1
|
|
fi
|
|
return 0
|
|
}
|
|
|
|
# Attempt to get the kernel config first via proc, and then by
|
|
# extracting it from the kernel image or the configs.ko using
|
|
# scripts/extract-ikconfig.
|
|
# Return 1 for found.
|
|
get_kconfig()
|
|
{
|
|
local proc_config="/proc/config.gz"
|
|
local module_dir="/lib/modules/`uname -r`"
|
|
local configs_module="$module_dir/kernel/kernel/configs.ko"
|
|
|
|
if [ ! -f $proc_config ]; then
|
|
modprobe configs > /dev/null 2>&1
|
|
fi
|
|
if [ -f $proc_config ]; then
|
|
cat $proc_config | gunzip > $IKCONFIG 2>/dev/null
|
|
if [ $? -eq 0 ]; then
|
|
return 1
|
|
fi
|
|
fi
|
|
|
|
local extract_ikconfig="$module_dir/source/scripts/extract-ikconfig"
|
|
if [ ! -f $extract_ikconfig ]; then
|
|
log_skip "extract-ikconfig not found"
|
|
fi
|
|
|
|
$extract_ikconfig $KERNEL_IMAGE > $IKCONFIG 2>/dev/null
|
|
if [ $? -eq 1 ]; then
|
|
if [ ! -f $configs_module ]; then
|
|
log_skip "CONFIG_IKCONFIG not enabled"
|
|
fi
|
|
$extract_ikconfig $configs_module > $IKCONFIG
|
|
if [ $? -eq 1 ]; then
|
|
log_skip "CONFIG_IKCONFIG not enabled"
|
|
fi
|
|
fi
|
|
return 1
|
|
}
|
|
|
|
# Make sure that securityfs is mounted
|
|
mount_securityfs()
|
|
{
|
|
if [ -z $SECURITYFS ]; then
|
|
SECURITYFS=/sys/kernel/security
|
|
mount -t securityfs security $SECURITYFS
|
|
fi
|
|
|
|
if [ ! -d "$SECURITYFS" ]; then
|
|
log_fail "$SECURITYFS :securityfs is not mounted"
|
|
fi
|
|
}
|
|
|
|
# The policy rule format is an "action" followed by key-value pairs. This
|
|
# function supports up to two key-value pairs, in any order.
|
|
# For example: action func=<keyword> [appraise_type=<type>]
|
|
# Return 1 for found and 0 for not found.
|
|
check_ima_policy()
|
|
{
|
|
local action="$1"
|
|
local keypair1="$2"
|
|
local keypair2="$3"
|
|
local ret=0
|
|
|
|
mount_securityfs
|
|
|
|
local ima_policy=$SECURITYFS/ima/policy
|
|
if [ ! -e $ima_policy ]; then
|
|
log_fail "$ima_policy not found"
|
|
fi
|
|
|
|
if [ -n $keypair2 ]; then
|
|
grep -e "^$action.*$keypair1" "$ima_policy" | \
|
|
grep -q -e "$keypair2"
|
|
else
|
|
grep -q -e "^$action.*$keypair1" "$ima_policy"
|
|
fi
|
|
|
|
# invert "grep -q" result, returning 1 for found.
|
|
[ $? -eq 0 ] && ret=1
|
|
return $ret
|
|
}
|