Commit cbc0425d authored by Mimi Zohar's avatar Mimi Zohar

sefltest/ima: support appended signatures (modsig)

In addition to the PE/COFF and IMA xattr signatures, the kexec kernel
image can be signed with an appended signature, using the same
scripts/sign-file tool that is used to sign kernel modules.

This patch adds support for detecting a kernel image signed with an
appended signature and updates the existing test messages
appropriately.
Reviewed-by: default avatarPetr Vorel <pvorel@suse.cz>
Acked-by: default avatarShuah Khan <skhan@linuxfoundation.org>
Reviewed-by: default avatarThiago Jung Bauermann <bauerman@linux.ibm.com>
Reviewed-by: Jordan Hand <jorhand@linux.microsoft.com> (x86_64 QEMU)
Tested-by: Jordan Hand <jorhand@linux.microsoft.com> (x86_64 QEMU)
Signed-off-by: default avatarMimi Zohar <zohar@linux.ibm.com>
parent 556d971b
...@@ -37,12 +37,21 @@ is_ima_sig_required() ...@@ -37,12 +37,21 @@ is_ima_sig_required()
# sequentially. As a result, a policy rule may be defined, but # sequentially. As a result, a policy rule may be defined, but
# might not necessarily be used. This test assumes if a policy # might not necessarily be used. This test assumes if a policy
# rule is specified, that is the intent. # rule is specified, that is the intent.
# First check for appended signature (modsig), then xattr
if [ $ima_read_policy -eq 1 ]; then if [ $ima_read_policy -eq 1 ]; then
check_ima_policy "appraise" "func=KEXEC_KERNEL_CHECK" \
"appraise_type=imasig|modsig"
ret=$?
if [ $ret -eq 1 ]; then
log_info "IMA or appended(modsig) signature required"
else
check_ima_policy "appraise" "func=KEXEC_KERNEL_CHECK" \ check_ima_policy "appraise" "func=KEXEC_KERNEL_CHECK" \
"appraise_type=imasig" "appraise_type=imasig"
ret=$? ret=$?
[ $ret -eq 1 ] && log_info "IMA signature required"; [ $ret -eq 1 ] && log_info "IMA signature required";
fi fi
fi
return $ret return $ret
} }
...@@ -84,6 +93,22 @@ check_for_imasig() ...@@ -84,6 +93,22 @@ check_for_imasig()
return $ret return $ret
} }
# Return 1 for appended signature (modsig) found and 0 for not found.
check_for_modsig()
{
local module_sig_string="~Module signature appended~"
local sig="$(tail --bytes $((${#module_sig_string} + 1)) $KERNEL_IMAGE)"
local ret=0
if [ "$sig" == "$module_sig_string" ]; then
ret=1
log_info "kexec kernel image modsig signed"
else
log_info "kexec kernel image not modsig signed"
fi
return $ret
}
kexec_file_load_test() kexec_file_load_test()
{ {
local succeed_msg="kexec_file_load succeeded" local succeed_msg="kexec_file_load succeeded"
...@@ -98,7 +123,8 @@ kexec_file_load_test() ...@@ -98,7 +123,8 @@ kexec_file_load_test()
# In secureboot mode with an architecture specific # In secureboot mode with an architecture specific
# policy, make sure either an IMA or PE signature exists. # policy, make sure either an IMA or PE signature exists.
if [ $secureboot -eq 1 ] && [ $arch_policy -eq 1 ] && \ if [ $secureboot -eq 1 ] && [ $arch_policy -eq 1 ] && \
[ $ima_signed -eq 0 ] && [ $pe_signed -eq 0 ]; then [ $ima_signed -eq 0 ] && [ $pe_signed -eq 0 ] \
&& [ $ima_modsig -eq 0 ]; then
log_fail "$succeed_msg (missing sig)" log_fail "$succeed_msg (missing sig)"
fi fi
...@@ -107,7 +133,8 @@ kexec_file_load_test() ...@@ -107,7 +133,8 @@ kexec_file_load_test()
log_fail "$succeed_msg (missing PE sig)" log_fail "$succeed_msg (missing PE sig)"
fi fi
if [ $ima_sig_required -eq 1 ] && [ $ima_signed -eq 0 ]; then if [ $ima_sig_required -eq 1 ] && [ $ima_signed -eq 0 ] \
&& [ $ima_modsig -eq 0 ]; then
log_fail "$succeed_msg (missing IMA sig)" log_fail "$succeed_msg (missing IMA sig)"
fi fi
...@@ -204,5 +231,8 @@ pe_signed=$? ...@@ -204,5 +231,8 @@ pe_signed=$?
check_for_imasig check_for_imasig
ima_signed=$? ima_signed=$?
check_for_modsig
ima_modsig=$?
# Test loading the kernel image via kexec_file_load syscall # Test loading the kernel image via kexec_file_load syscall
kexec_file_load_test kexec_file_load_test
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment