18c2ecf20Sopenharmony_ci#!/bin/sh 28c2ecf20Sopenharmony_ci# SPDX-License-Identifier: GPL-2.0 38c2ecf20Sopenharmony_ci# 48c2ecf20Sopenharmony_ci# Prevent loading a kernel image via the kexec_load syscall when 58c2ecf20Sopenharmony_ci# signatures are required. (Dependent on CONFIG_IMA_ARCH_POLICY.) 68c2ecf20Sopenharmony_ci 78c2ecf20Sopenharmony_ciTEST="$0" 88c2ecf20Sopenharmony_ci. ./kexec_common_lib.sh 98c2ecf20Sopenharmony_ci 108c2ecf20Sopenharmony_ci# kexec requires root privileges 118c2ecf20Sopenharmony_cirequire_root_privileges 128c2ecf20Sopenharmony_ci 138c2ecf20Sopenharmony_ci# get the kernel config 148c2ecf20Sopenharmony_ciget_kconfig 158c2ecf20Sopenharmony_ci 168c2ecf20Sopenharmony_cikconfig_enabled "CONFIG_KEXEC=y" "kexec_load is enabled" 178c2ecf20Sopenharmony_ciif [ $? -eq 0 ]; then 188c2ecf20Sopenharmony_ci log_skip "kexec_load is not enabled" 198c2ecf20Sopenharmony_cifi 208c2ecf20Sopenharmony_ci 218c2ecf20Sopenharmony_cikconfig_enabled "CONFIG_IMA_APPRAISE=y" "IMA enabled" 228c2ecf20Sopenharmony_ciima_appraise=$? 238c2ecf20Sopenharmony_ci 248c2ecf20Sopenharmony_cikconfig_enabled "CONFIG_IMA_ARCH_POLICY=y" \ 258c2ecf20Sopenharmony_ci "IMA architecture specific policy enabled" 268c2ecf20Sopenharmony_ciarch_policy=$? 278c2ecf20Sopenharmony_ci 288c2ecf20Sopenharmony_ciget_secureboot_mode 298c2ecf20Sopenharmony_cisecureboot=$? 308c2ecf20Sopenharmony_ci 318c2ecf20Sopenharmony_ci# kexec_load should fail in secure boot mode and CONFIG_IMA_ARCH_POLICY enabled 328c2ecf20Sopenharmony_cikexec --load $KERNEL_IMAGE > /dev/null 2>&1 338c2ecf20Sopenharmony_ciif [ $? -eq 0 ]; then 348c2ecf20Sopenharmony_ci kexec --unload 358c2ecf20Sopenharmony_ci if [ $secureboot -eq 1 ] && [ $arch_policy -eq 1 ]; then 368c2ecf20Sopenharmony_ci log_fail "kexec_load succeeded" 378c2ecf20Sopenharmony_ci elif [ $ima_appraise -eq 0 -o $arch_policy -eq 0 ]; then 388c2ecf20Sopenharmony_ci log_info "Either IMA or the IMA arch policy is not enabled" 398c2ecf20Sopenharmony_ci fi 408c2ecf20Sopenharmony_ci log_pass "kexec_load succeeded" 418c2ecf20Sopenharmony_cielse 428c2ecf20Sopenharmony_ci if [ $secureboot -eq 1 ] && [ $arch_policy -eq 1 ] ; then 438c2ecf20Sopenharmony_ci log_pass "kexec_load failed" 448c2ecf20Sopenharmony_ci else 458c2ecf20Sopenharmony_ci log_fail "kexec_load failed" 468c2ecf20Sopenharmony_ci fi 478c2ecf20Sopenharmony_cifi 48