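#!/bin/sh
# SPDX-License-Identifier: GPL-2.0
#
# Prevent loading a kernel image via the kexec_load syscall when
# signatures are required.  (Dependent on CONFIG_IMA_ARCH_POLICY.)
#
# Expected outcome, as encoded by the checks at the bottom of this file:
#   secure boot on AND CONFIG_IMA_ARCH_POLICY=y -> kexec_load must be refused
#   any other combination                       -> kexec_load must succeed
#
# Return-value convention: as used below, kconfig_enabled and
# get_secureboot_mode report 1 for "enabled" and 0 for "not enabled",
# i.e. the reverse of the usual shell success/failure convention.
# Both helpers come from kexec_common_lib.sh -- confirm there.

TEST="$0"
. ./kexec_common_lib.sh

# kexec requires root privileges
require_root_privileges

# get the kernel config
get_kconfig

# Nothing to test when the kexec_load syscall is not built in.
kconfig_enabled "CONFIG_KEXEC=y" "kexec_load is enabled"
kexec_enabled=$?
if [ "$kexec_enabled" -eq 0 ]; then
	log_skip "kexec_load is not enabled"
fi

kconfig_enabled "CONFIG_IMA_APPRAISE=y" "IMA enabled"
ima_appraise=$?

kconfig_enabled "CONFIG_IMA_ARCH_POLICY=y" \
	"IMA architecture specific policy enabled"
arch_policy=$?

get_secureboot_mode
secureboot=$?

# kexec_load should fail in secure boot mode and CONFIG_IMA_ARCH_POLICY enabled
#
# KERNEL_IMAGE is not set in this file; presumably kexec_common_lib.sh
# provides it -- confirm.  It is quoted so that a path containing spaces
# or glob characters reaches kexec as a single argument.
if kexec --load "$KERNEL_IMAGE" > /dev/null 2>&1; then
	# Drop the staged image straight away so the test leaves no kernel
	# queued for a later "kexec -e".  The unload status is not checked.
	kexec --unload
	if [ "$secureboot" -eq 1 ] && [ "$arch_policy" -eq 1 ]; then
		# The load was accepted where signatures are required.
		# log_fail is presumably terminal (otherwise the log_pass
		# below would also run) -- confirm in kexec_common_lib.sh.
		log_fail "kexec_load succeeded"
	elif [ "$ima_appraise" -eq 0 ] || [ "$arch_policy" -eq 0 ]; then
		log_info "Either IMA or the IMA arch policy is not enabled"
	fi
	log_pass "kexec_load succeeded"
else
	if [ "$secureboot" -eq 1 ] && [ "$arch_policy" -eq 1 ]; then
		# Refusal is the enforced behaviour in this configuration.
		log_pass "kexec_load failed"
	else
		# Nothing visible here should have blocked the load.
		log_fail "kexec_load failed"
	fi
fi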