Re: [PATCH v2 4/5] selftests/ima: kexec_file_load syscall test

From: Petr Vorel
Date: Thu Feb 28 2019 - 17:20:54 EST

Next message: Jon Flatley: "Re: [PATCH v2] wusb: use correct format characters"
Previous message: Mimi Zohar: "Re: [PULL REQUEST] Lock down patches"
In reply to: Petr Vorel: "Re: [PATCH v2 4/5] selftests/ima: kexec_file_load syscall test"
Next in thread: Mimi Zohar: "[PATCH v2 5/5] selftests/ima: loading kernel modules"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi Mimi,

> The kernel can be configured to verify PE signed kernel images, IMA
> kernel image signatures, both types of signatures, or none. This test
> verifies only properly signed kernel images are loaded into memory,
> based on the kernel configuration and runtime policies.

> Signed-off-by: Mimi Zohar <zohar@xxxxxxxxxxxxx>

> --- a/tools/testing/selftests/ima/common_lib.sh
...
> +# Look for config option in Kconfig file.
> +# Return 1 for found and 0 for not found.
I'd revert the return value (for shell is 0 as ok),
but matter of preference.
> +kconfig_enabled()
> +{
> + local config="$1"
> + local msg="$2"
> +
> + grep -E -q $config $IKCONFIG
> + if [ $? -eq 0 ]; then
> + log_info "$msg"
> + return 1
> + fi
> + return 0
> +}
> +
> +# Attempt to get the kernel config first via proc, and then by
> +# extracting it from the kernel image or the configs.ko using
> +# scripts/extract-ikconfig.
> +# Return 1 for found and 0 for not found.
"and 0 for not found": This is not true as it uses log_skip which exits.
And you don't read this value anywhere.
> +get_kconfig()
> +{
> + local proc_config="/proc/config.gz"
> + local module_dir="/lib/modules/`uname -r`"
> + local configs_module="$module_dir/kernel/kernel/configs.ko"
> +
> + if [ ! -f $proc_config ]; then
> + modprobe configs > /dev/null 2>&1
> + fi
> + if [ -f $proc_config ]; then
> + cat $proc_config | gunzip > $IKCONFIG 2>/dev/null
> + if [ $? -eq 0 ]; then
> + return 1
> + fi
> + fi
> +
> + local extract_ikconfig="$module_dir/source/scripts/extract-ikconfig"
> + if [ ! -f $extract_ikconfig ]; then
> + log_skip "extract-ikconfig not found"
> + fi
> +
> + $extract_ikconfig $KERNEL_IMAGE > $IKCONFIG 2>/dev/null
> + if [ $? -eq 1 ]; then
> + if [ ! -f $configs_module ]; then
> + log_skip "CONFIG_IKCONFIG not enabled"
> + fi
> + $extract_ikconfig $configs_module > $IKCONFIG
> + if [ $? -eq 1 ]; then
> + log_skip "CONFIG_IKCONFIG not enabled"
> + fi
> + fi
> + return 1
> +}

Kind regards,
Petr

Next message: Jon Flatley: "Re: [PATCH v2] wusb: use correct format characters"
Previous message: Mimi Zohar: "Re: [PULL REQUEST] Lock down patches"
In reply to: Petr Vorel: "Re: [PATCH v2 4/5] selftests/ima: kexec_file_load syscall test"
Next in thread: Mimi Zohar: "[PATCH v2 5/5] selftests/ima: loading kernel modules"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]