[v3,2/2] selftests/kexec: enable lockdown tests

Message ID 20221230065850.897967-2-coxu@redhat.com
State New
Headers
Series [v3,1/2] lockdown: kexec_file: prevent unsigned kernel image when KEXEC_SIG not enabled |

Commit Message

Coiby Xu Dec. 30, 2022, 6:58 a.m. UTC
  When lockdown is enabled, kexec_load syscall should always fail.

For kexec_file_load, when lockdown is enabled, it should
 - fail of missing PE signature when KEXEC_SIG is enabled
 - fail of missing IMA signature when KEXEC_SIG is disabled

Before this patch, test_kexec_load.sh fails (false positive) and
test_kexec_file_load.sh fails without a reason when lockdown enabled and
KEXEC_SIG disabled,

    # kexec_load failed [FAIL]
    not ok 1 selftests: kexec: test_kexec_load.sh # exit=1
    # kexec_file_load failed [PASS]
    ok 2 selftests: kexec: test_kexec_file_load.sh

After this patch, test_kexec_load.sh succeeds and
test_kexec_file_load.sh fails with the correct reason when lockdown
enabled and KEXEC_SIG disabled,

    # kexec_load failed [PASS]
    ok 1 selftests: kexec: test_kexec_load.sh
    # kexec_file_load failed (missing IMA sig) [PASS]
    ok 2 selftests: kexec: test_kexec_file_load.sh

Cc: kexec@lists.infradead.org
Cc: linux-integrity@vger.kernel.org
Suggested-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Coiby Xu <coxu@redhat.com>
---
 .../selftests/kexec/kexec_common_lib.sh       | 16 +++++++++++
 .../selftests/kexec/test_kexec_file_load.sh   | 27 +++++++++++++++++++
 .../selftests/kexec/test_kexec_load.sh        | 12 ++++++---
 3 files changed, 52 insertions(+), 3 deletions(-)
  

Comments

Mimi Zohar Jan. 3, 2023, 1:48 p.m. UTC | #1
Hi Coiby,

On Fri, 2022-12-30 at 14:58 +0800, Coiby Xu wrote:
> When lockdown is enabled, kexec_load syscall should always fail.
> 
> For kexec_file_load, when lockdown is enabled, it should
>  - fail of missing PE signature when KEXEC_SIG is enabled
>  - fail of missing IMA signature when KEXEC_SIG is disabled

Appended kernel image signatures are supported, but differently on
powerpc and s390.  For s390, KEXEC_SIG is enabled.  For completeness
the above statements should reflect appended signatures.

> 
> Before this patch, test_kexec_load.sh fails (false positive) and
> test_kexec_file_load.sh fails without a reason when lockdown enabled and
> KEXEC_SIG disabled,
> 
>     # kexec_load failed [FAIL]
>     not ok 1 selftests: kexec: test_kexec_load.sh # exit=1
>     # kexec_file_load failed [PASS]
>     ok 2 selftests: kexec: test_kexec_file_load.sh
> 
> After this patch, test_kexec_load.sh succeeds and
> test_kexec_file_load.sh fails with the correct reason when lockdown
> enabled and KEXEC_SIG disabled,
> 
>     # kexec_load failed [PASS]
>     ok 1 selftests: kexec: test_kexec_load.sh
>     # kexec_file_load failed (missing IMA sig) [PASS]
>     ok 2 selftests: kexec: test_kexec_file_load.sh
> 
> Cc: kexec@lists.infradead.org
> Cc: linux-integrity@vger.kernel.org
> Suggested-by: Mimi Zohar <zohar@linux.ibm.com>
> Signed-off-by: Coiby Xu <coxu@redhat.com>
> ---
>  .../selftests/kexec/kexec_common_lib.sh       | 16 +++++++++++
>  .../selftests/kexec/test_kexec_file_load.sh   | 27 +++++++++++++++++++
>  .../selftests/kexec/test_kexec_load.sh        | 12 ++++++---
>  3 files changed, 52 insertions(+), 3 deletions(-)
> 
> diff --git a/tools/testing/selftests/kexec/kexec_common_lib.sh b/tools/testing/selftests/kexec/kexec_common_lib.sh
> index 641ef05863b2..06c298b46788 100755
> --- a/tools/testing/selftests/kexec/kexec_common_lib.sh
> +++ b/tools/testing/selftests/kexec/kexec_common_lib.sh
> @@ -110,6 +110,22 @@ get_secureboot_mode()
>  	return $secureboot_mode;
>  }
>  
> +is_lockdown_enabled()
> +{
> +	local ret=0
> +
> +	if [ -f /sys/kernel/security/lockdown ] \
> +	     && ! grep -qs "\[none\]" /sys/kernel/security/lockdown; then
> +		ret=1
> +	fi
> +
> +	if [ $ret -eq 0 ]; then
> +		log_info "lockdown not enabled"
> +	fi
> +
> +	return $ret
> +}
> +
>  require_root_privileges()
>  {
>  	if [ $(id -ru) -ne 0 ]; then
> diff --git a/tools/testing/selftests/kexec/test_kexec_file_load.sh b/tools/testing/selftests/kexec/test_kexec_file_load.sh
> index c9ccb3c93d72..790f96938083 100755
> --- a/tools/testing/selftests/kexec/test_kexec_file_load.sh
> +++ b/tools/testing/selftests/kexec/test_kexec_file_load.sh
> @@ -139,6 +139,16 @@ kexec_file_load_test()
>  			log_fail "$succeed_msg (missing IMA sig)"
>  		fi
>  
> +		if [ $lockdown -eq 1 ] && [ $kexec_sig_enabled -eq 1 ] \
> +		     && [ $pe_signed -eq 0 ]; then
> +			log_fail "$succeed_msg (missing PE sig)"
> +		fi

CONFIG_KEXEC_SIG being enabled does not require signature verification
to be enforced.  When the CONFIG_IMA_ARCH_POLICY is enabled, IMA
requires kexec signature verification.  Also on s390, CONFIG_KEXEC_SIG
verifies an appended signature, not a PE signature.  Instead of the
"missing PE sig" message, perhaps indicate lockdown requires kexec
signature verification. 

> +
> +		if [ $lockdown -eq 1 ] && [ $kexec_sig_enabled -eq 0 ] && [ $ima_signed -eq 0 ] \
> +		     && [ $ima_modsig -eq 0 ]; then
> +			log_fail "$succeed_msg (missing IMA sig)"
> +		fi
> +

Similarly, only if IMA is enabled and requires the kexec signature
verficiation should this message be emitted.  Perhaps a single generic
lockdown message would be sufficient for both.

>  		if [ $pe_sig_required -eq 0 ] && [ $ima_appraise -eq 1 ] \
>  		    && [ $ima_sig_required -eq 0 ] && [ $ima_signed -eq 0 ] \
>  	            && [ $ima_read_policy -eq 0 ]; then
> @@ -181,6 +191,16 @@ kexec_file_load_test()
>  		log_pass "$failed_msg (possibly missing IMA sig)"
>  	fi
>  
> +	if [ $lockdown -eq 1 ] && [ $kexec_sig_enabled -eq 1 ] \
> +	    && [ $pe_signed -eq 0 ]; then
> +		log_pass "$failed_msg (missing PE sig)"
> +	fi
> +
> +	if [ $lockdown -eq 1 ] && [ $kexec_sig_enabled -eq 0 ] \
> +	    && [ $ima_signed -eq 0 ] && [ $ima_modsig -eq 0 ]; then
> +		log_pass "$failed_msg (missing IMA sig)"
> +	fi
> +

Similar comments as above.
  

Patch

diff --git a/tools/testing/selftests/kexec/kexec_common_lib.sh b/tools/testing/selftests/kexec/kexec_common_lib.sh
index 641ef05863b2..06c298b46788 100755
--- a/tools/testing/selftests/kexec/kexec_common_lib.sh
+++ b/tools/testing/selftests/kexec/kexec_common_lib.sh
@@ -110,6 +110,22 @@  get_secureboot_mode()
 	return $secureboot_mode;
 }
 
+is_lockdown_enabled()
+{
+	local ret=0
+
+	if [ -f /sys/kernel/security/lockdown ] \
+	     && ! grep -qs "\[none\]" /sys/kernel/security/lockdown; then
+		ret=1
+	fi
+
+	if [ $ret -eq 0 ]; then
+		log_info "lockdown not enabled"
+	fi
+
+	return $ret
+}
+
 require_root_privileges()
 {
 	if [ $(id -ru) -ne 0 ]; then
diff --git a/tools/testing/selftests/kexec/test_kexec_file_load.sh b/tools/testing/selftests/kexec/test_kexec_file_load.sh
index c9ccb3c93d72..790f96938083 100755
--- a/tools/testing/selftests/kexec/test_kexec_file_load.sh
+++ b/tools/testing/selftests/kexec/test_kexec_file_load.sh
@@ -139,6 +139,16 @@  kexec_file_load_test()
 			log_fail "$succeed_msg (missing IMA sig)"
 		fi
 
+		if [ $lockdown -eq 1 ] && [ $kexec_sig_enabled -eq 1 ] \
+		     && [ $pe_signed -eq 0 ]; then
+			log_fail "$succeed_msg (missing PE sig)"
+		fi
+
+		if [ $lockdown -eq 1 ] && [ $kexec_sig_enabled -eq 0 ] && [ $ima_signed -eq 0 ] \
+		     && [ $ima_modsig -eq 0 ]; then
+			log_fail "$succeed_msg (missing IMA sig)"
+		fi
+
 		if [ $pe_sig_required -eq 0 ] && [ $ima_appraise -eq 1 ] \
 		    && [ $ima_sig_required -eq 0 ] && [ $ima_signed -eq 0 ] \
 	            && [ $ima_read_policy -eq 0 ]; then
@@ -181,6 +191,16 @@  kexec_file_load_test()
 		log_pass "$failed_msg (possibly missing IMA sig)"
 	fi
 
+	if [ $lockdown -eq 1 ] && [ $kexec_sig_enabled -eq 1 ] \
+	    && [ $pe_signed -eq 0 ]; then
+		log_pass "$failed_msg (missing PE sig)"
+	fi
+
+	if [ $lockdown -eq 1 ] && [ $kexec_sig_enabled -eq 0 ] \
+	    && [ $ima_signed -eq 0 ] && [ $ima_modsig -eq 0 ]; then
+		log_pass "$failed_msg (missing IMA sig)"
+	fi
+
 	log_pass "$failed_msg"
 	return 0
 }
@@ -215,6 +235,10 @@  kconfig_enabled "CONFIG_KEXEC_SIG_FORCE=y" \
 	"kexec signed kernel image required"
 kexec_sig_required=$?
 
+kconfig_enabled "CONFIG_KEXEC_SIG=y" \
+	"KEXEC_SIG enabled"
+kexec_sig_enabled=$?
+
 kconfig_enabled "CONFIG_KEXEC_BZIMAGE_VERIFY_SIG=y" \
 	"PE signed kernel image required"
 pe_sig_required=$?
@@ -225,6 +249,9 @@  ima_sig_required=$?
 get_secureboot_mode
 secureboot=$?
 
+is_lockdown_enabled
+lockdown=$?
+
 # Are there pe and ima signatures
 if [ "$(get_arch)" == 'ppc64le' ]; then
 	pe_signed=0
diff --git a/tools/testing/selftests/kexec/test_kexec_load.sh b/tools/testing/selftests/kexec/test_kexec_load.sh
index 49c6aa929137..0542887866c0 100755
--- a/tools/testing/selftests/kexec/test_kexec_load.sh
+++ b/tools/testing/selftests/kexec/test_kexec_load.sh
@@ -28,18 +28,24 @@  arch_policy=$?
 get_secureboot_mode
 secureboot=$?
 
-# kexec_load should fail in secure boot mode and CONFIG_IMA_ARCH_POLICY enabled
+is_lockdown_enabled
+lockdown=$?
+
+# kexec_load should fail in either
+#   a) secure boot mode and CONFIG_IMA_ARCH_POLICY enabled
+# or
+#   b) lockdown enabled
 kexec --load $KERNEL_IMAGE > /dev/null 2>&1
 if [ $? -eq 0 ]; then
 	kexec --unload
-	if [ $secureboot -eq 1 ] && [ $arch_policy -eq 1 ]; then
+	if [ $secureboot -eq 1 -a $arch_policy -eq 1 ] || [ $lockdown -eq 1 ]; then
 		log_fail "kexec_load succeeded"
 	elif [ $ima_appraise -eq 0 -o $arch_policy -eq 0 ]; then
 		log_info "Either IMA or the IMA arch policy is not enabled"
 	fi
 	log_pass "kexec_load succeeded"
 else
-	if [ $secureboot -eq 1 ] && [ $arch_policy -eq 1 ] ; then
+	if [ $secureboot -eq 1 -a $arch_policy -eq 1 ] || [ $lockdown -eq 1 ]; then
 		log_pass "kexec_load failed"
 	else
 		log_fail "kexec_load failed"