Path: blob/master/tools/testing/selftests/kexec/kexec_common_lib.sh
26285 views
#!/bin/sh1# SPDX-License-Identifier: GPL-2.02#3# Kselftest framework defines: ksft_pass=0, ksft_fail=1, ksft_skip=445VERBOSE="${VERBOSE:-1}"6IKCONFIG="/tmp/config-`uname -r`"7KERNEL_IMAGE="/boot/vmlinuz-`uname -r`"8SECURITYFS=$(grep "securityfs" /proc/mounts | awk '{print $2}')910log_info()11{12[ $VERBOSE -ne 0 ] && echo "[INFO] $1"13}1415# The ksefltest framework requirement returns 0 for PASS.16log_pass()17{18[ $VERBOSE -ne 0 ] && echo "$1 [PASS]"19exit 020}2122# The ksefltest framework requirement returns 1 for FAIL.23log_fail()24{25[ $VERBOSE -ne 0 ] && echo "$1 [FAIL]"26exit 127}2829# The ksefltest framework requirement returns 4 for SKIP.30log_skip()31{32[ $VERBOSE -ne 0 ] && echo "$1"33exit 434}3536# Check efivar SecureBoot-$(the UUID) and SetupMode-$(the UUID).37# (Based on kdump-lib.sh)38get_efivarfs_secureboot_mode()39{40local efivarfs="/sys/firmware/efi/efivars"41local secure_boot_file=""42local setup_mode_file=""43local secureboot_mode=044local setup_mode=04546# Make sure that efivar_fs is mounted in the normal location47if ! grep -q "^\S\+ $efivarfs efivarfs" /proc/mounts; then48log_info "efivars is not mounted on $efivarfs"49return 0;50fi51secure_boot_file=$(find "$efivarfs" -name SecureBoot-* 2>/dev/null)52setup_mode_file=$(find "$efivarfs" -name SetupMode-* 2>/dev/null)53if [ -f "$secure_boot_file" ] && [ -f "$setup_mode_file" ]; then54secureboot_mode=$(hexdump -v -e '/1 "%d\ "' \55"$secure_boot_file"|cut -d' ' -f 5)56setup_mode=$(hexdump -v -e '/1 "%d\ "' \57"$setup_mode_file"|cut -d' ' -f 5)5859if [ $secureboot_mode -eq 1 ] && [ $setup_mode -eq 0 ]; then60log_info "secure boot mode enabled (CONFIG_EFIVAR_FS)"61return 1;62fi63fi64return 0;65}6667# On powerpc platform, check device-tree property68# /proc/device-tree/ibm,secureboot/os-secureboot-enforcing69# to detect secureboot state.70get_ppc64_secureboot_mode()71{72local secure_boot_file="/proc/device-tree/ibm,secureboot/os-secureboot-enforcing"73# Check for secure boot file existence74if [ -f $secure_boot_file ]; then75log_info "Secureboot is enabled (Device tree)"76return 1;77fi78log_info "Secureboot is not enabled (Device tree)"79return 0;80}8182# Return the architecture of the system83get_arch()84{85echo $(arch)86}8788# Check efivar SecureBoot-$(the UUID) and SetupMode-$(the UUID).89# The secure boot mode can be accessed as the last integer of90# "od -An -t u1 /sys/firmware/efi/efivars/SecureBoot-*". The efi91# SetupMode can be similarly accessed.92# Return 1 for SecureBoot mode enabled and SetupMode mode disabled.93get_secureboot_mode()94{95local secureboot_mode=096local system_arch=$(get_arch)9798if [ "$system_arch" == "ppc64le" ]; then99get_ppc64_secureboot_mode100secureboot_mode=$?101else102get_efivarfs_secureboot_mode103secureboot_mode=$?104fi105106if [ $secureboot_mode -eq 0 ]; then107log_info "secure boot mode not enabled"108fi109return $secureboot_mode;110}111112require_root_privileges()113{114if [ $(id -ru) -ne 0 ]; then115log_skip "requires root privileges"116fi117}118119# Look for config option in Kconfig file.120# Return 1 for found and 0 for not found.121kconfig_enabled()122{123local config="$1"124local msg="$2"125126grep -E -q $config $IKCONFIG127if [ $? -eq 0 ]; then128log_info "$msg"129return 1130fi131return 0132}133134# Attempt to get the kernel config first by checking the modules directory135# then via proc, and finally by extracting it from the kernel image or the136# configs.ko using scripts/extract-ikconfig.137# Return 1 for found.138get_kconfig()139{140local proc_config="/proc/config.gz"141local module_dir="/lib/modules/`uname -r`"142local configs_module="$module_dir/kernel/kernel/configs.ko*"143144if [ -f $module_dir/config ]; then145IKCONFIG=$module_dir/config146return 1147fi148149if [ ! -f $proc_config ]; then150modprobe configs > /dev/null 2>&1151fi152if [ -f $proc_config ]; then153cat $proc_config | gunzip > $IKCONFIG 2>/dev/null154if [ $? -eq 0 ]; then155return 1156fi157fi158159local extract_ikconfig="$module_dir/source/scripts/extract-ikconfig"160if [ ! -f $extract_ikconfig ]; then161log_skip "extract-ikconfig not found"162fi163164$extract_ikconfig $KERNEL_IMAGE > $IKCONFIG 2>/dev/null165if [ $? -eq 1 ]; then166if [ ! -f $configs_module ]; then167log_skip "CONFIG_IKCONFIG not enabled"168fi169$extract_ikconfig $configs_module > $IKCONFIG170if [ $? -eq 1 ]; then171log_skip "CONFIG_IKCONFIG not enabled"172fi173fi174return 1175}176177# Make sure that securityfs is mounted178mount_securityfs()179{180if [ -z $SECURITYFS ]; then181SECURITYFS=/sys/kernel/security182mount -t securityfs security $SECURITYFS183fi184185if [ ! -d "$SECURITYFS" ]; then186log_fail "$SECURITYFS :securityfs is not mounted"187fi188}189190# The policy rule format is an "action" followed by key-value pairs. This191# function supports up to two key-value pairs, in any order.192# For example: action func=<keyword> [appraise_type=<type>]193# Return 1 for found and 0 for not found.194check_ima_policy()195{196local action="$1"197local keypair1="$2"198local keypair2="$3"199local ret=0200201mount_securityfs202203local ima_policy=$SECURITYFS/ima/policy204if [ ! -e $ima_policy ]; then205log_fail "$ima_policy not found"206fi207208if [ -n $keypair2 ]; then209grep -e "^$action.*$keypair1" "$ima_policy" | \210grep -q -e "$keypair2"211else212grep -q -e "^$action.*$keypair1" "$ima_policy"213fi214215# invert "grep -q" result, returning 1 for found.216[ $? -eq 0 ] && ret=1217return $ret218}219220221