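#!/bin/sh
# SPDX-License-Identifier: GPL-2.0
#
# Prevent loading a kernel image via the kexec_load syscall when
# signatures are required.  (Dependent on CONFIG_IMA_ARCH_POLICY.)
#
# Expected outcome:
#   secure boot on and IMA arch policy on -> "kexec --load" must be refused
#   any other combination                 -> "kexec --load" must succeed
#
# require_root_privileges, get_kconfig, kconfig_enabled,
# get_secureboot_mode and the log_* helpers are provided by
# kexec_common_lib.sh. Judging by how their results are used below,
# kconfig_enabled and get_secureboot_mode return 1 for "enabled" and 0 for
# "not enabled", and log_skip/log_pass/log_fail end the test.
# NOTE(review): confirm both points against kexec_common_lib.sh.

TEST="$0"
. ./kexec_common_lib.sh

# kexec requires root privileges
require_root_privileges

# get the kernel config
get_kconfig

kconfig_enabled "CONFIG_KEXEC=y" "kexec_load is enabled"
kexec_enabled=$?
if [ "$kexec_enabled" -eq 0 ]; then
	log_skip "kexec_load is not enabled"
fi

kconfig_enabled "CONFIG_IMA_APPRAISE=y" "IMA enabled"
ima_appraise=$?

kconfig_enabled "CONFIG_IMA_ARCH_POLICY=y" \
	"IMA architecture specific policy enabled"
arch_policy=$?

get_secureboot_mode
secureboot=$?

# On a locked-down system a refused load is the passing result, and kexec's
# output is discarded below. Rule out the failures that have nothing to do
# with the policy under test, so a missing tool or image cannot be reported
# as "signature enforcement works".
if ! command -v kexec > /dev/null 2>&1; then
	log_skip "kexec utility not found"
fi
if [ ! -r "$KERNEL_IMAGE" ]; then
	log_skip "kernel image is not readable"
fi

# kexec_load should fail in secure boot mode and CONFIG_IMA_ARCH_POLICY enabled
# Residual caveat: any other non-zero exit from kexec is still counted as a
# refusal; the exit status alone does not say why the load was rejected.
if kexec --load "$KERNEL_IMAGE" > /dev/null 2>&1; then
	# Do not leave the just-loaded kernel staged after the test.
	kexec --unload
	if [ "$secureboot" -eq 1 ] && [ "$arch_policy" -eq 1 ]; then
		# An image was accepted through kexec_load although
		# signatures are required: enforcement did not happen.
		log_fail "kexec_load succeeded"
	elif [ "$ima_appraise" -eq 0 ] || [ "$arch_policy" -eq 0 ]; then
		log_info "Either IMA or the IMA arch policy is not enabled"
	fi
	log_pass "kexec_load succeeded"
else
	if [ "$secureboot" -eq 1 ] && [ "$arch_policy" -eq 1 ]; then
		log_pass "kexec_load failed"
	else
		log_fail "kexec_load failed"
	fi
fi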