1#!/bin/sh
2# SPDX-License-Identifier: GPL-2.0
3#
4# Kselftest framework defines: ksft_pass=0, ksft_fail=1, ksft_skip=4
5
6VERBOSE="${VERBOSE:-1}"
7IKCONFIG="/tmp/config-`uname -r`"
8KERNEL_IMAGE="/boot/vmlinuz-`uname -r`"
9SECURITYFS=$(grep "securityfs" /proc/mounts | awk '{print $2}')
10
11log_info()
12{
13	[ $VERBOSE -ne 0 ] && echo "[INFO] $1"
14}
15
16# The ksefltest framework requirement returns 0 for PASS.
17log_pass()
18{
19	[ $VERBOSE -ne 0 ] && echo "$1 [PASS]"
20	exit 0
21}
22
23# The ksefltest framework requirement returns 1 for FAIL.
24log_fail()
25{
26	[ $VERBOSE -ne 0 ] && echo "$1 [FAIL]"
27	exit 1
28}
29
30# The ksefltest framework requirement returns 4 for SKIP.
31log_skip()
32{
33	[ $VERBOSE -ne 0 ] && echo "$1"
34	exit 4
35}
36
37# Check efivar SecureBoot-$(the UUID) and SetupMode-$(the UUID).
38# (Based on kdump-lib.sh)
39get_efivarfs_secureboot_mode()
40{
41	local efivarfs="/sys/firmware/efi/efivars"
42	local secure_boot_file=""
43	local setup_mode_file=""
44	local secureboot_mode=0
45	local setup_mode=0
46
47	# Make sure that efivar_fs is mounted in the normal location
48	if ! grep -q "^\S\+ $efivarfs efivarfs" /proc/mounts; then
49		log_info "efivars is not mounted on $efivarfs"
50		return 0;
51	fi
52	secure_boot_file=$(find "$efivarfs" -name SecureBoot-* 2>/dev/null)
53	setup_mode_file=$(find "$efivarfs" -name SetupMode-* 2>/dev/null)
54	if [ -f "$secure_boot_file" ] && [ -f "$setup_mode_file" ]; then
55		secureboot_mode=$(hexdump -v -e '/1 "%d\ "' \
56			"$secure_boot_file"|cut -d' ' -f 5)
57		setup_mode=$(hexdump -v -e '/1 "%d\ "' \
58			"$setup_mode_file"|cut -d' ' -f 5)
59
60		if [ $secureboot_mode -eq 1 ] && [ $setup_mode -eq 0 ]; then
61			log_info "secure boot mode enabled (CONFIG_EFIVAR_FS)"
62			return 1;
63		fi
64	fi
65	return 0;
66}
67
68get_efi_var_secureboot_mode()
69{
70	local efi_vars
71	local secure_boot_file
72	local setup_mode_file
73	local secureboot_mode
74	local setup_mode
75
76	if [ ! -d "$efi_vars" ]; then
77		log_skip "efi_vars is not enabled\n"
78	fi
79	secure_boot_file=$(find "$efi_vars" -name SecureBoot-* 2>/dev/null)
80	setup_mode_file=$(find "$efi_vars" -name SetupMode-* 2>/dev/null)
81	if [ -f "$secure_boot_file/data" ] && \
82	   [ -f "$setup_mode_file/data" ]; then
83		secureboot_mode=`od -An -t u1 "$secure_boot_file/data"`
84		setup_mode=`od -An -t u1 "$setup_mode_file/data"`
85
86		if [ $secureboot_mode -eq 1 ] && [ $setup_mode -eq 0 ]; then
87			log_info "secure boot mode enabled (CONFIG_EFI_VARS)"
88			return 1;
89		fi
90	fi
91	return 0;
92}
93
94# On powerpc platform, check device-tree property
95# /proc/device-tree/ibm,secureboot/os-secureboot-enforcing
96# to detect secureboot state.
97get_ppc64_secureboot_mode()
98{
99	local secure_boot_file="/proc/device-tree/ibm,secureboot/os-secureboot-enforcing"
100	# Check for secure boot file existence
101	if [ -f $secure_boot_file ]; then
102		log_info "Secureboot is enabled (Device tree)"
103		return 1;
104	fi
105	log_info "Secureboot is not enabled (Device tree)"
106	return 0;
107}
108
109# Return the architecture of the system
110get_arch()
111{
112	echo $(arch)
113}
114
115# Check efivar SecureBoot-$(the UUID) and SetupMode-$(the UUID).
116# The secure boot mode can be accessed either as the last integer
117# of "od -An -t u1 /sys/firmware/efi/efivars/SecureBoot-*" or from
118# "od -An -t u1 /sys/firmware/efi/vars/SecureBoot-*/data".  The efi
119# SetupMode can be similarly accessed.
120# Return 1 for SecureBoot mode enabled and SetupMode mode disabled.
121get_secureboot_mode()
122{
123	local secureboot_mode=0
124	local system_arch=$(get_arch)
125
126	if [ "$system_arch" == "ppc64le" ]; then
127		get_ppc64_secureboot_mode
128		secureboot_mode=$?
129	else
130		get_efivarfs_secureboot_mode
131		secureboot_mode=$?
132		# fallback to using the efi_var files
133		if [ $secureboot_mode -eq 0 ]; then
134			get_efi_var_secureboot_mode
135			secureboot_mode=$?
136		fi
137	fi
138
139	if [ $secureboot_mode -eq 0 ]; then
140		log_info "secure boot mode not enabled"
141	fi
142	return $secureboot_mode;
143}
144
145require_root_privileges()
146{
147	if [ $(id -ru) -ne 0 ]; then
148		log_skip "requires root privileges"
149	fi
150}
151
152# Look for config option in Kconfig file.
153# Return 1 for found and 0 for not found.
154kconfig_enabled()
155{
156	local config="$1"
157	local msg="$2"
158
159	grep -E -q $config $IKCONFIG
160	if [ $? -eq 0 ]; then
161		log_info "$msg"
162		return 1
163	fi
164	return 0
165}
166
167# Attempt to get the kernel config first by checking the modules directory
168# then via proc, and finally by extracting it from the kernel image or the
169# configs.ko using scripts/extract-ikconfig.
170# Return 1 for found.
171get_kconfig()
172{
173	local proc_config="/proc/config.gz"
174	local module_dir="/lib/modules/`uname -r`"
175	local configs_module="$module_dir/kernel/kernel/configs.ko*"
176
177	if [ -f $module_dir/config ]; then
178		IKCONFIG=$module_dir/config
179		return 1
180	fi
181
182	if [ ! -f $proc_config ]; then
183		modprobe configs > /dev/null 2>&1
184	fi
185	if [ -f $proc_config ]; then
186		cat $proc_config | gunzip > $IKCONFIG 2>/dev/null
187		if [ $? -eq 0 ]; then
188			return 1
189		fi
190	fi
191
192	local extract_ikconfig="$module_dir/source/scripts/extract-ikconfig"
193	if [ ! -f $extract_ikconfig ]; then
194		log_skip "extract-ikconfig not found"
195	fi
196
197	$extract_ikconfig $KERNEL_IMAGE > $IKCONFIG 2>/dev/null
198	if [ $? -eq 1 ]; then
199		if [ ! -f $configs_module ]; then
200			log_skip "CONFIG_IKCONFIG not enabled"
201		fi
202		$extract_ikconfig $configs_module > $IKCONFIG
203		if [ $? -eq 1 ]; then
204			log_skip "CONFIG_IKCONFIG not enabled"
205		fi
206	fi
207	return 1
208}
209
210# Make sure that securityfs is mounted
211mount_securityfs()
212{
213	if [ -z $SECURITYFS ]; then
214		SECURITYFS=/sys/kernel/security
215		mount -t securityfs security $SECURITYFS
216	fi
217
218	if [ ! -d "$SECURITYFS" ]; then
219		log_fail "$SECURITYFS :securityfs is not mounted"
220	fi
221}
222
223# The policy rule format is an "action" followed by key-value pairs.  This
224# function supports up to two key-value pairs, in any order.
225# For example: action func=<keyword> [appraise_type=<type>]
226# Return 1 for found and 0 for not found.
227check_ima_policy()
228{
229	local action="$1"
230	local keypair1="$2"
231	local keypair2="$3"
232	local ret=0
233
234	mount_securityfs
235
236	local ima_policy=$SECURITYFS/ima/policy
237	if [ ! -e $ima_policy ]; then
238		log_fail "$ima_policy not found"
239	fi
240
241	if [ -n $keypair2 ]; then
242		grep -e "^$action.*$keypair1" "$ima_policy" | \
243			grep -q -e "$keypair2"
244	else
245		grep -q -e "^$action.*$keypair1" "$ima_policy"
246	fi
247
248	# invert "grep -q" result, returning 1 for found.
249	[ $? -eq 0 ] && ret=1
250	return $ret
251}
252