cachepc-linux

Fork of AMDESE/linux with modifications for CachePC side-channel attack
git clone https://git.sinitax.com/sinitax/cachepc-linux
Log | Files | Refs | README | LICENSE | sfeed.txt

kexec_common_lib.sh (6189B)

      1#!/bin/sh
      2# SPDX-License-Identifier: GPL-2.0
      3#
      4# Kselftest framework defines: ksft_pass=0, ksft_fail=1, ksft_skip=4
      5
      6VERBOSE="${VERBOSE:-1}"
      7IKCONFIG="/tmp/config-`uname -r`"
      8KERNEL_IMAGE="/boot/vmlinuz-`uname -r`"
      9SECURITYFS=$(grep "securityfs" /proc/mounts | awk '{print $2}')
     10
     11log_info()
     12{
     13	[ $VERBOSE -ne 0 ] && echo "[INFO] $1"
     14}
     15
     16# The ksefltest framework requirement returns 0 for PASS.
     17log_pass()
     18{
     19	[ $VERBOSE -ne 0 ] && echo "$1 [PASS]"
     20	exit 0
     21}
     22
     23# The ksefltest framework requirement returns 1 for FAIL.
     24log_fail()
     25{
     26	[ $VERBOSE -ne 0 ] && echo "$1 [FAIL]"
     27	exit 1
     28}
     29
     30# The ksefltest framework requirement returns 4 for SKIP.
     31log_skip()
     32{
     33	[ $VERBOSE -ne 0 ] && echo "$1"
     34	exit 4
     35}
     36
     37# Check efivar SecureBoot-$(the UUID) and SetupMode-$(the UUID).
     38# (Based on kdump-lib.sh)
     39get_efivarfs_secureboot_mode()
     40{
     41	local efivarfs="/sys/firmware/efi/efivars"
     42	local secure_boot_file=""
     43	local setup_mode_file=""
     44	local secureboot_mode=0
     45	local setup_mode=0
     46
     47	# Make sure that efivar_fs is mounted in the normal location
     48	if ! grep -q "^\S\+ $efivarfs efivarfs" /proc/mounts; then
     49		log_info "efivars is not mounted on $efivarfs"
     50		return 0;
     51	fi
     52	secure_boot_file=$(find "$efivarfs" -name SecureBoot-* 2>/dev/null)
     53	setup_mode_file=$(find "$efivarfs" -name SetupMode-* 2>/dev/null)
     54	if [ -f "$secure_boot_file" ] && [ -f "$setup_mode_file" ]; then
     55		secureboot_mode=$(hexdump -v -e '/1 "%d\ "' \
     56			"$secure_boot_file"|cut -d' ' -f 5)
     57		setup_mode=$(hexdump -v -e '/1 "%d\ "' \
     58			"$setup_mode_file"|cut -d' ' -f 5)
     59
     60		if [ $secureboot_mode -eq 1 ] && [ $setup_mode -eq 0 ]; then
     61			log_info "secure boot mode enabled (CONFIG_EFIVAR_FS)"
     62			return 1;
     63		fi
     64	fi
     65	return 0;
     66}
     67
     68get_efi_var_secureboot_mode()
     69{
     70	local efi_vars
     71	local secure_boot_file
     72	local setup_mode_file
     73	local secureboot_mode
     74	local setup_mode
     75
     76	if [ ! -d "$efi_vars" ]; then
     77		log_skip "efi_vars is not enabled\n"
     78	fi
     79	secure_boot_file=$(find "$efi_vars" -name SecureBoot-* 2>/dev/null)
     80	setup_mode_file=$(find "$efi_vars" -name SetupMode-* 2>/dev/null)
     81	if [ -f "$secure_boot_file/data" ] && \
     82	   [ -f "$setup_mode_file/data" ]; then
     83		secureboot_mode=`od -An -t u1 "$secure_boot_file/data"`
     84		setup_mode=`od -An -t u1 "$setup_mode_file/data"`
     85
     86		if [ $secureboot_mode -eq 1 ] && [ $setup_mode -eq 0 ]; then
     87			log_info "secure boot mode enabled (CONFIG_EFI_VARS)"
     88			return 1;
     89		fi
     90	fi
     91	return 0;
     92}
     93
     94# On powerpc platform, check device-tree property
     95# /proc/device-tree/ibm,secureboot/os-secureboot-enforcing
     96# to detect secureboot state.
     97get_ppc64_secureboot_mode()
     98{
     99	local secure_boot_file="/proc/device-tree/ibm,secureboot/os-secureboot-enforcing"
    100	# Check for secure boot file existence
    101	if [ -f $secure_boot_file ]; then
    102		log_info "Secureboot is enabled (Device tree)"
    103		return 1;
    104	fi
    105	log_info "Secureboot is not enabled (Device tree)"
    106	return 0;
    107}
    108
    109# Return the architecture of the system
    110get_arch()
    111{
    112	echo $(arch)
    113}
    114
    115# Check efivar SecureBoot-$(the UUID) and SetupMode-$(the UUID).
    116# The secure boot mode can be accessed either as the last integer
    117# of "od -An -t u1 /sys/firmware/efi/efivars/SecureBoot-*" or from
    118# "od -An -t u1 /sys/firmware/efi/vars/SecureBoot-*/data".  The efi
    119# SetupMode can be similarly accessed.
    120# Return 1 for SecureBoot mode enabled and SetupMode mode disabled.
    121get_secureboot_mode()
    122{
    123	local secureboot_mode=0
    124	local system_arch=$(get_arch)
    125
    126	if [ "$system_arch" == "ppc64le" ]; then
    127		get_ppc64_secureboot_mode
    128		secureboot_mode=$?
    129	else
    130		get_efivarfs_secureboot_mode
    131		secureboot_mode=$?
    132		# fallback to using the efi_var files
    133		if [ $secureboot_mode -eq 0 ]; then
    134			get_efi_var_secureboot_mode
    135			secureboot_mode=$?
    136		fi
    137	fi
    138
    139	if [ $secureboot_mode -eq 0 ]; then
    140		log_info "secure boot mode not enabled"
    141	fi
    142	return $secureboot_mode;
    143}
    144
    145require_root_privileges()
    146{
    147	if [ $(id -ru) -ne 0 ]; then
    148		log_skip "requires root privileges"
    149	fi
    150}
    151
    152# Look for config option in Kconfig file.
    153# Return 1 for found and 0 for not found.
    154kconfig_enabled()
    155{
    156	local config="$1"
    157	local msg="$2"
    158
    159	grep -E -q $config $IKCONFIG
    160	if [ $? -eq 0 ]; then
    161		log_info "$msg"
    162		return 1
    163	fi
    164	return 0
    165}
    166
    167# Attempt to get the kernel config first by checking the modules directory
    168# then via proc, and finally by extracting it from the kernel image or the
    169# configs.ko using scripts/extract-ikconfig.
    170# Return 1 for found.
    171get_kconfig()
    172{
    173	local proc_config="/proc/config.gz"
    174	local module_dir="/lib/modules/`uname -r`"
    175	local configs_module="$module_dir/kernel/kernel/configs.ko*"
    176
    177	if [ -f $module_dir/config ]; then
    178		IKCONFIG=$module_dir/config
    179		return 1
    180	fi
    181
    182	if [ ! -f $proc_config ]; then
    183		modprobe configs > /dev/null 2>&1
    184	fi
    185	if [ -f $proc_config ]; then
    186		cat $proc_config | gunzip > $IKCONFIG 2>/dev/null
    187		if [ $? -eq 0 ]; then
    188			return 1
    189		fi
    190	fi
    191
    192	local extract_ikconfig="$module_dir/source/scripts/extract-ikconfig"
    193	if [ ! -f $extract_ikconfig ]; then
    194		log_skip "extract-ikconfig not found"
    195	fi
    196
    197	$extract_ikconfig $KERNEL_IMAGE > $IKCONFIG 2>/dev/null
    198	if [ $? -eq 1 ]; then
    199		if [ ! -f $configs_module ]; then
    200			log_skip "CONFIG_IKCONFIG not enabled"
    201		fi
    202		$extract_ikconfig $configs_module > $IKCONFIG
    203		if [ $? -eq 1 ]; then
    204			log_skip "CONFIG_IKCONFIG not enabled"
    205		fi
    206	fi
    207	return 1
    208}
    209
    210# Make sure that securityfs is mounted
    211mount_securityfs()
    212{
    213	if [ -z $SECURITYFS ]; then
    214		SECURITYFS=/sys/kernel/security
    215		mount -t securityfs security $SECURITYFS
    216	fi
    217
    218	if [ ! -d "$SECURITYFS" ]; then
    219		log_fail "$SECURITYFS :securityfs is not mounted"
    220	fi
    221}
    222
    223# The policy rule format is an "action" followed by key-value pairs.  This
    224# function supports up to two key-value pairs, in any order.
    225# For example: action func=<keyword> [appraise_type=<type>]
    226# Return 1 for found and 0 for not found.
    227check_ima_policy()
    228{
    229	local action="$1"
    230	local keypair1="$2"
    231	local keypair2="$3"
    232	local ret=0
    233
    234	mount_securityfs
    235
    236	local ima_policy=$SECURITYFS/ima/policy
    237	if [ ! -e $ima_policy ]; then
    238		log_fail "$ima_policy not found"
    239	fi
    240
    241	if [ -n $keypair2 ]; then
    242		grep -e "^$action.*$keypair1" "$ima_policy" | \
    243			grep -q -e "$keypair2"
    244	else
    245		grep -q -e "^$action.*$keypair1" "$ima_policy"
    246	fi
    247
    248	# invert "grep -q" result, returning 1 for found.
    249	[ $? -eq 0 ] && ret=1
    250	return $ret
    251}