1#!/bin/sh
2# SPDX-License-Identifier: GPL-2.0
3#
4# Prevent loading a kernel image via the kexec_load syscall when
5# signatures are required.  (Dependent on CONFIG_IMA_ARCH_POLICY.)
6
7TEST="$0"
8. ./kexec_common_lib.sh
9
10# kexec requires root privileges
11require_root_privileges
12
13# get the kernel config
14get_kconfig
15
16kconfig_enabled "CONFIG_KEXEC=y" "kexec_load is enabled"
17if [ $? -eq 0 ]; then
18	log_skip "kexec_load is not enabled"
19fi
20
21kconfig_enabled "CONFIG_IMA_APPRAISE=y" "IMA enabled"
22ima_appraise=$?
23
24kconfig_enabled "CONFIG_IMA_ARCH_POLICY=y" \
25	"IMA architecture specific policy enabled"
26arch_policy=$?
27
28get_secureboot_mode
29secureboot=$?
30
31# kexec_load should fail in secure boot mode and CONFIG_IMA_ARCH_POLICY enabled
32kexec --load $KERNEL_IMAGE > /dev/null 2>&1
33if [ $? -eq 0 ]; then
34	kexec --unload
35	if [ $secureboot -eq 1 ] && [ $arch_policy -eq 1 ]; then
36		log_fail "kexec_load succeeded"
37	elif [ $ima_appraise -eq 0 -o $arch_policy -eq 0 ]; then
38		log_info "Either IMA or the IMA arch policy is not enabled"
39	fi
40	log_pass "kexec_load succeeded"
41else
42	if [ $secureboot -eq 1 ] && [ $arch_policy -eq 1 ] ; then
43		log_pass "kexec_load failed"
44	else
45		log_fail "kexec_load failed"
46	fi
47fi
48