Message ID | 20230721091515.1353371-5-pvorel@suse.cz |
---|---|
State | Accepted |
Series | Add .skip_in_secureboot flag | expand |
Hi, Reviewed-by: Martin Doucha <mdoucha@suse.cz> On 21. 07. 23 11:15, Petr Vorel wrote:
> Enabled SecureBoot requires signed modules (regardless lockdown state).
>
> Signed-off-by: Petr Vorel <pvorel@suse.cz>
> ---
> testcases/kernel/syscalls/delete_module/delete_module01.c | 3 ++-
> testcases/kernel/syscalls/delete_module/delete_module03.c | 3 ++-
> testcases/kernel/syscalls/finit_module/finit_module01.c | 3 ++-
> testcases/kernel/syscalls/finit_module/finit_module02.c | 8 +++++---
> testcases/kernel/syscalls/init_module/init_module01.c | 3 ++-
> testcases/kernel/syscalls/init_module/init_module02.c | 7 ++++---
> 6 files changed, 17 insertions(+), 10 deletions(-)
>
> diff --git a/testcases/kernel/syscalls/delete_module/delete_module01.c b/testcases/kernel/syscalls/delete_module/delete_module01.c
> index 6ecd2cad1..90d8b5289 100644
> --- a/testcases/kernel/syscalls/delete_module/delete_module01.c
> +++ b/testcases/kernel/syscalls/delete_module/delete_module01.c
> @@ -50,8 +50,9 @@ static void cleanup(void)
>
> static struct tst_test test = {
> .needs_root = 1,
> - /* lockdown requires signed modules */
> + /* lockdown and SecureBoot requires signed modules */
> .skip_in_lockdown = 1,
> + .skip_in_secureboot = 1,
> .cleanup = cleanup,
> .test_all = do_delete_module,
> };
> diff --git a/testcases/kernel/syscalls/delete_module/delete_module03.c b/testcases/kernel/syscalls/delete_module/delete_module03.c
> index 863d36188..7e92fc2af 100644
> --- a/testcases/kernel/syscalls/delete_module/delete_module03.c
> +++ b/testcases/kernel/syscalls/delete_module/delete_module03.c
> @@ -72,8 +72,9 @@ static void cleanup(void)
>
> static struct tst_test test = {
> .needs_root = 1,
> - /* lockdown requires signed modules */
> + /* lockdown and SecureBoot requires signed modules */
> .skip_in_lockdown = 1,
> + .skip_in_secureboot = 1,
> .setup = setup,
> .cleanup = cleanup,
> .test_all = do_delete_module,
> diff --git a/testcases/kernel/syscalls/finit_module/finit_module01.c b/testcases/kernel/syscalls/finit_module/finit_module01.c
> index f960b2e40..1929c30fa 100644
> --- a/testcases/kernel/syscalls/finit_module/finit_module01.c
> +++ b/testcases/kernel/syscalls/finit_module/finit_module01.c
> @@ -49,6 +49,7 @@ static struct tst_test test = {
> .setup = setup,
> .cleanup = cleanup,
> .needs_root = 1,
> - /* lockdown requires signed modules */
> + /* lockdown and SecureBoot requires signed modules */
> .skip_in_lockdown = 1,
> + .skip_in_secureboot = 1,
> };
> diff --git a/testcases/kernel/syscalls/finit_module/finit_module02.c b/testcases/kernel/syscalls/finit_module/finit_module02.c
> index a7434de7d..af4feb76b 100644
> --- a/testcases/kernel/syscalls/finit_module/finit_module02.c
> +++ b/testcases/kernel/syscalls/finit_module/finit_module02.c
> @@ -25,7 +25,7 @@
> static char *mod_path;
>
> static int fd, fd_zero, fd_invalid = -1, fd_dir;
> -static int kernel_lockdown;
> +static int kernel_lockdown, secure_boot;
>
> static struct tst_cap cap_req = TST_CAP(TST_CAP_REQ, CAP_SYS_MODULE);
> static struct tst_cap cap_drop = TST_CAP(TST_CAP_DROP, CAP_SYS_MODULE);
> @@ -84,6 +84,8 @@ static void setup(void)
> tst_module_exists(MODULE_NAME, &mod_path);
>
> kernel_lockdown = tst_lockdown_enabled();
> + secure_boot = tst_secureboot_enabled();
> +
> SAFE_MKDIR(TEST_DIR, 0700);
> fd_dir = SAFE_OPEN(TEST_DIR, O_DIRECTORY);
>
> @@ -102,8 +104,8 @@ static void run(unsigned int n)
> {
> struct tcase *tc = &tcases[n];
>
> - if (tc->skip_in_lockdown && kernel_lockdown) {
> - tst_res(TCONF, "Kernel is locked down, skipping %s", tc->name);
> + if (tc->skip_in_lockdown && (kernel_lockdown || secure_boot)) {
> + tst_res(TCONF, "Cannot load unsigned modules, skipping %s", tc->name);
> return;
> }
>
> diff --git a/testcases/kernel/syscalls/init_module/init_module01.c b/testcases/kernel/syscalls/init_module/init_module01.c
> index 79e567cd6..26ff0b93b 100644
> --- a/testcases/kernel/syscalls/init_module/init_module01.c
> +++ b/testcases/kernel/syscalls/init_module/init_module01.c
> @@ -53,6 +53,7 @@ static struct tst_test test = {
> .setup = setup,
> .cleanup = cleanup,
> .needs_root = 1,
> - /* lockdown requires signed modules */
> + /* lockdown and SecureBoot requires signed modules */
> .skip_in_lockdown = 1,
> + .skip_in_secureboot = 1,
> };
> diff --git a/testcases/kernel/syscalls/init_module/init_module02.c b/testcases/kernel/syscalls/init_module/init_module02.c
> index ad6569a06..15a482664 100644
> --- a/testcases/kernel/syscalls/init_module/init_module02.c
> +++ b/testcases/kernel/syscalls/init_module/init_module02.c
> @@ -22,7 +22,7 @@
> #define MODULE_NAME "init_module.ko"
>
> static unsigned long size, zero_size;
> -static int kernel_lockdown;
> +static int kernel_lockdown, secure_boot;
> static void *buf, *faulty_buf, *null_buf;
>
> static struct tst_cap cap_req = TST_CAP(TST_CAP_REQ, CAP_SYS_MODULE);
> @@ -54,6 +54,7 @@ static void setup(void)
> tst_module_exists(MODULE_NAME, NULL);
>
> kernel_lockdown = tst_lockdown_enabled();
> + secure_boot = tst_secureboot_enabled();
> fd = SAFE_OPEN(MODULE_NAME, O_RDONLY|O_CLOEXEC);
> SAFE_FSTAT(fd, &sb);
> size = sb.st_size;
> @@ -67,8 +68,8 @@ static void run(unsigned int n)
> {
> struct tcase *tc = &tcases[n];
>
> - if (tc->skip_in_lockdown && kernel_lockdown) {
> - tst_res(TCONF, "Kernel is locked down, skipping %s", tc->name);
> + if (tc->skip_in_lockdown && (kernel_lockdown || secure_boot)) {
> + tst_res(TCONF, "Cannot load unsigned modules, skipping %s", tc->name);
> return;
> }
>
diff --git a/testcases/kernel/syscalls/delete_module/delete_module01.c b/testcases/kernel/syscalls/delete_module/delete_module01.c
index 6ecd2cad1..90d8b5289 100644
--- a/testcases/kernel/syscalls/delete_module/delete_module01.c
+++ b/testcases/kernel/syscalls/delete_module/delete_module01.c
@@ -50,8 +50,9 @@ static void cleanup(void)
 
 static struct tst_test test = {
 .needs_root = 1,
- /* lockdown requires signed modules */
+ /* lockdown and SecureBoot requires signed modules */
 .skip_in_lockdown = 1,
+ .skip_in_secureboot = 1,
 .cleanup = cleanup,
 .test_all = do_delete_module,
 };
diff --git a/testcases/kernel/syscalls/delete_module/delete_module03.c b/testcases/kernel/syscalls/delete_module/delete_module03.c
index 863d36188..7e92fc2af 100644
--- a/testcases/kernel/syscalls/delete_module/delete_module03.c
+++ b/testcases/kernel/syscalls/delete_module/delete_module03.c
@@ -72,8 +72,9 @@ static void cleanup(void)
 
 static struct tst_test test = {
 .needs_root = 1,
- /* lockdown requires signed modules */
+ /* lockdown and SecureBoot requires signed modules */
 .skip_in_lockdown = 1,
+ .skip_in_secureboot = 1,
 .setup = setup,
 .cleanup = cleanup,
 .test_all = do_delete_module,
diff --git a/testcases/kernel/syscalls/finit_module/finit_module01.c b/testcases/kernel/syscalls/finit_module/finit_module01.c
index f960b2e40..1929c30fa 100644
--- a/testcases/kernel/syscalls/finit_module/finit_module01.c
+++ b/testcases/kernel/syscalls/finit_module/finit_module01.c
@@ -49,6 +49,7 @@ static struct tst_test test = {
 .setup = setup,
 .cleanup = cleanup,
 .needs_root = 1,
- /* lockdown requires signed modules */
+ /* lockdown and SecureBoot requires signed modules */
 .skip_in_lockdown = 1,
+ .skip_in_secureboot = 1,
 };
diff --git a/testcases/kernel/syscalls/finit_module/finit_module02.c b/testcases/kernel/syscalls/finit_module/finit_module02.c
index a7434de7d..af4feb76b 100644
--- a/testcases/kernel/syscalls/finit_module/finit_module02.c
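Review bot: The `tst_test` initializer in delete_module01.c keys the skip on firmware Secure Boot state, but what actually blocks the test is the kernel refusing a module without a valid signature, and the comment `/* lockdown and SecureBoot requires signed modules */` states that link as unconditional. Whether Secure Boot implies signature enforcement depends on how the kernel was built and configured (inferred, not shown in this patch), so on a kernel that does not tie the two together these tests report TCONF and coverage of the module syscalls is lost without a failure to draw attention to it. I would reword the comment to `/* test module is unsigned: rejected under lockdown, and under SecureBoot where the kernel enforces signatures */` and consider having the library helper also consult the kernel's own enforcement state, for example `/sys/module/module/parameters/sig_enforce`. The same comment and flag pair appears in the delete_module03.c and finit_module01.c hunks and in init_module01.c.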
+++ b/testcases/kernel/syscalls/finit_module/finit_module02.c
@@ -25,7 +25,7 @@
 static char *mod_path;
 
 static int fd, fd_zero, fd_invalid = -1, fd_dir;
-static int kernel_lockdown;
+static int kernel_lockdown, secure_boot;
 
 static struct tst_cap cap_req = TST_CAP(TST_CAP_REQ, CAP_SYS_MODULE);
 static struct tst_cap cap_drop = TST_CAP(TST_CAP_DROP, CAP_SYS_MODULE);
@@ -84,6 +84,8 @@ static void setup(void)
 tst_module_exists(MODULE_NAME, &mod_path);
 
 kernel_lockdown = tst_lockdown_enabled();
+ secure_boot = tst_secureboot_enabled();
+
 SAFE_MKDIR(TEST_DIR, 0700);
 fd_dir = SAFE_OPEN(TEST_DIR, O_DIRECTORY);
 
@@ -102,8 +104,8 @@ static void run(unsigned int n)
 {
 struct tcase *tc = &tcases[n];
 
- if (tc->skip_in_lockdown && kernel_lockdown) {
- tst_res(TCONF, "Kernel is locked down, skipping %s", tc->name);
+ if (tc->skip_in_lockdown && (kernel_lockdown || secure_boot)) {
+ tst_res(TCONF, "Cannot load unsigned modules, skipping %s", tc->name);
 return;
 }
 
diff --git a/testcases/kernel/syscalls/init_module/init_module01.c b/testcases/kernel/syscalls/init_module/init_module01.c
index 79e567cd6..26ff0b93b 100644
--- a/testcases/kernel/syscalls/init_module/init_module01.c
+++ b/testcases/kernel/syscalls/init_module/init_module01.c
@@ -53,6 +53,7 @@ static struct tst_test test = {
 .setup = setup,
 .cleanup = cleanup,
 .needs_root = 1,
- /* lockdown requires signed modules */
+ /* lockdown and SecureBoot requires signed modules */
 .skip_in_lockdown = 1,
+ .skip_in_secureboot = 1,
 };
diff --git a/testcases/kernel/syscalls/init_module/init_module02.c b/testcases/kernel/syscalls/init_module/init_module02.c
index ad6569a06..15a482664 100644
--- a/testcases/kernel/syscalls/init_module/init_module02.c
+++ b/testcases/kernel/syscalls/init_module/init_module02.c
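Review bot: In the `setup()` hunk of finit_module02.c, `secure_boot = tst_secureboot_enabled();` keeps the raw return value, which `run()` then treats as a boolean in `kernel_lockdown || secure_boot`. The helper is not part of this patch; if it returns a negative value when the Secure Boot state cannot be determined (a system without EFI variables, for instance), every `skip_in_lockdown` case would be skipped there and those checks stop running without a failure. Normalising at the assignment removes the ambiguity: `secure_boot = tst_secureboot_enabled() > 0;`, and the same for `kernel_lockdown`. The `setup()` hunk of init_module02.c carries the identical assignment; both functions start and end outside their hunks.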
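Review bot: The TCONF text in the `run()` hunk of finit_module02.c no longer tells the reader which condition caused the skip, and the per-case field is still named `skip_in_lockdown` although it now also gates on Secure Boot. Someone triaging results from a hardened host needs to know which mechanism was active, so I would report both: `tst_res(TCONF, "Cannot load unsigned modules (lockdown=%d, secureboot=%d), skipping %s", kernel_lockdown, secure_boot, tc->name);`. A short comment on the `tcase` field, such as `/* skipped when lockdown or SecureBoot blocks unsigned modules */`, would cover the naming. The `run()` hunk of init_module02.c is the same change; `run()` continues past the end of both hunks.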
@@ -22,7 +22,7 @@
 #define MODULE_NAME "init_module.ko"
 
 static unsigned long size, zero_size;
-static int kernel_lockdown;
+static int kernel_lockdown, secure_boot;
 static void *buf, *faulty_buf, *null_buf;
 
 static struct tst_cap cap_req = TST_CAP(TST_CAP_REQ, CAP_SYS_MODULE);
@@ -54,6 +54,7 @@ static void setup(void)
 tst_module_exists(MODULE_NAME, NULL);
 
 kernel_lockdown = tst_lockdown_enabled();
+ secure_boot = tst_secureboot_enabled();
 fd = SAFE_OPEN(MODULE_NAME, O_RDONLY|O_CLOEXEC);
 SAFE_FSTAT(fd, &sb);
 size = sb.st_size;
@@ -67,8 +68,8 @@ static void run(unsigned int n)
 {
 struct tcase *tc = &tcases[n];
 
- if (tc->skip_in_lockdown && kernel_lockdown) {
- tst_res(TCONF, "Kernel is locked down, skipping %s", tc->name);
+ if (tc->skip_in_lockdown && (kernel_lockdown || secure_boot)) {
+ tst_res(TCONF, "Cannot load unsigned modules, skipping %s", tc->name);
 return;
 }
 
Enabled SecureBoot requires signed modules (regardless of lockdown state). Signed-off-by: Petr Vorel <pvorel@suse.cz> --- testcases/kernel/syscalls/delete_module/delete_module01.c | 3 ++- testcases/kernel/syscalls/delete_module/delete_module03.c | 3 ++- testcases/kernel/syscalls/finit_module/finit_module01.c | 3 ++- testcases/kernel/syscalls/finit_module/finit_module02.c | 8 +++++--- testcases/kernel/syscalls/init_module/init_module01.c | 3 ++- testcases/kernel/syscalls/init_module/init_module02.c | 7 ++++--- 6 files changed, 17 insertions(+), 10 deletions(-)