| # SPDX-License-Identifier: GPL-2.0 |
| # Prevent loading a kernel image via the kexec_load syscall when |
| # signatures are required. (Dependent on CONFIG_IMA_ARCH_POLICY.) |
| # kexec requires root privileges |
| kconfig_enabled "CONFIG_KEXEC=y" "kexec_load is enabled" |
| log_skip "kexec_load is not enabled" |
| kconfig_enabled "CONFIG_IMA_APPRAISE=y" "IMA enabled" |
| kconfig_enabled "CONFIG_IMA_ARCH_POLICY=y" \ |
| "IMA architecture specific policy enabled" |
| # kexec_load should fail in secure boot mode and CONFIG_IMA_ARCH_POLICY enabled |
| kexec --load $KERNEL_IMAGE > /dev/null 2>&1 |
| if [ $secureboot -eq 1 ] && [ $arch_policy -eq 1 ]; then |
| log_fail "kexec_load succeeded" |
| elif [ $ima_appraise -eq 0 -o $arch_policy -eq 0 ]; then |
| log_info "Either IMA or the IMA arch policy is not enabled" |
| log_pass "kexec_load succeeded" |
| if [ $secureboot -eq 1 ] && [ $arch_policy -eq 1 ] ; then |
| log_pass "kexec_load failed" |
| log_fail "kexec_load failed" |