[LTP] [PATCH] testcases: add module signature enforcement check
Po-Hsu Lin
po-hsu.lin@canonical.com
Thu Dec 26 06:10:20 CET 2024
CONFIG_MODULE_SIG_FORCE kernel config and the module.sig_enforce in
/proc/cmdline can prevent tests from inserting their test modules.
Those tests will either fail with:
'insmod exited with a non-zero code 1 at tst_cmd.c:121
Or:
insmod: ERROR: could not insert module ltp_insmod01.ko: Key was
rejected by service.
Add an extra check like what we did for syscall tests.
Patch tested against a kernel with CONFIG_MODULE_SIG_FORCE=y, and
another with module.sig_enforce added to /proc/cmdline. It's working
as expected.
Signed-off-by: Po-Hsu Lin <po-hsu.lin@canonical.com>
---
testcases/commands/insmod/insmod01.sh | 5 +++++
testcases/kernel/device-drivers/acpi/ltp_acpi.c | 8 ++++++++
.../device-drivers/block/block_dev_user/block_dev.c | 10 ++++++++++
testcases/kernel/device-drivers/pci/tpci_user/tpci.c | 9 +++++++++
testcases/kernel/device-drivers/uaccess/uaccess.c | 9 +++++++++
testcases/kernel/firmware/fw_load_user/fw_load.c | 10 +++++++++-
6 files changed, 50 insertions(+), 1 deletion(-)
diff --git a/testcases/commands/insmod/insmod01.sh b/testcases/commands/insmod/insmod01.sh
index 992b4a05a..00aa632cf 100755
--- a/testcases/commands/insmod/insmod01.sh
+++ b/testcases/commands/insmod/insmod01.sh
@@ -30,6 +30,11 @@ cleanup()
do_test()
{
+ tst_check_kconfigs "CONFIG_MODULE_SIG_FORCE=y"
+ if [ $? -eq 0 ] || grep module.sig_enforce -qw /proc/cmdline ; then
+ tst_brk TCONF "module signature is enforced, skipping test"
+ fi
+
insmod "$TST_MODPATH"
if [ $? -ne 0 ]; then
tst_res TFAIL "insmod failed"
diff --git a/testcases/kernel/device-drivers/acpi/ltp_acpi.c b/testcases/kernel/device-drivers/acpi/ltp_acpi.c
index 7dba04552..c674b2032 100644
--- a/testcases/kernel/device-drivers/acpi/ltp_acpi.c
+++ b/testcases/kernel/device-drivers/acpi/ltp_acpi.c
@@ -22,6 +22,7 @@
#include <stdlib.h>
#include "test.h"
+#include "tst_kconfig.h"
#include "old_module.h"
#include "safe_macros.h"
@@ -128,11 +129,18 @@ static void test_run(void)
int main(int argc, char *argv[])
{
int acpi_disabled;
+ struct tst_kcmdline_var params = TST_KCMDLINE_INIT("module.sig_enforce");
+ struct tst_kconfig_var kconfig = TST_KCONFIG_INIT("CONFIG_MODULE_SIG_FORCE");
tst_parse_opts(argc, argv, NULL, NULL);
tst_require_root();
+ tst_kcmdline_parse(¶ms, 1);
+ tst_kconfig_read(&kconfig, 1);
+ if (params.found || kconfig.choice == 'y')
+ tst_brkm(TCONF, tst_exit, "module signature is enforced, skip test");
+
tst_sig(FORK, DEF_HANDLER, cleanup);
tst_module_load(NULL, module_name, NULL);
diff --git a/testcases/kernel/device-drivers/block/block_dev_user/block_dev.c b/testcases/kernel/device-drivers/block/block_dev_user/block_dev.c
index b6e30eb7e..237c23256 100644
--- a/testcases/kernel/device-drivers/block/block_dev_user/block_dev.c
+++ b/testcases/kernel/device-drivers/block/block_dev_user/block_dev.c
@@ -17,6 +17,7 @@
#include <unistd.h>
#include <string.h>
+#include "tst_kconfig.h"
#include "tst_test.h"
#include "tst_module.h"
@@ -47,6 +48,15 @@ static void run(unsigned int n)
* unregister_blkdev() checks the input device name parameter
* against NULL pointer.
*/
+ struct tst_kcmdline_var params = TST_KCMDLINE_INIT("module.sig_enforce");
+ struct tst_kconfig_var kconfig = TST_KCONFIG_INIT("CONFIG_MODULE_SIG_FORCE");
+
+ tst_kcmdline_parse(¶ms, 1);
+ tst_kconfig_read(&kconfig, 1);
+ if (params.found || kconfig.choice == 'y')
+ tst_brk(TCONF, "module signature is enforced, skip test");
+
+
n++;
if (!run_all_testcases && (n == 8 || n == 9)) {
tst_res(TCONF, "Skipped n = %d", n);
diff --git a/testcases/kernel/device-drivers/pci/tpci_user/tpci.c b/testcases/kernel/device-drivers/pci/tpci_user/tpci.c
index 96018f18c..aa07fdb42 100644
--- a/testcases/kernel/device-drivers/pci/tpci_user/tpci.c
+++ b/testcases/kernel/device-drivers/pci/tpci_user/tpci.c
@@ -27,6 +27,7 @@
#include <errno.h>
#include "test.h"
+#include "tst_kconfig.h"
#include "safe_macros.h"
#include "old_module.h"
@@ -49,8 +50,16 @@ static void cleanup(void)
void setup(void)
{
+ struct tst_kcmdline_var params = TST_KCMDLINE_INIT("module.sig_enforce");
+ struct tst_kconfig_var kconfig = TST_KCONFIG_INIT("CONFIG_MODULE_SIG_FORCE");
+
tst_require_root();
+ tst_kcmdline_parse(¶ms, 1);
+ tst_kconfig_read(&kconfig, 1);
+ if (params.found || kconfig.choice == 'y')
+ tst_brkm(TCONF, tst_exit, "module signature is enforced, skip test");
+
tst_sig(FORK, DEF_HANDLER, cleanup);
}
diff --git a/testcases/kernel/device-drivers/uaccess/uaccess.c b/testcases/kernel/device-drivers/uaccess/uaccess.c
index f682ff7f6..c6dfeb845 100644
--- a/testcases/kernel/device-drivers/uaccess/uaccess.c
+++ b/testcases/kernel/device-drivers/uaccess/uaccess.c
@@ -27,6 +27,7 @@
#include <unistd.h>
#include "test.h"
+#include "tst_kconfig.h"
#include "old_module.h"
#include "safe_macros.h"
@@ -92,10 +93,18 @@ static void tc_write_userspace(void)
int main(int argc, char *argv[])
{
+ struct tst_kcmdline_var params = TST_KCMDLINE_INIT("module.sig_enforce");
+ struct tst_kconfig_var kconfig = TST_KCONFIG_INIT("CONFIG_MODULE_SIG_FORCE");
+
tst_parse_opts(argc, argv, NULL, NULL);
tst_require_root();
+ tst_kcmdline_parse(¶ms, 1);
+ tst_kconfig_read(&kconfig, 1);
+ if (params.found || kconfig.choice == 'y')
+ tst_brkm(TCONF, tst_exit, "module signature is enforced, skip test");
+
tst_sig(FORK, DEF_HANDLER, cleanup);
tst_module_load(NULL, module_name, NULL);
diff --git a/testcases/kernel/firmware/fw_load_user/fw_load.c b/testcases/kernel/firmware/fw_load_user/fw_load.c
index 83648b625..b34b56fae 100644
--- a/testcases/kernel/firmware/fw_load_user/fw_load.c
+++ b/testcases/kernel/firmware/fw_load_user/fw_load.c
@@ -29,6 +29,7 @@
#include <string.h>
#include "test.h"
+#include "tst_kconfig.h"
#include "safe_macros.h"
#include "old_module.h"
@@ -102,7 +103,9 @@ static void help(void)
void setup(int argc, char *argv[])
{
-
+ struct tst_kcmdline_var params = TST_KCMDLINE_INIT("module.sig_enforce");
+ struct tst_kconfig_var kconfig = TST_KCONFIG_INIT("CONFIG_MODULE_SIG_FORCE");
+
tst_parse_opts(argc, argv, options, help);
if (nflag) {
@@ -114,6 +117,11 @@ void setup(int argc, char *argv[])
tst_require_root();
+ tst_kcmdline_parse(¶ms, 1);
+ tst_kconfig_read(&kconfig, 1);
+ if (params.found || kconfig.choice == 'y')
+ tst_brkm(TCONF, tst_exit, "module signature is enforced, skip test");
+
char fw_size_param[19];
snprintf(fw_size_param, 19, "fw_size=%d", fw_size);
char *const mod_params[2] = { fw_size_param, NULL };
--
2.25.1
More information about the ltp
mailing list