[LTP] [PATCH] testcases: add module signature enforcement check

Po-Hsu Lin po-hsu.lin@canonical.com
Thu Dec 26 06:10:20 CET 2024


CONFIG_MODULE_SIG_FORCE kernel config and the module.sig_enforce in
/proc/cmdline can prevent tests from inserting their test modules.
Those tests will either fail with:
  'insmod exited with a non-zero code 1 at tst_cmd.c:121
Or:
  insmod: ERROR: could not insert module ltp_insmod01.ko: Key was
  rejected by service.

Add an extra check like what we did for syscall tests.

Patch tested against a kernel with CONFIG_MODULE_SIG_FORCE=y, and
another with module.sig_enforce added to /proc/cmdline. It's working
as expected.

Signed-off-by: Po-Hsu Lin <po-hsu.lin@canonical.com>
---
 testcases/commands/insmod/insmod01.sh                  |  5 +++++
 testcases/kernel/device-drivers/acpi/ltp_acpi.c        |  8 ++++++++
 .../device-drivers/block/block_dev_user/block_dev.c    | 10 ++++++++++
 testcases/kernel/device-drivers/pci/tpci_user/tpci.c   |  9 +++++++++
 testcases/kernel/device-drivers/uaccess/uaccess.c      |  9 +++++++++
 testcases/kernel/firmware/fw_load_user/fw_load.c       | 10 +++++++++-
 6 files changed, 50 insertions(+), 1 deletion(-)

diff --git a/testcases/commands/insmod/insmod01.sh b/testcases/commands/insmod/insmod01.sh
index 992b4a05a..00aa632cf 100755
--- a/testcases/commands/insmod/insmod01.sh
+++ b/testcases/commands/insmod/insmod01.sh
@@ -30,6 +30,11 @@ cleanup()
 
 do_test()
 {
+	tst_check_kconfigs "CONFIG_MODULE_SIG_FORCE=y"
+	if [ $? -eq 0 ] || grep module.sig_enforce -qw /proc/cmdline ; then
+		tst_brk TCONF "module signature is enforced, skipping test"
+	fi
+
 	insmod "$TST_MODPATH"
 	if [ $? -ne 0 ]; then
 		tst_res TFAIL "insmod failed"
diff --git a/testcases/kernel/device-drivers/acpi/ltp_acpi.c b/testcases/kernel/device-drivers/acpi/ltp_acpi.c
index 7dba04552..c674b2032 100644
--- a/testcases/kernel/device-drivers/acpi/ltp_acpi.c
+++ b/testcases/kernel/device-drivers/acpi/ltp_acpi.c
@@ -22,6 +22,7 @@
 #include <stdlib.h>
 
 #include "test.h"
+#include "tst_kconfig.h"
 #include "old_module.h"
 #include "safe_macros.h"
 
@@ -128,11 +129,18 @@ static void test_run(void)
 int main(int argc, char *argv[])
 {
 	int acpi_disabled;
+	struct tst_kcmdline_var params = TST_KCMDLINE_INIT("module.sig_enforce");
+	struct tst_kconfig_var kconfig = TST_KCONFIG_INIT("CONFIG_MODULE_SIG_FORCE");
 
 	tst_parse_opts(argc, argv, NULL, NULL);
 
 	tst_require_root();
 
+	tst_kcmdline_parse(&params, 1);
+	tst_kconfig_read(&kconfig, 1);
+	if (params.found || kconfig.choice == 'y')
+		tst_brkm(TCONF, tst_exit, "module signature is enforced, skip test");
+
 	tst_sig(FORK, DEF_HANDLER, cleanup);
 
 	tst_module_load(NULL, module_name, NULL);
diff --git a/testcases/kernel/device-drivers/block/block_dev_user/block_dev.c b/testcases/kernel/device-drivers/block/block_dev_user/block_dev.c
index b6e30eb7e..237c23256 100644
--- a/testcases/kernel/device-drivers/block/block_dev_user/block_dev.c
+++ b/testcases/kernel/device-drivers/block/block_dev_user/block_dev.c
@@ -17,6 +17,7 @@
 #include <unistd.h>
 #include <string.h>
 
+#include "tst_kconfig.h"
 #include "tst_test.h"
 #include "tst_module.h"
 
@@ -47,6 +48,15 @@ static void run(unsigned int n)
 	 * unregister_blkdev() checks the input device name parameter
 	 * against NULL pointer.
 	 */
+	struct tst_kcmdline_var params = TST_KCMDLINE_INIT("module.sig_enforce");
+	struct tst_kconfig_var kconfig = TST_KCONFIG_INIT("CONFIG_MODULE_SIG_FORCE");
+
+	tst_kcmdline_parse(&params, 1);
+	tst_kconfig_read(&kconfig, 1);
+	if (params.found || kconfig.choice == 'y')
+		tst_brk(TCONF, "module signature is enforced, skip test");
+
+
 	n++;
 	if (!run_all_testcases && (n == 8 || n == 9)) {
 		tst_res(TCONF, "Skipped n = %d", n);
diff --git a/testcases/kernel/device-drivers/pci/tpci_user/tpci.c b/testcases/kernel/device-drivers/pci/tpci_user/tpci.c
index 96018f18c..aa07fdb42 100644
--- a/testcases/kernel/device-drivers/pci/tpci_user/tpci.c
+++ b/testcases/kernel/device-drivers/pci/tpci_user/tpci.c
@@ -27,6 +27,7 @@
 #include <errno.h>
 
 #include "test.h"
+#include "tst_kconfig.h"
 #include "safe_macros.h"
 #include "old_module.h"
 
@@ -49,8 +50,16 @@ static void cleanup(void)
 
 void setup(void)
 {
+	struct tst_kcmdline_var params = TST_KCMDLINE_INIT("module.sig_enforce");
+	struct tst_kconfig_var kconfig = TST_KCONFIG_INIT("CONFIG_MODULE_SIG_FORCE");
+
 	tst_require_root();
 
+	tst_kcmdline_parse(&params, 1);
+	tst_kconfig_read(&kconfig, 1);
+	if (params.found || kconfig.choice == 'y')
+		tst_brkm(TCONF, tst_exit, "module signature is enforced, skip test");
+
 	tst_sig(FORK, DEF_HANDLER, cleanup);
 }
 
diff --git a/testcases/kernel/device-drivers/uaccess/uaccess.c b/testcases/kernel/device-drivers/uaccess/uaccess.c
index f682ff7f6..c6dfeb845 100644
--- a/testcases/kernel/device-drivers/uaccess/uaccess.c
+++ b/testcases/kernel/device-drivers/uaccess/uaccess.c
@@ -27,6 +27,7 @@
 #include <unistd.h>
 
 #include "test.h"
+#include "tst_kconfig.h"
 #include "old_module.h"
 #include "safe_macros.h"
 
@@ -92,10 +93,18 @@ static void tc_write_userspace(void)
 
 int main(int argc, char *argv[])
 {
+	struct tst_kcmdline_var params = TST_KCMDLINE_INIT("module.sig_enforce");
+	struct tst_kconfig_var kconfig = TST_KCONFIG_INIT("CONFIG_MODULE_SIG_FORCE");
+
 	tst_parse_opts(argc, argv, NULL, NULL);
 
 	tst_require_root();
 
+	tst_kcmdline_parse(&params, 1);
+	tst_kconfig_read(&kconfig, 1);
+	if (params.found || kconfig.choice == 'y')
+		tst_brkm(TCONF, tst_exit, "module signature is enforced, skip test");
+
 	tst_sig(FORK, DEF_HANDLER, cleanup);
 
 	tst_module_load(NULL, module_name, NULL);
diff --git a/testcases/kernel/firmware/fw_load_user/fw_load.c b/testcases/kernel/firmware/fw_load_user/fw_load.c
index 83648b625..b34b56fae 100644
--- a/testcases/kernel/firmware/fw_load_user/fw_load.c
+++ b/testcases/kernel/firmware/fw_load_user/fw_load.c
@@ -29,6 +29,7 @@
 #include <string.h>
 
 #include "test.h"
+#include "tst_kconfig.h"
 #include "safe_macros.h"
 #include "old_module.h"
 
@@ -102,7 +103,9 @@ static void help(void)
 
 void setup(int argc, char *argv[])
 {
-	
+	struct tst_kcmdline_var params = TST_KCMDLINE_INIT("module.sig_enforce");
+	struct tst_kconfig_var kconfig = TST_KCONFIG_INIT("CONFIG_MODULE_SIG_FORCE");
+
 	tst_parse_opts(argc, argv, options, help);
 
 	if (nflag) {
@@ -114,6 +117,11 @@ void setup(int argc, char *argv[])
 
 	tst_require_root();
 
+	tst_kcmdline_parse(&params, 1);
+	tst_kconfig_read(&kconfig, 1);
+	if (params.found || kconfig.choice == 'y')
+		tst_brkm(TCONF, tst_exit, "module signature is enforced, skip test");
+
 	char fw_size_param[19];
 	snprintf(fw_size_param, 19, "fw_size=%d", fw_size);
 	char *const mod_params[2] = { fw_size_param, NULL };
-- 
2.25.1



More information about the ltp mailing list