From patchwork Wed Jul 28 16:27:16 2021
X-Patchwork-Submitter: Dimitri John Ledkov
X-Patchwork-Id: 1510926
From: Dimitri John Ledkov
To: kernel-team@lists.ubuntu.com
Subject: [PATCH autotest-client-tests] UBUNTU: SAUCE: ubuntu_boot: implement revocation list checks
Date: Wed, 28 Jul 2021 17:27:16 +0100
Message-Id: <20210728162716.79507-1-dimitri.ledkov@canonical.com>

Implement revocation list checks. If kernel supports revocation lists, check that the 2012 Canonical signing key is revoked. Most kernels will skip this test; those kernels that have support for revocation lists will check that it is correctly configured and visible at runtime.

Signed-off-by: Dimitri John Ledkov
---
Note, tested the function in question partially on v5.10 and v5.13 kernels. I failed at using the test harness directly to partially execute this test case alone. Thus I am not sure if it runs with python3 or python2, as I was getting exceptions raised from autotest itself.

 ubuntu_boot/control.ubuntu |  1 +
 ubuntu_boot/ubuntu_boot.py | 30 +++++++++++++++++++++++++++++-
 2 files changed, 30 insertions(+), 1 deletion(-)

diff --git a/ubuntu_boot/control.ubuntu b/ubuntu_boot/control.ubuntu index f73d68c2d3..5f4e3a29bd 100644 --- a/ubuntu_boot/control.ubuntu +++ b/ubuntu_boot/control.ubuntu
@@ -11,3 +11,4 @@ DOC = ''' job.run_test_detail('ubuntu_boot', test_name='log_check', tag='log_check', timeout=60*5) job.run_test_detail('ubuntu_boot', test_name='boot_smoke_test', tag='boot_smoke_test', timeout=60*5) job.run_test_detail('ubuntu_boot', test_name='kernel_tainted', tag='kernel_tainted', timeout=60*5) +job.run_test_detail('ubuntu_boot', test_name='kernel_revocation_list', tag='kernel_revocation_list', timeout=60*5) diff --git a/ubuntu_boot/ubuntu_boot.py b/ubuntu_boot/ubuntu_boot.py index a67f21d49f..a986210ad3 100644 --- a/ubuntu_boot/ubuntu_boot.py +++ b/ubuntu_boot/ubuntu_boot.py @@ -8,7 +8,7 @@ from autotest.client.shared import error class ubuntu_boot(test.test): version = 1 def setup(self): - pkgs = [ 'python3' ] + pkgs = [ 'python3', 'keyutils' ] cmd = 'yes "" | DEBIAN_FRONTEND=noninteractive apt-get install --yes --force-yes ' + ' '.join(pkgs) self.results = utils.system_output(cmd, retain_output=True) 
@@ -58,6 +58,31 @@ class ubuntu_boot(test.test): result = utils.system('python3 %s/kernel_taint_test.py' % self.bindir, ignore_status=True) return result + def kernel_revocation_list(self): + '''Test for kernel builtin revoked keys''' + config_file = "/boot/config-" + os.uname().release + revocation_list_available = False + for line in open(config_file): + if re.search("CONFIG_SYSTEM_REVOCATION_LIST", line): + revocation_list_available = True + break + if not revocation_list_available: + print('SKIP: Kernel Revocation List NA.') + raise error.TestNAError() + revocations = utils.system_output("keyctl list %:.blacklist", retain_output=True) + patterns = [ + b'.* asymmetric: Canonical Ltd. Secure Boot Signing: 61482aa2830d0ab2ad5af10b7250da9033ddcef0', + ] + missing_patterns = False + for pat in patterns: + print('Scanning for pattern "{}"'.format(pat)) + if not re.search(pat, revocations): + print('Pattern not found.') + missing_patterns = True + if missing_patterns: + raise error.TestFail() + print('GOOD: Kernel Revocation List.') + def run_once(self, test_name, exit_on_error=True): if test_name == 'log_check': if not self.log_check(): @@ -71,6 +96,9 @@ class ubuntu_boot(test.test): else: print('GOOD: Kernel not tainted.') return + elif test_name == 'kernel_revocation_list': + self.kernel_revocation_list() + return cmd = "uname -a" utils.system(cmd)
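Review bot: In the kernel_revocation_list hunk the availability check `re.search("CONFIG_SYSTEM_REVOCATION_LIST", line)` also matches the disabled form `# CONFIG_SYSTEM_REVOCATION_LIST is not set`, so a kernel that has the option but turned off is not skipped and instead runs `keyctl list %:.blacklist` and fails; match only the enabled line, e.g. `if line.startswith('CONFIG_SYSTEM_REVOCATION_LIST=y'):`. Three further points in the same function: the patterns are bytes (`b'.* asymmetric: Canonical Ltd. Secure Boot Signing: ...'`) while the subject of the search is whatever `utils.system_output` returns, and under Python 3 that is a str, for which `re.search` with a bytes pattern raises TypeError, so drop the `b` prefix (this also removes the python2/python3 doubt raised in the cover note); `utils.system_output` raises CmdError on a non-zero exit by default, so a missing `.blacklist` keyring surfaces as an autotest error rather than a clean TestFail, which suggests `ignore_status=True` plus a check of the output, and `error.TestFail()` should carry a message naming the pattern that was not found; and the config file should be read with `with open(config_file) as f:` so the handle is closed. Please also confirm that `os` and `re` are imported at the top of ubuntu_boot.py, since the visible context shows only `from autotest.client.shared import error`.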
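Review bot: In the run_once hunk the new `elif test_name == 'kernel_revocation_list':` branch calls `self.kernel_revocation_list()` and returns without consulting `exit_on_error`, whereas the visible `log_check` branch tests a return value (`if not self.log_check():`) and leaves reporting to run_once. If `exit_on_error` is meant to apply to every test, have `kernel_revocation_list` return a bool and keep the GOOD/FAIL handling in run_once like the other branches; otherwise a one-line comment that this test always raises on failure would make the asymmetry deliberate.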