[PATCH v2] UBUNTU: SAUCE: ubuntu_boot: implement revocation list checks
Dimitri John Ledkov
dimitri.ledkov at canonical.com
Thu Aug 5 12:26:40 UTC 2021
Implement revocation list checks. If kernel supports revocation lists,
check that 2012 canonical signing key is revoked.
Most kernels will skip this test, reporting an NA result; those kernels
that have support for revocation lists will check that it is correctly
configured and visible at runtime.
It is intentional for this to be part of ubuntu_boot test - kernels
failing this check must not be signed.
Signed-off-by: Dimitri John Ledkov <dimitri.ledkov at canonical.com>
---
Changes since v1:
- make the new code bilingual compatible with both python 2 and 3.
- tested with sudo ./autotest-local -v
tests/ubuntu_boot/control.ubuntu both on older kernels (overall
pass, 3 pass 1 NA) and newer kernels (overall pass, 4 passing)
ubuntu_boot/control.ubuntu | 1 +
ubuntu_boot/ubuntu_boot.py | 30 +++++++++++++++++++++++++++++-
2 files changed, 30 insertions(+), 1 deletion(-)
diff --git a/ubuntu_boot/control.ubuntu b/ubuntu_boot/control.ubuntu
index f73d68c2d3..5f4e3a29bd 100644
--- a/ubuntu_boot/control.ubuntu
+++ b/ubuntu_boot/control.ubuntu
@@ -11,3 +11,4 @@ DOC = '''
job.run_test_detail('ubuntu_boot', test_name='log_check', tag='log_check', timeout=60*5)
job.run_test_detail('ubuntu_boot', test_name='boot_smoke_test', tag='boot_smoke_test', timeout=60*5)
job.run_test_detail('ubuntu_boot', test_name='kernel_tainted', tag='kernel_tainted', timeout=60*5)
+job.run_test_detail('ubuntu_boot', test_name='kernel_revocation_list', tag='kernel_revocation_list', timeout=60*5)
diff --git a/ubuntu_boot/ubuntu_boot.py b/ubuntu_boot/ubuntu_boot.py
index a67f21d49f..3ae1a4dae8 100644
--- a/ubuntu_boot/ubuntu_boot.py
+++ b/ubuntu_boot/ubuntu_boot.py
@@ -8,7 +8,7 @@ from autotest.client.shared import error
class ubuntu_boot(test.test):
version = 1
def setup(self):
- pkgs = [ 'python3' ]
+ pkgs = [ 'python3', 'keyutils' ]
cmd = 'yes "" | DEBIAN_FRONTEND=noninteractive apt-get install --yes --force-yes ' + ' '.join(pkgs)
self.results = utils.system_output(cmd, retain_output=True)
@@ -58,6 +58,31 @@ class ubuntu_boot(test.test):
result = utils.system('python3 %s/kernel_taint_test.py' % self.bindir, ignore_status=True)
return result
+ def kernel_revocation_list(self):
+ '''Test for kernel builtin revoked keys'''
+ config_file = "/boot/config-" + os.uname()[2]
+ revocation_list_available = False
+ for line in open(config_file):
+ if re.search("CONFIG_SYSTEM_REVOCATION_LIST", line):
+ revocation_list_available = True
+ break
+ if not revocation_list_available:
+ print('SKIP: Kernel Revocation List NA.')
+ raise error.TestNAError()
+ revocations = utils.system_output("keyctl list %:.blacklist", retain_output=True)
+ patterns = [
+ b'.* asymmetric: Canonical Ltd. Secure Boot Signing: 61482aa2830d0ab2ad5af10b7250da9033ddcef0',
+ ]
+ missing_patterns = False
+ for pat in patterns:
+ print('Scanning for pattern "{}"'.format(pat))
+ if not re.search(pat, revocations):
+ print('Pattern not found.')
+ missing_patterns = True
+ if missing_patterns:
+ raise error.TestFail()
+ print('GOOD: Kernel Revocation List.')
+
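Review bot: The substring search at `re.search("CONFIG_SYSTEM_REVOCATION_LIST", line)` also matches a `# CONFIG_SYSTEM_REVOCATION_LIST is not set` line, so a kernel whose config carries the option but has it disabled proceeds to the keyctl check and raises TestFail instead of the NA result the description promises for kernels without support; if failing such kernels is intended, a comment saying so would help, otherwise `if line.startswith("CONFIG_SYSTEM_REVOCATION_LIST=y"):` pins the check to an enabled option. The config file is also opened without ever being closed; `with open(config_file) as f:` followed by `for line in f:` releases it on every path, including the TestNAError one. The patterns are bytes literals while `revocations` comes from `utils.system_output`; if that returns a str under Python 3 the `re.search` call raises TypeError, so it would be safer to decode or encode one side explicitly rather than rely on the `b` prefix for the 2/3 compatibility the cover letter mentions. Since each pattern is a fixed string, `re.escape` or a plain `in` test would also avoid the unescaped dots in `Canonical Ltd.` matching any character.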
def run_once(self, test_name, exit_on_error=True):
if test_name == 'log_check':
if not self.log_check():
@@ -71,6 +96,9 @@ class ubuntu_boot(test.test):
else:
print('GOOD: Kernel not tainted.')
return
+ elif test_name == 'kernel_revocation_list':
+ self.kernel_revocation_list()
+ return
cmd = "uname -a"
utils.system(cmd)
--
2.30.2