[PATCH v2] UBUNTU: SAUCE: ubuntu_boot: implement revocation list checks

Dimitri John Ledkov dimitri.ledkov at canonical.com
Thu Aug 5 12:40:13 UTC 2021 

On Thu, Aug 5, 2021 at 1:37 PM Stefan Bader <stefan.bader at canonical.com> wrote:
>
> On 05.08.21 14:26, Dimitri John Ledkov wrote:
> > Implement revocation list checks. If kernel supports revocation lists,
> > check that 2012 canonical signing key is revoked.
> >
> > Most kernels will skip this test reporting NA result, those kernels
> > that have support for revocation lists will check that it is correctly
> > configured and visible at runtime.
> >
> > It is intentional for this to be part of ubuntu_boot test - kernels
> > failing this check must not be signed.
> >
> > Signed-off-by: Dimitri John Ledkov <dimitri.ledkov at canonical.com>
> > ---
>
> Is this [ACT]? ... confused...
>

yes.... this is [PATCH v2 autotest-client-tests] in reference of
https://lists.ubuntu.com/archives/kernel-team/2021-July/122815.html
thread and changes requested there.


> -Stefan
>
> >
> >   Changes since v1:
> >   - make the new code bilingual compatible with both python 2 and 3.
> >   - tested with sudo ./autotest-local -v
> >     tests/ubuntu_boot/control.ubuntu both on older kernels (overall
> >     pass, 3 pass 1 NA) and newer kernels (overall pass, 4 passing)
> >
> >   ubuntu_boot/control.ubuntu |  1 +
> >   ubuntu_boot/ubuntu_boot.py | 30 +++++++++++++++++++++++++++++-
> >   2 files changed, 30 insertions(+), 1 deletion(-)
> >
> > diff --git a/ubuntu_boot/control.ubuntu b/ubuntu_boot/control.ubuntu
> > index f73d68c2d3..5f4e3a29bd 100644
> > --- a/ubuntu_boot/control.ubuntu
> > +++ b/ubuntu_boot/control.ubuntu
> > @@ -11,3 +11,4 @@ DOC = '''
> >   job.run_test_detail('ubuntu_boot', test_name='log_check', tag='log_check', timeout=60*5)
> >   job.run_test_detail('ubuntu_boot', test_name='boot_smoke_test', tag='boot_smoke_test', timeout=60*5)
> >   job.run_test_detail('ubuntu_boot', test_name='kernel_tainted', tag='kernel_tainted', timeout=60*5)
> > +job.run_test_detail('ubuntu_boot', test_name='kernel_revocation_list', tag='kernel_revocation_list', timeout=60*5)
> > diff --git a/ubuntu_boot/ubuntu_boot.py b/ubuntu_boot/ubuntu_boot.py
> > index a67f21d49f..3ae1a4dae8 100644
> > --- a/ubuntu_boot/ubuntu_boot.py
> > +++ b/ubuntu_boot/ubuntu_boot.py
> > @@ -8,7 +8,7 @@ from autotest.client.shared import error
> >   class ubuntu_boot(test.test):
> >       version = 1
> >       def setup(self):
> > -        pkgs = [ 'python3' ]
> > +        pkgs = [ 'python3', 'keyutils' ]
> >           cmd = 'yes "" | DEBIAN_FRONTEND=noninteractive apt-get install --yes --force-yes ' + ' '.join(pkgs)
> >           self.results = utils.system_output(cmd, retain_output=True)
> >
> > @@ -58,6 +58,31 @@ class ubuntu_boot(test.test):
> >           result = utils.system('python3 %s/kernel_taint_test.py' % self.bindir, ignore_status=True)
> >           return result
> >
> > +    def kernel_revocation_list(self):
> > +        '''Test for kernel builtin revoked keys'''
> > +        config_file = "/boot/config-" + os.uname()[2]
> > +        revocation_list_available = False
> > +        for line in open(config_file):
> > +            if re.search("CONFIG_SYSTEM_REVOCATION_LIST", line):
> > +                revocation_list_available = True
> > +                break
> > +        if not revocation_list_available:
> > +            print('SKIP: Kernel Revocation List NA.')
> > +            raise error.TestNAError()
> > +        revocations = utils.system_output("keyctl list %:.blacklist", retain_output=True)
> > +        patterns = [
> > +            b'.* asymmetric: Canonical Ltd. Secure Boot Signing: 61482aa2830d0ab2ad5af10b7250da9033ddcef0',
> > +        ]
> > +        missing_patterns = False
> > +        for pat in patterns:
> > +            print('Scanning for pattern "{}"'.format(pat))
> > +            if not re.search(pat, revocations):
> > +                print('Pattern not found.')
> > +                missing_patterns = True
> > +        if missing_patterns:
> > +            raise error.TestFail()
> > +        print('GOOD: Kernel Revocation List.')
> > +
> >       def run_once(self, test_name, exit_on_error=True):
> >           if test_name == 'log_check':
> >               if not self.log_check():
> > @@ -71,6 +96,9 @@ class ubuntu_boot(test.test):
> >               else:
> >                   print('GOOD: Kernel not tainted.')
> >               return
> > +        elif test_name == 'kernel_revocation_list':
> > +            self.kernel_revocation_list()
> > +            return
> >
> >           cmd = "uname -a"
> >           utils.system(cmd)
> >
>
>


-- 
Regards,

Dimitri.

More information about the kernel-team mailing list