[PATCH v2] UBUNTU: SAUCE: ubuntu_boot: implement revocation list checks

Francis Ginther francis.ginther at canonical.com
Thu Aug 12 14:39:41 UTC 2021


On Thu, Aug 05, 2021 at 01:26:40PM +0100, Dimitri John Ledkov wrote:
> Implement revocation list checks. If the kernel supports revocation lists,
> check that the 2012 Canonical signing key is revoked.
> 
> Most kernels will skip this test reporting NA result, those kernels
> that have support for revocation lists will check that it is correctly
> configured and visible at runtime.
> 
> It is intentional for this to be part of ubuntu_boot test - kernels
> failing this check must not be signed.
> 
> Signed-off-by: Dimitri John Ledkov <dimitri.ledkov at canonical.com>
Acked-by: Francis Ginther <francis.ginther at canonical.com>
> ---
> 
>  Changes since v1:
>  - make the new code bilingual compatible with both python 2 and 3.
>  - tested with sudo ./autotest-local -v
>    tests/ubuntu_boot/control.ubuntu both on older kernels (overall
>    pass, 3 pass 1 NA) and newer kernels (overall pass, 4 passing)
> 
>  ubuntu_boot/control.ubuntu |  1 +
>  ubuntu_boot/ubuntu_boot.py | 30 +++++++++++++++++++++++++++++-
>  2 files changed, 30 insertions(+), 1 deletion(-)
> 
> diff --git a/ubuntu_boot/control.ubuntu b/ubuntu_boot/control.ubuntu
> index f73d68c2d3..5f4e3a29bd 100644
> --- a/ubuntu_boot/control.ubuntu
> +++ b/ubuntu_boot/control.ubuntu
> @@ -11,3 +11,4 @@ DOC = '''
>  job.run_test_detail('ubuntu_boot', test_name='log_check', tag='log_check', timeout=60*5)
>  job.run_test_detail('ubuntu_boot', test_name='boot_smoke_test', tag='boot_smoke_test', timeout=60*5)
>  job.run_test_detail('ubuntu_boot', test_name='kernel_tainted', tag='kernel_tainted', timeout=60*5)
> +job.run_test_detail('ubuntu_boot', test_name='kernel_revocation_list', tag='kernel_revocation_list', timeout=60*5)
> diff --git a/ubuntu_boot/ubuntu_boot.py b/ubuntu_boot/ubuntu_boot.py
> index a67f21d49f..3ae1a4dae8 100644
> --- a/ubuntu_boot/ubuntu_boot.py
> +++ b/ubuntu_boot/ubuntu_boot.py
> @@ -8,7 +8,7 @@ from autotest.client.shared import error
>  class ubuntu_boot(test.test):
>      version = 1
>      def setup(self):
> -        pkgs = [ 'python3' ]
> +        pkgs = [ 'python3', 'keyutils' ]
>          cmd = 'yes "" | DEBIAN_FRONTEND=noninteractive apt-get install --yes --force-yes ' + ' '.join(pkgs)
>          self.results = utils.system_output(cmd, retain_output=True)
>  
> @@ -58,6 +58,31 @@ class ubuntu_boot(test.test):
>          result = utils.system('python3 %s/kernel_taint_test.py' % self.bindir, ignore_status=True)
>          return result
>  
> +    def kernel_revocation_list(self):
> +        '''Test for kernel builtin revoked keys'''
> +        config_file = "/boot/config-" + os.uname()[2]
> +        revocation_list_available = False
> +        for line in open(config_file):
> +            if re.search("CONFIG_SYSTEM_REVOCATION_LIST", line):
> +                revocation_list_available = True
> +                break
> +        if not revocation_list_available:
> +            print('SKIP: Kernel Revocation List NA.')
> +            raise error.TestNAError()
> +        revocations = utils.system_output("keyctl list %:.blacklist", retain_output=True)
> +        patterns = [
> +            b'.* asymmetric: Canonical Ltd. Secure Boot Signing: 61482aa2830d0ab2ad5af10b7250da9033ddcef0',
> +        ]
> +        missing_patterns = False
> +        for pat in patterns:
> +            print('Scanning for pattern "{}"'.format(pat))
> +            if not re.search(pat, revocations):
> +                print('Pattern not found.')
> +                missing_patterns = True
> +        if missing_patterns:
> +            raise error.TestFail()
> +        print('GOOD: Kernel Revocation List.')
> +
>      def run_once(self, test_name, exit_on_error=True):
>          if test_name == 'log_check':
>              if not self.log_check():
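Review bot: The availability check on the `re.search("CONFIG_SYSTEM_REVOCATION_LIST", line)` line also matches a `# CONFIG_SYSTEM_REVOCATION_LIST is not set` entry, so a kernel that carries the option but has it disabled is treated as supporting revocation lists, runs `keyctl list %:.blacklist` and ends in TestFail instead of the intended TestNAError. The same loop leaves the `open(config_file)` handle unclosed; both are fixed by `with open(config_file) as cfg:` followed by `revocation_list_available = any(line.startswith('CONFIG_SYSTEM_REVOCATION_LIST=y') for line in cfg)`, which stays valid on Python 2 and 3. The bare `raise error.TestFail()` at the end of the pattern loop gives no reason in the result log; `raise error.TestFail('revoked key not found in %:.blacklist')` would name the missing entry. The bytes pattern `b'.* asymmetric: ...'` presumes `utils.system_output` returns bytes under Python 3; if it returns str there, `re.search` raises TypeError, so a short comment stating which type is expected would help the next reader. The enclosing class continues outside the hunk.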
> @@ -71,6 +96,9 @@ class ubuntu_boot(test.test):
>              else:
>                  print('GOOD: Kernel not tainted.')
>              return
> +        elif test_name == 'kernel_revocation_list':
> +            self.kernel_revocation_list()
> +            return
>  
>          cmd = "uname -a"
>          utils.system(cmd)
> -- 
> 2.30.2
> 
> 


