[PATCH autotest-client-tests] UBUNTU: SAUCE: ubuntu_boot: implement revocation list checks

Dimitri John Ledkov dimitri.ledkov at canonical.com
Wed Jul 28 16:27:16 UTC 2021


Implement revocation list checks. If the kernel supports revocation lists,
check that the 2012 Canonical signing key is revoked.

Most kernels will skip this test, those kernels that have support for
revocation lists will check that it is correctly configured and
visible at runtime.

Signed-off-by: Dimitri John Ledkov <dimitri.ledkov at canonical.com>
---

 Note, tested the function in question partially on v5.10 and v5.13
 kernels. I failed at using the test harness directly to partially
 execute this test case alone. Thus I am not sure if it runs with
 python3 or python2, as I was getting exceptions raised from autotest
 itself.

 ubuntu_boot/control.ubuntu |  1 +
 ubuntu_boot/ubuntu_boot.py | 30 +++++++++++++++++++++++++++++-
 2 files changed, 30 insertions(+), 1 deletion(-)

diff --git a/ubuntu_boot/control.ubuntu b/ubuntu_boot/control.ubuntu
index f73d68c2d3..5f4e3a29bd 100644
--- a/ubuntu_boot/control.ubuntu
+++ b/ubuntu_boot/control.ubuntu
@@ -11,3 +11,4 @@ DOC = '''
 job.run_test_detail('ubuntu_boot', test_name='log_check', tag='log_check', timeout=60*5)
 job.run_test_detail('ubuntu_boot', test_name='boot_smoke_test', tag='boot_smoke_test', timeout=60*5)
 job.run_test_detail('ubuntu_boot', test_name='kernel_tainted', tag='kernel_tainted', timeout=60*5)
+job.run_test_detail('ubuntu_boot', test_name='kernel_revocation_list', tag='kernel_revocation_list', timeout=60*5)
diff --git a/ubuntu_boot/ubuntu_boot.py b/ubuntu_boot/ubuntu_boot.py
index a67f21d49f..a986210ad3 100644
--- a/ubuntu_boot/ubuntu_boot.py
+++ b/ubuntu_boot/ubuntu_boot.py
@@ -8,7 +8,7 @@ from autotest.client.shared import error
 class ubuntu_boot(test.test):
     version = 1
     def setup(self):
-        pkgs = [ 'python3' ]
+        pkgs = [ 'python3', 'keyutils' ]
         cmd = 'yes "" | DEBIAN_FRONTEND=noninteractive apt-get install --yes --force-yes ' + ' '.join(pkgs)
         self.results = utils.system_output(cmd, retain_output=True)
 
@@ -58,6 +58,31 @@ class ubuntu_boot(test.test):
         result = utils.system('python3 %s/kernel_taint_test.py' % self.bindir, ignore_status=True)
         return result
 
+    def kernel_revocation_list(self):
+        '''Test for kernel builtin revoked keys'''
+        config_file = "/boot/config-" + os.uname().release
+        revocation_list_available = False
+        for line in open(config_file):
+            if re.search("CONFIG_SYSTEM_REVOCATION_LIST", line):
+                revocation_list_available = True
+                break
+        if not revocation_list_available:
+            print('SKIP: Kernel Revocation List NA.')
+            raise error.TestNAError()
+        revocations = utils.system_output("keyctl list %:.blacklist", retain_output=True)
+        patterns = [
+            b'.* asymmetric: Canonical Ltd. Secure Boot Signing: 61482aa2830d0ab2ad5af10b7250da9033ddcef0',
+        ]
+        missing_patterns = False
+        for pat in patterns:
+            print('Scanning for pattern "{}"'.format(pat))
+            if not re.search(pat, revocations):
+                print('Pattern not found.')
+                missing_patterns = True
+        if missing_patterns:
+            raise error.TestFail()
+        print('GOOD: Kernel Revocation List.')
+
     def run_once(self, test_name, exit_on_error=True):
         if test_name == 'log_check':
             if not self.log_check():
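Review bot: The availability check in kernel_revocation_list also matches a disabled option: `re.search("CONFIG_SYSTEM_REVOCATION_LIST", line)` is true for the line `# CONFIG_SYSTEM_REVOCATION_LIST is not set`, so a kernel built without the feature proceeds to the keyctl check and fails instead of raising TestNAError as the commit message intends; anchoring on `CONFIG_SYSTEM_REVOCATION_LIST=y` closes that. The pattern list is `bytes` while `utils.system_output` presumably returns `str` under python3 (the cover note says the interpreter is unconfirmed), in which case `re.search(pat, revocations)` raises TypeError rather than scanning; a plain `str` pattern works under both, and the `.` in `Ltd.` should be escaped. `open(config_file)` is never closed, and `raise error.TestFail()` gives the report no hint of which fingerprint was missing — `raise error.TestFail('revoked key(s) not found in %:.blacklist')` would. run_once on the last lines of this hunk continues outside it.
```python
    def kernel_revocation_list(self):
        '''Test for kernel builtin revoked keys'''
        config_file = "/boot/config-" + os.uname().release
        revocation_list_available = False
        with open(config_file) as config:
            for line in config:
                # "# CONFIG_SYSTEM_REVOCATION_LIST is not set" must not count as available
                if re.match(r"CONFIG_SYSTEM_REVOCATION_LIST=y", line):
                    revocation_list_available = True
                    break
        # … unchanged: SKIP / TestNAError when unavailable …
        revocations = utils.system_output("keyctl list %:.blacklist", retain_output=True)
        patterns = [
            # str, not bytes: keeps re.search valid whichever interpreter runs this
            r'.* asymmetric: Canonical Ltd\. Secure Boot Signing: 61482aa2830d0ab2ad5af10b7250da9033ddcef0',
        ]
        # … unchanged: pattern scan …
        if missing_patterns:
            raise error.TestFail('revoked key(s) not found in %:.blacklist')
        print('GOOD: Kernel Revocation List.')
```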
@@ -71,6 +96,9 @@ class ubuntu_boot(test.test):
             else:
                 print('GOOD: Kernel not tainted.')
             return
+        elif test_name == 'kernel_revocation_list':
+            self.kernel_revocation_list()
+            return
 
         cmd = "uname -a"
         utils.system(cmd)
-- 
2.30.2



