testcases: add module signature enforcement check

CONFIG_MODULE_SIG_FORCE kernel config and the module.sig_enforce in /proc/cmdline can prevent tests from inserting their test modules. Those tests will either fail with: 'insmod exited with a non-zero code 1 at tst_cmd.c:121 Or: insmod: ERROR: could not insert module ltp_insmod01.ko: Key was rejected by service. Add an extra check like what we did for syscall tests. Patch tested against a kernel with CONFIG_MODULE_SIG_FORCE=y, and another with module.sig_enforce added to /proc/cmdline. It's working as expected. Link: https://lore.kernel.org/ltp/[email protected]/ Reviewed-by: Petr Vorel <[email protected]> Signed-off-by: Po-Hsu Lin <[email protected]>
SierraWireless · Dec 27, 2024 · 5d9617a · 5d9617a
1 parent 1b6877e
commit 5d9617a
Show file tree

Hide file tree

Showing 6 changed files with 50 additions and 1 deletion.
diff --git a/testcases/commands/insmod/insmod01.sh b/testcases/commands/insmod/insmod01.sh
@@ -30,6 +30,11 @@ cleanup()
 
 do_test()
 {
+	tst_check_kconfigs "CONFIG_MODULE_SIG_FORCE=y"
+	if [ $? -eq 0 ] || grep module.sig_enforce -qw /proc/cmdline; then
+		tst_brk TCONF "module signature is enforced, skipping test"
+	fi
+
 	insmod "$TST_MODPATH"
 	if [ $? -ne 0 ]; then
 		tst_res TFAIL "insmod failed"

diff --git a/testcases/kernel/device-drivers/acpi/ltp_acpi.c b/testcases/kernel/device-drivers/acpi/ltp_acpi.c
@@ -22,6 +22,7 @@
 #include <stdlib.h>
 
 #include "test.h"
+#include "tst_kconfig.h"
 #include "old_module.h"
 #include "safe_macros.h"
 
@@ -128,11 +129,18 @@ static void test_run(void)
 int main(int argc, char *argv[])
 {
 	int acpi_disabled;
+	struct tst_kcmdline_var params = TST_KCMDLINE_INIT("module.sig_enforce");
+	struct tst_kconfig_var kconfig = TST_KCONFIG_INIT("CONFIG_MODULE_SIG_FORCE");
 
 	tst_parse_opts(argc, argv, NULL, NULL);
 
 	tst_require_root();
 
+	tst_kcmdline_parse(&params, 1);
+	tst_kconfig_read(&kconfig, 1);
+	if (params.found || kconfig.choice == 'y')
+		tst_brkm(TCONF, tst_exit, "module signature is enforced, skip test");
+
 	tst_sig(FORK, DEF_HANDLER, cleanup);
 
 	tst_module_load(NULL, module_name, NULL);

diff --git a/testcases/kernel/device-drivers/block/block_dev_user/block_dev.c b/testcases/kernel/device-drivers/block/block_dev_user/block_dev.c
@@ -17,6 +17,7 @@
 #include <unistd.h>
 #include <string.h>
 
+#include "tst_kconfig.h"
 #include "tst_test.h"
 #include "tst_module.h"
 
@@ -47,6 +48,15 @@ static void run(unsigned int n)
 	 * unregister_blkdev() checks the input device name parameter
 	 * against NULL pointer.
 	 */
+	struct tst_kcmdline_var params = TST_KCMDLINE_INIT("module.sig_enforce");
+	struct tst_kconfig_var kconfig = TST_KCONFIG_INIT("CONFIG_MODULE_SIG_FORCE");
+
+	tst_kcmdline_parse(&params, 1);
+	tst_kconfig_read(&kconfig, 1);
+	if (params.found || kconfig.choice == 'y')
+		tst_brk(TCONF, "module signature is enforced, skip test");
+
+
 	n++;
 	if (!run_all_testcases && (n == 8 || n == 9)) {
 		tst_res(TCONF, "Skipped n = %d", n);

diff --git a/testcases/kernel/device-drivers/pci/tpci_user/tpci.c b/testcases/kernel/device-drivers/pci/tpci_user/tpci.c
@@ -27,6 +27,7 @@
 #include <errno.h>
 
 #include "test.h"
+#include "tst_kconfig.h"
 #include "safe_macros.h"
 #include "old_module.h"
 
@@ -49,8 +50,16 @@ static void cleanup(void)
 
 void setup(void)
 {
+	struct tst_kcmdline_var params = TST_KCMDLINE_INIT("module.sig_enforce");
+	struct tst_kconfig_var kconfig = TST_KCONFIG_INIT("CONFIG_MODULE_SIG_FORCE");
+
 	tst_require_root();
 
+	tst_kcmdline_parse(&params, 1);
+	tst_kconfig_read(&kconfig, 1);
+	if (params.found || kconfig.choice == 'y')
+		tst_brkm(TCONF, tst_exit, "module signature is enforced, skip test");
+
 	tst_sig(FORK, DEF_HANDLER, cleanup);
 }
 

diff --git a/testcases/kernel/device-drivers/uaccess/uaccess.c b/testcases/kernel/device-drivers/uaccess/uaccess.c
@@ -27,6 +27,7 @@
 #include <unistd.h>
 
 #include "test.h"
+#include "tst_kconfig.h"
 #include "old_module.h"
 #include "safe_macros.h"
 
@@ -92,10 +93,18 @@ static void tc_write_userspace(void)
 
 int main(int argc, char *argv[])
 {
+	struct tst_kcmdline_var params = TST_KCMDLINE_INIT("module.sig_enforce");
+	struct tst_kconfig_var kconfig = TST_KCONFIG_INIT("CONFIG_MODULE_SIG_FORCE");
+
 	tst_parse_opts(argc, argv, NULL, NULL);
 
 	tst_require_root();
 
+	tst_kcmdline_parse(&params, 1);
+	tst_kconfig_read(&kconfig, 1);
+	if (params.found || kconfig.choice == 'y')
+		tst_brkm(TCONF, tst_exit, "module signature is enforced, skip test");
+
 	tst_sig(FORK, DEF_HANDLER, cleanup);
 
 	tst_module_load(NULL, module_name, NULL);

diff --git a/testcases/kernel/firmware/fw_load_user/fw_load.c b/testcases/kernel/firmware/fw_load_user/fw_load.c
@@ -29,6 +29,7 @@
 #include <string.h>
 
 #include "test.h"
+#include "tst_kconfig.h"
 #include "safe_macros.h"
 #include "old_module.h"
 
@@ -102,7 +103,9 @@ static void help(void)
 
 void setup(int argc, char *argv[])
 {
-
+	struct tst_kcmdline_var params = TST_KCMDLINE_INIT("module.sig_enforce");
+	struct tst_kconfig_var kconfig = TST_KCONFIG_INIT("CONFIG_MODULE_SIG_FORCE");
+
 	tst_parse_opts(argc, argv, options, help);
 
 	if (nflag) {
@@ -114,6 +117,11 @@ void setup(int argc, char *argv[])
 
 	tst_require_root();
 
+	tst_kcmdline_parse(&params, 1);
+	tst_kconfig_read(&kconfig, 1);
+	if (params.found || kconfig.choice == 'y')
+		tst_brkm(TCONF, tst_exit, "module signature is enforced, skip test");
+
 	char fw_size_param[19];
 	snprintf(fw_size_param, 19, "fw_size=%d", fw_size);
 	char *const mod_params[2] = { fw_size_param, NULL };