Repository : http://git.fedorahosted.org/cgit/kernel-tests.git
On branch : master
commit e9df94673a8558de46a4ee5cd54e413766840c71 Author: Justin M. Forbes jforbes@redhat.com Date: Wed Oct 28 11:06:55 2015 -0500
Add test to validate secureboot signer
config.example | 3 ++ runtests.sh | 44 +++++++++++++++++------------- secureboot/check_SB_signature/runtest.sh | 22 +++++++++++++++ 3 files changed, 50 insertions(+), 19 deletions(-)
diff --git a/config.example b/config.example index 370ae5e..0ed8c40 100644 --- a/config.example +++ b/config.example @@ -7,6 +7,9 @@ submit=none # submit=anonymous # submit=authenticated
+# Check Signature for Secure Boot
+# checksig=y
+# validsig="Fedora Secure Boot Signer"
# FAS User credentials. # Storing your FAS password here is technically possible, but not advisable diff --git a/runtests.sh b/runtests.sh index 2a22401..abf1571 100755 --- a/runtests.sh +++ b/runtests.sh @@ -85,6 +85,10 @@ performance) exit 1 esac
+# Test Secure Boot?
+if [ "$checksig" == "y" ]; then
+ dirlist="secureboot $dirlist"
+fi
#Basic logfile headers echo "Date: $(date)" > $logfile @@ -111,27 +115,29 @@ do
if [ "$testset" == "performance" ]; then ./runtest.sh >>$logfile + elif [ "$dir" == "secureboot" ]; then + ./runtest.sh "$validsig" &>>$logfile else ./runtest.sh &>>$logfile - complete=$? - case $complete in - 0) - result=PASS - ;; - 3) - result=SKIP - ;; - *) - result=FAIL - esac - printf "%-65s%-8s\n" "$testname" "$result" - if [ "$result" == "FAIL" ]; then - cleanrun=FAIL - if [ "$failedtests" == "None" ]; then - failedtests="$testname" - else - failedtests="$failedtests $testname" - fi + fi + complete=$? + case $complete in + 0) + result=PASS + ;; + 3) + result=SKIP + ;; + *) + result=FAIL + esac + printf "%-65s%-8s\n" "$testname" "$result" + if [ "$result" == "FAIL" ]; then + cleanrun=FAIL + if [ "$failedtests" == "None" ]; then + failedtests="$testname" + else + failedtests="$failedtests $testname" fi fi popd &>/dev/null diff --git a/secureboot/check_SB_signature/runtest.sh b/secureboot/check_SB_signature/runtest.sh new file mode 100755 index 0000000..10eceb9 --- /dev/null +++ b/secureboot/check_SB_signature/runtest.sh @@ -0,0 +1,22 @@ +#!/bin/sh +# +# Licensed under the terms of the GNU GPL License version 2 + +# Check the Secure Boot Signer + +# Make sure pesign is available +if [ ! -f /usr/bin/pesign ]; then + echo "pesign is required to check the secure boot signature" + exit 3 +fi + +validsig=$1 +echo "Looking for Signature $validsig" +kver=$(uname -r) +signer=$(/usr/bin/pesign -i /boot/vmlinuz-$kver -S | grep "common name") +echo $signer +if [ "$signer" == "The signer's common name is $validsig" ]; then + exit 0 +else + exit -1 +fi
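Review bot: The new `elif [ "$dir" == "secureboot" ]` branch in runtests.sh hands `"$validsig"` to the test without checking that it is set, and config.example ships `validsig` commented out, so enabling only `checksig=y` runs the signature test against an empty expected name. As far as the new script shows, that still ends in FAIL rather than PASS, but the log gives no hint that the cause is configuration rather than the kernel's signature. A guard beside the `checksig` test added earlier in this file would make it explicit, e.g. `if [ "$checksig" == "y" ] && [ -z "$validsig" ]; then echo "checksig=y requires validsig" >&2; exit 1; fi`. The surrounding loop starts outside this hunk, so how `$dir` is set is not visible here.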
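Review bot: The pass condition at the end of the new secureboot/check_SB_signature/runtest.sh is a string match on the common-name line that pesign prints, so a PASS shows which name is on the signature, not that the signature verifies against a trusted certificate. A header comment such as `# Compares the signer's common name only; does not validate the certificate chain` would keep the result from being over-read. The script is also `#!/bin/sh` but uses `==` inside `[` and `exit -1`, neither of which is POSIX; `[ "$signer" = "The signer's common name is $validsig" ]` and `exit 1` are still scored the same way by the runner and stay correct under shells other than bash. Quoting `"/boot/vmlinuz-$kver"` and `echo "$signer"` avoids word splitting. If pesign reports more than one signature, the `grep` presumably returns several lines and the equality test would fail even when the expected signer is present.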