kernel-tests master: Add test to validate secureboot signer (e9df946)

jforbes at fedoraproject.org jforbes at fedoraproject.org
Wed Oct 28 16:07:19 UTC 2015


Repository : http://git.fedorahosted.org/cgit/kernel-tests.git

On branch  : master

>---------------------------------------------------------------

commit e9df94673a8558de46a4ee5cd54e413766840c71
Author: Justin M. Forbes <jforbes at redhat.com>
Date:   Wed Oct 28 11:06:55 2015 -0500

    Add test to validate secureboot signer


>---------------------------------------------------------------

 config.example                           |    3 ++
 runtests.sh                              |   44 +++++++++++++++++-------------
 secureboot/check_SB_signature/runtest.sh |   22 +++++++++++++++
 3 files changed, 50 insertions(+), 19 deletions(-)

diff --git a/config.example b/config.example
index 370ae5e..0ed8c40 100644
--- a/config.example
+++ b/config.example
@@ -7,6 +7,9 @@ submit=none
 # submit=anonymous
 # submit=authenticated
 
+# Check Signature for Secure Boot
+# checksig=y
+# validsig="Fedora Secure Boot Signer"
 
 # FAS User credentials.
 # Storing your FAS password here is technically possible, but not advisable
diff --git a/runtests.sh b/runtests.sh
index 2a22401..abf1571 100755
--- a/runtests.sh
+++ b/runtests.sh
@@ -85,6 +85,10 @@ performance)
 	exit 1
 esac
 
+# Test Secure Boot?
+if  [ "$checksig" == "y" ]; then
+    dirlist="secureboot $dirlist"
+fi
 
 #Basic logfile headers
 echo "Date: $(date)" > $logfile
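Review bot: With `checksig=y` and `validsig` unset or empty, the secureboot directory is still queued and the test is later handed an empty expected signer, so a configuration mistake surfaces as an ordinary signature FAIL. A guard inside this `if` would make that explicit, for example `[ -n "$validsig" ] || { echo "checksig=y requires validsig"; exit 1; }`. The rest of the script lies outside this hunk, so confirm `validsig` is not given a default elsewhere.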
@@ -111,27 +115,29 @@ do
 
 		if [ "$testset" == "performance" ]; then
 			./runtest.sh >>$logfile
+		elif [ "$dir" == "secureboot" ]; then
+			./runtest.sh "$validsig" &>>$logfile
 		else
 			./runtest.sh &>>$logfile
-			complete=$?
-			case $complete in
-			0)
-				result=PASS
-				;;
-			3)
-				result=SKIP
-				;;
-			*)
-				result=FAIL
-			esac
-			printf "%-65s%-8s\n" "$testname" "$result"
-			if [ "$result" == "FAIL" ]; then
-				cleanrun=FAIL
-				if [ "$failedtests" == "None" ]; then
-					failedtests="$testname"
-				else
-					failedtests="$failedtests $testname"
-				fi
+		fi
+		complete=$?
+		case $complete in
+		0)
+			result=PASS
+			;;
+		3)
+			result=SKIP
+			;;
+		*)
+			result=FAIL
+		esac
+		printf "%-65s%-8s\n" "$testname" "$result"
+		if [ "$result" == "FAIL" ]; then
+			cleanrun=FAIL
+			if [ "$failedtests" == "None" ]; then
+				failedtests="$testname"
+			else
+				failedtests="$failedtests $testname"
 			fi
 		fi
 		popd &>/dev/null
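Review bot: `complete=$?` after the `fi` only holds the test's status because `./runtest.sh` is the last command executed in whichever branch ran; any command later added after it in a branch would silently replace the result. A comment above it would pin that, e.g. `# $? is the exit status of the ./runtest.sh call in the branch taken above`. Moving the case block out of the `else` also means performance runs now get a PASS/FAIL line and can mark the run as failed, which they did not before; confirm that is intended. The enclosing loop starts and ends outside the hunk.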
diff --git a/secureboot/check_SB_signature/runtest.sh b/secureboot/check_SB_signature/runtest.sh
new file mode 100755
index 0000000..10eceb9
--- /dev/null
+++ b/secureboot/check_SB_signature/runtest.sh
@@ -0,0 +1,22 @@
+#!/bin/sh
+#
+# Licensed under the terms of the GNU GPL License version 2
+
+# Check the Secure Boot Signer
+
+# Make sure pesign is available
+if [ ! -f /usr/bin/pesign ]; then
+	echo "pesign is required to check the secure boot signature"
+	exit 3
+fi
+
+validsig=$1
+echo "Looking for Signature $validsig"
+kver=$(uname -r)
+signer=$(/usr/bin/pesign -i /boot/vmlinuz-$kver -S | grep "common name")
+echo $signer
+if [ "$signer" == "The signer's common name is $validsig" ]; then
+	exit 0
+else 
+	exit -1
+fi
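Review bot: The comparison only matches the common-name string that pesign prints, so it shows which name is on the signature but not that the signature chains to a trusted certificate; a kernel image signed with any certificate carrying the same common name would pass. A comment above the check should say so, e.g. `# Compares the signer's common name only; does not verify the signature against a trusted certificate`. Separately, under `#!/bin/sh` the `==` operator in `[` and `exit -1` are not portable (a strict POSIX shell can reject both), so prefer `[ "$signer" = "The signer's common name is $validsig" ]` and `exit 1`. `/boot/vmlinuz-$kver` and `echo $signer` should also be quoted.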


