Repository : http://git.fedorahosted.org/cgit/kernel-tests.git
On branch : master
>---------------------------------------------------------------
commit e9df94673a8558de46a4ee5cd54e413766840c71
Author: Justin M. Forbes <jforbes@xxxxxxxxxx>
Date: Wed Oct 28 11:06:55 2015 -0500
Add test to validate secureboot signer
>---------------------------------------------------------------
config.example | 3 ++
runtests.sh | 44 +++++++++++++++++-------------
secureboot/check_SB_signature/runtest.sh | 22 +++++++++++++++
3 files changed, 50 insertions(+), 19 deletions(-)
diff --git a/config.example b/config.example
index 370ae5e..0ed8c40 100644
--- a/config.example
+++ b/config.example
@@ -7,6 +7,9 @@ submit=none
 # submit=anonymous
 # submit=authenticated
+# Check Signature for Secure Boot
+# checksig=y
+# validsig="Fedora Secure Boot Signer"
 # FAS User credentials.
 # Storing your FAS password here is technically possible, but not advisable
diff --git a/runtests.sh b/runtests.sh
index 2a22401..abf1571 100755
--- a/runtests.sh
+++ b/runtests.sh
@@ -85,6 +85,10 @@ performance)
 exit 1
 esac
+# Test Secure Boot?
+if [ "$checksig" == "y" ]; then
+ dirlist="secureboot $dirlist"
+fi
 #Basic logfile headers
 echo "Date: $(date)" > $logfile
@@ -111,27 +115,29 @@ do
 if [ "$testset" == "performance" ]; then
 ./runtest.sh >>$logfile
+ elif [ "$dir" == "secureboot" ]; then
+ ./runtest.sh "$validsig" &>>$logfile
 else
 ./runtest.sh &>>$logfile
- complete=$?
- case $complete in
- 0)
- result=PASS
- ;;
- 3)
- result=SKIP
- ;;
- *)
- result=FAIL
- esac
- printf "%-65s%-8s\n" "$testname" "$result"
- if [ "$result" == "FAIL" ]; then
- cleanrun=FAIL
- if [ "$failedtests" == "None" ]; then
- failedtests="$testname"
- else
- failedtests="$failedtests $testname"
- fi
+ fi
+ complete=$?
+ case $complete in
+ 0)
+ result=PASS
+ ;;
+ 3)
+ result=SKIP
+ ;;
+ *)
+ result=FAIL
+ esac
+ printf "%-65s%-8s\n" "$testname" "$result"
+ if [ "$result" == "FAIL" ]; then
+ cleanrun=FAIL
+ if [ "$failedtests" == "None" ]; then
+ failedtests="$testname"
+ else
+ failedtests="$failedtests $testname"
 fi
 fi
 popd &>/dev/null
diff --git a/secureboot/check_SB_signature/runtest.sh b/secureboot/check_SB_signature/runtest.sh
new file mode 100755
index 0000000..10eceb9
--- /dev/null
+++ b/secureboot/check_SB_signature/runtest.sh
@@ -0,0 +1,22 @@
+#!/bin/sh
+#
+# Licensed under the terms of the GNU GPL License version 2
+
+# Check the Secure Boot Signer
+
+# Make sure pesign is available
+if [ ! -f /usr/bin/pesign ]; then
+ echo "pesign is required to check the secure boot signature"
+ exit 3
+fi
+
+validsig=$1
+echo "Looking for Signature $validsig"
+kver=$(uname -r)
+signer=$(/usr/bin/pesign -i /boot/vmlinuz-$kver -S | grep "common name")
+echo $signer
+if [ "$signer" == "The signer's common name is $validsig" ]; then
+ exit 0
+else
+ exit -1
+fi
_______________________________________________
kernel mailing list
kernel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/kernel
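Review bot: The new `elif [ "$dir" == "secureboot" ]` branch in runtests.sh is only reached when `$testset` is not `performance`, so a performance run with `checksig=y` would, as far as the visible lines show, start the secureboot test without its `"$validsig"` argument and record a FAIL against an empty expected signer. Testing the directory first avoids that: `if [ "$dir" == "secureboot" ]; then ./runtest.sh "$validsig" &>>$logfile` followed by `elif [ "$testset" == "performance" ]; then`. The loop that sets `$dir` begins outside the hunk, so how `$dir` is taken from `$dirlist` should be confirmed before relying on this.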
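Review bot: The pass condition at the end of the new secureboot/check_SB_signature/runtest.sh compares the entire `grep "common name"` output with one expected string, so an image that carries more than one signature fails even when the expected signer is among them, and an empty `$1` is compared as if it were a name. Matching the expected line with `grep -Fxq` and rejecting an empty argument first covers both cases; `exit 1` and a quoted `"/boot/vmlinuz-$kver"` replace the non-portable `exit -1` and the unquoted path. Under `#!/bin/sh` the `==` inside `[ ]` is a bash extension, which the rewrite below no longer needs. The test reads the certificate common name that pesign prints and, as far as these lines show, does not verify the signature against a trusted certificate, so a header comment should say that it checks the signer name only.

```shell
validsig=$1
if [ -z "$validsig" ]; then
    echo "validsig is empty; set it in the config"
    exit 1
fi
# … unchanged: echo of the expected signature, kver=$(uname -r) …
signer=$(/usr/bin/pesign -i "/boot/vmlinuz-$kver" -S | grep "common name")
echo "$signer"
if printf '%s\n' "$signer" | grep -Fxq -- "The signer's common name is $validsig"; then
    exit 0
else
    exit 1
fi
```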