From 987aa272b7ead1214e33838fe5eada41a4885154 Mon Sep 17 00:00:00 2001
From: Shahriyar Jalayeri
Date: Tue, 28 Nov 2023 14:28:16 +0100
Subject: [PATCH] security : check kernel module signing is enabled

Signed-off-by: Shahriyar Jalayeri
---
 tests/sec/sec_test.go | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/tests/sec/sec_test.go b/tests/sec/sec_test.go
index 326554313..2412ddaab 100644
--- a/tests/sec/sec_test.go
+++ b/tests/sec/sec_test.go
@@ -91,6 +91,24 @@ func TestMain(m *testing.M) {
 os.Exit(res)
 }
 
+func TestKernelModuleSigning(t *testing.T) {
+ log.Println("TestKernelModuleSigning started")
+ defer log.Println("TestKernelModuleSigning finished")
+
+ edgeNode := tc.GetEdgeNode(tc.WithTest(t))
+ tc.WaitForState(edgeNode, 60)
+
+ out, err := rnode.runCommand("cat /proc/config.gz | gunzip > /tmp/running.config && cat /tmp/running.config | grep CONFIG_MODULE_SIG_FORCE")
+ if err != nil {
+ t.Fatal(err)
+ }
+
+ status := strings.TrimSpace(string(out))
+ if status != "CONFIG_MODULE_SIG_FORCE=y" {
+ t.Fatal("Kernel module signing is not enabled")
+ }
+}
+
 func TestUnconfinedProcesses(t *testing.T) {
 log.Println("TestUnconfinedProcesses started")
 defer log.Println("TestUnconfinedProcesses finished")
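Review bot: The command in TestKernelModuleSigning fails opaquely when /proc/config.gz is absent (kernel built without CONFIG_IKCONFIG_PROC) or when the option does not appear in the config at all: gunzip or grep exits non-zero and the test presumably stops at `t.Fatal(err)` without mentioning module signing (runCommand is defined outside the hunk, so the exact error depends on it). Wrapping that error, `t.Fatalf("reading CONFIG_MODULE_SIG_FORCE from /proc/config.gz: %v", err)`, and reporting the observed value in the final check, `t.Fatalf("kernel module signature enforcement is not forced, got %q", status)`, would make a failed run diagnosable. The pipeline also writes `/tmp/running.config` on the device, a fixed and predictable path that is never cleaned up; streaming with `gunzip -c /proc/config.gz | grep CONFIG_MODULE_SIG_FORCE` gives the same output with no file. A one-line comment that this asserts the build-time option, not the runtime `sig_enforce` state, would help readers.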