[LTP] [PATCH 1/4] tst_lockdown: Check other lockdown configuration

Petr Vorel pvorel@suse.cz
Thu Jul 20 17:02:03 CEST 2023


Originally we checked only CONFIG_EFI_SECURE_BOOT_LOCK_DOWN=y
(non-mainline patch from 2017 [1]). Various distros (older releases) use
another, newer non-mainline patch [2] (originally from Fedora 32), which with
CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT=y forces lockdown when in secure boot.

[1] https://lore.kernel.org/lkml/149141204578.30815.1929675368430800975.stgit@warthog.procyon.org.uk/
[2] https://lore.kernel.org/lkml/150842483945.7923.12778302394414653081.stgit@warthog.procyon.org.uk/

Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
 lib/tst_lockdown.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/lib/tst_lockdown.c b/lib/tst_lockdown.c
index 26a57b6a1..f91bc919d 100644
--- a/lib/tst_lockdown.c
+++ b/lib/tst_lockdown.c
@@ -47,18 +47,21 @@ int tst_lockdown_enabled(void)
 {
 	char line[BUFSIZ];
 	FILE *file;
+	char flag;
 
 	if (access(PATH_LOCKDOWN, F_OK) != 0) {
-		char flag;
-
+		/* SecureBoot enabled could mean integrity lockdown (non-mainline version) */
 		flag = tst_kconfig_get("CONFIG_EFI_SECURE_BOOT_LOCK_DOWN");
-
-		/* SecureBoot enabled could mean integrity lockdown */
 		if (flag == 'y' && tst_secureboot_enabled() > 0)
 			return 1;
 
 		tst_res(TINFO, "Unable to determine system lockdown state");
 		return 0;
+	} else {
+		/* SecureBoot forces lockdown (non-mainline version) */
+		flag = tst_kconfig_get("CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT");
+		if (flag == 'y' && tst_secureboot_enabled() > 0)
+			return 1;
 	}
 
 	file = SAFE_FOPEN(PATH_LOCKDOWN, "r");
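Review bot: The new else branch returns 1 from the kconfig and secure boot check without ever reading PATH_LOCKDOWN, even though access() has just confirmed the file exists and the SAFE_FOPEN() below would report the actual state. If the file content is not trustworthy with the CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT patch, the comment should say why; otherwise reading the file first and using the kconfig check only as a fallback would keep the result tied to what the kernel reports. As a style point, the preceding if block always returns, so the "} else {" wrapper is not needed and the new check could sit at function level. The same "flag == 'y' && tst_secureboot_enabled() > 0" test now appears twice and could be folded into a small helper that takes the config name.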
-- 
2.40.1


