[LTP] [PATCH 1/4] tst_lockdown: Check other lockdown configuration

Martin Doucha mdoucha@suse.cz
Thu Jul 20 17:16:03 CEST 2023


Hi,

On 20. 07. 23 17:02, Petr Vorel wrote:
> Originally we checked only CONFIG_EFI_SECURE_BOOT_LOCK_DOWN=y
> (non-mainline patch from 2017 [1]). Various distros (older releases) use
> other newer non-mainline patch [2] (originally from Fedora 32), which with
> CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT=y forces lockdown, when in secure boot.
> 
> [1] https://lore.kernel.org/lkml/149141204578.30815.1929675368430800975.stgit@warthog.procyon.org.uk/
> [2] https://lore.kernel.org/lkml/150842483945.7923.12778302394414653081.stgit@warthog.procyon.org.uk/
> 
> Signed-off-by: Petr Vorel <pvorel@suse.cz>
> ---
>   lib/tst_lockdown.c | 11 +++++++----
>   1 file changed, 7 insertions(+), 4 deletions(-)
> 
> diff --git a/lib/tst_lockdown.c b/lib/tst_lockdown.c
> index 26a57b6a1..f91bc919d 100644
> --- a/lib/tst_lockdown.c
> +++ b/lib/tst_lockdown.c
> @@ -47,18 +47,21 @@ int tst_lockdown_enabled(void)
>   {
>   	char line[BUFSIZ];
>   	FILE *file;
> +	char flag;
>   
>   	if (access(PATH_LOCKDOWN, F_OK) != 0) {
> -		char flag;
> -
> +		/* SecureBoot enabled could mean integrity lockdown (non-mainline version) */
>   		flag = tst_kconfig_get("CONFIG_EFI_SECURE_BOOT_LOCK_DOWN");
> -
> -		/* SecureBoot enabled could mean integrity lockdown */
>   		if (flag == 'y' && tst_secureboot_enabled() > 0)
>   			return 1;
>   
>   		tst_res(TINFO, "Unable to determine system lockdown state");
>   		return 0;
> +	} else {

There should be no "else" branch here. The code above should look like this:

int flag;
flag = tst_kconfig_get("CONFIG_EFI_SECURE_BOOT_LOCK_DOWN") == 'y';
flag |= tst_kconfig_get("CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT") == 'y';
if (flag && tst_secureboot_enabled() > 0)
	return 1;

> +		/* SecureBoot forces lockdown (non-mainline version) */
> +		flag = tst_kconfig_get("CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT");
> +		if (flag == 'y' && tst_secureboot_enabled() > 0)
> +			return 1;
>   	}
>   
>   	file = SAFE_FOPEN(PATH_LOCKDOWN, "r");
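
Review bot: the new else branch at the end of this hunk runs only when access(PATH_LOCKDOWN, F_OK) succeeds, so CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT is never consulted in the one case where a kconfig fallback is needed, namely when the lockdown file is missing. When the file does exist, the branch can return 1 before the SAFE_FOPEN(PATH_LOCKDOWN, "r") read that follows, so the state the kernel actually reports is skipped. Consider dropping the else and testing both options inside the existing access() != 0 block, ahead of the "Unable to determine system lockdown state" message. With that change the declaration of flag can also stay local to that block instead of moving to function scope.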

-- 
Martin Doucha   mdoucha@suse.cz
SW Quality Engineer
SUSE LINUX, s.r.o.
CORSO IIa
Krizikova 148/34
186 00 Prague 8
Czech Republic


