<div dir="ltr"><div dir="ltr"><div class="gmail_default" style="font-size:small">Hi Martin,</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sat, Nov 7, 2020 at 1:17 AM Martin Doucha <<a href="mailto:mdoucha@suse.cz">mdoucha@suse.cz</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Also check for SecureBoot status in tst_lockdown_enabled() if the lockdown<br>
sysfile is not available/readable<br>
<br>
Signed-off-by: Martin Doucha <<a href="mailto:mdoucha@suse.cz" target="_blank">mdoucha@suse.cz</a>><br>
---<br>
<a href="http://configure.ac" rel="noreferrer" target="_blank">configure.ac</a> | 1 +<br>
include/mk/<a href="http://config.mk.in" rel="noreferrer" target="_blank">config.mk.in</a> | 4 ++--<br>
include/tst_lockdown.h | 1 +<br>
lib/tst_lockdown.c | 44 +++++++++++++++++++++++++++++++++++++++++<br>
m4/ltp-libefivar.m4 | 9 +++++++++<br>
5 files changed, 57 insertions(+), 2 deletions(-)<br>
create mode 100644 m4/ltp-libefivar.m4<br>
<br>
diff --git a/<a href="http://configure.ac" rel="noreferrer" target="_blank">configure.ac</a> b/<a href="http://configure.ac" rel="noreferrer" target="_blank">configure.ac</a><br>
index 03e4e09c9..d9ca5ad38 100644<br>
--- a/<a href="http://configure.ac" rel="noreferrer" target="_blank">configure.ac</a><br>
+++ b/<a href="http://configure.ac" rel="noreferrer" target="_blank">configure.ac</a><br>
@@ -296,6 +296,7 @@ LTP_CHECK_CAPABILITY_SUPPORT<br>
LTP_CHECK_CC_WARN_OLDSTYLE<br>
LTP_CHECK_CLONE_SUPPORTS_7_ARGS<br>
LTP_CHECK_CRYPTO<br>
+LTP_CHECK_EFIVAR<br>
LTP_CHECK_FORTIFY_SOURCE<br>
LTP_CHECK_KERNEL_DEVEL<br>
LTP_CHECK_KEYUTILS_SUPPORT<br>
diff --git a/include/mk/<a href="http://config.mk.in" rel="noreferrer" target="_blank">config.mk.in</a> b/include/mk/<a href="http://config.mk.in" rel="noreferrer" target="_blank">config.mk.in</a><br>
index 427608a17..cffd11245 100644<br>
--- a/include/mk/<a href="http://config.mk.in" rel="noreferrer" target="_blank">config.mk.in</a><br>
+++ b/include/mk/<a href="http://config.mk.in" rel="noreferrer" target="_blank">config.mk.in</a><br>
@@ -56,8 +56,8 @@ libdir := @libdir@<br>
mandir := @mandir@<br>
<br>
CPPFLAGS := @CPPFLAGS@<br>
-CFLAGS := @CFLAGS@<br>
-LDLIBS := @LIBS@<br>
+CFLAGS := @CFLAGS@ @EFIVAR_CFLAGS@<br>
+LDLIBS := @LIBS@ @EFIVAR_LIBS@<br>
LDFLAGS := @LDFLAGS@<br>
<br>
DEBUG_CFLAGS ?= -g<br>
diff --git a/include/tst_lockdown.h b/include/tst_lockdown.h<br>
index 78eaeccea..172a7daf5 100644<br>
--- a/include/tst_lockdown.h<br>
+++ b/include/tst_lockdown.h<br>
@@ -5,6 +5,7 @@<br>
<br>
#define PATH_LOCKDOWN "/sys/kernel/security/lockdown"<br>
<br>
+int tst_secureboot_enabled(void);<br>
int tst_lockdown_enabled(void);<br>
<br>
#endif /* TST_LOCKDOWN_H */<br>
diff --git a/lib/tst_lockdown.c b/lib/tst_lockdown.c<br>
index e7c19813c..47a112b4b 100644<br>
--- a/lib/tst_lockdown.c<br>
+++ b/lib/tst_lockdown.c<br>
@@ -2,21 +2,65 @@<br>
<br>
#define TST_NO_DEFAULT_MAIN<br>
<br>
+#include "config.h"<br>
#include <stdio.h><br>
#include <stdlib.h><br>
#include <sys/mount.h><br>
<br>
+#ifdef HAVE_EFIVAR<br>
+#include <efivar.h><br>
+#endif /* HAVE_EFIVAR */<br>
+<br>
#include "tst_test.h"<br>
#include "tst_safe_macros.h"<br>
#include "tst_safe_stdio.h"<br>
#include "tst_lockdown.h"<br>
<br>
+int tst_secureboot_enabled(void)<br>
+{<br>
+#ifdef HAVE_EFIVAR<br>
+ int ret, status = 0;<br>
+ uint8_t *data = NULL;<br>
+ size_t size = 0;<br>
+ uint32_t attrs = 0;<br>
+<br></blockquote><div><br></div><span class="gmail_default" style="font-size:small">Maybe</span> we need <span class="gmail_default" style="font-size:small">call </span>efi_variables_supported() <span class="gmail_default" style="font-size:small">to make sure</span> if the UEFI</div><div class="gmail_quote">variable facility is supported<span class="gmail_default">?</span></div><div class="gmail_quote"><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
+ efi_error_clear();<br>
+ ret = efi_get_variable(EFI_GLOBAL_GUID, "SecureBoot", &data, &size,<br>
+ &attrs);<br>
+<br>
+ if (ret) {<br>
+ char *fn, *func, *msg;<br>
+ int ln, err, i = 0;<br>
+<br>
+ while (efi_error_get(i++, &fn, &func, &ln, &msg, &err) > 0)<br>
+ tst_res(TINFO, "Efivar error: %s", msg);<br>
+<br>
+ efi_error_clear();<br>
+ } else if (data) {<br>
+ status = *data;<br>
+ tst_res(TINFO, "SecureBoot: %s", status ? "on" : "off");<br>
+ }<br>
+<br>
+ if (data)<br>
+ free(data);<br>
+<br>
+ return status;<br>
+#else /* HAVE_EFIVAR */<br>
+ tst_res(TINFO, "%s(): LTP was built without efivar support", __func__);<br>
+ return -1;<br>
+#endif /* HAVE_EFIVAR */<br>
+}<br>
+<br>
int tst_lockdown_enabled(void)<br>
{<br>
char line[BUFSIZ];<br>
FILE *file;<br>
<br>
if (access(PATH_LOCKDOWN, F_OK) != 0) {<br>
+ /* SecureBoot enabled means integrity lockdown */<br>
+ if (tst_secureboot_enabled() > 0)<br>
+ return 1;<br>
+<br>
tst_res(TINFO, "Unable to determine system lockdown state");<br>
return 0;<br>
}<br>
diff --git a/m4/ltp-libefivar.m4 b/m4/ltp-libefivar.m4<br>
new file mode 100644<br>
index 000000000..0a2750701<br>
--- /dev/null<br>
+++ b/m4/ltp-libefivar.m4<br>
@@ -0,0 +1,9 @@<br>
+dnl SPDX-License-Identifier: GPL-2.0-or-later<br>
+dnl Copyright (c) 2020 SUSE LLC <<a href="mailto:mdoucha@suse.cz" target="_blank">mdoucha@suse.cz</a>><br>
+<br>
+AC_DEFUN([LTP_CHECK_EFIVAR], [<br>
+ dnl efivar library and headers<br>
+ PKG_CHECK_MODULES([EFIVAR], [efivar], [<br>
+ AC_DEFINE([HAVE_EFIVAR], [1], [Define to 1 if you have libefivar library and headers])<br>
+ ], [have_efivar=no])<br>
+])<br>
-- <br>
2.28.0<br>
<br>
<br>
-- <br>
Mailing list info: <a href="https://lists.linux.it/listinfo/ltp" rel="noreferrer" target="_blank">https://lists.linux.it/listinfo/ltp</a><br>
<br>
</blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail_signature"><div dir="ltr"><div>Regards,<br></div><div>Li Wang<br></div></div></div></div>