<div dir="ltr"><div dir="ltr"><div class="gmail_default" style="font-size:small">Hi Martin,</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sat, Nov 7, 2020 at 1:17 AM Martin Doucha <<a href="mailto:mdoucha@suse.cz">mdoucha@suse.cz</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Also check for SecureBoot status in tst_lockdown_enabled() if the lockdown<br>
sysfile is not available/readable<br>
<br>
Signed-off-by: Martin Doucha <<a href="mailto:mdoucha@suse.cz" target="_blank">mdoucha@suse.cz</a>><br>
---<br>
 <a href="http://configure.ac" rel="noreferrer" target="_blank">configure.ac</a>            |  1 +<br>
 include/mk/<a href="http://config.mk.in" rel="noreferrer" target="_blank">config.mk.in</a> |  4 ++--<br>
 include/tst_lockdown.h  |  1 +<br>
 lib/tst_lockdown.c      | 44 +++++++++++++++++++++++++++++++++++++++++<br>
 m4/ltp-libefivar.m4     |  9 +++++++++<br>
 5 files changed, 57 insertions(+), 2 deletions(-)<br>
 create mode 100644 m4/ltp-libefivar.m4<br>
<br>
diff --git a/<a href="http://configure.ac" rel="noreferrer" target="_blank">configure.ac</a> b/<a href="http://configure.ac" rel="noreferrer" target="_blank">configure.ac</a><br>
index 03e4e09c9..d9ca5ad38 100644<br>
--- a/<a href="http://configure.ac" rel="noreferrer" target="_blank">configure.ac</a><br>
+++ b/<a href="http://configure.ac" rel="noreferrer" target="_blank">configure.ac</a><br>
@@ -296,6 +296,7 @@ LTP_CHECK_CAPABILITY_SUPPORT<br>
 LTP_CHECK_CC_WARN_OLDSTYLE<br>
 LTP_CHECK_CLONE_SUPPORTS_7_ARGS<br>
 LTP_CHECK_CRYPTO<br>
+LTP_CHECK_EFIVAR<br>
 LTP_CHECK_FORTIFY_SOURCE<br>
 LTP_CHECK_KERNEL_DEVEL<br>
 LTP_CHECK_KEYUTILS_SUPPORT<br>
diff --git a/include/mk/<a href="http://config.mk.in" rel="noreferrer" target="_blank">config.mk.in</a> b/include/mk/<a href="http://config.mk.in" rel="noreferrer" target="_blank">config.mk.in</a><br>
index 427608a17..cffd11245 100644<br>
--- a/include/mk/<a href="http://config.mk.in" rel="noreferrer" target="_blank">config.mk.in</a><br>
+++ b/include/mk/<a href="http://config.mk.in" rel="noreferrer" target="_blank">config.mk.in</a><br>
@@ -56,8 +56,8 @@ libdir                        := @libdir@<br>
 mandir                 := @mandir@<br>
<br>
 CPPFLAGS               := @CPPFLAGS@<br>
-CFLAGS                 := @CFLAGS@<br>
-LDLIBS                 := @LIBS@<br>
+CFLAGS                 := @CFLAGS@ @EFIVAR_CFLAGS@<br>
+LDLIBS                 := @LIBS@ @EFIVAR_LIBS@<br>
 LDFLAGS                        := @LDFLAGS@<br>
<br>
 DEBUG_CFLAGS           ?= -g<br>
diff --git a/include/tst_lockdown.h b/include/tst_lockdown.h<br>
index 78eaeccea..172a7daf5 100644<br>
--- a/include/tst_lockdown.h<br>
+++ b/include/tst_lockdown.h<br>
@@ -5,6 +5,7 @@<br>
<br>
 #define PATH_LOCKDOWN  "/sys/kernel/security/lockdown"<br>
<br>
+int tst_secureboot_enabled(void);<br>
 int tst_lockdown_enabled(void);<br>
<br>
 #endif /* TST_LOCKDOWN_H */<br>
diff --git a/lib/tst_lockdown.c b/lib/tst_lockdown.c<br>
index e7c19813c..47a112b4b 100644<br>
--- a/lib/tst_lockdown.c<br>
+++ b/lib/tst_lockdown.c<br>
@@ -2,21 +2,65 @@<br>
<br>
 #define TST_NO_DEFAULT_MAIN<br>
<br>
+#include "config.h"<br>
 #include <stdio.h><br>
 #include <stdlib.h><br>
 #include <sys/mount.h><br>
<br>
+#ifdef HAVE_EFIVAR<br>
+#include <efivar.h><br>
+#endif /* HAVE_EFIVAR */<br>
+<br>
 #include "tst_test.h"<br>
 #include "tst_safe_macros.h"<br>
 #include "tst_safe_stdio.h"<br>
 #include "tst_lockdown.h"<br>
<br>
+int tst_secureboot_enabled(void)<br>
+{<br>
+#ifdef HAVE_EFIVAR<br>
+       int ret, status = 0;<br>
+       uint8_t *data = NULL;<br>
+       size_t size = 0;<br>
+       uint32_t attrs = 0;<br>
+<br></blockquote><div><br></div><span class="gmail_default" style="font-size:small">Maybe</span> we need <span class="gmail_default" style="font-size:small">to call </span>efi_variables_supported() <span class="gmail_default" style="font-size:small">to make sure</span> the UEFI</div><div class="gmail_quote">variable facility is supported<span class="gmail_default">?</span></div><div class="gmail_quote"><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
+       efi_error_clear();<br>
+       ret = efi_get_variable(EFI_GLOBAL_GUID, "SecureBoot", &data, &size,<br>
+               &attrs);<br>
+<br>
+       if (ret) {<br>
+               char *fn, *func, *msg;<br>
+               int ln, err, i = 0;<br>
+<br>
+               while (efi_error_get(i++, &fn, &func, &ln, &msg, &err) > 0)<br>
+                       tst_res(TINFO, "Efivar error: %s", msg);<br>
+<br>
+               efi_error_clear();<br>
+       } else if (data) {<br>
+               status = *data;<br>
+               tst_res(TINFO, "SecureBoot: %s", status ? "on" : "off");<br>
+       }<br>
+<br>
+       if (data)<br>
+               free(data);<br>
+<br>
+       return status;<br>
+#else /* HAVE_EFIVAR */<br>
+       tst_res(TINFO, "%s(): LTP was built without efivar support", __func__);<br>
+       return -1;<br>
+#endif /* HAVE_EFIVAR */<br>
+}<br>
+<br>
 int tst_lockdown_enabled(void)<br>
 {<br>
        char line[BUFSIZ];<br>
        FILE *file;<br>
<br>
        if (access(PATH_LOCKDOWN, F_OK) != 0) {<br>
+               /* SecureBoot enabled means integrity lockdown */<br>
+               if (tst_secureboot_enabled() > 0)<br>
+                       return 1;<br>
+<br>
                tst_res(TINFO, "Unable to determine system lockdown state");<br>
                return 0;<br>
        }<br>
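Review bot: In tst_secureboot_enabled(), a failed efi_get_variable() leaves `status` at 0, so the function reports "SecureBoot off" when the state is actually unknown, while the build without efivar returns -1 for the same situation. Setting `status = -1;` inside the `if (ret)` branch would make the two builds agree and let callers tell "off" from "could not read"; tst_lockdown_enabled() tests `> 0`, so its result does not change. The success branch also dereferences `data` without looking at `size`; `} else if (data && size > 0) {` would guard the one-byte read. The body of tst_lockdown_enabled() continues past the end of this hunk.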
diff --git a/m4/ltp-libefivar.m4 b/m4/ltp-libefivar.m4<br>
new file mode 100644<br>
index 000000000..0a2750701<br>
--- /dev/null<br>
+++ b/m4/ltp-libefivar.m4<br>
@@ -0,0 +1,9 @@<br>
+dnl SPDX-License-Identifier: GPL-2.0-or-later<br>
+dnl Copyright (c) 2020 SUSE LLC <<a href="mailto:mdoucha@suse.cz" target="_blank">mdoucha@suse.cz</a>><br>
+<br>
+AC_DEFUN([LTP_CHECK_EFIVAR], [<br>
+       dnl efivar library and headers<br>
+       PKG_CHECK_MODULES([EFIVAR], [efivar], [<br>
+               AC_DEFINE([HAVE_EFIVAR], [1], [Define to 1 if you have libefivar library and headers])<br>
+       ], [have_efivar=no])<br>
+])<br>
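Review bot: The failure branch assigns `have_efivar=no`, but the success branch never sets `have_efivar=yes` and nothing in this patch reads the variable, so the assignment has no effect as written. Either replace it with a plain no-op such as `[:]`, which still keeps configure from aborting when efivar is missing, or set the variable in both branches if a later configure summary is meant to use it.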
-- <br>
2.28.0<br>
<br>
<br>
<br>
</blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail_signature"><div dir="ltr"><div>Regards,<br></div><div>Li Wang<br></div></div></div></div>