[LTP] [PATCH] Add tst_secureboot_enabled() helper function
Li Wang
liwang@redhat.com
Mon Nov 9 08:46:20 CET 2020
Hi Martin,
On Sat, Nov 7, 2020 at 1:17 AM Martin Doucha <mdoucha@suse.cz> wrote:
> Also check for SecureBoot status in tst_lockdown_enabled() if the lockdown
> sysfile is not available/readable
>
> Signed-off-by: Martin Doucha <mdoucha@suse.cz>
> ---
> configure.ac | 1 +
> include/mk/config.mk.in | 4 ++--
> include/tst_lockdown.h | 1 +
> lib/tst_lockdown.c | 44 +++++++++++++++++++++++++++++++++++++++++
> m4/ltp-libefivar.m4 | 9 +++++++++
> 5 files changed, 57 insertions(+), 2 deletions(-)
> create mode 100644 m4/ltp-libefivar.m4
>
> diff --git a/configure.ac b/configure.ac
> index 03e4e09c9..d9ca5ad38 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -296,6 +296,7 @@ LTP_CHECK_CAPABILITY_SUPPORT
> LTP_CHECK_CC_WARN_OLDSTYLE
> LTP_CHECK_CLONE_SUPPORTS_7_ARGS
> LTP_CHECK_CRYPTO
> +LTP_CHECK_EFIVAR
> LTP_CHECK_FORTIFY_SOURCE
> LTP_CHECK_KERNEL_DEVEL
> LTP_CHECK_KEYUTILS_SUPPORT
> diff --git a/include/mk/config.mk.in b/include/mk/config.mk.in
> index 427608a17..cffd11245 100644
> --- a/include/mk/config.mk.in
> +++ b/include/mk/config.mk.in
> @@ -56,8 +56,8 @@ libdir := @libdir@
> mandir := @mandir@
>
> CPPFLAGS := @CPPFLAGS@
> -CFLAGS := @CFLAGS@
> -LDLIBS := @LIBS@
> +CFLAGS := @CFLAGS@ @EFIVAR_CFLAGS@
> +LDLIBS := @LIBS@ @EFIVAR_LIBS@
> LDFLAGS := @LDFLAGS@
>
> DEBUG_CFLAGS ?= -g
> diff --git a/include/tst_lockdown.h b/include/tst_lockdown.h
> index 78eaeccea..172a7daf5 100644
> --- a/include/tst_lockdown.h
> +++ b/include/tst_lockdown.h
> @@ -5,6 +5,7 @@
>
> #define PATH_LOCKDOWN "/sys/kernel/security/lockdown"
>
> +int tst_secureboot_enabled(void);
> int tst_lockdown_enabled(void);
>
> #endif /* TST_LOCKDOWN_H */
> diff --git a/lib/tst_lockdown.c b/lib/tst_lockdown.c
> index e7c19813c..47a112b4b 100644
> --- a/lib/tst_lockdown.c
> +++ b/lib/tst_lockdown.c
> @@ -2,21 +2,65 @@
>
> #define TST_NO_DEFAULT_MAIN
>
> +#include "config.h"
> #include <stdio.h>
> #include <stdlib.h>
> #include <sys/mount.h>
>
> +#ifdef HAVE_EFIVAR
> +#include <efivar.h>
> +#endif /* HAVE_EFIVAR */
> +
> #include "tst_test.h"
> #include "tst_safe_macros.h"
> #include "tst_safe_stdio.h"
> #include "tst_lockdown.h"
>
> +int tst_secureboot_enabled(void)
> +{
> +#ifdef HAVE_EFIVAR
> + int ret, status = 0;
> + uint8_t *data = NULL;
> + size_t size = 0;
> + uint32_t attrs = 0;
> +
>
Maybe we need call efi_variables_supported() to make sure if the UEFI
variable facility is supported?
> + efi_error_clear();
> + ret = efi_get_variable(EFI_GLOBAL_GUID, "SecureBoot", &data, &size,
> + &attrs);
> +
> + if (ret) {
> + char *fn, *func, *msg;
> + int ln, err, i = 0;
> +
> + while (efi_error_get(i++, &fn, &func, &ln, &msg, &err) > 0)
> + tst_res(TINFO, "Efivar error: %s", msg);
> +
> + efi_error_clear();
> + } else if (data) {
> + status = *data;
> + tst_res(TINFO, "SecureBoot: %s", status ? "on" : "off");
> + }
> +
> + if (data)
> + free(data);
> +
> + return status;
> +#else /* HAVE_EFIVAR */
> + tst_res(TINFO, "%s(): LTP was built without efivar support",
> __func__);
> + return -1;
> +#endif /* HAVE_EFIVAR */
> +}
> +
> int tst_lockdown_enabled(void)
> {
> char line[BUFSIZ];
> FILE *file;
>
> if (access(PATH_LOCKDOWN, F_OK) != 0) {
> + /* SecureBoot enabled means integrity lockdown */
> + if (tst_secureboot_enabled() > 0)
> + return 1;
> +
> tst_res(TINFO, "Unable to determine system lockdown
> state");
> return 0;
> }
> diff --git a/m4/ltp-libefivar.m4 b/m4/ltp-libefivar.m4
> new file mode 100644
> index 000000000..0a2750701
> --- /dev/null
> +++ b/m4/ltp-libefivar.m4
> @@ -0,0 +1,9 @@
> +dnl SPDX-License-Identifier: GPL-2.0-or-later
> +dnl Copyright (c) 2020 SUSE LLC <mdoucha@suse.cz>
> +
> +AC_DEFUN([LTP_CHECK_EFIVAR], [
> + dnl efivar library and headers
> + PKG_CHECK_MODULES([EFIVAR], [efivar], [
> + AC_DEFINE([HAVE_EFIVAR], [1], [Define to 1 if you have
> libefivar library and headers])
> + ], [have_efivar=no])
> +])
> --
> 2.28.0
>
>
> --
> Mailing list info: https://lists.linux.it/listinfo/ltp
>
>
--
Regards,
Li Wang
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linux.it/pipermail/ltp/attachments/20201109/6ae7c68e/attachment.htm>
More information about the ltp
mailing list