[LTP] [PATCH 1/4] tst_lockdown: Check other lockdown configuration

Petr Vorel pvorel@suse.cz
Fri Jul 21 10:55:11 CEST 2023


Hi Martin,

...
> > +	char flag;
> >   	if (access(PATH_LOCKDOWN, F_OK) != 0) {
> > -		char flag;
> > -
> > +		/* SecureBoot enabled could mean integrity lockdown (non-mainline version) */
> >   		flag = tst_kconfig_get("CONFIG_EFI_SECURE_BOOT_LOCK_DOWN");
> > -
> > -		/* SecureBoot enabled could mean integrity lockdown */
> >   		if (flag == 'y' && tst_secureboot_enabled() > 0)
> >   			return 1;
> >   		tst_res(TINFO, "Unable to determine system lockdown state");
> >   		return 0;
> > +	} else {
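
Review bot: The "} else {" closing the access(PATH_LOCKDOWN, F_OK) != 0 block moves everything after it onto the path where the lockdown file exists. The missing-file path still consults only CONFIG_EFI_SECURE_BOOT_LOCK_DOWN before it reaches "return 0". If the second config symbol is meant as another fallback for kernels without the file, test both symbols inside the != 0 block and drop the else.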

> There should be no "else" branch here. The code above should look like this:

> int flag;
> flag = tst_kconfig_get("CONFIG_EFI_SECURE_BOOT_LOCK_DOWN") == 'y';
> flag |= tst_kconfig_get("CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT") == 'y';
> if (flag && tst_secureboot_enabled() > 0)
> 	return 1;

Good point. I don't know why I thought that the other not-yet-upstreamed patch
created the lockdown file. I'll send v2.

Kind regards,
Petr

> > +		/* SecureBoot forces lockdown (non-mainline version) */
> > +		flag = tst_kconfig_get("CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT");
> > +		if (flag == 'y' && tst_secureboot_enabled() > 0)
> > +			return 1;
> >   	}
> >   	file = SAFE_FOPEN(PATH_LOCKDOWN, "r");
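
Review bot: The "return 1" in the else branch is reached only when PATH_LOCKDOWN exists, and it returns before file = SAFE_FOPEN(PATH_LOCKDOWN, "r") reads that file. The result then comes from CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT plus tst_secureboot_enabled() even though the file is available to read. Let the file content decide when the file is present and keep the kconfig/SecureBoot inference for the missing-file case. The comment "(non-mainline version)" would also be more useful if it said which out-of-tree patch set defines the symbol.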