[LTP] [PATCH v2 1/5] tst_lockdown: Check other lockdown configuration
Martin Doucha
mdoucha@suse.cz
Tue Jul 25 13:01:53 CEST 2023
Hi,
small nit: there are two spaces after the first tst_kconfig_get().
Otherwise looks good.
Reviewed-by: Martin Doucha <mdoucha@suse.cz>
On 21. 07. 23 11:15, Petr Vorel wrote:
> Originally we checked only CONFIG_EFI_SECURE_BOOT_LOCK_DOWN=y
> (non-mainline patch from 2017 [1]. Various distros (older releases) use
> other newer non-mainline patch [2] (originally from Fedora 32), which with
> CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT=y forces lockdown, when in secure boot.
>
> [1] https://lore.kernel.org/lkml/149141204578.30815.1929675368430800975.stgit@warthog.procyon.org.uk/
> [2] https://lore.kernel.org/lkml/150842483945.7923.12778302394414653081.stgit@warthog.procyon.org.uk/
>
> Signed-off-by: Petr Vorel <pvorel@suse.cz>
> ---
> lib/tst_lockdown.c | 9 ++++-----
> 1 file changed, 4 insertions(+), 5 deletions(-)
>
> diff --git a/lib/tst_lockdown.c b/lib/tst_lockdown.c
> index 26a57b6a1..4ce4736c3 100644
> --- a/lib/tst_lockdown.c
> +++ b/lib/tst_lockdown.c
> @@ -50,11 +50,10 @@ int tst_lockdown_enabled(void)
>
> if (access(PATH_LOCKDOWN, F_OK) != 0) {
> char flag;
> -
> - flag = tst_kconfig_get("CONFIG_EFI_SECURE_BOOT_LOCK_DOWN");
> -
> - /* SecureBoot enabled could mean integrity lockdown */
> - if (flag == 'y' && tst_secureboot_enabled() > 0)
> + /* SecureBoot enabled could mean integrity lockdown (non-mainline version) */
> + flag = tst_kconfig_get("CONFIG_EFI_SECURE_BOOT_LOCK_DOWN") == 'y';
> + flag |= tst_kconfig_get("CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT") == 'y';
> + if (flag && tst_secureboot_enabled() > 0)
> return 1;
>
> tst_res(TINFO, "Unable to determine system lockdown state");
--
Martin Doucha mdoucha@suse.cz
SW Quality Engineer
SUSE LINUX, s.r.o.
CORSO IIa
Krizikova 148/34
186 00 Prague 8
Czech Republic
More information about the ltp
mailing list