1 // SPDX-License-Identifier: GPL-2.0-or-later
2 
3 #define TST_NO_DEFAULT_MAIN
4 
5 #define PATH_LOCKDOWN	"/sys/kernel/security/lockdown"
6 
7 #include <stdio.h>
8 #include <stdlib.h>
9 #include <sys/mount.h>
10 
11 #include "tst_test.h"
12 #include "tst_safe_macros.h"
13 #include "tst_safe_stdio.h"
14 #include "tst_lockdown.h"
15 #include "tst_private.h"
16 
17 #define EFIVAR_SECUREBOOT "/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"
18 
/*
 * Report the firmware SecureBoot state as exposed through efivarfs.
 *
 * Returns -1 when the SecureBoot variable is missing or cannot be opened,
 * otherwise the value of the variable's data byte (0 = off, non-zero = on).
 *
 * This only reflects the EFI variable; it does not by itself say whether the
 * running kernel enforces lockdown.
 */
int tst_secureboot_enabled(void)
{
	char efivar[5];
	int efi_fd;

	if (access(EFIVAR_SECUREBOOT, F_OK) != 0) {
		tst_res(TINFO, "Efivar FS not available");
		return -1;
	}

	efi_fd = open(EFIVAR_SECUREBOOT, O_RDONLY);

	if (efi_fd < 0) {
		/* Anything below -1 is not a documented open() result. */
		if (efi_fd != -1) {
			tst_brk(TBROK | TERRNO, "Invalid open() return value %d", efi_fd);
			return -1;
		}

		tst_res(TINFO | TERRNO,
			"Cannot open SecureBoot Efivar sysfile");
		return -1;
	}

	/*
	 * efivarfs files start with a 4-byte attribute word, so the one-byte
	 * SecureBoot value sits at offset 4. The strict read (first argument 1)
	 * is expected to fail the test on a short read -- confirm against
	 * SAFE_READ's definition.
	 */
	SAFE_READ(1, efi_fd, efivar, 5);
	SAFE_CLOSE(efi_fd);

	if (efivar[4])
		tst_res(TINFO, "SecureBoot: %s", "on");
	else
		tst_res(TINFO, "SecureBoot: %s", "off");

	/*
	 * NOTE(review): efivar is plain char; a byte >= 0x80 would come back
	 * negative where char is signed and look like "unknown" to a caller
	 * testing "> 0". SecureBoot is expected to be 0 or 1.
	 */
	return efivar[4];
}
45 
/*
 * Tell whether the kernel appears to be running in lockdown mode.
 *
 * Returns 1 when the lockdown securityfs file reports a level other than
 * "[none]", or, when that file is absent, when the kernel was built with
 * CONFIG_EFI_SECURE_BOOT_LOCK_DOWN=y and SecureBoot is on. Returns 0
 * otherwise.
 *
 * A 0 from the fallback path means "could not determine", not "verified
 * off"; callers that must not run on a locked-down system should treat it
 * with that in mind.
 */
int tst_lockdown_enabled(void)
{
	FILE *lockdown_file;
	char state[BUFSIZ];
	char kconfig_val;

	if (access(PATH_LOCKDOWN, F_OK) == 0) {
		lockdown_file = SAFE_FOPEN(PATH_LOCKDOWN, "r");
		if (fgets(state, sizeof(state), lockdown_file) == NULL)
			tst_brk(TBROK | TERRNO, "fgets %s", PATH_LOCKDOWN);
		SAFE_FCLOSE(lockdown_file);

		/*
		 * The kernel lists every level and brackets the active one,
		 * e.g. "none [integrity] confidentiality"; only "[none]"
		 * means lockdown is off.
		 */
		return strstr(state, "[none]") ? 0 : 1;
	}

	/*
	 * No lockdown file: fall back to a heuristic. SecureBoot being on
	 * could mean integrity lockdown if the kernel locks down on
	 * SecureBoot. The SecureBoot probe runs only when the kconfig
	 * option is 'y'.
	 */
	kconfig_val = tst_kconfig_get("CONFIG_EFI_SECURE_BOOT_LOCK_DOWN");

	if (kconfig_val != 'y' || tst_secureboot_enabled() <= 0) {
		tst_res(TINFO, "Unable to determine system lockdown state");
		return 0;
	}

	return 1;
}