1 // SPDX-License-Identifier: GPL-2.0-or-later
2 
3 #define TST_NO_DEFAULT_MAIN
4 
5 #define PATH_LOCKDOWN	"/sys/kernel/security/lockdown"
6 
7 #include <stdio.h>
8 #include <stdlib.h>
9 #include <sys/mount.h>
10 
11 #include "tst_test.h"
12 #include "tst_safe_macros.h"
13 #include "tst_safe_stdio.h"
14 #include "tst_lockdown.h"
15 #include "tst_private.h"
16 
17 #if defined(__powerpc64__) || defined(__ppc64__)
18 # define SECUREBOOT_VAR "/proc/device-tree/ibm,secure-boot"
19 # define VAR_DATA_SIZE 4
20 #else
21 # define SECUREBOOT_VAR "/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"
22 # define VAR_DATA_SIZE 5
23 #endif
24 
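/*
 * Report the firmware SecureBoot state exposed through SECUREBOOT_VAR.
 *
 * Returns the last of the VAR_DATA_SIZE bytes read from the variable
 * (non-zero is logged as "on", zero as "off"), or -1 when the variable
 * is missing or cannot be opened. Read and close failures are handled
 * by the SAFE_READ()/SAFE_CLOSE() wrappers.
 */
int tst_secureboot_enabled(void)
{
	int fd;
	/*
	 * Sized with the same constant that bounds the read below, so the
	 * buffer and the read length cannot drift apart. Kept unsigned so a
	 * state byte with the high bit set is never sign-extended into a
	 * negative value, which this function reserves for "not available".
	 */
	unsigned char data[VAR_DATA_SIZE];

	/*
	 * Only used to log a friendlier message; a file that disappears
	 * after this check is still caught by the open() handling below.
	 */
	if (access(SECUREBOOT_VAR, F_OK)) {
		tst_res(TINFO, "SecureBoot sysfs file not available");
		return -1;
	}

	fd = open(SECUREBOOT_VAR, O_RDONLY);

	if (fd == -1) {
		/* e.g. insufficient privileges: informational, not a test break */
		tst_res(TINFO | TERRNO,
			"Cannot open SecureBoot file");
		return -1;
	} else if (fd < 0) {
		tst_brk(TBROK | TERRNO, "Invalid open() return value %d", fd);
		return -1;
	}

	/* len_strict = 1: anything but a full VAR_DATA_SIZE read is an error */
	SAFE_READ(1, fd, data, VAR_DATA_SIZE);
	SAFE_CLOSE(fd);

	/* The state flag is the final byte of the variable's payload. */
	tst_res(TINFO, "SecureBoot: %s", data[VAR_DATA_SIZE - 1] ? "on" : "off");
	return data[VAR_DATA_SIZE - 1];
}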
50 
/*
 * Report whether kernel lockdown is active.
 *
 * When PATH_LOCKDOWN exists, its first line decides: any content that
 * does not contain the literal "[none]" is reported as lockdown on.
 *
 * When it does not exist, lockdown is assumed only if one of the
 * lockdown-related kernel config options is 'y' and SecureBoot is
 * enabled. Otherwise 0 is returned, which in that case means "state
 * could not be determined", not "verified off".
 *
 * Returns 1 when lockdown is on, 0 otherwise.
 */
int tst_lockdown_enabled(void)
{
	char buf[BUFSIZ];
	FILE *fp;
	int active;
	int opt_primary;
	int opt_secondary;

	if (access(PATH_LOCKDOWN, F_OK) == 0) {
		fp = SAFE_FOPEN(PATH_LOCKDOWN, "r");
		if (fgets(buf, sizeof(buf), fp) == NULL)
			tst_brk(TBROK | TERRNO, "fgets %s", PATH_LOCKDOWN);
		SAFE_FCLOSE(fp);

		active = (strstr(buf, "[none]") == NULL);
		tst_res(TINFO, "Kernel lockdown: %s", active ? "on" : "off");

		return active;
	}

	/*
	 * No lockdown file: SecureBoot being enabled could mean integrity
	 * lockdown (non-mainline version). Both config options are always
	 * queried, in this order.
	 */
#if defined(__powerpc64__) || defined(__ppc64__)
	opt_primary = tst_kconfig_get("CONFIG_SECURITY_LOCKDOWN_LSM") == 'y';
	opt_secondary = tst_kconfig_get("CONFIG_SECURITY_LOCKDOWN_LSM_EARLY") == 'y';
#else
	opt_primary = tst_kconfig_get("CONFIG_EFI_SECURE_BOOT_LOCK_DOWN") == 'y';
	opt_secondary = tst_kconfig_get("CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT") == 'y';
#endif

	/* SecureBoot is only probed when at least one option is set. */
	if ((opt_primary || opt_secondary) && tst_secureboot_enabled() > 0)
		return 1;

	tst_res(TINFO, "Unable to determine system lockdown state");
	return 0;
}
86