* [LTP] [PATCH] Add tst_secureboot_enabled() helper function
@ 2020-11-06 17:17 Martin Doucha
2020-11-06 17:55 ` Petr Vorel
2020-11-09 7:46 ` Li Wang
0 siblings, 2 replies; 3+ messages in thread
From: Martin Doucha @ 2020-11-06 17:17 UTC (permalink / raw)
To: ltp
Also check the SecureBoot status in tst_lockdown_enabled() if the lockdown
sysfile is not available/readable.
Signed-off-by: Martin Doucha <mdoucha@suse.cz>
---
configure.ac | 1 +
include/mk/config.mk.in | 4 ++--
include/tst_lockdown.h | 1 +
lib/tst_lockdown.c | 44 +++++++++++++++++++++++++++++++++++++++++
m4/ltp-libefivar.m4 | 9 +++++++++
5 files changed, 57 insertions(+), 2 deletions(-)
create mode 100644 m4/ltp-libefivar.m4
diff --git a/configure.ac b/configure.ac
index 03e4e09c9..d9ca5ad38 100644
--- a/configure.ac
+++ b/configure.ac
@@ -296,6 +296,7 @@ LTP_CHECK_CAPABILITY_SUPPORT
LTP_CHECK_CC_WARN_OLDSTYLE
LTP_CHECK_CLONE_SUPPORTS_7_ARGS
LTP_CHECK_CRYPTO
+LTP_CHECK_EFIVAR
LTP_CHECK_FORTIFY_SOURCE
LTP_CHECK_KERNEL_DEVEL
LTP_CHECK_KEYUTILS_SUPPORT
diff --git a/include/mk/config.mk.in b/include/mk/config.mk.in
index 427608a17..cffd11245 100644
--- a/include/mk/config.mk.in
+++ b/include/mk/config.mk.in
@@ -56,8 +56,8 @@ libdir := @libdir@
mandir := @mandir@
CPPFLAGS := @CPPFLAGS@
-CFLAGS := @CFLAGS@
-LDLIBS := @LIBS@
+CFLAGS := @CFLAGS@ @EFIVAR_CFLAGS@
+LDLIBS := @LIBS@ @EFIVAR_LIBS@
LDFLAGS := @LDFLAGS@
DEBUG_CFLAGS ?= -g
diff --git a/include/tst_lockdown.h b/include/tst_lockdown.h
index 78eaeccea..172a7daf5 100644
--- a/include/tst_lockdown.h
+++ b/include/tst_lockdown.h
@@ -5,6 +5,7 @@
#define PATH_LOCKDOWN "/sys/kernel/security/lockdown"
+int tst_secureboot_enabled(void);
int tst_lockdown_enabled(void);
#endif /* TST_LOCKDOWN_H */
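Review bot: The new prototype is added without a comment, and its return value is three-valued in lib/tst_lockdown.c — 1 when the SecureBoot variable reads nonzero, 0 when it reads zero or the variable could not be read, and -1 when LTP was built without libefivar — so a caller testing `> 0` and one testing `!= 0` get different answers on a non-efivar build. Document the contract above the declaration: `/* Returns 1 if SecureBoot is on, 0 if off or unreadable, -1 if LTP lacks libefivar. */`.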
diff --git a/lib/tst_lockdown.c b/lib/tst_lockdown.c
index e7c19813c..47a112b4b 100644
--- a/lib/tst_lockdown.c
+++ b/lib/tst_lockdown.c
@@ -2,21 +2,65 @@
#define TST_NO_DEFAULT_MAIN
+#include "config.h"
#include <stdio.h>
#include <stdlib.h>
#include <sys/mount.h>
+#ifdef HAVE_EFIVAR
+#include <efivar.h>
+#endif /* HAVE_EFIVAR */
+
#include "tst_test.h"
#include "tst_safe_macros.h"
#include "tst_safe_stdio.h"
#include "tst_lockdown.h"
+int tst_secureboot_enabled(void)
+{
+#ifdef HAVE_EFIVAR
+ int ret, status = 0;
+ uint8_t *data = NULL;
+ size_t size = 0;
+ uint32_t attrs = 0;
+
+ efi_error_clear();
+ ret = efi_get_variable(EFI_GLOBAL_GUID, "SecureBoot", &data, &size,
+ &attrs);
+
+ if (ret) {
+ char *fn, *func, *msg;
+ int ln, err, i = 0;
+
+ while (efi_error_get(i++, &fn, &func, &ln, &msg, &err) > 0)
+ tst_res(TINFO, "Efivar error: %s", msg);
+
+ efi_error_clear();
+ } else if (data) {
+ status = *data;
+ tst_res(TINFO, "SecureBoot: %s", status ? "on" : "off");
+ }
+
+ if (data)
+ free(data);
+
+ return status;
+#else /* HAVE_EFIVAR */
+ tst_res(TINFO, "%s(): LTP was built without efivar support", __func__);
+ return -1;
+#endif /* HAVE_EFIVAR */
+}
+
int tst_lockdown_enabled(void)
{
char line[BUFSIZ];
FILE *file;
if (access(PATH_LOCKDOWN, F_OK) != 0) {
+ /* SecureBoot enabled means integrity lockdown */
+ if (tst_secureboot_enabled() > 0)
+ return 1;
+
tst_res(TINFO, "Unable to determine system lockdown state");
return 0;
}
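Review bot: `status = *data;` in the `else if (data)` branch dereferences the returned buffer without consulting `size`, so a zero-length variable (non-NULL data, size 0) reads one byte past the allocation; guard it with `} else if (data && size > 0) {`. A failed efi_get_variable() also falls through with `status` still 0, so callers cannot distinguish "SecureBoot off" from "could not read the variable" — if that matters, return -1 from the error path rather than sharing the "off" value. The comment `/* SecureBoot enabled means integrity lockdown */` states as fact what is, as far as I know, downstream kernel behaviour (automatic lockdown under SecureBoot comes from distro patches rather than mainline), so on a kernel with neither the lockdown sysfile nor that patch this branch reports a locked-down system that is not; I'd hedge it, e.g. `/* Distro kernels lock down when booted with SecureBoot; mainline does not */`. Firmware also exposes a `SetupMode` variable, and when it is set the SecureBoot value does not imply signature enforcement — worth a look if this helper is meant to be authoritative. The remainder of tst_lockdown_enabled() continues outside the hunk.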
diff --git a/m4/ltp-libefivar.m4 b/m4/ltp-libefivar.m4
new file mode 100644
index 000000000..0a2750701
--- /dev/null
+++ b/m4/ltp-libefivar.m4
@@ -0,0 +1,9 @@
+dnl SPDX-License-Identifier: GPL-2.0-or-later
+dnl Copyright (c) 2020 SUSE LLC <mdoucha@suse.cz>
+
+AC_DEFUN([LTP_CHECK_EFIVAR], [
+ dnl efivar library and headers
+ PKG_CHECK_MODULES([EFIVAR], [efivar], [
+ AC_DEFINE([HAVE_EFIVAR], [1], [Define to 1 if you have libefivar library and headers])
+ ], [have_efivar=no])
+])
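Review bot: `have_efivar=no` in the action-if-not-found branch is assigned but never read or substituted, so beyond the pkg-config check result line configure gives no hint that tst_secureboot_enabled() will be compiled as a stub returning -1. Either drop the dead assignment or make the consequence visible, e.g. `AC_MSG_WARN([libefivar not found, SecureBoot detection disabled])` in its place.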
--
2.28.0
* [LTP] [PATCH] Add tst_secureboot_enabled() helper function
2020-11-06 17:17 [LTP] [PATCH] Add tst_secureboot_enabled() helper function Martin Doucha
@ 2020-11-06 17:55 ` Petr Vorel
2020-11-09 7:46 ` Li Wang
1 sibling, 0 replies; 3+ messages in thread
From: Petr Vorel @ 2020-11-06 17:55 UTC (permalink / raw)
To: ltp
Hi Martin,
> Also check for SecureBoot status in tst_lockdown_enabled() if the lockdown
> sysfile is not available/readable
Reviewed-by: Petr Vorel <pvorel@suse.cz>
Thanks for implementing this!
Kind regards,
Petr
* [LTP] [PATCH] Add tst_secureboot_enabled() helper function
2020-11-06 17:17 [LTP] [PATCH] Add tst_secureboot_enabled() helper function Martin Doucha
2020-11-06 17:55 ` Petr Vorel
@ 2020-11-09 7:46 ` Li Wang
1 sibling, 0 replies; 3+ messages in thread
From: Li Wang @ 2020-11-09 7:46 UTC (permalink / raw)
To: ltp
Hi Martin,
On Sat, Nov 7, 2020 at 1:17 AM Martin Doucha <mdoucha@suse.cz> wrote:
> Also check for SecureBoot status in tst_lockdown_enabled() if the lockdown
> sysfile is not available/readable
>
> Signed-off-by: Martin Doucha <mdoucha@suse.cz>
> ---
> configure.ac | 1 +
> include/mk/config.mk.in | 4 ++--
> include/tst_lockdown.h | 1 +
> lib/tst_lockdown.c | 44 +++++++++++++++++++++++++++++++++++++++++
> m4/ltp-libefivar.m4 | 9 +++++++++
> 5 files changed, 57 insertions(+), 2 deletions(-)
> create mode 100644 m4/ltp-libefivar.m4
>
> diff --git a/configure.ac b/configure.ac
> index 03e4e09c9..d9ca5ad38 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -296,6 +296,7 @@ LTP_CHECK_CAPABILITY_SUPPORT
> LTP_CHECK_CC_WARN_OLDSTYLE
> LTP_CHECK_CLONE_SUPPORTS_7_ARGS
> LTP_CHECK_CRYPTO
> +LTP_CHECK_EFIVAR
> LTP_CHECK_FORTIFY_SOURCE
> LTP_CHECK_KERNEL_DEVEL
> LTP_CHECK_KEYUTILS_SUPPORT
> diff --git a/include/mk/config.mk.in b/include/mk/config.mk.in
> index 427608a17..cffd11245 100644
> --- a/include/mk/config.mk.in
> +++ b/include/mk/config.mk.in
> @@ -56,8 +56,8 @@ libdir := @libdir@
> mandir := @mandir@
>
> CPPFLAGS := @CPPFLAGS@
> -CFLAGS := @CFLAGS@
> -LDLIBS := @LIBS@
> +CFLAGS := @CFLAGS@ @EFIVAR_CFLAGS@
> +LDLIBS := @LIBS@ @EFIVAR_LIBS@
> LDFLAGS := @LDFLAGS@
>
> DEBUG_CFLAGS ?= -g
> diff --git a/include/tst_lockdown.h b/include/tst_lockdown.h
> index 78eaeccea..172a7daf5 100644
> --- a/include/tst_lockdown.h
> +++ b/include/tst_lockdown.h
> @@ -5,6 +5,7 @@
>
> #define PATH_LOCKDOWN "/sys/kernel/security/lockdown"
>
> +int tst_secureboot_enabled(void);
> int tst_lockdown_enabled(void);
>
> #endif /* TST_LOCKDOWN_H */
> diff --git a/lib/tst_lockdown.c b/lib/tst_lockdown.c
> index e7c19813c..47a112b4b 100644
> --- a/lib/tst_lockdown.c
> +++ b/lib/tst_lockdown.c
> @@ -2,21 +2,65 @@
>
> #define TST_NO_DEFAULT_MAIN
>
> +#include "config.h"
> #include <stdio.h>
> #include <stdlib.h>
> #include <sys/mount.h>
>
> +#ifdef HAVE_EFIVAR
> +#include <efivar.h>
> +#endif /* HAVE_EFIVAR */
> +
> #include "tst_test.h"
> #include "tst_safe_macros.h"
> #include "tst_safe_stdio.h"
> #include "tst_lockdown.h"
>
> +int tst_secureboot_enabled(void)
> +{
> +#ifdef HAVE_EFIVAR
> + int ret, status = 0;
> + uint8_t *data = NULL;
> + size_t size = 0;
> + uint32_t attrs = 0;
> +
>
Maybe we need to call efi_variables_supported() to make sure that the UEFI
variable facility is supported?
> + efi_error_clear();
> + ret = efi_get_variable(EFI_GLOBAL_GUID, "SecureBoot", &data, &size,
> + &attrs);
> +
> + if (ret) {
> + char *fn, *func, *msg;
> + int ln, err, i = 0;
> +
> + while (efi_error_get(i++, &fn, &func, &ln, &msg, &err) > 0)
> + tst_res(TINFO, "Efivar error: %s", msg);
> +
> + efi_error_clear();
> + } else if (data) {
> + status = *data;
> + tst_res(TINFO, "SecureBoot: %s", status ? "on" : "off");
> + }
> +
> + if (data)
> + free(data);
> +
> + return status;
> +#else /* HAVE_EFIVAR */
> + tst_res(TINFO, "%s(): LTP was built without efivar support",
> __func__);
> + return -1;
> +#endif /* HAVE_EFIVAR */
> +}
> +
> int tst_lockdown_enabled(void)
> {
> char line[BUFSIZ];
> FILE *file;
>
> if (access(PATH_LOCKDOWN, F_OK) != 0) {
> + /* SecureBoot enabled means integrity lockdown */
> + if (tst_secureboot_enabled() > 0)
> + return 1;
> +
> tst_res(TINFO, "Unable to determine system lockdown
> state");
> return 0;
> }
> diff --git a/m4/ltp-libefivar.m4 b/m4/ltp-libefivar.m4
> new file mode 100644
> index 000000000..0a2750701
> --- /dev/null
> +++ b/m4/ltp-libefivar.m4
> @@ -0,0 +1,9 @@
> +dnl SPDX-License-Identifier: GPL-2.0-or-later
> +dnl Copyright (c) 2020 SUSE LLC <mdoucha@suse.cz>
> +
> +AC_DEFUN([LTP_CHECK_EFIVAR], [
> + dnl efivar library and headers
> + PKG_CHECK_MODULES([EFIVAR], [efivar], [
> + AC_DEFINE([HAVE_EFIVAR], [1], [Define to 1 if you have
> libefivar library and headers])
> + ], [have_efivar=no])
> +])
> --
> 2.28.0
>
>
> --
> Mailing list info: https://lists.linux.it/listinfo/ltp
>
>
--
Regards,
Li Wang