[LTP] [PATCH v6 1/3] Add tst_kconfig_get() helper function

[LTP] [PATCH v6 1/3] Add tst_kconfig_get() helper function

[Martin Doucha]

Signed-off-by: Martin Doucha <mdoucha@suse.cz>
---

Changes since v3:
- new patch

Changes since v4:
- moved tst_kconfig_get() declaration to tst_private.h

 include/tst_private.h |  8 ++++++++
 lib/tst_kconfig.c     | 21 +++++++++++++++++++++
 2 files changed, 29 insertions(+)

diff --git a/include/tst_private.h b/include/tst_private.h
index e30d34740..fe0955f3b 100644
--- a/include/tst_private.h
+++ b/include/tst_private.h
@@ -29,4 +29,12 @@ void tst_print_svar_change(const char *name, const char *val);
 
 int tst_get_prefix(const char *ip_str, int is_ipv6);
 
+/*
+ * Checks kernel config for a single configuration option and returns its
+ * state if found. The possible return values are the same as for
+ * tst_kconfig_var.choice, with the same meaning. See tst_kconfig_read()
+ * description in tst_kconfig.h.
+ */
+char tst_kconfig_get(const char *confname);
+
 #endif
diff --git a/lib/tst_kconfig.c b/lib/tst_kconfig.c
index 734039e37..2b1087a8d 100644
--- a/lib/tst_kconfig.c
+++ b/lib/tst_kconfig.c
@@ -511,3 +511,24 @@ void tst_kconfig_check(const char *const kconfigs[])
 	if (abort_test)
 		tst_brk(TCONF, "Aborting due to unsuitable kernel config, see above!");
 }
+
+char tst_kconfig_get(const char *confname)
+{
+	struct tst_kconfig_var var;
+
+	var.id_len = strlen(confname);
+
+	if (var.id_len >= sizeof(var.id))
+		tst_brk(TBROK, "Kconfig var name \"%s\" too long", confname);
+
+	strcpy(var.id, confname);
+	var.choice = 0;
+	var.val = NULL;
+
+	tst_kconfig_read(&var, 1);
+
+	if (var.choice == 'v')
+		free(var.val);
+
+	return var.choice;
+}
-- 
2.29.2

[LTP] [PATCH v6 2/3] Add tst_secureboot_enabled() helper function

[Martin Doucha]

Also check for SecureBoot status in tst_lockdown_enabled() if the lockdown
sysfile is not available/readable and the kernel is configured to enable
lockdown automatically under SecureBoot.

Signed-off-by: Martin Doucha <mdoucha@suse.cz>
---

Changes since v1:
- check whether machine is in EFI mode first

Changes since v2:
- move tst_secureboot_enabled() code to a separate header file
- move EFIVAR_CFLAGS and EFIVAR_LIBS out of global CFLAGS and LDLIBS

Changes since v3:
- rewritten using direct read from /sys/ (without libefivar)

Changes since v5:
- fixed #includes

 include/tst_lockdown.h |  1 +
 lib/tst_lockdown.c     | 38 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 39 insertions(+)

diff --git a/include/tst_lockdown.h b/include/tst_lockdown.h
index 78eaeccea..172a7daf5 100644
--- a/include/tst_lockdown.h
+++ b/include/tst_lockdown.h
@@ -5,6 +5,7 @@
 
 #define PATH_LOCKDOWN	"/sys/kernel/security/lockdown"
 
+int tst_secureboot_enabled(void);
 int tst_lockdown_enabled(void);
 
 #endif /* TST_LOCKDOWN_H */
diff --git a/lib/tst_lockdown.c b/lib/tst_lockdown.c
index e7c19813c..cda7d7abd 100644
--- a/lib/tst_lockdown.c
+++ b/lib/tst_lockdown.c
@@ -10,6 +10,36 @@
 #include "tst_safe_macros.h"
 #include "tst_safe_stdio.h"
 #include "tst_lockdown.h"
+#include "tst_private.h"
+
+#define EFIVAR_SECUREBOOT "/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"
+
+int tst_secureboot_enabled(void)
+{
+	int fd;
+	char data[5];
+
+	if (access(EFIVAR_SECUREBOOT, F_OK)) {
+		tst_res(TINFO, "Efivar FS not available");
+		return -1;
+	}
+
+	fd = open(EFIVAR_SECUREBOOT, O_RDONLY);
+
+	if (fd == -1) {
+		tst_res(TINFO | TERRNO,
+			"Cannot open SecureBoot Efivar sysfile");
+		return -1;
+	} else if (fd < 0) {
+		tst_brk(TBROK | TERRNO, "Invalid open() return value %d", fd);
+		return -1;
+	}
+
+	SAFE_READ(1, fd, data, 5);
+	SAFE_CLOSE(fd);
+	tst_res(TINFO, "SecureBoot: %s", data[4] ? "on" : "off");
+	return data[4];
+}
 
 int tst_lockdown_enabled(void)
 {
@@ -17,6 +47,14 @@ int tst_lockdown_enabled(void)
 	FILE *file;
 
 	if (access(PATH_LOCKDOWN, F_OK) != 0) {
+		char flag;
+
+		flag = tst_kconfig_get("CONFIG_EFI_SECURE_BOOT_LOCK_DOWN");
+
+		/* SecureBoot enabled could mean integrity lockdown */
+		if (flag == 'y' && tst_secureboot_enabled() > 0)
+			return 1;
+
 		tst_res(TINFO, "Unable to determine system lockdown state");
 		return 0;
 	}
-- 
2.29.2

[LTP] [PATCH v6 2/3] Add tst_secureboot_enabled() helper function

[Cyril Hrubis]

Hi!
> +int tst_secureboot_enabled(void)
> +{
> +	int fd;
> +	char data[5];
> +
> +	if (access(EFIVAR_SECUREBOOT, F_OK)) {
> +		tst_res(TINFO, "Efivar FS not available");
> +		return -1;
> +	}
> +
> +	fd = open(EFIVAR_SECUREBOOT, O_RDONLY);
> +
> +	if (fd == -1) {
> +		tst_res(TINFO | TERRNO,
> +			"Cannot open SecureBoot Efivar sysfile");
> +		return -1;
> +	} else if (fd < 0) {
> +		tst_brk(TBROK | TERRNO, "Invalid open() return value %d", fd);
> +		return -1;
> +	}

If we change the access() above to R_OK we can just do SAFE_OPEN() here, right?

Other than this the code looks good.

-- 
Cyril Hrubis
chrubis@suse.cz

[LTP] [PATCH v6 2/3] Add tst_secureboot_enabled() helper function

[Martin Doucha]

On 14. 01. 21 14:38, Cyril Hrubis wrote:
> Hi!
>> +int tst_secureboot_enabled(void)
>> +{
>> +	int fd;
>> +	char data[5];
>> +
>> +	if (access(EFIVAR_SECUREBOOT, F_OK)) {
>> +		tst_res(TINFO, "Efivar FS not available");
>> +		return -1;
>> +	}
>> +
>> +	fd = open(EFIVAR_SECUREBOOT, O_RDONLY);
>> +
>> +	if (fd == -1) {
>> +		tst_res(TINFO | TERRNO,
>> +			"Cannot open SecureBoot Efivar sysfile");
>> +		return -1;
>> +	} else if (fd < 0) {
>> +		tst_brk(TBROK | TERRNO, "Invalid open() return value %d", fd);
>> +		return -1;
>> +	}
> 
> If we change the access() above to R_OK we can just do SAFE_OPEN() here, right?
> 
> Other than this the code looks good.

We could change it, but I'd prefer to know that the Efivar FS exists but
cannnot be open()ed due to missing permissions than to mix these two
states into the same vague info message.

-- 
Martin Doucha   mdoucha@suse.cz
QA Engineer for Software Maintenance
SUSE LINUX, s.r.o.
CORSO IIa
Krizikova 148/34
186 00 Prague 8
Czech Republic

[LTP] [PATCH v6 2/3] Add tst_secureboot_enabled() helper function

[Cyril Hrubis]

Hi!
> We could change it, but I'd prefer to know that the Efivar FS exists but
> cannnot be open()ed due to missing permissions than to mix these two
> states into the same vague info message.

Ok. Pushed, thanks.

-- 
Cyril Hrubis
chrubis@suse.cz

[LTP] [PATCH v6 3/3] syscalls/iopl02, ioperm02: Skip when kernel is locked down

[Martin Doucha]

The iopl() and ioperm() syscalls are blocked when the kernel is locked down.
The order of sanity checks is not guaranteed so it's better to skip these
tests even if they accidentally work.

Signed-off-by: Martin Doucha <mdoucha@suse.cz>
---

Changes since v3:
- new patch

 testcases/kernel/syscalls/ioperm/ioperm02.c | 4 ++++
 testcases/kernel/syscalls/iopl/iopl02.c     | 5 +++++
 2 files changed, 9 insertions(+)

diff --git a/testcases/kernel/syscalls/ioperm/ioperm02.c b/testcases/kernel/syscalls/ioperm/ioperm02.c
index 1808191bf..80dcb992e 100644
--- a/testcases/kernel/syscalls/ioperm/ioperm02.c
+++ b/testcases/kernel/syscalls/ioperm/ioperm02.c
@@ -45,6 +45,10 @@ static struct tcase_t {
 
 static void setup(void)
 {
+	/* ioperm() is restricted under kernel lockdown. */
+	if (tst_lockdown_enabled())
+		tst_brk(TCONF, "Kernel is locked down, skip this test");
+
 	/*
 	 * The value of IO_BITMAP_BITS (include/asm-i386/processor.h) changed
 	 * from kernel 2.6.8 to permit 16-bits (65536) ioperm
diff --git a/testcases/kernel/syscalls/iopl/iopl02.c b/testcases/kernel/syscalls/iopl/iopl02.c
index 6a817cf2d..a6135ddf3 100644
--- a/testcases/kernel/syscalls/iopl/iopl02.c
+++ b/testcases/kernel/syscalls/iopl/iopl02.c
@@ -52,6 +52,11 @@ static void verify_iopl(unsigned int i)
 static void setup(void)
 {
 	struct passwd *pw;
+
+	/* iopl() is restricted under kernel lockdown. */
+	if (tst_lockdown_enabled())
+		tst_brk(TCONF, "Kernel is locked down, skip this test");
+
 	pw = SAFE_GETPWNAM("nobody");
 	SAFE_SETEUID(pw->pw_uid);
 }
-- 
2.29.2