
[2/2] uefi: check the kernel lockdown for uefi tests

Message ID 20200320090038.15263-2-ivan.hu@canonical.com
State Superseded
Series [1/2] lib: add kernel lockdown check | expand

Commit Message

Ivan Hu March 20, 2020, 9 a.m. UTC
Check the kernel lockdown status and give warnings for those tests which
exercise UEFI runtime services via the kernel efi_test driver.

Signed-off-by: Ivan Hu <ivan.hu@canonical.com>
---
 src/uefi/securebootcert/securebootcert.c | 8 ++++++++
 src/uefi/uefirtauthvar/uefirtauthvar.c   | 8 ++++++++
 src/uefi/uefirtmisc/uefirtmisc.c         | 8 ++++++++
 src/uefi/uefirttime/uefirttime.c         | 8 ++++++++
 src/uefi/uefirtvariable/uefirtvariable.c | 8 ++++++++
 src/uefi/uefivarinfo/uefivarinfo.c       | 8 ++++++++
 6 files changed, 48 insertions(+)

Comments

Anthony Wong March 20, 2020, 9:48 a.m. UTC | #1
On Fri, Mar 20, 2020 at 5:00 PM Ivan Hu <ivan.hu@canonical.com> wrote:
>
> Check the kernel lockdown status and give warnings for those which
> test uefi runtime services via kernel efi_test driver.
>
> Signed-off-by: Ivan Hu <ivan.hu@canonical.com>
> ---
>  src/uefi/securebootcert/securebootcert.c | 8 ++++++++
>  src/uefi/uefirtauthvar/uefirtauthvar.c   | 8 ++++++++
>  src/uefi/uefirtmisc/uefirtmisc.c         | 8 ++++++++
>  src/uefi/uefirttime/uefirttime.c         | 8 ++++++++
>  src/uefi/uefirtvariable/uefirtvariable.c | 8 ++++++++
>  src/uefi/uefivarinfo/uefivarinfo.c       | 8 ++++++++
>  6 files changed, 48 insertions(+)
>
> diff --git a/src/uefi/securebootcert/securebootcert.c b/src/uefi/securebootcert/securebootcert.c
> index 93efe894..852b2316 100644
> --- a/src/uefi/securebootcert/securebootcert.c
> +++ b/src/uefi/securebootcert/securebootcert.c
> @@ -427,6 +427,14 @@ static int securebootcert_init(fwts_framework *fw)
>                 return FWTS_ABORTED;
>         }
>
> +       if (fwts_lib_efi_runtime_kernel_lockdown()) {
> +               fwts_log_info(fw, "Kernel is lockdown.  Aborted.");
> +               fwts_log_info(fw, "Please unlock the kernel before you test the UEFI tests.");
> +               fwts_log_info(fw, "Make sure you disable secureboot and disable "
> +                               "the kernel lockdown, (by kernel parameter lockdown=None).");
> +               return FWTS_ABORTED;
> +       }
> +
>         if (fwts_lib_efi_runtime_load_module(fw) != FWTS_OK) {
>                 fwts_log_info(fw, "Cannot load efi_runtime module. Aborted.");
>                 return FWTS_ABORTED;
> diff --git a/src/uefi/uefirtauthvar/uefirtauthvar.c b/src/uefi/uefirtauthvar/uefirtauthvar.c
> index 4b1ebe08..eef4a61a 100644
> --- a/src/uefi/uefirtauthvar/uefirtauthvar.c
> +++ b/src/uefi/uefirtauthvar/uefirtauthvar.c
> @@ -120,6 +120,14 @@ static int uefirtauthvar_init(fwts_framework *fw)
>                 return FWTS_ABORTED;
>         }
>
> +       if (fwts_lib_efi_runtime_kernel_lockdown()) {
> +               fwts_log_info(fw, "Kernel is lockdown.  Aborted.");
> +               fwts_log_info(fw, "Please unlock the kernel before you test the UEFI tests.");
> +               fwts_log_info(fw, "Make sure you disable secureboot and disable "
> +                               "the kernel lockdown, (by kernel parameter lockdown=None).");
> +               return FWTS_ABORTED;
> +       }
> +
>         if (fwts_lib_efi_runtime_load_module(fw) != FWTS_OK) {
>                 fwts_log_info(fw, "Cannot load efi_runtime module. Aborted.");
>                 return FWTS_ABORTED;
> diff --git a/src/uefi/uefirtmisc/uefirtmisc.c b/src/uefi/uefirtmisc/uefirtmisc.c
> index 5031bc48..11cbf9bf 100644
> --- a/src/uefi/uefirtmisc/uefirtmisc.c
> +++ b/src/uefi/uefirtmisc/uefirtmisc.c
> @@ -50,6 +50,14 @@ static int uefirtmisc_init(fwts_framework *fw)
>                 return FWTS_ABORTED;
>         }
>
> +       if (fwts_lib_efi_runtime_kernel_lockdown()) {
> +               fwts_log_info(fw, "Kernel is lockdown.  Aborted.");
> +               fwts_log_info(fw, "Please unlock the kernel before you test the UEFI tests.");
> +               fwts_log_info(fw, "Make sure you disable secureboot and disable "
> +                               "the kernel lockdown, (by kernel parameter lockdown=None).");
> +               return FWTS_ABORTED;
> +       }
> +
>         if (fwts_lib_efi_runtime_load_module(fw) != FWTS_OK) {
>                 fwts_log_info(fw, "Cannot load efi_runtime module. Aborted.");
>                 return FWTS_ABORTED;
> diff --git a/src/uefi/uefirttime/uefirttime.c b/src/uefi/uefirttime/uefirttime.c
> index e316c0ab..ce27ded3 100644
> --- a/src/uefi/uefirttime/uefirttime.c
> +++ b/src/uefi/uefirttime/uefirttime.c
> @@ -174,6 +174,14 @@ static int uefirttime_init(fwts_framework *fw)
>                 return FWTS_ABORTED;
>         }
>
> +       if (fwts_lib_efi_runtime_kernel_lockdown()) {
> +               fwts_log_info(fw, "Kernel is lockdown.  Aborted.");
> +               fwts_log_info(fw, "Please unlock the kernel before you test the UEFI tests.");
> +               fwts_log_info(fw, "Make sure you disable secureboot and disable "
> +                               "the kernel lockdown, (by kernel parameter lockdown=None).");
> +               return FWTS_ABORTED;
> +       }
> +
>         if (fwts_lib_efi_runtime_load_module(fw) != FWTS_OK) {
>                 fwts_log_info(fw, "Cannot load efi_runtime module. Aborted.");
>                 return FWTS_ABORTED;
> diff --git a/src/uefi/uefirtvariable/uefirtvariable.c b/src/uefi/uefirtvariable/uefirtvariable.c
> index fbb877a6..0f37b174 100644
> --- a/src/uefi/uefirtvariable/uefirtvariable.c
> +++ b/src/uefi/uefirtvariable/uefirtvariable.c
> @@ -100,6 +100,14 @@ static int uefirtvariable_init(fwts_framework *fw)
>                 return FWTS_ABORTED;
>         }
>
> +       if (fwts_lib_efi_runtime_kernel_lockdown()) {
> +               fwts_log_info(fw, "Kernel is lockdown.  Aborted.");
> +               fwts_log_info(fw, "Please unlock the kernel before you test the UEFI tests.");
> +               fwts_log_info(fw, "Make sure you disable secureboot and disable "
> +                               "the kernel lockdown, (by kernel parameter lockdown=None).");
> +               return FWTS_ABORTED;
> +       }
> +
>         if (fwts_lib_efi_runtime_load_module(fw) != FWTS_OK) {
>                 fwts_log_info(fw, "Cannot load efi_runtime module. Aborted.");
>                 return FWTS_ABORTED;
> diff --git a/src/uefi/uefivarinfo/uefivarinfo.c b/src/uefi/uefivarinfo/uefivarinfo.c
> index 79672b8e..9f7eb61d 100644
> --- a/src/uefi/uefivarinfo/uefivarinfo.c
> +++ b/src/uefi/uefivarinfo/uefivarinfo.c
> @@ -41,6 +41,14 @@ static int uefivarinfo_init(fwts_framework *fw)
>                 return FWTS_ABORTED;
>         }
>
> +       if (fwts_lib_efi_runtime_kernel_lockdown()) {
> +               fwts_log_info(fw, "Kernel is lockdown.  Aborted.");
> +               fwts_log_info(fw, "Please unlock the kernel before you test the UEFI tests.");
> +               fwts_log_info(fw, "Make sure you disable secureboot and disable "
> +                               "the kernel lockdown, (by kernel parameter lockdown=None).");
> +               return FWTS_ABORTED;
> +       }
> +
>         if (fwts_lib_efi_runtime_load_module(fw) != FWTS_OK) {
>                 fwts_log_info(fw, "Cannot load efi_runtime module. Aborted.");
>                 return FWTS_ABORTED;
> --
> 2.17.1

Looks like we have quite a bit of duplicated code in these functions
that could use some refactoring, but I think we can deal with that
later.

Acked-by: Anthony Wong <anthony.wong@canonical.com>
Colin Ian King March 20, 2020, 10:53 a.m. UTC | #2
On 20/03/2020 09:00, Ivan Hu wrote:
> Check the kernel lockdown status and give warnings for those which
> test uefi runtime services via kernel efi_test driver.
> 
> Signed-off-by: Ivan Hu <ivan.hu@canonical.com>
> ---
>  src/uefi/securebootcert/securebootcert.c | 8 ++++++++
>  src/uefi/uefirtauthvar/uefirtauthvar.c   | 8 ++++++++
>  src/uefi/uefirtmisc/uefirtmisc.c         | 8 ++++++++
>  src/uefi/uefirttime/uefirttime.c         | 8 ++++++++
>  src/uefi/uefirtvariable/uefirtvariable.c | 8 ++++++++
>  src/uefi/uefivarinfo/uefivarinfo.c       | 8 ++++++++
>  6 files changed, 48 insertions(+)
> 
> diff --git a/src/uefi/securebootcert/securebootcert.c b/src/uefi/securebootcert/securebootcert.c
> index 93efe894..852b2316 100644
> --- a/src/uefi/securebootcert/securebootcert.c
> +++ b/src/uefi/securebootcert/securebootcert.c
> @@ -427,6 +427,14 @@ static int securebootcert_init(fwts_framework *fw)
>  		return FWTS_ABORTED;
>  	}
>  
> +	if (fwts_lib_efi_runtime_kernel_lockdown()) {
> +		fwts_log_info(fw, "Kernel is lockdown.  Aborted.");

Maybe this could be rephrased, e.g. "Kernel is in lockdown mode.
Aborted.");


> +		fwts_log_info(fw, "Please unlock the kernel before you test the UEFI tests.");
> +		fwts_log_info(fw, "Make sure you disable secureboot and disable "
> +				"the kernel lockdown, (by kernel parameter lockdown=None).");
> +		return FWTS_ABORTED;
> +	}

This lockdown message is being repeated a lot of times, so I'd prefer it
if a helper function was written to print this message rather than
cut-n-paste it many times.

> +
>  	if (fwts_lib_efi_runtime_load_module(fw) != FWTS_OK) {
>  		fwts_log_info(fw, "Cannot load efi_runtime module. Aborted.");
>  		return FWTS_ABORTED;
> diff --git a/src/uefi/uefirtauthvar/uefirtauthvar.c b/src/uefi/uefirtauthvar/uefirtauthvar.c
> index 4b1ebe08..eef4a61a 100644
> --- a/src/uefi/uefirtauthvar/uefirtauthvar.c
> +++ b/src/uefi/uefirtauthvar/uefirtauthvar.c
> @@ -120,6 +120,14 @@ static int uefirtauthvar_init(fwts_framework *fw)
>  		return FWTS_ABORTED;
>  	}
>  
> +	if (fwts_lib_efi_runtime_kernel_lockdown()) {
> +		fwts_log_info(fw, "Kernel is lockdown.  Aborted.");
> +		fwts_log_info(fw, "Please unlock the kernel before you test the UEFI tests.");
> +		fwts_log_info(fw, "Make sure you disable secureboot and disable "
> +				"the kernel lockdown, (by kernel parameter lockdown=None).");
> +		return FWTS_ABORTED;
> +	}
> +
>  	if (fwts_lib_efi_runtime_load_module(fw) != FWTS_OK) {
>  		fwts_log_info(fw, "Cannot load efi_runtime module. Aborted.");
>  		return FWTS_ABORTED;
> diff --git a/src/uefi/uefirtmisc/uefirtmisc.c b/src/uefi/uefirtmisc/uefirtmisc.c
> index 5031bc48..11cbf9bf 100644
> --- a/src/uefi/uefirtmisc/uefirtmisc.c
> +++ b/src/uefi/uefirtmisc/uefirtmisc.c
> @@ -50,6 +50,14 @@ static int uefirtmisc_init(fwts_framework *fw)
>  		return FWTS_ABORTED;
>  	}
>  
> +	if (fwts_lib_efi_runtime_kernel_lockdown()) {
> +		fwts_log_info(fw, "Kernel is lockdown.  Aborted.");
> +		fwts_log_info(fw, "Please unlock the kernel before you test the UEFI tests.");
> +		fwts_log_info(fw, "Make sure you disable secureboot and disable "
> +				"the kernel lockdown, (by kernel parameter lockdown=None).");
> +		return FWTS_ABORTED;
> +	}
> +
>  	if (fwts_lib_efi_runtime_load_module(fw) != FWTS_OK) {
>  		fwts_log_info(fw, "Cannot load efi_runtime module. Aborted.");
>  		return FWTS_ABORTED;
> diff --git a/src/uefi/uefirttime/uefirttime.c b/src/uefi/uefirttime/uefirttime.c
> index e316c0ab..ce27ded3 100644
> --- a/src/uefi/uefirttime/uefirttime.c
> +++ b/src/uefi/uefirttime/uefirttime.c
> @@ -174,6 +174,14 @@ static int uefirttime_init(fwts_framework *fw)
>  		return FWTS_ABORTED;
>  	}
>  
> +	if (fwts_lib_efi_runtime_kernel_lockdown()) {
> +		fwts_log_info(fw, "Kernel is lockdown.  Aborted.");
> +		fwts_log_info(fw, "Please unlock the kernel before you test the UEFI tests.");
> +		fwts_log_info(fw, "Make sure you disable secureboot and disable "
> +				"the kernel lockdown, (by kernel parameter lockdown=None).");
> +		return FWTS_ABORTED;
> +	}
> +
>  	if (fwts_lib_efi_runtime_load_module(fw) != FWTS_OK) {
>  		fwts_log_info(fw, "Cannot load efi_runtime module. Aborted.");
>  		return FWTS_ABORTED;
> diff --git a/src/uefi/uefirtvariable/uefirtvariable.c b/src/uefi/uefirtvariable/uefirtvariable.c
> index fbb877a6..0f37b174 100644
> --- a/src/uefi/uefirtvariable/uefirtvariable.c
> +++ b/src/uefi/uefirtvariable/uefirtvariable.c
> @@ -100,6 +100,14 @@ static int uefirtvariable_init(fwts_framework *fw)
>  		return FWTS_ABORTED;
>  	}
>  
> +	if (fwts_lib_efi_runtime_kernel_lockdown()) {
> +		fwts_log_info(fw, "Kernel is lockdown.  Aborted.");
> +		fwts_log_info(fw, "Please unlock the kernel before you test the UEFI tests.");
> +		fwts_log_info(fw, "Make sure you disable secureboot and disable "
> +				"the kernel lockdown, (by kernel parameter lockdown=None).");
> +		return FWTS_ABORTED;
> +	}
> +
>  	if (fwts_lib_efi_runtime_load_module(fw) != FWTS_OK) {
>  		fwts_log_info(fw, "Cannot load efi_runtime module. Aborted.");
>  		return FWTS_ABORTED;
> diff --git a/src/uefi/uefivarinfo/uefivarinfo.c b/src/uefi/uefivarinfo/uefivarinfo.c
> index 79672b8e..9f7eb61d 100644
> --- a/src/uefi/uefivarinfo/uefivarinfo.c
> +++ b/src/uefi/uefivarinfo/uefivarinfo.c
> @@ -41,6 +41,14 @@ static int uefivarinfo_init(fwts_framework *fw)
>  		return FWTS_ABORTED;
>  	}
>  
> +	if (fwts_lib_efi_runtime_kernel_lockdown()) {
> +		fwts_log_info(fw, "Kernel is lockdown.  Aborted.");
> +		fwts_log_info(fw, "Please unlock the kernel before you test the UEFI tests.");
> +		fwts_log_info(fw, "Make sure you disable secureboot and disable "
> +				"the kernel lockdown, (by kernel parameter lockdown=None).");
> +		return FWTS_ABORTED;
> +	}
> +
>  	if (fwts_lib_efi_runtime_load_module(fw) != FWTS_OK) {
>  		fwts_log_info(fw, "Cannot load efi_runtime module. Aborted.");
>  		return FWTS_ABORTED;
>

Patch

diff --git a/src/uefi/securebootcert/securebootcert.c b/src/uefi/securebootcert/securebootcert.c
index 93efe894..852b2316 100644
--- a/src/uefi/securebootcert/securebootcert.c
+++ b/src/uefi/securebootcert/securebootcert.c
@@ -427,6 +427,14 @@  static int securebootcert_init(fwts_framework *fw)
 		return FWTS_ABORTED;
 	}
 
+	if (fwts_lib_efi_runtime_kernel_lockdown()) {
+		fwts_log_info(fw, "Kernel is lockdown.  Aborted.");
+		fwts_log_info(fw, "Please unlock the kernel before you test the UEFI tests.");
+		fwts_log_info(fw, "Make sure you disable secureboot and disable "
+				"the kernel lockdown, (by kernel parameter lockdown=None).");
+		return FWTS_ABORTED;
+	}
+
 	if (fwts_lib_efi_runtime_load_module(fw) != FWTS_OK) {
 		fwts_log_info(fw, "Cannot load efi_runtime module. Aborted.");
 		return FWTS_ABORTED;
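Review bot: The third log line in the added block tells the user to boot with `lockdown=None`, but as far as I know the upstream `lockdown=` parameter accepts only `integrity` and `confidentiality`; `none` is the state reported by /sys/kernel/security/lockdown, not a value that can be passed on the command line. A user who follows the message may therefore be unable to get past this abort. I would word it around the state instead, e.g. `"Boot a test system with Secure Boot disabled and no lockdown= parameter so the kernel is not locked down."`, which also makes clear that the instruction turns off a boot-time protection. The same string is added in the uefirtauthvar, uefirtmisc, uefirttime, uefirtvariable and uefivarinfo hunks; securebootcert_init starts and ends outside this hunk.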
diff --git a/src/uefi/uefirtauthvar/uefirtauthvar.c b/src/uefi/uefirtauthvar/uefirtauthvar.c
index 4b1ebe08..eef4a61a 100644
--- a/src/uefi/uefirtauthvar/uefirtauthvar.c
+++ b/src/uefi/uefirtauthvar/uefirtauthvar.c
@@ -120,6 +120,14 @@  static int uefirtauthvar_init(fwts_framework *fw)
 		return FWTS_ABORTED;
 	}
 
+	if (fwts_lib_efi_runtime_kernel_lockdown()) {
+		fwts_log_info(fw, "Kernel is lockdown.  Aborted.");
+		fwts_log_info(fw, "Please unlock the kernel before you test the UEFI tests.");
+		fwts_log_info(fw, "Make sure you disable secureboot and disable "
+				"the kernel lockdown, (by kernel parameter lockdown=None).");
+		return FWTS_ABORTED;
+	}
+
 	if (fwts_lib_efi_runtime_load_module(fw) != FWTS_OK) {
 		fwts_log_info(fw, "Cannot load efi_runtime module. Aborted.");
 		return FWTS_ABORTED;
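Review bot: `if (fwts_lib_efi_runtime_kernel_lockdown())` treats every non-zero return as "locked down", and the helper comes from patch 1/2, which is not visible here. If it can also return an error code when the lockdown state cannot be read, that failure would be reported to the user as lockdown; comparing against an explicit value, or a comment such as `/* non-zero: kernel is in integrity or confidentiality lockdown */`, would make the contract clear. Lockdown is also an expected configuration on Secure Boot systems rather than a fault, so `return FWTS_SKIP;` may describe the outcome better than `FWTS_ABORTED`, provided the framework's skip semantics fit an init callback. This applies equally to the other five init functions touched by the patch; uefirtauthvar_init continues outside the hunk.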
diff --git a/src/uefi/uefirtmisc/uefirtmisc.c b/src/uefi/uefirtmisc/uefirtmisc.c
index 5031bc48..11cbf9bf 100644
--- a/src/uefi/uefirtmisc/uefirtmisc.c
+++ b/src/uefi/uefirtmisc/uefirtmisc.c
@@ -50,6 +50,14 @@  static int uefirtmisc_init(fwts_framework *fw)
 		return FWTS_ABORTED;
 	}
 
+	if (fwts_lib_efi_runtime_kernel_lockdown()) {
+		fwts_log_info(fw, "Kernel is lockdown.  Aborted.");
+		fwts_log_info(fw, "Please unlock the kernel before you test the UEFI tests.");
+		fwts_log_info(fw, "Make sure you disable secureboot and disable "
+				"the kernel lockdown, (by kernel parameter lockdown=None).");
+		return FWTS_ABORTED;
+	}
+
 	if (fwts_lib_efi_runtime_load_module(fw) != FWTS_OK) {
 		fwts_log_info(fw, "Cannot load efi_runtime module. Aborted.");
 		return FWTS_ABORTED;
diff --git a/src/uefi/uefirttime/uefirttime.c b/src/uefi/uefirttime/uefirttime.c
index e316c0ab..ce27ded3 100644
--- a/src/uefi/uefirttime/uefirttime.c
+++ b/src/uefi/uefirttime/uefirttime.c
@@ -174,6 +174,14 @@  static int uefirttime_init(fwts_framework *fw)
 		return FWTS_ABORTED;
 	}
 
+	if (fwts_lib_efi_runtime_kernel_lockdown()) {
+		fwts_log_info(fw, "Kernel is lockdown.  Aborted.");
+		fwts_log_info(fw, "Please unlock the kernel before you test the UEFI tests.");
+		fwts_log_info(fw, "Make sure you disable secureboot and disable "
+				"the kernel lockdown, (by kernel parameter lockdown=None).");
+		return FWTS_ABORTED;
+	}
+
 	if (fwts_lib_efi_runtime_load_module(fw) != FWTS_OK) {
 		fwts_log_info(fw, "Cannot load efi_runtime module. Aborted.");
 		return FWTS_ABORTED;
diff --git a/src/uefi/uefirtvariable/uefirtvariable.c b/src/uefi/uefirtvariable/uefirtvariable.c
index fbb877a6..0f37b174 100644
--- a/src/uefi/uefirtvariable/uefirtvariable.c
+++ b/src/uefi/uefirtvariable/uefirtvariable.c
@@ -100,6 +100,14 @@  static int uefirtvariable_init(fwts_framework *fw)
 		return FWTS_ABORTED;
 	}
 
+	if (fwts_lib_efi_runtime_kernel_lockdown()) {
+		fwts_log_info(fw, "Kernel is lockdown.  Aborted.");
+		fwts_log_info(fw, "Please unlock the kernel before you test the UEFI tests.");
+		fwts_log_info(fw, "Make sure you disable secureboot and disable "
+				"the kernel lockdown, (by kernel parameter lockdown=None).");
+		return FWTS_ABORTED;
+	}
+
 	if (fwts_lib_efi_runtime_load_module(fw) != FWTS_OK) {
 		fwts_log_info(fw, "Cannot load efi_runtime module. Aborted.");
 		return FWTS_ABORTED;
diff --git a/src/uefi/uefivarinfo/uefivarinfo.c b/src/uefi/uefivarinfo/uefivarinfo.c
index 79672b8e..9f7eb61d 100644
--- a/src/uefi/uefivarinfo/uefivarinfo.c
+++ b/src/uefi/uefivarinfo/uefivarinfo.c
@@ -41,6 +41,14 @@  static int uefivarinfo_init(fwts_framework *fw)
 		return FWTS_ABORTED;
 	}
 
+	if (fwts_lib_efi_runtime_kernel_lockdown()) {
+		fwts_log_info(fw, "Kernel is lockdown.  Aborted.");
+		fwts_log_info(fw, "Please unlock the kernel before you test the UEFI tests.");
+		fwts_log_info(fw, "Make sure you disable secureboot and disable "
+				"the kernel lockdown, (by kernel parameter lockdown=None).");
+		return FWTS_ABORTED;
+	}
+
 	if (fwts_lib_efi_runtime_load_module(fw) != FWTS_OK) {
 		fwts_log_info(fw, "Cannot load efi_runtime module. Aborted.");
 		return FWTS_ABORTED;