Message ID | 20200323065119.5178-1-ivan.hu@canonical.com |
---|---|
State | Accepted |
On 2020-03-23 12:51 a.m., Ivan Hu wrote:
> Check the kernel lockdown status and give warnings for those which
> test uefi runtime services via kernel efi_test driver.
>
> Signed-off-by: Ivan Hu <ivan.hu@canonical.com>
> Acked-by: Anthony Wong <anthony.wong@canonical.com>
> ---
> src/lib/include/fwts_efi_module.h | 2 +-
> src/lib/src/fwts_efi_module.c | 10 +++++++---
> src/uefi/securebootcert/securebootcert.c | 4 ++++
> src/uefi/uefirtauthvar/uefirtauthvar.c | 4 ++++
> src/uefi/uefirtmisc/uefirtmisc.c | 4 ++++
> src/uefi/uefirttime/uefirttime.c | 4 ++++
> src/uefi/uefirtvariable/uefirtvariable.c | 4 ++++
> src/uefi/uefivarinfo/uefivarinfo.c | 4 ++++
> 8 files changed, 32 insertions(+), 4 deletions(-)
>
> diff --git a/src/lib/include/fwts_efi_module.h b/src/lib/include/fwts_efi_module.h
> index c82e26d7..7b40332a 100644
> --- a/src/lib/include/fwts_efi_module.h
> +++ b/src/lib/include/fwts_efi_module.h
> @@ -24,6 +24,6 @@ int fwts_lib_efi_runtime_load_module(fwts_framework *fw);
> int fwts_lib_efi_runtime_unload_module(fwts_framework *fw);
> int fwts_lib_efi_runtime_open(void);
> int fwts_lib_efi_runtime_close(int fd);
> -bool fwts_lib_efi_runtime_kernel_lockdown(void);
> +int fwts_lib_efi_runtime_kernel_lockdown(fwts_framework *fw);
>
> #endif
> diff --git a/src/lib/src/fwts_efi_module.c b/src/lib/src/fwts_efi_module.c
> index bc56acb7..3c21b6d3 100644
> --- a/src/lib/src/fwts_efi_module.c
> +++ b/src/lib/src/fwts_efi_module.c
> @@ -188,16 +188,20 @@ int fwts_lib_efi_runtime_close(int fd)
> * fwts_lib_efi_runtime_kernel_lockdown()
> * check if the kernel has been lockdown
> */
> -bool fwts_lib_efi_runtime_kernel_lockdown(void)
> +int fwts_lib_efi_runtime_kernel_lockdown(fwts_framework *fw)
> {
> char *data;
>
> if ((data = fwts_get("/sys/kernel/security/lockdown")) != NULL) {
> if (strstr(data, "[none]") == NULL) {
> free(data);
> - return true;
> + fwts_log_info(fw, "Kernel is in lockdown mode. Aborted.");
> + fwts_log_info(fw, "Please unlock the kernel before you test the UEFI tests.");
> + fwts_log_info(fw, "Make sure you disable secureboot and disable "
> + "the kernel lockdown, (by kernel parameter lockdown=None).");
> + return FWTS_ABORTED;
> }
> }
> free(data);
> - return false;
> + return FWTS_OK;
> }
> diff --git a/src/uefi/securebootcert/securebootcert.c b/src/uefi/securebootcert/securebootcert.c
> index 93efe894..87ace3e5 100644
> --- a/src/uefi/securebootcert/securebootcert.c
> +++ b/src/uefi/securebootcert/securebootcert.c
> @@ -427,6 +427,10 @@ static int securebootcert_init(fwts_framework *fw)
> return FWTS_ABORTED;
> }
>
> + if (fwts_lib_efi_runtime_kernel_lockdown(fw) == FWTS_ABORTED) {
> + return FWTS_ABORTED;
> + }
> +
> if (fwts_lib_efi_runtime_load_module(fw) != FWTS_OK) {
> fwts_log_info(fw, "Cannot load efi_runtime module. Aborted.");
> return FWTS_ABORTED;
> diff --git a/src/uefi/uefirtauthvar/uefirtauthvar.c b/src/uefi/uefirtauthvar/uefirtauthvar.c
> index 4b1ebe08..a2a88d77 100644
> --- a/src/uefi/uefirtauthvar/uefirtauthvar.c
> +++ b/src/uefi/uefirtauthvar/uefirtauthvar.c
> @@ -120,6 +120,10 @@ static int uefirtauthvar_init(fwts_framework *fw)
> return FWTS_ABORTED;
> }
>
> + if (fwts_lib_efi_runtime_kernel_lockdown(fw) == FWTS_ABORTED) {
> + return FWTS_ABORTED;
> + }
> +
> if (fwts_lib_efi_runtime_load_module(fw) != FWTS_OK) {
> fwts_log_info(fw, "Cannot load efi_runtime module. Aborted.");
> return FWTS_ABORTED;
> diff --git a/src/uefi/uefirtmisc/uefirtmisc.c b/src/uefi/uefirtmisc/uefirtmisc.c
> index 5031bc48..c4176992 100644
> --- a/src/uefi/uefirtmisc/uefirtmisc.c
> +++ b/src/uefi/uefirtmisc/uefirtmisc.c
> @@ -50,6 +50,10 @@ static int uefirtmisc_init(fwts_framework *fw)
> return FWTS_ABORTED;
> }
>
> + if (fwts_lib_efi_runtime_kernel_lockdown(fw) == FWTS_ABORTED) {
> + return FWTS_ABORTED;
> + }
> +
> if (fwts_lib_efi_runtime_load_module(fw) != FWTS_OK) {
> fwts_log_info(fw, "Cannot load efi_runtime module. Aborted.");
> return FWTS_ABORTED;
> diff --git a/src/uefi/uefirttime/uefirttime.c b/src/uefi/uefirttime/uefirttime.c
> index e316c0ab..ea8c3577 100644
> --- a/src/uefi/uefirttime/uefirttime.c
> +++ b/src/uefi/uefirttime/uefirttime.c
> @@ -174,6 +174,10 @@ static int uefirttime_init(fwts_framework *fw)
> return FWTS_ABORTED;
> }
>
> + if (fwts_lib_efi_runtime_kernel_lockdown(fw) == FWTS_ABORTED) {
> + return FWTS_ABORTED;
> + }
> +
> if (fwts_lib_efi_runtime_load_module(fw) != FWTS_OK) {
> fwts_log_info(fw, "Cannot load efi_runtime module. Aborted.");
> return FWTS_ABORTED;
> diff --git a/src/uefi/uefirtvariable/uefirtvariable.c b/src/uefi/uefirtvariable/uefirtvariable.c
> index fbb877a6..3986d1d3 100644
> --- a/src/uefi/uefirtvariable/uefirtvariable.c
> +++ b/src/uefi/uefirtvariable/uefirtvariable.c
> @@ -100,6 +100,10 @@ static int uefirtvariable_init(fwts_framework *fw)
> return FWTS_ABORTED;
> }
>
> + if (fwts_lib_efi_runtime_kernel_lockdown(fw) == FWTS_ABORTED) {
> + return FWTS_ABORTED;
> + }
> +
> if (fwts_lib_efi_runtime_load_module(fw) != FWTS_OK) {
> fwts_log_info(fw, "Cannot load efi_runtime module. Aborted.");
> return FWTS_ABORTED;
> diff --git a/src/uefi/uefivarinfo/uefivarinfo.c b/src/uefi/uefivarinfo/uefivarinfo.c
> index 79672b8e..b407f5c6 100644
> --- a/src/uefi/uefivarinfo/uefivarinfo.c
> +++ b/src/uefi/uefivarinfo/uefivarinfo.c
> @@ -41,6 +41,10 @@ static int uefivarinfo_init(fwts_framework *fw)
> return FWTS_ABORTED;
> }
>
> + if (fwts_lib_efi_runtime_kernel_lockdown(fw) == FWTS_ABORTED) {
> + return FWTS_ABORTED;
> + }
> +
> if (fwts_lib_efi_runtime_load_module(fw) != FWTS_OK) {
> fwts_log_info(fw, "Cannot load efi_runtime module. Aborted.");
> return FWTS_ABORTED;
> Acked-by: Alex Hung <alex.hung@canonical.com>
diff --git a/src/lib/include/fwts_efi_module.h b/src/lib/include/fwts_efi_module.h
index c82e26d7..7b40332a 100644
--- a/src/lib/include/fwts_efi_module.h
+++ b/src/lib/include/fwts_efi_module.h
@@ -24,6 +24,6 @@ int fwts_lib_efi_runtime_load_module(fwts_framework *fw);
 int fwts_lib_efi_runtime_unload_module(fwts_framework *fw);
 int fwts_lib_efi_runtime_open(void);
 int fwts_lib_efi_runtime_close(int fd);
-bool fwts_lib_efi_runtime_kernel_lockdown(void);
+int fwts_lib_efi_runtime_kernel_lockdown(fwts_framework *fw);

 #endif
diff --git a/src/lib/src/fwts_efi_module.c b/src/lib/src/fwts_efi_module.c
index bc56acb7..3c21b6d3 100644
--- a/src/lib/src/fwts_efi_module.c
+++ b/src/lib/src/fwts_efi_module.c
@@ -188,16 +188,20 @@ int fwts_lib_efi_runtime_close(int fd)
 * fwts_lib_efi_runtime_kernel_lockdown()
 * check if the kernel has been lockdown
 */
-bool fwts_lib_efi_runtime_kernel_lockdown(void)
+int fwts_lib_efi_runtime_kernel_lockdown(fwts_framework *fw)
 {
 char *data;

 if ((data = fwts_get("/sys/kernel/security/lockdown")) != NULL) {
 if (strstr(data, "[none]") == NULL) {
 free(data);
- return true;
+ fwts_log_info(fw, "Kernel is in lockdown mode. Aborted.");
+ fwts_log_info(fw, "Please unlock the kernel before you test the UEFI tests.");
+ fwts_log_info(fw, "Make sure you disable secureboot and disable "
+ "the kernel lockdown, (by kernel parameter lockdown=None).");
+ return FWTS_ABORTED;
 }
 }
 free(data);
- return false;
+ return FWTS_OK;
 }
diff --git a/src/uefi/securebootcert/securebootcert.c b/src/uefi/securebootcert/securebootcert.c
index 93efe894..87ace3e5 100644
--- a/src/uefi/securebootcert/securebootcert.c
+++ b/src/uefi/securebootcert/securebootcert.c
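Review bot: The last log message in the locked-down branch of fwts_lib_efi_runtime_kernel_lockdown() (src/lib/src/fwts_efi_module.c) recommends `lockdown=None`, which as far as I know is not a value the kernel's `lockdown=` parameter accepts (it takes `integrity` or `confidentiality`), and a lockdown level cannot be lowered once it has been set. A hint such as `"Boot with secure boot disabled and without a lockdown= kernel parameter."` would describe what the user can actually do, at least on kernels that enable lockdown automatically under Secure Boot. The comment above the function still reads "check if the kernel has been lockdown"; it should now say that the function logs and returns `FWTS_ABORTED` when the lockdown file does not contain `[none]`, and `FWTS_OK` otherwise, including when `fwts_get()` returns NULL.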
@@ -427,6 +427,10 @@ static int securebootcert_init(fwts_framework *fw)
 return FWTS_ABORTED;
 }

+ if (fwts_lib_efi_runtime_kernel_lockdown(fw) == FWTS_ABORTED) {
+ return FWTS_ABORTED;
+ }
+
 if (fwts_lib_efi_runtime_load_module(fw) != FWTS_OK) {
 fwts_log_info(fw, "Cannot load efi_runtime module. Aborted.");
 return FWTS_ABORTED;
diff --git a/src/uefi/uefirtauthvar/uefirtauthvar.c b/src/uefi/uefirtauthvar/uefirtauthvar.c
index 4b1ebe08..a2a88d77 100644
--- a/src/uefi/uefirtauthvar/uefirtauthvar.c
+++ b/src/uefi/uefirtauthvar/uefirtauthvar.c
@@ -120,6 +120,10 @@ static int uefirtauthvar_init(fwts_framework *fw)
 return FWTS_ABORTED;
 }

+ if (fwts_lib_efi_runtime_kernel_lockdown(fw) == FWTS_ABORTED) {
+ return FWTS_ABORTED;
+ }
+
 if (fwts_lib_efi_runtime_load_module(fw) != FWTS_OK) {
 fwts_log_info(fw, "Cannot load efi_runtime module. Aborted.");
 return FWTS_ABORTED;
diff --git a/src/uefi/uefirtmisc/uefirtmisc.c b/src/uefi/uefirtmisc/uefirtmisc.c
index 5031bc48..c4176992 100644
--- a/src/uefi/uefirtmisc/uefirtmisc.c
+++ b/src/uefi/uefirtmisc/uefirtmisc.c
@@ -50,6 +50,10 @@ static int uefirtmisc_init(fwts_framework *fw)
 return FWTS_ABORTED;
 }

+ if (fwts_lib_efi_runtime_kernel_lockdown(fw) == FWTS_ABORTED) {
+ return FWTS_ABORTED;
+ }
+
 if (fwts_lib_efi_runtime_load_module(fw) != FWTS_OK) {
 fwts_log_info(fw, "Cannot load efi_runtime module. Aborted.");
 return FWTS_ABORTED;
diff --git a/src/uefi/uefirttime/uefirttime.c b/src/uefi/uefirttime/uefirttime.c
index e316c0ab..ea8c3577 100644
--- a/src/uefi/uefirttime/uefirttime.c
+++ b/src/uefi/uefirttime/uefirttime.c
@@ -174,6 +174,10 @@ static int uefirttime_init(fwts_framework *fw)
 return FWTS_ABORTED;
 }

+ if (fwts_lib_efi_runtime_kernel_lockdown(fw) == FWTS_ABORTED) {
+ return FWTS_ABORTED;
+ }
+
 if (fwts_lib_efi_runtime_load_module(fw) != FWTS_OK) {
 fwts_log_info(fw, "Cannot load efi_runtime module. Aborted.");
 return FWTS_ABORTED;
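Review bot: In securebootcert_init() (src/uefi/securebootcert/securebootcert.c) the new guard aborts the test whenever the kernel is locked down, and the helper's log text tells the user to disable secure boot, so a test that by its name inspects Secure Boot certificates would then only run on a machine where Secure Boot is off. If the test only reads variables, it is worth checking whether it can use a read path that lockdown still permits instead of aborting. At minimum the guard deserves a comment such as `/* the efi_test driver is unavailable while the kernel is locked down */` so the reason for the early return is visible at the call site. The function body starts and ends outside the hunk, so how the variables are actually read cannot be confirmed from here.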
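Review bot: The same three-line guard is pasted into six init functions (securebootcert_init, uefirtauthvar_init, uefirtmisc_init, uefirttime_init, and uefirtvariable_init and uefivarinfo_init further down), each comparing against `FWTS_ABORTED` while the neighbouring load_module call compares against `FWTS_OK`. Writing it as `if (fwts_lib_efi_runtime_kernel_lockdown(fw) != FWTS_OK) return FWTS_ABORTED;` would stop the tests from carrying on if the helper ever gains another failure code. Since every call site goes straight on to fwts_lib_efi_runtime_load_module(fw), the check could also live inside that function so a new test cannot forget it; that function is not shown in this diff, so treat this as something to evaluate rather than a drop-in change.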
diff --git a/src/uefi/uefirtvariable/uefirtvariable.c b/src/uefi/uefirtvariable/uefirtvariable.c
index fbb877a6..3986d1d3 100644
--- a/src/uefi/uefirtvariable/uefirtvariable.c
+++ b/src/uefi/uefirtvariable/uefirtvariable.c
@@ -100,6 +100,10 @@ static int uefirtvariable_init(fwts_framework *fw)
 return FWTS_ABORTED;
 }

+ if (fwts_lib_efi_runtime_kernel_lockdown(fw) == FWTS_ABORTED) {
+ return FWTS_ABORTED;
+ }
+
 if (fwts_lib_efi_runtime_load_module(fw) != FWTS_OK) {
 fwts_log_info(fw, "Cannot load efi_runtime module. Aborted.");
 return FWTS_ABORTED;
diff --git a/src/uefi/uefivarinfo/uefivarinfo.c b/src/uefi/uefivarinfo/uefivarinfo.c
index 79672b8e..b407f5c6 100644
--- a/src/uefi/uefivarinfo/uefivarinfo.c
+++ b/src/uefi/uefivarinfo/uefivarinfo.c
@@ -41,6 +41,10 @@ static int uefivarinfo_init(fwts_framework *fw)
 return FWTS_ABORTED;
 }

+ if (fwts_lib_efi_runtime_kernel_lockdown(fw) == FWTS_ABORTED) {
+ return FWTS_ABORTED;
+ }
+
 if (fwts_lib_efi_runtime_load_module(fw) != FWTS_OK) {
 fwts_log_info(fw, "Cannot load efi_runtime module. Aborted.");
 return FWTS_ABORTED;