From patchwork Mon Mar 23 06:51:19 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ivan Hu X-Patchwork-Id: 1259869 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (no SPF record) smtp.mailfrom=lists.ubuntu.com (client-ip=91.189.94.19; helo=huckleberry.canonical.com; envelope-from=fwts-devel-bounces@lists.ubuntu.com; receiver=) Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none) header.from=canonical.com Received: from huckleberry.canonical.com (huckleberry.canonical.com [91.189.94.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 48m4mT4z5Nz9sQt; Mon, 23 Mar 2020 17:51:35 +1100 (AEDT) Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com) by huckleberry.canonical.com with esmtp (Exim 4.86_2) (envelope-from ) id 1jGGvp-0007TO-Nt; Mon, 23 Mar 2020 06:51:29 +0000 Received: from youngberry.canonical.com ([91.189.89.112]) by huckleberry.canonical.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1jGGvm-0007RQ-HY for fwts-devel@lists.ubuntu.com; Mon, 23 Mar 2020 06:51:26 +0000 Received: from [106.104.73.87] (helo=canonical.com) by youngberry.canonical.com with esmtpsa (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1jGGvl-0001sk-Oo; Mon, 23 Mar 2020 06:51:26 +0000 
From: Ivan Hu To: fwts-devel@lists.ubuntu.com Subject: [PATCH 2/2][V2][V2] uefi: check the kernel lockdown for uefi tests Date: Mon, 23 Mar 2020 14:51:19 +0800 Message-Id: <20200323065119.5178-1-ivan.hu@canonical.com> X-Mailer: git-send-email 2.17.1 X-BeenThere: fwts-devel@lists.ubuntu.com X-Mailman-Version: 2.1.20 Precedence: list List-Id: Firmware Test Suite Development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: fwts-devel-bounces@lists.ubuntu.com Sender: "fwts-devel" Check the kernel lockdown status and give warnings for those which test uefi runtime services via kernel efi_test driver. Signed-off-by: Ivan Hu Acked-by: Anthony Wong Acked-by: Alex Hung
---
 src/lib/include/fwts_efi_module.h | 2 +-
 src/lib/src/fwts_efi_module.c | 10 +++++++---
 src/uefi/securebootcert/securebootcert.c | 4 ++++
 src/uefi/uefirtauthvar/uefirtauthvar.c | 4 ++++
 src/uefi/uefirtmisc/uefirtmisc.c | 4 ++++
 src/uefi/uefirttime/uefirttime.c | 4 ++++
 src/uefi/uefirtvariable/uefirtvariable.c | 4 ++++
 src/uefi/uefivarinfo/uefivarinfo.c | 4 ++++
 8 files changed, 32 insertions(+), 4 deletions(-)
diff --git a/src/lib/include/fwts_efi_module.h b/src/lib/include/fwts_efi_module.h
index c82e26d7..7b40332a 100644
--- a/src/lib/include/fwts_efi_module.h
+++ b/src/lib/include/fwts_efi_module.h
@@ -24,6 +24,6 @@ int fwts_lib_efi_runtime_load_module(fwts_framework *fw);
 int fwts_lib_efi_runtime_unload_module(fwts_framework *fw);
 int fwts_lib_efi_runtime_open(void);
 int fwts_lib_efi_runtime_close(int fd);
-bool fwts_lib_efi_runtime_kernel_lockdown(void);
+int fwts_lib_efi_runtime_kernel_lockdown(fwts_framework *fw);
 #endif
diff --git a/src/lib/src/fwts_efi_module.c b/src/lib/src/fwts_efi_module.c
index bc56acb7..3c21b6d3 100644
--- a/src/lib/src/fwts_efi_module.c
+++ b/src/lib/src/fwts_efi_module.c
@@ -188,16 +188,20 @@ int fwts_lib_efi_runtime_close(int fd)
 * fwts_lib_efi_runtime_kernel_lockdown()
 * check if the kernel has been lockdown
 */
-bool fwts_lib_efi_runtime_kernel_lockdown(void)
+int fwts_lib_efi_runtime_kernel_lockdown(fwts_framework *fw)
 {
 char *data;
 if ((data = fwts_get("/sys/kernel/security/lockdown")) != NULL) {
 if (strstr(data, "[none]") == NULL) {
 free(data);
- return true;
+ fwts_log_info(fw, "Kernel is in lockdown mode. Aborted.");
+ fwts_log_info(fw, "Please unlock the kernel before you test the UEFI tests.");
+ fwts_log_info(fw, "Make sure you disable secureboot and disable "
+ "the kernel lockdown, (by kernel parameter lockdown=None).");
+ return FWTS_ABORTED;
 }
 }
 free(data);
- return false;
+ return FWTS_OK;
 }
diff --git a/src/uefi/securebootcert/securebootcert.c b/src/uefi/securebootcert/securebootcert.c
index 93efe894..87ace3e5 100644
--- a/src/uefi/securebootcert/securebootcert.c
+++ b/src/uefi/securebootcert/securebootcert.c
@@ -427,6 +427,10 @@ static int securebootcert_init(fwts_framework *fw)
 return FWTS_ABORTED;
 }
+ if (fwts_lib_efi_runtime_kernel_lockdown(fw) == FWTS_ABORTED) {
+ return FWTS_ABORTED;
+ }
+
 if (fwts_lib_efi_runtime_load_module(fw) != FWTS_OK) {
 fwts_log_info(fw, "Cannot load efi_runtime module. Aborted.");
 return FWTS_ABORTED;
diff --git a/src/uefi/uefirtauthvar/uefirtauthvar.c b/src/uefi/uefirtauthvar/uefirtauthvar.c
index 4b1ebe08..a2a88d77 100644
--- a/src/uefi/uefirtauthvar/uefirtauthvar.c
+++ b/src/uefi/uefirtauthvar/uefirtauthvar.c
@@ -120,6 +120,10 @@ static int uefirtauthvar_init(fwts_framework *fw)
 return FWTS_ABORTED;
 }
+ if (fwts_lib_efi_runtime_kernel_lockdown(fw) == FWTS_ABORTED) {
+ return FWTS_ABORTED;
+ }
+
 if (fwts_lib_efi_runtime_load_module(fw) != FWTS_OK) {
 fwts_log_info(fw, "Cannot load efi_runtime module. Aborted.");
 return FWTS_ABORTED;
diff --git a/src/uefi/uefirtmisc/uefirtmisc.c b/src/uefi/uefirtmisc/uefirtmisc.c
index 5031bc48..c4176992 100644
--- a/src/uefi/uefirtmisc/uefirtmisc.c
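Review bot: In fwts_lib_efi_runtime_kernel_lockdown() (src/lib/src/fwts_efi_module.c), the last added log line recommends the kernel parameter `lockdown=None`, but as far as I know the `lockdown=` parameter only takes `integrity` or `confidentiality`, so following the message would not lift lockdown. I would reword the tail to something like `"the kernel lockdown (boot without the lockdown= kernel parameter)."`. The comment above the function still says only that it checks whether the kernel is locked down; it should now state that the function logs and returns FWTS_ABORTED when /sys/kernel/security/lockdown does not show `[none]`, and returns FWTS_OK otherwise. That includes the case where fwts_get() returns NULL, so an unreadable lockdown file is treated as not locked down, which deserves a one-line comment such as `/* no lockdown file: treat as not locked down */`.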
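Review bot: The guard added to securebootcert_init() tests the helper with `== FWTS_ABORTED`, while the load-module check right below it uses `!= FWTS_OK`; if the helper ever returns a different failure code, init would carry on and try to load efi_runtime on a locked-down kernel. I would write `if (fwts_lib_efi_runtime_kernel_lockdown(fw) != FWTS_OK)` here and in the identical blocks added to uefirtauthvar_init, uefirtmisc_init, uefirttime_init, uefirtvariable_init and uefivarinfo_init. Because the six copies are the same, the check could instead sit at the top of fwts_lib_efi_runtime_load_module(), provided no other caller of that loader is expected to work under lockdown. The body of securebootcert_init starts and ends outside the hunk.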
+++ b/src/uefi/uefirtmisc/uefirtmisc.c
@@ -50,6 +50,10 @@ static int uefirtmisc_init(fwts_framework *fw)
 return FWTS_ABORTED;
 }
+ if (fwts_lib_efi_runtime_kernel_lockdown(fw) == FWTS_ABORTED) {
+ return FWTS_ABORTED;
+ }
+
 if (fwts_lib_efi_runtime_load_module(fw) != FWTS_OK) {
 fwts_log_info(fw, "Cannot load efi_runtime module. Aborted.");
 return FWTS_ABORTED;
diff --git a/src/uefi/uefirttime/uefirttime.c b/src/uefi/uefirttime/uefirttime.c
index e316c0ab..ea8c3577 100644
--- a/src/uefi/uefirttime/uefirttime.c
+++ b/src/uefi/uefirttime/uefirttime.c
@@ -174,6 +174,10 @@ static int uefirttime_init(fwts_framework *fw)
 return FWTS_ABORTED;
 }
+ if (fwts_lib_efi_runtime_kernel_lockdown(fw) == FWTS_ABORTED) {
+ return FWTS_ABORTED;
+ }
+
 if (fwts_lib_efi_runtime_load_module(fw) != FWTS_OK) {
 fwts_log_info(fw, "Cannot load efi_runtime module. Aborted.");
 return FWTS_ABORTED;
diff --git a/src/uefi/uefirtvariable/uefirtvariable.c b/src/uefi/uefirtvariable/uefirtvariable.c
index fbb877a6..3986d1d3 100644
--- a/src/uefi/uefirtvariable/uefirtvariable.c
+++ b/src/uefi/uefirtvariable/uefirtvariable.c
@@ -100,6 +100,10 @@ static int uefirtvariable_init(fwts_framework *fw)
 return FWTS_ABORTED;
 }
+ if (fwts_lib_efi_runtime_kernel_lockdown(fw) == FWTS_ABORTED) {
+ return FWTS_ABORTED;
+ }
+
 if (fwts_lib_efi_runtime_load_module(fw) != FWTS_OK) {
 fwts_log_info(fw, "Cannot load efi_runtime module. Aborted.");
 return FWTS_ABORTED;
diff --git a/src/uefi/uefivarinfo/uefivarinfo.c b/src/uefi/uefivarinfo/uefivarinfo.c
index 79672b8e..b407f5c6 100644
--- a/src/uefi/uefivarinfo/uefivarinfo.c
+++ b/src/uefi/uefivarinfo/uefivarinfo.c
@@ -41,6 +41,10 @@ static int uefivarinfo_init(fwts_framework *fw)
 return FWTS_ABORTED;
 }
+ if (fwts_lib_efi_runtime_kernel_lockdown(fw) == FWTS_ABORTED) {
+ return FWTS_ABORTED;
+ }
+
 if (fwts_lib_efi_runtime_load_module(fw) != FWTS_OK) {
 fwts_log_info(fw, "Cannot load efi_runtime module. Aborted.");
 return FWTS_ABORTED;