Message ID | 20230721091515.1353371-2-pvorel@suse.cz |
---|---|
State | Accepted |
Series | Add .skip_in_secureboot flag |
Hi, small nit: there are two spaces after the first tst_kconfig_get(). Otherwise looks good. Reviewed-by: Martin Doucha <mdoucha@suse.cz> On 21. 07. 23 11:15, Petr Vorel wrote: > Originally we checked only CONFIG_EFI_SECURE_BOOT_LOCK_DOWN=y > (non-mainline patch from 2017 [1]. Various distros (older releases) use > other newer non-mainline patch [2] (originally from Fedora 32), which with > CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT=y forces lockdown, when in secure boot. > > [1] https://lore.kernel.org/lkml/149141204578.30815.1929675368430800975.stgit@warthog.procyon.org.uk/ > [2] https://lore.kernel.org/lkml/150842483945.7923.12778302394414653081.stgit@warthog.procyon.org.uk/ > > Signed-off-by: Petr Vorel <pvorel@suse.cz> > --- > lib/tst_lockdown.c | 9 ++++----- > 1 file changed, 4 insertions(+), 5 deletions(-) > > diff --git a/lib/tst_lockdown.c b/lib/tst_lockdown.c > index 26a57b6a1..4ce4736c3 100644 > --- a/lib/tst_lockdown.c > +++ b/lib/tst_lockdown.c > @@ -50,11 +50,10 @@ int tst_lockdown_enabled(void) > > if (access(PATH_LOCKDOWN, F_OK) != 0) { > char flag; > - > - flag = tst_kconfig_get("CONFIG_EFI_SECURE_BOOT_LOCK_DOWN"); > - > - /* SecureBoot enabled could mean integrity lockdown */ > - if (flag == 'y' && tst_secureboot_enabled() > 0) > + /* SecureBoot enabled could mean integrity lockdown (non-mainline version) */ > + flag = tst_kconfig_get("CONFIG_EFI_SECURE_BOOT_LOCK_DOWN") == 'y'; > + flag |= tst_kconfig_get("CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT") == 'y'; > + if (flag && tst_secureboot_enabled() > 0) > return 1; > > tst_res(TINFO, "Unable to determine system lockdown state");
diff --git a/lib/tst_lockdown.c b/lib/tst_lockdown.c index 26a57b6a1..4ce4736c3 100644 --- a/lib/tst_lockdown.c +++ b/lib/tst_lockdown.c @@ -50,11 +50,10 @@ int tst_lockdown_enabled(void) if (access(PATH_LOCKDOWN, F_OK) != 0) { char flag; - - flag = tst_kconfig_get("CONFIG_EFI_SECURE_BOOT_LOCK_DOWN"); - - /* SecureBoot enabled could mean integrity lockdown */ - if (flag == 'y' && tst_secureboot_enabled() > 0) + /* SecureBoot enabled could mean integrity lockdown (non-mainline version) */ + flag = tst_kconfig_get("CONFIG_EFI_SECURE_BOOT_LOCK_DOWN") == 'y'; + flag |= tst_kconfig_get("CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT") == 'y'; + if (flag && tst_secureboot_enabled() > 0) return 1; tst_res(TINFO, "Unable to determine system lockdown state");
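Review bot: in the `if (access(PATH_LOCKDOWN, F_OK) != 0)` block, `char flag` no longer stores the character returned by tst_kconfig_get() but the OR of two `== 'y'` comparisons, so it is now a 0/1 truth value held in a `char`. Declaring it as `int` (or `bool`) would match how it is used in `if (flag && tst_secureboot_enabled() > 0)`. The hunk also drops the blank line that the removed lines had after `char flag;`, so the new comment sits directly under the declaration; keeping one blank line between the declaration and the first statement would read better. The comment could also name both non-mainline options rather than saying only "(non-mainline version)", since the check now covers two different patches.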
Originally we checked only CONFIG_EFI_SECURE_BOOT_LOCK_DOWN=y
(non-mainline patch from 2017 [1]). Various distros (older releases) use
other newer non-mainline patch [2] (originally from Fedora 32), which with
CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT=y forces lockdown, when in secure boot.

[1] https://lore.kernel.org/lkml/149141204578.30815.1929675368430800975.stgit@warthog.procyon.org.uk/
[2] https://lore.kernel.org/lkml/150842483945.7923.12778302394414653081.stgit@warthog.procyon.org.uk/

Signed-off-by: Petr Vorel <pvorel@suse.cz>

---
lib/tst_lockdown.c | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)