[PATCH 1/2] lib: add kernel lockdown check

Ivan Hu ivan.hu at canonical.com
Fri Mar 20 09:00:37 UTC 2020


Kernel lockdown has been present since 4.17, with further patches in 5.4.
It blocks access to the UEFI runtime services.
Add the function for checking kernel lockdown status.

Signed-off-by: Ivan Hu <ivan.hu at canonical.com>
---
 src/lib/include/fwts_efi_module.h |  1 +
 src/lib/src/fwts_efi_module.c     | 18 ++++++++++++++++++
 2 files changed, 19 insertions(+)

diff --git a/src/lib/include/fwts_efi_module.h b/src/lib/include/fwts_efi_module.h
index c086dc3e..c82e26d7 100644
--- a/src/lib/include/fwts_efi_module.h
+++ b/src/lib/include/fwts_efi_module.h
@@ -24,5 +24,6 @@ int fwts_lib_efi_runtime_load_module(fwts_framework *fw);
 int fwts_lib_efi_runtime_unload_module(fwts_framework *fw);
 int fwts_lib_efi_runtime_open(void);
 int fwts_lib_efi_runtime_close(int fd);
+bool fwts_lib_efi_runtime_kernel_lockdown(void);
 
 #endif
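Review bot: The new prototype introduces `bool` into this header, so the header must itself include `<stdbool.h>` (or an earlier include must provide it) to stay self-contained for a translation unit that includes it first. The hunk starts at line 24 and the include list is outside it, so I cannot tell from here whether that is already the case; if not, add `#include <stdbool.h>` alongside the existing includes.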
diff --git a/src/lib/src/fwts_efi_module.c b/src/lib/src/fwts_efi_module.c
index d49f20b0..bc56acb7 100644
--- a/src/lib/src/fwts_efi_module.c
+++ b/src/lib/src/fwts_efi_module.c
@@ -183,3 +183,21 @@ int fwts_lib_efi_runtime_close(int fd)
 {
 	return close(fd);
 }
+
+/*
+ *  fwts_lib_efi_runtime_kernel_lockdown()
+ *  check if the kernel has been lockdown
+ */
+bool fwts_lib_efi_runtime_kernel_lockdown(void)
+{
+	char *data;
+
+	if ((data = fwts_get("/sys/kernel/security/lockdown")) != NULL) {
+		if (strstr(data, "[none]") == NULL) {
+			free(data);
+			return true;
+		}
+	}
+	free(data);
+	return false;
+}
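Review bot: An empty read of `/sys/kernel/security/lockdown` is reported as locked down, because the only test on the returned buffer is that `[none]` is absent; I cannot tell from here what `fwts_get()` yields on an empty or short read, so if it can return "" the guard should also require content, e.g. `if (*data != '\0' && strstr(data, "[none]") == NULL) {`. The missing-file case (lockdown LSM not built, securityfs not mounted, or a pre-4.17 kernel) silently becomes false, which conflates "not locked down" with "cannot tell"; since callers will presumably use this result to decide whether UEFI runtime tests can run, the header comment should state that contract, e.g. `Returns true only when the lockdown file exists and its active mode is not [none]; a missing or unreadable file is treated as not locked down.` The trailing `free(data)` on the fall-through path is correct since free(NULL) is a no-op, but the flow reads more plainly as `locked = strstr(data, "[none]") == NULL; free(data); return locked;` inside the non-NULL branch, with a single `return false;` after it.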
-- 
2.17.1



