ACK [PATCH 1/2] lib: add kernel lockdown check

Colin Ian King colin.king at canonical.com
Fri Mar 20 15:50:03 UTC 2020


On 20/03/2020 09:00, Ivan Hu wrote:
> Kernel lockdown has been added since 4.17, with more patches in 5.4.
> It blocks access to the UEFI runtime services.
> Add a function for checking the kernel lockdown status.
> 
> Signed-off-by: Ivan Hu <ivan.hu at canonical.com>
> ---
>  src/lib/include/fwts_efi_module.h |  1 +
>  src/lib/src/fwts_efi_module.c     | 18 ++++++++++++++++++
>  2 files changed, 19 insertions(+)
> 
> diff --git a/src/lib/include/fwts_efi_module.h b/src/lib/include/fwts_efi_module.h
> index c086dc3e..c82e26d7 100644
> --- a/src/lib/include/fwts_efi_module.h
> +++ b/src/lib/include/fwts_efi_module.h
> @@ -24,5 +24,6 @@ int fwts_lib_efi_runtime_load_module(fwts_framework *fw);
>  int fwts_lib_efi_runtime_unload_module(fwts_framework *fw);
>  int fwts_lib_efi_runtime_open(void);
>  int fwts_lib_efi_runtime_close(int fd);
> +bool fwts_lib_efi_runtime_kernel_lockdown(void);
>  
>  #endif
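Review bot: the new prototype for fwts_lib_efi_runtime_kernel_lockdown() uses bool, but the visible context of fwts_efi_module.h does not show an include of <stdbool.h> (or of a header that pulls it in); please confirm the header compiles on its own, since any translation unit that includes it without stdbool.h will otherwise fail on that line.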
> diff --git a/src/lib/src/fwts_efi_module.c b/src/lib/src/fwts_efi_module.c
> index d49f20b0..bc56acb7 100644
> --- a/src/lib/src/fwts_efi_module.c
> +++ b/src/lib/src/fwts_efi_module.c
> @@ -183,3 +183,21 @@ int fwts_lib_efi_runtime_close(int fd)
>  {
>  	return close(fd);
>  }
> +
> +/*
> + *  fwts_lib_efi_runtime_kernel_lockdown()
> + *  check if the kernel has been lockdown
> + */
> +bool fwts_lib_efi_runtime_kernel_lockdown(void)
> +{
> +	char *data;
> +
> +	if ((data = fwts_get("/sys/kernel/security/lockdown")) != NULL) {
> +		if (strstr(data, "[none]") == NULL) {
> +			free(data);
> +			return true;
> +		}
> +	}
> +	free(data);
> +	return false;
> +}
> 
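Review bot: in fwts_lib_efi_runtime_kernel_lockdown() the NULL path from fwts_get() falls through to the unconditional free(data); with data == NULL. free(NULL) is a no-op, so this is not a memory bug, but the control flow reads as if that case were missed, and it also means "file absent" (no lockdown LSM, or securityfs not mounted) and "[none]" both collapse to false, so a caller cannot tell an unknown state from an explicitly unlocked one. Suggest a local `bool locked = false;`, assign `locked = (strstr(data, "[none]") == NULL);` inside the non-NULL branch, free there, and return locked; and document in the function comment that false also covers "state unknown". Minor: the comment should read "check if the kernel has been locked down".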

Acked-by: Colin Ian King <colin.king at canonical.com>
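As an added example, not fwts code and not part of this patch: a small C parser for the text that /sys/kernel/security/lockdown exposes (the available modes on one line, the active one in square brackets), returning the selected mode rather than only a yes/no, and distinguishing an absent or unreadable file from an explicit none. The sample file contents in main() are constructed for the example; the enum, function names and the LOCKDOWN_UNKNOWN convention are my own, and lockdown_blocks_efi_runtime() mirrors the patch's rule that any mode other than none counts as locked down.

```c
/*
 * Added example (not fwts code): parse the Linux lockdown state exposed at
 * /sys/kernel/security/lockdown. The kernel prints the modes on one line with
 * the active one bracketed, e.g. "none integrity [confidentiality]\n".
 * Names and the UNKNOWN convention are assumptions made for this example.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum lockdown_state {
	LOCKDOWN_UNKNOWN = -1,		/* file missing/unreadable or no [mode] token */
	LOCKDOWN_NONE = 0,
	LOCKDOWN_INTEGRITY = 1,
	LOCKDOWN_CONFIDENTIALITY = 2
};

/* Map the bracketed token in the sysfs text to an enum value. */
enum lockdown_state lockdown_parse(const char *text)
{
	const char *open, *close;
	size_t len;

	if (text == NULL)
		return LOCKDOWN_UNKNOWN;
	open = strchr(text, '[');
	if (open == NULL)
		return LOCKDOWN_UNKNOWN;
	close = strchr(open, ']');
	if (close == NULL)
		return LOCKDOWN_UNKNOWN;
	len = (size_t)(close - open - 1);	/* length of the token inside [] */
	if (len == 4 && strncmp(open + 1, "none", 4) == 0)
		return LOCKDOWN_NONE;
	if (len == 9 && strncmp(open + 1, "integrity", 9) == 0)
		return LOCKDOWN_INTEGRITY;
	if (len == 15 && strncmp(open + 1, "confidentiality", 15) == 0)
		return LOCKDOWN_CONFIDENTIALITY;
	return LOCKDOWN_UNKNOWN;
}

/*
 * Same rule as the patch's helper: anything other than an explicit "none"
 * is treated as locked down; UNKNOWN is reported as not locked down, so the
 * caller should check for UNKNOWN separately if it matters.
 */
int lockdown_blocks_efi_runtime(enum lockdown_state s)
{
	return s == LOCKDOWN_INTEGRITY || s == LOCKDOWN_CONFIDENTIALITY;
}

/* Read the live file; UNKNOWN if securityfs is not mounted or the file is absent. */
enum lockdown_state lockdown_read(const char *path)
{
	char buf[128];
	FILE *f = fopen(path, "r");

	if (f == NULL)
		return LOCKDOWN_UNKNOWN;
	if (fgets(buf, sizeof(buf), f) == NULL) {
		fclose(f);
		return LOCKDOWN_UNKNOWN;
	}
	fclose(f);
	return lockdown_parse(buf);
}

int main(void)
{
	/* Constructed sample contents, one per lockdown mode. */
	static const char *samples[] = {
		"[none] integrity confidentiality\n",
		"none [integrity] confidentiality\n",
		"none integrity [confidentiality]\n",
	};
	static const char *names[] = { "unknown", "none", "integrity", "confidentiality" };
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		enum lockdown_state s = lockdown_parse(samples[i]);
		printf("sample %zu: mode=%s locked=%d\n", i, names[s + 1],
		       lockdown_blocks_efi_runtime(s));
	}
	/* Live state of this machine, if the file exists at all. */
	printf("live: mode=%s\n",
	       names[lockdown_read("/sys/kernel/security/lockdown") + 1]);
	return 0;
}
```

Keeping the parser separate from the file read lets the format handling be tested with constructed strings, and returning UNKNOWN rather than false for a missing file keeps "this kernel has no lockdown LSM" visible to the caller instead of silently reading as "not locked down".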


