ACK [PATCH 1/2] lib: add kernel lockdown check
Colin Ian King
colin.king at canonical.com
Fri Mar 20 15:50:03 UTC 2020
On 20/03/2020 09:00, Ivan Hu wrote:
> Kernel lockdown has been added since 4.17, with more patches in 5.4.
> It blocks access to the UEFI runtime services.
> Add a function for checking the kernel lockdown status.
>
> Signed-off-by: Ivan Hu <ivan.hu at canonical.com>
> ---
> src/lib/include/fwts_efi_module.h | 1 +
> src/lib/src/fwts_efi_module.c | 18 ++++++++++++++++++
> 2 files changed, 19 insertions(+)
>
> diff --git a/src/lib/include/fwts_efi_module.h b/src/lib/include/fwts_efi_module.h
> index c086dc3e..c82e26d7 100644
> --- a/src/lib/include/fwts_efi_module.h
> +++ b/src/lib/include/fwts_efi_module.h
> @@ -24,5 +24,6 @@ int fwts_lib_efi_runtime_load_module(fwts_framework *fw);
> int fwts_lib_efi_runtime_unload_module(fwts_framework *fw);
> int fwts_lib_efi_runtime_open(void);
> int fwts_lib_efi_runtime_close(int fd);
> +bool fwts_lib_efi_runtime_kernel_lockdown(void);
>
> #endif
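Review bot: the new prototype introduces `bool` into this header, and no `#include <stdbool.h>` is visible in the hunk context; unless the header already pulls it in above line 24, a translation unit that includes only `fwts_efi_module.h` will fail to compile on `bool fwts_lib_efi_runtime_kernel_lockdown(void);`. Please confirm the include is present or add it alongside the other headers.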
> diff --git a/src/lib/src/fwts_efi_module.c b/src/lib/src/fwts_efi_module.c
> index d49f20b0..bc56acb7 100644
> --- a/src/lib/src/fwts_efi_module.c
> +++ b/src/lib/src/fwts_efi_module.c
> @@ -183,3 +183,21 @@ int fwts_lib_efi_runtime_close(int fd)
> {
> return close(fd);
> }
> +
> +/*
> + * fwts_lib_efi_runtime_kernel_lockdown()
> + * check if the kernel has been lockdown
> + */
> +bool fwts_lib_efi_runtime_kernel_lockdown(void)
> +{
> + char *data;
> +
> + if ((data = fwts_get("/sys/kernel/security/lockdown")) != NULL) {
> + if (strstr(data, "[none]") == NULL) {
> + free(data);
> + return true;
> + }
> + }
> + free(data);
> + return false;
> +}
>
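Review bot: the control flow in `fwts_lib_efi_runtime_kernel_lockdown()` frees `data` on two separate paths and reaches `free(data)` with a NULL pointer when `fwts_get()` fails; that is legal, but the function reads more clearly if the NULL case returns early and the result is computed once, e.g. `if (data == NULL) return false; locked = strstr(data, "[none]") == NULL; free(data); return locked;`. Two smaller points: the comment "check if the kernel has been lockdown" should read "locked down", and it is worth documenting in that comment that a missing `/sys/kernel/security/lockdown` (kernel without lockdown support, or securityfs not mounted) is reported as "not locked down", since callers will use this to decide whether UEFI runtime tests can run.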
Acked-by: Colin Ian King <colin.king at canonical.com>