[PATCH 2/2][V2][V2] uefi: check the kernel lockdown for uefi tests
Ivan Hu
ivan.hu at canonical.com
Mon Mar 23 06:51:19 UTC 2020
Check the kernel lockdown status and give warnings for those tests which
exercise UEFI runtime services via the kernel efi_test driver.
Signed-off-by: Ivan Hu <ivan.hu at canonical.com>
Acked-by: Anthony Wong <anthony.wong at canonical.com>
---
src/lib/include/fwts_efi_module.h | 2 +-
src/lib/src/fwts_efi_module.c | 10 +++++++---
src/uefi/securebootcert/securebootcert.c | 4 ++++
src/uefi/uefirtauthvar/uefirtauthvar.c | 4 ++++
src/uefi/uefirtmisc/uefirtmisc.c | 4 ++++
src/uefi/uefirttime/uefirttime.c | 4 ++++
src/uefi/uefirtvariable/uefirtvariable.c | 4 ++++
src/uefi/uefivarinfo/uefivarinfo.c | 4 ++++
8 files changed, 32 insertions(+), 4 deletions(-)
diff --git a/src/lib/include/fwts_efi_module.h b/src/lib/include/fwts_efi_module.h
index c82e26d7..7b40332a 100644
--- a/src/lib/include/fwts_efi_module.h
+++ b/src/lib/include/fwts_efi_module.h
@@ -24,6 +24,6 @@ int fwts_lib_efi_runtime_load_module(fwts_framework *fw);
int fwts_lib_efi_runtime_unload_module(fwts_framework *fw);
int fwts_lib_efi_runtime_open(void);
int fwts_lib_efi_runtime_close(int fd);
-bool fwts_lib_efi_runtime_kernel_lockdown(void);
+int fwts_lib_efi_runtime_kernel_lockdown(fwts_framework *fw);
#endif
diff --git a/src/lib/src/fwts_efi_module.c b/src/lib/src/fwts_efi_module.c
index bc56acb7..3c21b6d3 100644
--- a/src/lib/src/fwts_efi_module.c
+++ b/src/lib/src/fwts_efi_module.c
@@ -188,16 +188,20 @@ int fwts_lib_efi_runtime_close(int fd)
* fwts_lib_efi_runtime_kernel_lockdown()
* check if the kernel has been lockdown
*/
-bool fwts_lib_efi_runtime_kernel_lockdown(void)
+int fwts_lib_efi_runtime_kernel_lockdown(fwts_framework *fw)
{
char *data;
if ((data = fwts_get("/sys/kernel/security/lockdown")) != NULL) {
if (strstr(data, "[none]") == NULL) {
free(data);
- return true;
+ fwts_log_info(fw, "Kernel is in lockdown mode. Aborted.");
+ fwts_log_info(fw, "Please unlock the kernel before you test the UEFI tests.");
+ fwts_log_info(fw, "Make sure you disable secureboot and disable "
+ "the kernel lockdown, (by kernel parameter lockdown=None).");
+ return FWTS_ABORTED;
}
}
free(data);
- return false;
+ return FWTS_OK;
}
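Review bot: The remediation hint logged in the lockdown branch names `lockdown=None`, which as far as I know is not a value the kernel's `lockdown=` parameter accepts (it takes `integrity` or `confidentiality`), so a user who follows the message may still end up locked down. Something like `fwts_log_info(fw, "Boot with secure boot disabled and without a lockdown= kernel parameter.");` would be closer, with the exact wording checked against the kernel's parameter documentation. The comment above the function still says only "check if the kernel has been lockdown"; it should now say that the function logs and returns `FWTS_ABORTED` when lockdown is active, and `FWTS_OK` otherwise, including the case where `/sys/kernel/security/lockdown` cannot be read. That comment opens outside the hunk.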
diff --git a/src/uefi/securebootcert/securebootcert.c b/src/uefi/securebootcert/securebootcert.c
index 93efe894..87ace3e5 100644
--- a/src/uefi/securebootcert/securebootcert.c
+++ b/src/uefi/securebootcert/securebootcert.c
@@ -427,6 +427,10 @@ static int securebootcert_init(fwts_framework *fw)
return FWTS_ABORTED;
}
+ if (fwts_lib_efi_runtime_kernel_lockdown(fw) == FWTS_ABORTED) {
+ return FWTS_ABORTED;
+ }
+
if (fwts_lib_efi_runtime_load_module(fw) != FWTS_OK) {
fwts_log_info(fw, "Cannot load efi_runtime module. Aborted.");
return FWTS_ABORTED;
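Review bot: The new guard in securebootcert_init compares against one specific value, `== FWTS_ABORTED`, while the load-module check directly below it uses `!= FWTS_OK`. If fwts_lib_efi_runtime_kernel_lockdown() ever gains another failure code, the test would carry on against a locked-down kernel, so `if (fwts_lib_efi_runtime_kernel_lockdown(fw) != FWTS_OK)` is the safer and more consistent form. The same line is repeated in uefirtauthvar_init, uefirtmisc_init, uefirttime_init, uefirtvariable_init and uefivarinfo_init and should change with it. Each of these init functions starts and ends outside its hunk.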
diff --git a/src/uefi/uefirtauthvar/uefirtauthvar.c b/src/uefi/uefirtauthvar/uefirtauthvar.c
index 4b1ebe08..a2a88d77 100644
--- a/src/uefi/uefirtauthvar/uefirtauthvar.c
+++ b/src/uefi/uefirtauthvar/uefirtauthvar.c
@@ -120,6 +120,10 @@ static int uefirtauthvar_init(fwts_framework *fw)
return FWTS_ABORTED;
}
+ if (fwts_lib_efi_runtime_kernel_lockdown(fw) == FWTS_ABORTED) {
+ return FWTS_ABORTED;
+ }
+
if (fwts_lib_efi_runtime_load_module(fw) != FWTS_OK) {
fwts_log_info(fw, "Cannot load efi_runtime module. Aborted.");
return FWTS_ABORTED;
diff --git a/src/uefi/uefirtmisc/uefirtmisc.c b/src/uefi/uefirtmisc/uefirtmisc.c
index 5031bc48..c4176992 100644
--- a/src/uefi/uefirtmisc/uefirtmisc.c
+++ b/src/uefi/uefirtmisc/uefirtmisc.c
@@ -50,6 +50,10 @@ static int uefirtmisc_init(fwts_framework *fw)
return FWTS_ABORTED;
}
+ if (fwts_lib_efi_runtime_kernel_lockdown(fw) == FWTS_ABORTED) {
+ return FWTS_ABORTED;
+ }
+
if (fwts_lib_efi_runtime_load_module(fw) != FWTS_OK) {
fwts_log_info(fw, "Cannot load efi_runtime module. Aborted.");
return FWTS_ABORTED;
diff --git a/src/uefi/uefirttime/uefirttime.c b/src/uefi/uefirttime/uefirttime.c
index e316c0ab..ea8c3577 100644
--- a/src/uefi/uefirttime/uefirttime.c
+++ b/src/uefi/uefirttime/uefirttime.c
@@ -174,6 +174,10 @@ static int uefirttime_init(fwts_framework *fw)
return FWTS_ABORTED;
}
+ if (fwts_lib_efi_runtime_kernel_lockdown(fw) == FWTS_ABORTED) {
+ return FWTS_ABORTED;
+ }
+
if (fwts_lib_efi_runtime_load_module(fw) != FWTS_OK) {
fwts_log_info(fw, "Cannot load efi_runtime module. Aborted.");
return FWTS_ABORTED;
diff --git a/src/uefi/uefirtvariable/uefirtvariable.c b/src/uefi/uefirtvariable/uefirtvariable.c
index fbb877a6..3986d1d3 100644
--- a/src/uefi/uefirtvariable/uefirtvariable.c
+++ b/src/uefi/uefirtvariable/uefirtvariable.c
@@ -100,6 +100,10 @@ static int uefirtvariable_init(fwts_framework *fw)
return FWTS_ABORTED;
}
+ if (fwts_lib_efi_runtime_kernel_lockdown(fw) == FWTS_ABORTED) {
+ return FWTS_ABORTED;
+ }
+
if (fwts_lib_efi_runtime_load_module(fw) != FWTS_OK) {
fwts_log_info(fw, "Cannot load efi_runtime module. Aborted.");
return FWTS_ABORTED;
diff --git a/src/uefi/uefivarinfo/uefivarinfo.c b/src/uefi/uefivarinfo/uefivarinfo.c
index 79672b8e..b407f5c6 100644
--- a/src/uefi/uefivarinfo/uefivarinfo.c
+++ b/src/uefi/uefivarinfo/uefivarinfo.c
@@ -41,6 +41,10 @@ static int uefivarinfo_init(fwts_framework *fw)
return FWTS_ABORTED;
}
+ if (fwts_lib_efi_runtime_kernel_lockdown(fw) == FWTS_ABORTED) {
+ return FWTS_ABORTED;
+ }
+
if (fwts_lib_efi_runtime_load_module(fw) != FWTS_OK) {
fwts_log_info(fw, "Cannot load efi_runtime module. Aborted.");
return FWTS_ABORTED;
--
2.17.1