xref: /third_party/ltp/lib/tst_lockdown.c (revision f08c3bdf)
1// SPDX-License-Identifier: GPL-2.0-or-later
2
3#define TST_NO_DEFAULT_MAIN
4
5#define PATH_LOCKDOWN	"/sys/kernel/security/lockdown"
6
7#include <stdio.h>
8#include <stdlib.h>
9#include <sys/mount.h>
10
11#include "tst_test.h"
12#include "tst_safe_macros.h"
13#include "tst_safe_stdio.h"
14#include "tst_lockdown.h"
15#include "tst_private.h"
16
/*
 * Location and size of the firmware SecureBoot indicator.
 *
 * tst_secureboot_enabled() reads exactly VAR_DATA_SIZE bytes from
 * SECUREBOOT_VAR and interprets only the last one, so VAR_DATA_SIZE must
 * never exceed the size of that function's local buffer (5 bytes).
 *
 * NOTE(review): the EFI size of 5 presumably covers the 4-byte attribute
 * prefix efivarfs puts in front of the 1-byte SecureBoot value, and the
 * ppc64 size of 4 presumably covers one 32-bit device-tree cell - confirm.
 */
#if !defined(__powerpc64__) && !defined(__ppc64__)
# define SECUREBOOT_VAR "/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"
# define VAR_DATA_SIZE 5
#else
# define SECUREBOOT_VAR "/proc/device-tree/ibm,secure-boot"
# define VAR_DATA_SIZE 4
#endif
24
/*
 * Report the firmware SecureBoot state as exposed through SECUREBOOT_VAR.
 *
 * Returns -1 when the variable file does not exist or cannot be opened.
 * Otherwise returns the last of the VAR_DATA_SIZE bytes read from it; a
 * non-zero byte is logged as "on" and zero as "off". Callers that only
 * want a yes/no answer should test for "> 0", because -1 means "unknown",
 * not "disabled".
 */
int tst_secureboot_enabled(void)
{
	char raw[5];
	char state;
	int var_fd;

	/*
	 * The existence probe only produces a friendlier message; the result
	 * of open() below is checked on its own, so nothing relies on the
	 * file still being there between the two calls.
	 */
	if (access(SECUREBOOT_VAR, F_OK) != 0) {
		tst_res(TINFO, "SecureBoot sysfs file not available");
		return -1;
	}

	var_fd = open(SECUREBOOT_VAR, O_RDONLY);

	/* Ordinary failure (e.g. no permission): report it and carry on. */
	if (var_fd == -1) {
		tst_res(TINFO | TERRNO, "Cannot open SecureBoot file");
		return -1;
	}

	/* Any other negative descriptor is treated as a broken test setup. */
	if (var_fd < 0) {
		tst_brk(TBROK | TERRNO, "Invalid open() return value %d", var_fd);
		return -1;
	}

	/*
	 * First argument 1 asks for a strict read. NOTE(review): this relies
	 * on SAFE_READ aborting the test on a short read; otherwise the byte
	 * inspected below could be uninitialized - confirm in the macro.
	 */
	SAFE_READ(1, var_fd, raw, VAR_DATA_SIZE);
	SAFE_CLOSE(var_fd);

	/* Only the final byte carries the state; the rest is ignored. */
	state = raw[VAR_DATA_SIZE - 1];
	tst_res(TINFO, "SecureBoot: %s", state ? "on" : "off");
	return state;
}
50
/*
 * Report whether kernel lockdown appears to be active.
 *
 * When PATH_LOCKDOWN exists, its first line decides: the result is 1 unless
 * the line contains "[none]". When the file is missing, the function falls
 * back to a heuristic and returns 1 only if a lockdown-related kernel config
 * option is 'y' and tst_secureboot_enabled() reports a positive value.
 *
 * Returns 0 both for "lockdown is off" and for "state could not be
 * determined"; the two cases differ only in the TINFO message, so a 0 here
 * is not proof that the kernel is unrestricted.
 */
int tst_lockdown_enabled(void)
{
	char line[BUFSIZ];
	FILE *file;
	int locked;
	int kconfig_hit;

	if (access(PATH_LOCKDOWN, F_OK) == 0) {
		file = SAFE_FOPEN(PATH_LOCKDOWN, "r");
		if (!fgets(line, sizeof(line), file))
			tst_brk(TBROK | TERRNO, "fgets %s", PATH_LOCKDOWN);
		SAFE_FCLOSE(file);

		/*
		 * The file is expected to bracket the active mode, so the
		 * absence of "[none]" is read as lockdown being on in some
		 * mode; the specific mode is not reported.
		 */
		locked = strstr(line, "[none]") == NULL;
		tst_res(TINFO, "Kernel lockdown: %s", locked ? "on" : "off");

		return locked;
	}

	/*
	 * No lockdown file. With SecureBoot enabled, some (non-mainline)
	 * kernels may still apply integrity lockdown, so consult the kernel
	 * config for the options that would enable that behaviour. Both
	 * options are always queried; the results are simply OR-ed together.
	 */
#if defined(__powerpc64__) || defined(__ppc64__)
	kconfig_hit = tst_kconfig_get("CONFIG_SECURITY_LOCKDOWN_LSM") == 'y';
	kconfig_hit |= tst_kconfig_get("CONFIG_SECURITY_LOCKDOWN_LSM_EARLY") == 'y';
#else
	kconfig_hit = tst_kconfig_get("CONFIG_EFI_SECURE_BOOT_LOCK_DOWN") == 'y';
	kconfig_hit |= tst_kconfig_get("CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT") == 'y';
#endif

	/* SecureBoot is probed only when one of the config options matched. */
	if (kconfig_hit && tst_secureboot_enabled() > 0)
		return 1;

	tst_res(TINFO, "Unable to determine system lockdown state");
	return 0;
}
86