Message ID | 20200320090038.15263-1-ivan.hu@canonical.com |
---|---|
State | Accepted |
Series | [1/2] lib: add kernel lockdown check | expand |
On Fri, Mar 20, 2020 at 5:00 PM Ivan Hu <ivan.hu@canonical.com> wrote:
>
> Kernel lockdown is added since 4.17 and more patches in 5.4
> It blocks the access to the uefi runtime services.
> Add the function for checking kernel lockdown status.
>
> Signed-off-by: Ivan Hu <ivan.hu@canonical.com>
> ---
>  src/lib/include/fwts_efi_module.h |  1 +
>  src/lib/src/fwts_efi_module.c     | 18 ++++++++++++++++++
>  2 files changed, 19 insertions(+)
>
> diff --git a/src/lib/include/fwts_efi_module.h b/src/lib/include/fwts_efi_module.h
> index c086dc3e..c82e26d7 100644
> --- a/src/lib/include/fwts_efi_module.h
> +++ b/src/lib/include/fwts_efi_module.h
> @@ -24,5 +24,6 @@ int fwts_lib_efi_runtime_load_module(fwts_framework *fw);
>  int fwts_lib_efi_runtime_unload_module(fwts_framework *fw);
>  int fwts_lib_efi_runtime_open(void);
>  int fwts_lib_efi_runtime_close(int fd);
> +bool fwts_lib_efi_runtime_kernel_lockdown(void);
>
>  #endif
> diff --git a/src/lib/src/fwts_efi_module.c b/src/lib/src/fwts_efi_module.c
> index d49f20b0..bc56acb7 100644
> --- a/src/lib/src/fwts_efi_module.c
> +++ b/src/lib/src/fwts_efi_module.c
> @@ -183,3 +183,21 @@ int fwts_lib_efi_runtime_close(int fd)
>  {
>  	return close(fd);
>  }
> +
> +/*
> + *  fwts_lib_efi_runtime_kernel_lockdown()
> + *	check if the kernel has been lockdown
> + */
> +bool fwts_lib_efi_runtime_kernel_lockdown(void)
> +{
> +	char *data;
> +
> +	if ((data = fwts_get("/sys/kernel/security/lockdown")) != NULL) {
> +		if (strstr(data, "[none]") == NULL) {
> +			free(data);
> +			return true;
> +		}
> +	}
> +	free(data);
> +	return false;
> +}
> --
> 2.17.1

Acked-by: Anthony Wong <anthony.wong@canonical.com>
On 20/03/2020 09:00, Ivan Hu wrote:
> Kernel lockdown is added since 4.17 and more patches in 5.4
> It blocks the access to the uefi runtime services.
> Add the function for checking kernel lockdown status.
>
> Signed-off-by: Ivan Hu <ivan.hu@canonical.com>
> ---
>  src/lib/include/fwts_efi_module.h |  1 +
>  src/lib/src/fwts_efi_module.c     | 18 ++++++++++++++++++
>  2 files changed, 19 insertions(+)
>
> diff --git a/src/lib/include/fwts_efi_module.h b/src/lib/include/fwts_efi_module.h
> index c086dc3e..c82e26d7 100644
> --- a/src/lib/include/fwts_efi_module.h
> +++ b/src/lib/include/fwts_efi_module.h
> @@ -24,5 +24,6 @@ int fwts_lib_efi_runtime_load_module(fwts_framework *fw);
>  int fwts_lib_efi_runtime_unload_module(fwts_framework *fw);
>  int fwts_lib_efi_runtime_open(void);
>  int fwts_lib_efi_runtime_close(int fd);
> +bool fwts_lib_efi_runtime_kernel_lockdown(void);
>
>  #endif
> diff --git a/src/lib/src/fwts_efi_module.c b/src/lib/src/fwts_efi_module.c
> index d49f20b0..bc56acb7 100644
> --- a/src/lib/src/fwts_efi_module.c
> +++ b/src/lib/src/fwts_efi_module.c
> @@ -183,3 +183,21 @@ int fwts_lib_efi_runtime_close(int fd)
>  {
>  	return close(fd);
>  }
> +
> +/*
> + *  fwts_lib_efi_runtime_kernel_lockdown()
> + *	check if the kernel has been lockdown
> + */
> +bool fwts_lib_efi_runtime_kernel_lockdown(void)
> +{
> +	char *data;
> +
> +	if ((data = fwts_get("/sys/kernel/security/lockdown")) != NULL) {
> +		if (strstr(data, "[none]") == NULL) {
> +			free(data);
> +			return true;
> +		}
> +	}
> +	free(data);
> +	return false;
> +}
>
Acked-by: Colin Ian King <colin.king@canonical.com>
diff --git a/src/lib/include/fwts_efi_module.h b/src/lib/include/fwts_efi_module.h
index c086dc3e..c82e26d7 100644
--- a/src/lib/include/fwts_efi_module.h
+++ b/src/lib/include/fwts_efi_module.h
@@ -24,5 +24,6 @@ int fwts_lib_efi_runtime_load_module(fwts_framework *fw);
 int fwts_lib_efi_runtime_unload_module(fwts_framework *fw);
 int fwts_lib_efi_runtime_open(void);
 int fwts_lib_efi_runtime_close(int fd);
+bool fwts_lib_efi_runtime_kernel_lockdown(void);
 
 #endif
diff --git a/src/lib/src/fwts_efi_module.c b/src/lib/src/fwts_efi_module.c
index d49f20b0..bc56acb7 100644
--- a/src/lib/src/fwts_efi_module.c
+++ b/src/lib/src/fwts_efi_module.c
@@ -183,3 +183,21 @@ int fwts_lib_efi_runtime_close(int fd)
 {
 	return close(fd);
 }
+
+/*
+ *  fwts_lib_efi_runtime_kernel_lockdown()
+ *	check if the kernel has been lockdown
+ */
+bool fwts_lib_efi_runtime_kernel_lockdown(void)
+{
+	char *data;
+
+	if ((data = fwts_get("/sys/kernel/security/lockdown")) != NULL) {
+		if (strstr(data, "[none]") == NULL) {
+			free(data);
+			return true;
+		}
+	}
+	free(data);
+	return false;
+}
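Review bot: The added prototype `bool fwts_lib_efi_runtime_kernel_lockdown(void);` is the only use of `bool` visible in fwts_efi_module.h, and the hunk shows no `#include <stdbool.h>` or project header that would supply it; if this header is meant to compile on its own, add `#include <stdbool.h>` above the prototypes. The top of the header is outside the hunk, so an earlier include may already cover this — worth a quick check rather than relying on whatever the including .c file happens to pull in first.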
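Review bot: In fwts_lib_efi_runtime_kernel_lockdown() a missing or unreadable /sys/kernel/security/lockdown (fwts_get() returning NULL) produces the same `false` as an explicit `[none]`, so a kernel whose lockdown support does not expose this securityfs entry — the commit message itself notes lockdown predates the 5.4 patches — or a system where securityfs is not mounted is reported as not locked down, and callers will proceed to EFI runtime calls that then fail for no visible reason. The header comment should state that asymmetry, e.g. `* Returns true only when the lockdown file is readable and not in [none] mode;` / `* returns false both for [none] and when the file cannot be read (securityfs` / `* not mounted, or a lockdown kernel without the securityfs entry).` If the caller in patch 2/2 needs to tell "not locked down" from "could not check", consider logging when fwts_get() returns NULL or returning a tri-state rather than bool. Note also that the strstr() test treats any mode other than `[none]` — `[integrity]` as well as `[confidentiality]` — as locked down, which fits the stated purpose but deserves a one-line comment so nobody later "fixes" it to match only confidentiality.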
Kernel lockdown has been available since 4.17, with further patches landing in 5.4. It blocks access to the UEFI runtime services. Add a function for checking the kernel lockdown status. Signed-off-by: Ivan Hu <ivan.hu@canonical.com> --- src/lib/include/fwts_efi_module.h | 1 + src/lib/src/fwts_efi_module.c | 18 ++++++++++++++++++ 2 files changed, 19 insertions(+)