selftests/kexec: update get_secureboot_mode

The get_secureboot_mode() function unnecessarily requires both CONFIG_EFIVAR_FS and CONFIG_EFI_VARS to be enabled to determine if the system is booted in secure boot mode. On some systems the old EFI variable support is not enabled or, possibly, even implemented. This patch first checks the efivars filesystem for the SecureBoot and SetupMode flags, but falls back to using the old EFI variable support. The "secure_boot_file" and "setup_mode_file" couldn't be quoted due to globbing. This patch also removes the globbing. Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> Reviewed-by: Petr Vorel <pvorel@suse.cz> Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>

selftests/kexec: update get_secureboot_mode
The get_secureboot_mode() function unnecessarily requires both CONFIG_EFIVAR_FS and CONFIG_EFI_VARS to be enabled to determine if the system is booted in secure boot mode. On some systems the old EFI variable support is not enabled or, possibly, even implemented. This patch first checks the efivars filesystem for the SecureBoot and SetupMode flags, but falls back to using the old EFI variable support. The "secure_boot_file" and "setup_mode_file" couldn't be quoted due to globbing. This patch also removes the globbing. Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> Reviewed-by: Petr Vorel <pvorel@suse.cz> Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
b433a52a · Mimi Zohar · Shuah Khan · 726ff75f · b433a52a
Commit b433a52a authored Apr 01, 2019 by Mimi Zohar Committed by Shuah Khan Apr 17, 2019
Hide whitespace changes
Inline Side-by-side

Showing with 66 additions and 20 deletions

tools/testing/selftests/kexec/kexec_common_lib.sh tools/testing/selftests/kexec/kexec_common_lib.sh +66 -20

No files found.
--- a/tools/testing/selftests/kexec/kexec_common_lib.sh
+++ b/tools/testing/selftests/kexec/kexec_common_lib.sh
@@ -34,6 +34,63 @@ log_skip()
 	exit 4
 }

+# Check efivar SecureBoot-$(the UUID) and SetupMode-$(the UUID).
+# (Based on kdump-lib.sh)
+get_efivarfs_secureboot_mode()
+{
+	local efivarfs="/sys/firmware/efi/efivars"
+	local secure_boot_file=""
+	local setup_mode_file=""
+	local secureboot_mode=0
+	local setup_mode=0
+
+	# Make sure that efivar_fs is mounted in the normal location
+	if ! grep -q "^\S\+ $efivarfs efivarfs" /proc/mounts; then
+		log_info "efivars is not mounted on $efivarfs"
+		return 0;
+	fi
+	secure_boot_file=$(find "$efivarfs" -name SecureBoot-* 2>/dev/null)
+	setup_mode_file=$(find "$efivarfs" -name SetupMode-* 2>/dev/null)
+	if [ -f "$secure_boot_file" ] && [ -f "$setup_mode_file" ]; then
+		secureboot_mode=$(hexdump -v -e '/1 "%d\ "' \
+			"$secure_boot_file"|cut -d' ' -f 5)
+		setup_mode=$(hexdump -v -e '/1 "%d\ "' \
+			"$setup_mode_file"|cut -d' ' -f 5)
+
+		if [ $secureboot_mode -eq 1 ] && [ $setup_mode -eq 0 ]; then
+			log_info "secure boot mode enabled (CONFIG_EFIVAR_FS)"
+			return 1;
+		fi
+	fi
+	return 0;
+}
+
+get_efi_var_secureboot_mode()
+{
+	local efi_vars
+	local secure_boot_file
+	local setup_mode_file
+	local secureboot_mode
+	local setup_mode
+
+	if [ ! -d "$efi_vars" ]; then
+		log_skip "efi_vars is not enabled\n"
+	fi
+	secure_boot_file=$(find "$efi_vars" -name SecureBoot-* 2>/dev/null)
+	setup_mode_file=$(find "$efi_vars" -name SetupMode-* 2>/dev/null)
+	if [ -f "$secure_boot_file/data" ] && \
+	   [ -f "$setup_mode_file/data" ]; then
+		secureboot_mode=`od -An -t u1 "$secure_boot_file/data"`
+		setup_mode=`od -An -t u1 "$setup_mode_file/data"`
+
+		if [ $secureboot_mode -eq 1 ] && [ $setup_mode -eq 0 ]; then
+			log_info "secure boot mode enabled (CONFIG_EFI_VARS)"
+			return 1;
+		fi
+	fi
+	return 0;
+}
+
 # Check efivar SecureBoot-$(the UUID) and SetupMode-$(the UUID).
 # The secure boot mode can be accessed either as the last integer
 # of "od -An -t u1 /sys/firmware/efi/efivars/SecureBoot-*" or from
@@ -42,32 +99,21 @@ log_skip()
 # Return 1 for SecureBoot mode enabled and SetupMode mode disabled.
 get_secureboot_mode()
 {
-	local efivarfs="/sys/firmware/efi/efivars"
-	local secure_boot_file="$efivarfs/../vars/SecureBoot-*/data"
-	local setup_mode_file="$efivarfs/../vars/SetupMode-*/data"
 	local secureboot_mode=0
-	local setup_mode=0

-	# Make sure that efivars is mounted in the normal location
-	if ! grep -q "^\S\+ $efivarfs efivarfs" /proc/mounts; then
-		log_skip "efivars is not mounted on $efivarfs"
-	fi
+	get_efivarfs_secureboot_mode
+	secureboot_mode=$?

-	# Due to globbing, quoting "secure_boot_file" and "setup_mode_file"
-	# is not possible.  (Todo: initialize variables using find or ls.)
-	if [ ! -e $secure_boot_file ] || [ ! -e $setup_mode_file ]; then
-		log_skip "unknown secureboot/setup mode"
+	# fallback to using the efi_var files
+	if [ $secureboot_mode -eq 0 ]; then
+		get_efi_var_secureboot_mode
+		secureboot_mode=$?
 	fi

-	secureboot_mode=`od -An -t u1 $secure_boot_file`
-	setup_mode=`od -An -t u1 $setup_mode_file`
-
-	if [ $secureboot_mode -eq 1 ] && [ $setup_mode -eq 0 ]; then
-		log_info "secure boot mode enabled"
-		return 1;
+	if [ $secureboot_mode -eq 0 ]; then
+		log_info "secure boot mode not enabled"
 	fi
-	log_info "secure boot mode not enabled"
-	return 0;
+	return $secureboot_mode;
 }

 require_root_privileges()