
selftests/kexec: update get_secureboot_mode

The get_secureboot_mode() function unnecessarily requires both
CONFIG_EFIVAR_FS and CONFIG_EFI_VARS to be enabled to determine if the
system is booted in secure boot mode. On some systems the old EFI
variable support is not enabled or, possibly, even implemented.

This patch first checks the efivars filesystem for the SecureBoot and
SetupMode flags, but falls back to using the old EFI variable support.

The "secure_boot_file" and "setup_mode_file" couldn't be quoted due to
globbing. This patch also removes the globbing.

Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Reviewed-by: Petr Vorel <pvorel@suse.cz>
Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>

authored by

Mimi Zohar and committed by
Shuah Khan
b433a52a 726ff75f

+67 -21
+67 -21
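--- a/tools/testing/selftests/kexec/kexec_common_lib.sh
+++ b/tools/testing/selftests/kexec/kexec_common_lib.sh
@@ -35,6 +35,63 @@
 }
 
 # Check efivar SecureBoot-$(the UUID) and SetupMode-$(the UUID).
+# (Based on kdump-lib.sh)
+get_efivarfs_secureboot_mode()
+{
+local efivarfs="/sys/firmware/efi/efivars"
+local secure_boot_file=""
+local setup_mode_file=""
+local secureboot_mode=0
+local setup_mode=0
+
+# Make sure that efivar_fs is mounted in the normal location
+if ! grep -q "^\S\+ $efivarfs efivarfs" /proc/mounts; then
+log_info "efivars is not mounted on $efivarfs"
+return 0;
+fi
+secure_boot_file=$(find "$efivarfs" -name SecureBoot-* 2>/dev/null)
+setup_mode_file=$(find "$efivarfs" -name SetupMode-* 2>/dev/null)
+if [ -f "$secure_boot_file" ] && [ -f "$setup_mode_file" ]; then
+secureboot_mode=$(hexdump -v -e '/1 "%d\ "' \
+"$secure_boot_file"|cut -d' ' -f 5)
+setup_mode=$(hexdump -v -e '/1 "%d\ "' \
+"$setup_mode_file"|cut -d' ' -f 5)
+
+if [ $secureboot_mode -eq 1 ] && [ $setup_mode -eq 0 ]; then
+log_info "secure boot mode enabled (CONFIG_EFIVAR_FS)"
+return 1;
+fi
+fi
+return 0;
+}
+
+get_efi_var_secureboot_mode()
+{
+local efi_vars
+local secure_boot_file
+local setup_mode_file
+local secureboot_mode
+local setup_mode
+
+if [ ! -d "$efi_vars" ]; then
+log_skip "efi_vars is not enabled\n"
+fi
+secure_boot_file=$(find "$efi_vars" -name SecureBoot-* 2>/dev/null)
+setup_mode_file=$(find "$efi_vars" -name SetupMode-* 2>/dev/null)
+if [ -f "$secure_boot_file/data" ] && \
+[ -f "$setup_mode_file/data" ]; then
+secureboot_mode=`od -An -t u1 "$secure_boot_file/data"`
+setup_mode=`od -An -t u1 "$setup_mode_file/data"`
+
+if [ $secureboot_mode -eq 1 ] && [ $setup_mode -eq 0 ]; then
+log_info "secure boot mode enabled (CONFIG_EFI_VARS)"
+return 1;
+fi
+fi
+return 0;
+}
+
+# Check efivar SecureBoot-$(the UUID) and SetupMode-$(the UUID).
 # The secure boot mode can be accessed either as the last integer
 # of "od -An -t u1 /sys/firmware/efi/efivars/SecureBoot-*" or from
 # "od -An -t u1 /sys/firmware/efi/vars/SecureBoot-*/data". The efi
@@ -42,32 +99,21 @@
 # Return 1 for SecureBoot mode enabled and SetupMode mode disabled.
 get_secureboot_mode()
 {
-local efivarfs="/sys/firmware/efi/efivars"
-local secure_boot_file="$efivarfs/../vars/SecureBoot-*/data"
-local setup_mode_file="$efivarfs/../vars/SetupMode-*/data"
 local secureboot_mode=0
-local setup_mode=0
 
-# Make sure that efivars is mounted in the normal location
-if ! grep -q "^\S\+ $efivarfs efivarfs" /proc/mounts; then
-log_skip "efivars is not mounted on $efivarfs"
+get_efivarfs_secureboot_mode
+secureboot_mode=$?
+
+# fallback to using the efi_var files
+if [ $secureboot_mode -eq 0 ]; then
+get_efi_var_secureboot_mode
+secureboot_mode=$?
 fi
 
-# Due to globbing, quoting "secure_boot_file" and "setup_mode_file"
-# is not possible. (Todo: initialize variables using find or ls.)
-if [ ! -e $secure_boot_file ] || [ ! -e $setup_mode_file ]; then
-log_skip "unknown secureboot/setup mode"
+if [ $secureboot_mode -eq 0 ]; then
+log_info "secure boot mode not enabled"
 fi
-
-secureboot_mode=`od -An -t u1 $secure_boot_file`
-setup_mode=`od -An -t u1 $setup_mode_file`
-
-if [ $secureboot_mode -eq 1 ] && [ $setup_mode -eq 0 ]; then
-log_info "secure boot mode enabled"
-return 1;
-fi
-log_info "secure boot mode not enabled"
-return 0;
+return $secureboot_mode;
 }
 
 require_root_privileges()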
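Review bot: In `get_efi_var_secureboot_mode()`, `efi_vars` is declared with `local efi_vars` but never assigned, so `[ ! -d "$efi_vars" ]` tests an empty path and is always true; the fallback therefore always reaches `log_skip "efi_vars is not enabled\n"` and never reads the `SecureBoot-*/data` and `SetupMode-*/data` files. Initialize it where it is declared, for example `local efi_vars="/sys/firmware/efi/vars"`, which is the directory the header comment above `get_secureboot_mode()` names. If `log_skip` ends the test, as its use in the removed code suggests, every system where the efivarfs check returns 0 is skipped, including one with secure boot simply disabled, so the "not enabled" path goes unexercised. Separately, the `-name SecureBoot-*` and `-name SetupMode-*` patterns in both new functions are unquoted, so the shell can expand them against the current directory before `find` sees them; `-name 'SecureBoot-*'` keeps the pattern intact.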