From 0102f3bd05c10ff57d501e835317de61b949efe8 Mon Sep 17 00:00:00 2001
From: Nageswara R Sastry
Date: Thu, 7 Sep 2023 10:10:10 +0530
Subject: [PATCH] lib/tst_lockdown.c: Add PPC64 architecture support

Add PPC64 architecture support to the lockdown library.

Signed-off-by: R Nageswara Sastry
Reviewed-by: Martin Doucha
Reviewed-by: Cyril Hrubis
---
 lib/tst_lockdown.c | 30 +++++++++++++++++++++---------
 1 file changed, 21 insertions(+), 9 deletions(-)

diff --git a/lib/tst_lockdown.c b/lib/tst_lockdown.c
index 9086eba36ff..38d83088600 100644
--- a/lib/tst_lockdown.c
+++ b/lib/tst_lockdown.c
@@ -14,33 +14,38 @@
 #include "tst_lockdown.h" #include "tst_private.h"
-#define EFIVAR_SECUREBOOT "/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"
+#if defined(__powerpc64__) || defined(__ppc64__)
+# define SECUREBOOT_VAR "/proc/device-tree/ibm,secure-boot"
+# define VAR_DATA_SIZE 4
+#else
+# define SECUREBOOT_VAR "/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"
+# define VAR_DATA_SIZE 5
+#endif
 int tst_secureboot_enabled(void) { int fd; char data[5];
- if (access(EFIVAR_SECUREBOOT, F_OK)) {
- tst_res(TINFO, "Efivar FS not available");
+ if (access(SECUREBOOT_VAR, F_OK)) {
+ tst_res(TINFO, "SecureBoot sysfs file not available");
 return -1; }
- fd = open(EFIVAR_SECUREBOOT, O_RDONLY);
+ fd = open(SECUREBOOT_VAR, O_RDONLY);
 if (fd == -1) { tst_res(TINFO | TERRNO,
- "Cannot open SecureBoot Efivar sysfile");
+ "Cannot open SecureBoot file");
 return -1; } else if (fd < 0) { tst_brk(TBROK | TERRNO, "Invalid open() return value %d", fd); return -1; }
-
- SAFE_READ(1, fd, data, 5);
+ SAFE_READ(1, fd, data, VAR_DATA_SIZE);
 SAFE_CLOSE(fd);
- tst_res(TINFO, "SecureBoot: %s", data[4] ? "on" : "off");
- return data[4];
+ tst_res(TINFO, "SecureBoot: %s", data[VAR_DATA_SIZE - 1] ? "on" : "off");
+ return data[VAR_DATA_SIZE - 1];
 } int tst_lockdown_enabled(void)
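Review bot: In `tst_secureboot_enabled()` the PPC64 path treats any non-zero last byte of `/proc/device-tree/ibm,secure-boot` as "on", the same test the EFI variable gets. If that property encodes more than on/off (for example an audit or log-only state below full enforcement, which I believe the powerpc kernel code distinguishes; worth confirming against the platform documentation), the helper would report secure boot as enabled on a machine that does not enforce it, and tests that rely on it would draw the wrong conclusion. A comment naming the values that count as enabled, or a per-architecture threshold next to `VAR_DATA_SIZE`, would make the intent explicit. Separately, the buffer is still declared `char data[5];` while the read length is now `VAR_DATA_SIZE`; `char data[VAR_DATA_SIZE];` keeps the two from drifting apart. The new info message also says "sysfs file" although the PPC64 path lives under `/proc`.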
@@ -51,9 +56,16 @@ int tst_lockdown_enabled(void) if (access(PATH_LOCKDOWN, F_OK) != 0) { char flag; + /* SecureBoot enabled could mean integrity lockdown (non-mainline version) */ +#if defined(__powerpc64__) || defined(__ppc64__) + flag = tst_kconfig_get("CONFIG_SECURITY_LOCKDOWN_LSM") == 'y'; + flag |= tst_kconfig_get("CONFIG_SECURITY_LOCKDOWN_LSM_EARLY") == 'y'; +#else flag = tst_kconfig_get("CONFIG_EFI_SECURE_BOOT_LOCK_DOWN") == 'y'; flag |= tst_kconfig_get("CONFIG_LOCK_DOWN_IN_EFI_SECURE_BOOT") == 'y'; +#endif + if (flag && tst_secureboot_enabled() > 0) return 1;
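Review bot: The PPC64 branch in `tst_lockdown_enabled()` keys on `CONFIG_SECURITY_LOCKDOWN_LSM` and `CONFIG_SECURITY_LOCKDOWN_LSM_EARLY`, which indicate that the lockdown LSM is built in rather than that a lockdown level is active, so combined with `tst_secureboot_enabled() > 0` this is a heuristic that may report lockdown on a system that is not locked down. The comment above the `#if` speaks only of the non-mainline integrity lockdown, which does not describe the mainline options checked for PPC64; I would add a line inside that branch such as `/* PPC64: lockdown LSM built in + secure boot on is taken as locked down (heuristic) */`. This path runs only when `PATH_LOCKDOWN` is not accessible, and the function begins and ends outside the hunk, so the fallback after `return 1;` is not visible here.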