The get_secureboot_mode() function unnecessarily requires both
CONFIG_EFIVAR_FS and CONFIG_EFI_VARS to be enabled to determine if the
system is booted in secure boot mode. On some systems the old EFI
variable support is not enabled or, possibly, even implemented.
This patch first checks the efivars filesystem for the SecureBoot and
SetupMode flags, but falls back to using the old EFI variable support.
The "secure_boot_file" and "setup_mode_file" couldn't be quoted due to
globbing. This patch also removes the globbing.
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Reviewed-by: Petr Vorel <pvorel@suse.cz>
Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
The kernel can be configured to verify PE signed kernel images, IMA
kernel image signatures, both types of signatures, or none. This test
verifies only properly signed kernel images are loaded into memory,
based on the kernel configuration and runtime policies.
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Reviewed-by: Petr Vorel <pvorel@suse.cz>
Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
Many tests require root privileges. Define a common function.
Suggested-by: Petr Vorel <pvorel@suse.cz>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Reviewed-by: Petr Vorel <pvorel@suse.cz>
Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
Define, update and move get_secureboot_mode() to a common file for use
by other tests.
Updated to check both the efivar SecureBoot-$(UUID) and
SetupMode-$(UUID), based on Dave Young's review.
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Reviewed-by: Petr Vorel <pvorel@suse.cz>
Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
Mimi Zohar