Implement secure boot kernel lockdown check

Verify that if we are "secure booted" that kernel lockdown is enabled
os-autoinst · Apr 11, 2022 · 333d0b5 · 333d0b5
1 parent 5b066dd
commit 333d0b5
Show file tree

Hide file tree

Showing 2 changed files with 40 additions and 0 deletions.
diff --git a/schedule/security/secureboot_kernel_lockdown.yaml b/schedule/security/secureboot_kernel_lockdown.yaml
@@ -0,0 +1,7 @@
+name: Secureboot kernel lockdown check
+description:    >
+    Verify that if we are "secure booted" that kernel lockdown is enabled
+schedule:
+    - boot/boot_to_desktop
+    - console/consoletest_setup
+    - security/secureboot/kernel_lockdown
diff --git a/tests/security/secureboot/kernel_lockdown.pm b/tests/security/secureboot/kernel_lockdown.pm
@@ -0,0 +1,33 @@
+# Copyright 2022 SUSE LLC
+# SPDX-License-Identifier: GPL-2.0-or-later
+#
+# Summary: Verify that if we are "secure booted" that kernel lockdown is enabled
+#
+# Maintainer: rfan1 <richard.fan@suse.com>
+# Tags: poo#109611
+
+use strict;
+use warnings;
+use base 'opensusebasetest';
+use testapi;
+
+sub run {
+    my $self = shift;
+    $self->select_serial_terminal;
+
+    # Make sure system is secureboot enabled
+    validate_script_output('mokutil --sb-state', sub { m/SecureBoot enabled/ });
+
+    # Print the context of "/sys/kernel/security/lockdown" file
+    my $file_cont = script_output('cat /sys/kernel/security/lockdown');
+    record_info('lockdown info', "$file_cont");
+
+    # Make sure lockdown is enabled
+    validate_script_output('if grep "\[none\]" /sys/kernel/security/lockdown; then echo "FAIL"; else echo "PASS"; fi', sub { /PASS/ });
+    my $result = script_run('dd if=/dev/mem count=1');
+    if (!$result) {
+        die('lockdown is NOT enabled');
+    }
+}
+
+1;