From e1b77cf7f0d2381565c3ce91b623f739122ad0a4 Mon Sep 17 00:00:00 2001
From: Li Zhou
Date: Tue, 25 Oct 2022 16:36:02 +0800
Subject: [PATCH] kdump-tools: adapt check_secure_boot checking

The kdump-config uses files under /sys/firmware/efi/efivars to detect
secure boot status. But efivars isn't in use because
CONFIG_EFIVAR_FS is not set. We don't want to enable it because
when applying the preempt_rt patch to the Linux kernel,
EFI variables at runtime are disabled by default due to
high latencies
(https://www.spinics.net/lists/linux-rt-users/msg19980.html).

So change to use /sys/kernel/security/lockdown to detect secure
boot status because it is set to 'integrity' in the Debian patch
[efi: Lock down the kernel if booted in secure boot mode] which is
in use by us.

Test Plan:
PASS: Run "sudo kdump-config reload" on target successfully.
PASS: Can generate vmcore files in /var/log/crash after kernel panic.
PASS: Above tests are done with both secure boot enabled and disabled.

Story: 2009221
Task: 46644

Signed-off-by: Li Zhou
Change-Id: I4c305ef49af6da84a7558d1fce6bbb19b8569401
---
...ols-adapt-check_secure_boot-checking.patch | 45 +++++++++++++++++++
tools/kdump-tools/debian/deb_patches/series | 1 +
2 files changed, 46 insertions(+)
create mode 100644 tools/kdump-tools/debian/deb_patches/0002-kdump-tools-adapt-check_secure_boot-checking.patch
diff --git a/tools/kdump-tools/debian/deb_patches/0002-kdump-tools-adapt-check_secure_boot-checking.patch b/tools/kdump-tools/debian/deb_patches/0002-kdump-tools-adapt-check_secure_boot-checking.patch
new file mode 100644
index 000000000..0afcc3a7b
--- /dev/null
+++ b/tools/kdump-tools/debian/deb_patches/0002-kdump-tools-adapt-check_secure_boot-checking.patch
@@ -0,0 +1,45 @@
+From 5de1965d635d43d8d7d88074e7ebc9e73287c11f Mon Sep 17 00:00:00 2001
+From: Li Zhou
+Date: Tue, 25 Oct 2022 13:07:35 +0800
+Subject: [PATCH] kdump-tools: adapt check_secure_boot checking
+
+The kdump-config uses files under /sys/firmware/efi/efivars to detect
+secure boot status. But efivars isn't in use because
+CONFIG_EFIVAR_FS is not set. We don't want to enable it because
+when applying the preempt_rt patch to the Linux kernel,
+EFI variables at runtime are disabled by default due to
+high latencies
+(https://www.spinics.net/lists/linux-rt-users/msg19980.html).
+
+So change to use /sys/kernel/security/lockdown to detect secure
+boot status because it is set to 'integrity' in the debian patch
+[efi: Lock down the kernel if booted in secure boot mode] which is
+in use by us.
+
+Signed-off-by: Li Zhou
+---
+ debian/kdump-config.in | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/debian/kdump-config.in b/debian/kdump-config.in
+index eb23da1..543bab4 100755
+--- a/debian/kdump-config.in
++++ b/debian/kdump-config.in
+@@ -351,7 +351,13 @@ check_securelevel()
+ check_secure_boot()
+ {
+ # shellcheck disable=SC2039
+- local sb_path sb sm
++ local sb_path sb sm sb_lock
++
++ sb_lock=$(cat /sys/kernel/security/lockdown | cut -d '[' -f2 | cut -d ']' -f1)
++ echo "Kernel security lockdown: ${sb_lock}"
++ if [ "${sb_lock}" != "none" ] ; then
++ return 0
++ fi
+
+ sb_path=$(find /sys/firmware/efi/efivars -name 'SecureBoot-*' 2>/dev/null)
+ sm_path=$(find /sys/firmware/efi/efivars -name 'SetupMode-*' 2>/dev/null)
+--
+2.25.1
+
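Review bot: the early return added to check_secure_boot, `if [ "${sb_lock}" != "none" ] ; then return 0`, treats every lockdown state other than `none` as Secure Boot being enabled, whereas the commit message only justifies the `integrity` value that the Debian secure-boot lockdown patch sets. A kernel locked down to `confidentiality`, one locked down by the `lockdown=` command-line parameter without Secure Boot, and a machine where /sys/kernel/security/lockdown does not exist or securityfs is not mounted (the `cat` then fails, prints an error and leaves `sb_lock` empty, which is also `!= "none"`) all take the same branch and never reach the existing efivars detection below. Suggest guarding the read so the function falls through to the efivars path when the file is unavailable, e.g. `if [ -r /sys/kernel/security/lockdown ]; then` around the new block, and matching the commit message by testing for `integrity` explicitly rather than for anything but `none`. Style: `cat file | cut | cut` is a useless-cat pipeline (shellcheck SC2002, not covered by the SC2039 disable above); a single `sed -n 's/.*\[\(.*\)\].*/\1/p' /sys/kernel/security/lockdown` extracts the bracketed mode in one step.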
diff --git a/tools/kdump-tools/debian/deb_patches/series b/tools/kdump-tools/debian/deb_patches/series
index ed99c1c21..504891a73 100644
--- a/tools/kdump-tools/debian/deb_patches/series
+++ b/tools/kdump-tools/debian/deb_patches/series
@@ -1 +1,2 @@
0001-kdump-tools-add-vmlinuz-and-initrd.img-soft-link.patch
+0002-kdump-tools-adapt-check_secure_boot-checking.patch