kdump-tools: adapt check_secure_boot checking

The kdump-config uses files under /sys/firmware/efi/efivars to detect secure boot status. But efivars isn't in use because CONFIG_EFIVAR_FS is not set. We don't want to enable it because when applying the preempt_rt patch to the Linux kernel, EFI variables at runtime are disabled by default due to high latencies (https://www.spinics.net/lists/linux-rt-users/msg19980.html). So change to use /sys/kernel/security/lockdown to detect secure boot status because it is set to 'integrity' in the debian patch [efi: Lock down the kernel if booted in secure boot mode] which is in use by us. Test Plan: PASS: Run "sudo kdump-config reload" on target successfully. PASS: Can generate vmcore files in /var/log/crash after kernel panic. PASS: Above tests are done with both secure boot enabled and disabled. Story: 2009221 Task: 46644 Signed-off-by: Li Zhou <li.zhou@windriver.com> Change-Id: I4c305ef49af6da84a7558d1fce6bbb19b8569401
2022-10-25 16:36:02 +08:00 · 2022-10-25 16:36:02 +08:00 · e1b77cf7f0
commit e1b77cf7f0
parent 49c7ab3605
2 changed files with 46 additions and 0 deletions
--- a/tools/kdump-tools/debian/deb_patches/0002-kdump-tools-adapt-check_secure_boot-checking.patch
+++ b/tools/kdump-tools/debian/deb_patches/0002-kdump-tools-adapt-check_secure_boot-checking.patch
@ -0,0 +1,45 @@
 From 5de1965d635d43d8d7d88074e7ebc9e73287c11f Mon Sep 17 00:00:00 2001
 From: Li Zhou <li.zhou@windriver.com>
 Date: Tue, 25 Oct 2022 13:07:35 +0800
 Subject: [PATCH] kdump-tools: adapt check_secure_boot checking
 The kdump-config uses files under /sys/firmware/efi/efivars to detect
 secure boot status. But efivars isn't in use because
 CONFIG_EFIVAR_FS is not set. We don't want to enable it because
 when applying the preempt_rt patch to the Linux kernel,
 EFI variables at runtime are disabled by default due to
 high latencies
 (https://www.spinics.net/lists/linux-rt-users/msg19980.html).
 So change to use /sys/kernel/security/lockdown to detect secure
 boot status because it is set to 'integrity' in the debian patch
 [efi: Lock down the kernel if booted in secure boot mode] which is
 in use by us.
 Signed-off-by: Li Zhou <li.zhou@windriver.com>
 ---
 debian/kdump-config.in | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
 diff --git a/debian/kdump-config.in b/debian/kdump-config.in
 index eb23da1..543bab4 100755
 --- a/debian/kdump-config.in
 +++ b/debian/kdump-config.in
@@ -351,7 +351,13 @@ check_securelevel()
 check_secure_boot()
 {
 	# shellcheck disable=SC2039
 -	local sb_path sb sm
 +	local sb_path sb sm sb_lock
 +
 +	sb_lock=$(cat /sys/kernel/security/lockdown | cut -d '[' -f2 | cut -d ']' -f1)
 +	echo "Kernel security lockdown: ${sb_lock}"
 +	if [ "${sb_lock}" != "none" ] ; then
 +		return 0
 +	fi
 	sb_path=$(find /sys/firmware/efi/efivars -name 'SecureBoot-*' 2>/dev/null)
 	sm_path=$(find /sys/firmware/efi/efivars -name 'SetupMode-*' 2>/dev/null)
 -- 
 2.25.1
--- a/tools/kdump-tools/debian/deb_patches/series
+++ b/tools/kdump-tools/debian/deb_patches/series
@ -1 +1,2 @@
 0001-kdump-tools-add-vmlinuz-and-initrd.img-soft-link.patch
 0002-kdump-tools-adapt-check_secure_boot-checking.patch
`@ -1 +1,2 @@`
	`0001-kdump-tools-add-vmlinuz-and-initrd.img-soft-link.patch`	`0001-kdump-tools-add-vmlinuz-and-initrd.img-soft-link.patch`
		`0002-kdump-tools-adapt-check_secure_boot-checking.patch`