Eloy has uploaded this change for review. ( https://review.coreboot.org/c/coreboot/+/63702 )
Change subject: util/inteltool: add lockdown mode detection ......................................................................
util/inteltool: add lockdown mode detection
Change-Id: I9914fe392d53be390924e60dbfb16d3c9d222f44 --- M util/inteltool/inteltool.c 1 file changed, 49 insertions(+), 3 deletions(-)
diff --git a/util/inteltool/inteltool.c b/util/inteltool/inteltool.c
index 460f3b1..741c792 100644
--- a/util/inteltool/inteltool.c
+++ b/util/inteltool/inteltool.c
@@ -805,9 +805,55 @@
 if (iopl(3)) {
 perror("iopl");
 #endif
- printf("You need to be root.\n");
- exit(1);
- }
+ /* Check if kernel is in lockdown mode.
+ * Whether this part of sysfs is considered a
+ * stable kernel API part is unknown, since
+ * there is no explicit documentation
+ * stating so. There does not seems to be
+ * any other interface for checking wether the
+ * kernel is in lockdown mode. Until there is
+ * something better, parse the sysfs file.
+ * Because it is a sysfs file, fseek(3) or
+ * stat(2) are ineffective. You can only
+ * iterate until the state of the file
+ * handle is EOF, while it is copied into
+ * a buffer.
+ */
+
+ FILE *lockdown_file = fopen("/sys/kernel/security/lockdown", "rb");
+ if (lockdown_file != NULL){
+
+ /* Loop over file handler until EOF to get filesize in bytes */
+ FILE *lockdown_file_get_size = fopen("/sys/kernel/security/lockdown", "rb");
+ char d = fgetc(lockdown_file_get_size);
+ int filesize = 0;
+ while (d != EOF){
+ d = fgetc(lockdown_file_get_size);
+ filesize++;
+ }
+ fclose(lockdown_file_get_size);
+
+ /* Allocate buffer and copy file into it */
+ char *buf = malloc(filesize);
+ char c = fgetc(lockdown_file);
+ for (int i = 0; i < filesize; i++)
+ {
+ buf[i] = c;
+ c = fgetc(lockdown_file);
+ }
+ fclose(lockdown_file);
+
+ if(strstr(buf, "[integrity]") || strstr(buf, "[confidentiality]")) {
+ printf("The lockdown mode of the kernel is active. Disable UEFI secure boot.\n");
+ exit(1);
+ }
+
+ } /* Failed to open lockdown file, so the problem is likely missing root permissions */
+
+ printf("You need to be root.\n");
+ exit(1);
+
+ }
 #ifndef __DARWIN__
 if ((fd_mem = open("/dev/mem", O_RDWR)) < 0) {
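Review bot: The malloc'd `buf` is filled with exactly `filesize` bytes and never NUL-terminated, so the `strstr(buf, "[integrity]")` / `strstr(buf, "[confidentiality]")` calls read past the end of the allocation (and an empty read makes it `malloc(0)`). Keeping `fgetc()` results in `char d` / `char c` and comparing them with `EOF` is also unreliable: on a target where plain `char` is unsigned (e.g. ARM) the counting loop never terminates, and on signed-`char` targets a 0xFF byte would be taken as EOF. The second `fopen()` into `lockdown_file_get_size` and the `malloc()` are both unchecked, so either failing is a NULL dereference. All of this goes away if the file, which the hunk itself treats as a single line with the active mode in brackets, is read once with `fread()` into a fixed stack buffer and terminated explicitly, as below; the `Disable UEFI secure boot.` hint might also be hedged, since lockdown can presumably be turned on by kernel configuration or the `lockdown=` command-line parameter without Secure Boot.
```c
	FILE *lockdown_file = fopen("/sys/kernel/security/lockdown", "rb");
	if (lockdown_file != NULL) {
		/* The file is one short line with the active mode in brackets;
		 * read it once and NUL-terminate it so strstr() stays in bounds. */
		char buf[128];
		size_t len = fread(buf, 1, sizeof(buf) - 1, lockdown_file);
		fclose(lockdown_file);
		buf[len] = '\0';
		if (strstr(buf, "[integrity]") || strstr(buf, "[confidentiality]")) {
			printf("The lockdown mode of the kernel is active. Disable UEFI secure boot.\n");
			exit(1);
		}
	}
	/* … unchanged: "You need to be root." fallback and exit(1) … */
```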