diff mbox series

[RFC,1/2] selftests/kexec: remove broken EFI_VARS secure boot fallback check

Message ID 20220616124740.580708-2-ardb@kernel.org (mailing list archive)
State Accepted
Commit c07d2475f9cd7eaf6ddc60b5d284b375699d9553
Headers show
Series efi: get rid of deprecated sysfs varstore interface | expand

Commit Message

Ard Biesheuvel June 16, 2022, 12:47 p.m. UTC
Commit b433a52aa28733e0 ("selftests/kexec: update get_secureboot_mode")
refactored the code that discovers the EFI secure boot mode so it only
depends on either the efivars pseudo filesystem or the efivars sysfs
interface, but never both.

However, the latter version was not implemented correctly, given the
fact that the local 'efi_vars' variable never assumes a value. This
means the fallback has been dead code ever since it was introduced.

So let's drop the fallback altogether. The sysfs interface has been
deprecated for ~10 years now, and is only enabled on x86 to begin with,
so it is time to get rid of it entirely.

Cc: Shuah Khan <shuah@kernel.org>
Cc: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
---
 tools/testing/selftests/kexec/kexec_common_lib.sh | 36 ++------------------
 1 file changed, 2 insertions(+), 34 deletions(-)

Comments

Mimi Zohar June 16, 2022, 6:08 p.m. UTC | #1
On Thu, 2022-06-16 at 14:47 +0200, Ard Biesheuvel wrote:
> Commit b433a52aa28733e0 ("selftests/kexec: update get_secureboot_mode")
> refactored the code that discovers the EFI secure boot mode so it only
> depends on either the efivars pseudo filesystem or the efivars sysfs
> interface, but never both.
> 
> However, the latter version was not implemented correctly, given the
> fact that the local 'efi_vars' variable never assumes a value. This
> means the fallback has been dead code ever since it was introduced.
> 
> So let's drop the fallback altogether. The sysfs interface has been
> deprecated for ~10 years now, and is only enabled on x86 to begin with,
> so it is time to get rid of it entirely.
> 
> Cc: Shuah Khan <shuah@kernel.org>
> Cc: Mimi Zohar <zohar@linux.ibm.com>
> Signed-off-by: Ard Biesheuvel <ardb@kernel.org>

Thanks, Ard.

Reviewed-by:  Mimi Zohar <zohar@linux.ibm.com>
Ard Biesheuvel June 24, 2022, 8:20 a.m. UTC | #2
On Fri, 17 Jun 2022 at 05:51, Mimi Zohar <zohar@linux.ibm.com> wrote:
>
> On Thu, 2022-06-16 at 14:47 +0200, Ard Biesheuvel wrote:
> > Commit b433a52aa28733e0 ("selftests/kexec: update get_secureboot_mode")
> > refactored the code that discovers the EFI secure boot mode so it only
> > depends on either the efivars pseudo filesystem or the efivars sysfs
> > interface, but never both.
> >
> > However, the latter version was not implemented correctly, given the
> > fact that the local 'efi_vars' variable never assumes a value. This
> > means the fallback has been dead code ever since it was introduced.
> >
> > So let's drop the fallback altogether. The sysfs interface has been
> > deprecated for ~10 years now, and is only enabled on x86 to begin with,
> > so it is time to get rid of it entirely.
> >
> > Cc: Shuah Khan <shuah@kernel.org>
> > Cc: Mimi Zohar <zohar@linux.ibm.com>
> > Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
>
> Thanks, Ard.
>
> Reviewed-by:  Mimi Zohar <zohar@linux.ibm.com>
>

Thanks Mimi, I've queued this up in efi/next.
diff mbox series

Patch

diff --git a/tools/testing/selftests/kexec/kexec_common_lib.sh b/tools/testing/selftests/kexec/kexec_common_lib.sh
index 0e114b34d5d7..641ef05863b2 100755
--- a/tools/testing/selftests/kexec/kexec_common_lib.sh
+++ b/tools/testing/selftests/kexec/kexec_common_lib.sh
@@ -65,32 +65,6 @@  get_efivarfs_secureboot_mode()
 	return 0;
 }
 
-get_efi_var_secureboot_mode()
-{
-	local efi_vars
-	local secure_boot_file
-	local setup_mode_file
-	local secureboot_mode
-	local setup_mode
-
-	if [ ! -d "$efi_vars" ]; then
-		log_skip "efi_vars is not enabled\n"
-	fi
-	secure_boot_file=$(find "$efi_vars" -name SecureBoot-* 2>/dev/null)
-	setup_mode_file=$(find "$efi_vars" -name SetupMode-* 2>/dev/null)
-	if [ -f "$secure_boot_file/data" ] && \
-	   [ -f "$setup_mode_file/data" ]; then
-		secureboot_mode=`od -An -t u1 "$secure_boot_file/data"`
-		setup_mode=`od -An -t u1 "$setup_mode_file/data"`
-
-		if [ $secureboot_mode -eq 1 ] && [ $setup_mode -eq 0 ]; then
-			log_info "secure boot mode enabled (CONFIG_EFI_VARS)"
-			return 1;
-		fi
-	fi
-	return 0;
-}
-
 # On powerpc platform, check device-tree property
 # /proc/device-tree/ibm,secureboot/os-secureboot-enforcing
 # to detect secureboot state.
@@ -113,9 +87,8 @@  get_arch()
 }
 
 # Check efivar SecureBoot-$(the UUID) and SetupMode-$(the UUID).
-# The secure boot mode can be accessed either as the last integer
-# of "od -An -t u1 /sys/firmware/efi/efivars/SecureBoot-*" or from
-# "od -An -t u1 /sys/firmware/efi/vars/SecureBoot-*/data".  The efi
+# The secure boot mode can be accessed as the last integer of
+# "od -An -t u1 /sys/firmware/efi/efivars/SecureBoot-*".  The efi
 # SetupMode can be similarly accessed.
 # Return 1 for SecureBoot mode enabled and SetupMode mode disabled.
 get_secureboot_mode()
@@ -129,11 +102,6 @@  get_secureboot_mode()
 	else
 		get_efivarfs_secureboot_mode
 		secureboot_mode=$?
-		# fallback to using the efi_var files
-		if [ $secureboot_mode -eq 0 ]; then
-			get_efi_var_secureboot_mode
-			secureboot_mode=$?
-		fi
 	fi
 
 	if [ $secureboot_mode -eq 0 ]; then