Lines Matching +full:boot +full:- +full:enabled
2 # SPDX-License-Identifier: GPL-2.0
6 VERBOSE="${VERBOSE:-1}"
7 IKCONFIG="/tmp/config-`uname -r`"
8 KERNEL_IMAGE="/boot/vmlinuz-`uname -r`"
13 [ $VERBOSE -ne 0 ] && echo "[INFO] $1"
19 [ $VERBOSE -ne 0 ] && echo "$1 [PASS]"
26 [ $VERBOSE -ne 0 ] && echo "$1 [FAIL]"
33 [ $VERBOSE -ne 0 ] && echo "$1"
37 # Check efivar SecureBoot-$(the UUID) and SetupMode-$(the UUID).
38 # (Based on kdump-lib.sh)
48 if ! grep -q "^\S\+ $efivarfs efivarfs" /proc/mounts; then
52 secure_boot_file=$(find "$efivarfs" -name SecureBoot-* 2>/dev/null)
53 setup_mode_file=$(find "$efivarfs" -name SetupMode-* 2>/dev/null)
54 if [ -f "$secure_boot_file" ] && [ -f "$setup_mode_file" ]; then
55 secureboot_mode=$(hexdump -v -e '/1 "%d\ "' \
56 "$secure_boot_file"|cut -d' ' -f 5)
57 setup_mode=$(hexdump -v -e '/1 "%d\ "' \
58 "$setup_mode_file"|cut -d' ' -f 5)
60 if [ $secureboot_mode -eq 1 ] && [ $setup_mode -eq 0 ]; then
61 log_info "secure boot mode enabled (CONFIG_EFIVAR_FS)"
68 # On powerpc platform, check device-tree property
69 # /proc/device-tree/ibm,secureboot/os-secureboot-enforcing
73 local secure_boot_file="/proc/device-tree/ibm,secureboot/os-secureboot-enforcing"
74 # Check for secure boot file existence
75 if [ -f $secure_boot_file ]; then
76 log_info "Secureboot is enabled (Device tree)"
79 log_info "Secureboot is not enabled (Device tree)"
89 # Check efivar SecureBoot-$(the UUID) and SetupMode-$(the UUID).
90 # The secure boot mode can be accessed as the last integer of
91 # "od -An -t u1 /sys/firmware/efi/efivars/SecureBoot-*". The efi
93 # Return 1 for SecureBoot mode enabled and SetupMode mode disabled.
107 if [ $secureboot_mode -eq 0 ]; then
108 log_info "secure boot mode not enabled"
115 if [ $(id -ru) -ne 0 ]; then
127 grep -E -q $config $IKCONFIG
128 if [ $? -eq 0 ]; then
137 # configs.ko using scripts/extract-ikconfig.
142 local module_dir="/lib/modules/`uname -r`"
145 if [ -f $module_dir/config ]; then
150 if [ ! -f $proc_config ]; then
153 if [ -f $proc_config ]; then
155 if [ $? -eq 0 ]; then
160 local extract_ikconfig="$module_dir/source/scripts/extract-ikconfig"
161 if [ ! -f $extract_ikconfig ]; then
162 log_skip "extract-ikconfig not found"
166 if [ $? -eq 1 ]; then
167 if [ ! -f $configs_module ]; then
168 log_skip "CONFIG_IKCONFIG not enabled"
171 if [ $? -eq 1 ]; then
172 log_skip "CONFIG_IKCONFIG not enabled"
181 if [ -z $SECURITYFS ]; then
183 mount -t securityfs security $SECURITYFS
186 if [ ! -d "$SECURITYFS" ]; then
191 # The policy rule format is an "action" followed by key-value pairs. This
192 # function supports up to two key-value pairs, in any order.
205 if [ ! -e $ima_policy ]; then
209 if [ -n $keypair2 ]; then
210 grep -e "^$action.*$keypair1" "$ima_policy" | \
211 grep -q -e "$keypair2"
213 grep -q -e "^$action.*$keypair1" "$ima_policy"
216 # invert "grep -q" result, returning 1 for found.
217 [ $? -eq 0 ] && ret=1