From ac57af852bd4e3b33d99b20e5fa6e58c55b6ef3f Mon Sep 17 00:00:00 2001
From: Maram Srimannarayana Murthy
Date: Mon, 18 May 2026 19:26:53 +0530
Subject: [PATCH] Add kernel lockdown utility functions to linux.py

This commit adds three new utility functions to avocado.utils.linux for managing kernel lockdown security feature:

1. is_kernel_lockdown_enabled(): Check current lockdown state
   - Returns tuple of (mode, is_enabled)
   - Supports none, integrity, and confidentiality modes
   - Handles cases where lockdown feature is unavailable

2. enable_kernel_lockdown_integrity(): Enable integrity mode
   - Prevents kernel modification
   - Verifies mode change via sysfs

3. enable_kernel_lockdown_confidentiality(): Enable confidentiality mode
   - Most restrictive mode (prevents modification and data exposure)
   - Verifies mode change via sysfs

All functions follow PEP 8 standards and include comprehensive docstrings. Lockdown mode transitions are one-way at runtime and require reboot to downgrade.

Changes in v2 (addressing gemini-code-assist review):
- Removed redundant and fragile dmesg verification from lockdown functions
- Removed unused dmesg import
- Simplified logic to rely solely on sysfs state verification
- Improved reliability and performance by avoiding expensive dmesg operations

Signed-off-by: Maram Srimannarayana Murthy
---
 avocado/utils/linux.py | 68 +++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 67 insertions(+), 1 deletion(-)

diff --git a/avocado/utils/linux.py b/avocado/utils/linux.py
index 6ea409a519..4e934a03f6 100644
--- a/avocado/utils/linux.py
+++ b/avocado/utils/linux.py
@@ -94,7 +94,9 @@ def is_os_secureboot_enabled():
             if "00000002" in line:
                 return True
     except FileNotFoundError as exc:
-        raise UnsupportedMachineError("lsprop not a supported command") from exc
+        raise UnsupportedMachineError(
+            "lsprop not a supported command"
+        ) from exc
     return False
@@ -117,3 +119,67 @@ def enable_sched_schedstats():
     if is_sched_schedstats_enabled():
         return True
     return False
+
+
+def is_kernel_lockdown_enabled():
+    """
+    Returns tuple of (mode, is_enabled) for kernel lockdown state.
+    """
+    lockdown_path = "/sys/kernel/security/lockdown"
+    try:
+        lockdown_status = genio.read_one_line(lockdown_path).strip()
+        for mode in ["none", "integrity", "confidentiality"]:
+            if f"[{mode}]" in lockdown_status:
+                is_enabled = mode != "none"
+                return (mode, is_enabled)
+        return ("none", False)
+    except FileNotFoundError:
+        return (None, False)
+    except PermissionError:
+        return (None, False)
+
+
+def enable_kernel_lockdown_integrity():
+    """
+    Enable kernel lockdown in integrity mode
+
+    :return: True if integrity mode enabled, False if not enabled
+    """
+    lockdown_path = "/sys/kernel/security/lockdown"
+    current_mode, _ = is_kernel_lockdown_enabled()
+
+    if current_mode is None:
+        return False
+
+    if current_mode in ["integrity", "confidentiality"]:
+        return True
+
+    try:
+        genio.write_one_line(lockdown_path, "integrity")
+        new_mode, _ = is_kernel_lockdown_enabled()
+        return new_mode in ["integrity", "confidentiality"]
+    except (PermissionError, IOError):
+        return False
+
+
+def enable_kernel_lockdown_confidentiality():
+    """
+    Enable kernel lockdown in confidentiality mode
+
+    :return: True if confidentiality mode enabled, False if not enabled
+    """
+    lockdown_path = "/sys/kernel/security/lockdown"
+    current_mode, _ = is_kernel_lockdown_enabled()
+
+    if current_mode is None:
+        return False
+
+    if current_mode == "confidentiality":
+        return True
+
+    try:
+        genio.write_one_line(lockdown_path, "confidentiality")
+        new_mode, _ = is_kernel_lockdown_enabled()
+        return new_mode == "confidentiality"
+    except (PermissionError, IOError):
+        return False
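Review bot: enable_kernel_lockdown_integrity and enable_kernel_lockdown_confidentiality are the same read-check-write-verify sequence, differing only in the mode written and the set of modes accepted as success, so the body belongs in one private helper that both public functions call. In the same pass, `except (PermissionError, IOError):` can become `except OSError:` — IOError is an alias of OSError and PermissionError is a subclass of it — and the sysfs path repeated three times can be a single module-level constant. Both public docstrings should state what the commit message says but the code does not: lockdown only moves to a stricter mode at runtime and a reboot is required to lower it again, which matters for anyone calling these from a test on a shared host; the integrity docstring should also say it returns True when the kernel is already in the stricter confidentiality mode. The docstring of is_kernel_lockdown_enabled should say that a mode of None means the sysfs entry is absent or unreadable, and the two identical `except` clauses there can be merged into `except (FileNotFoundError, PermissionError):`.
```python
_LOCKDOWN_PATH = "/sys/kernel/security/lockdown"


def _set_kernel_lockdown_mode(target, accepted):
    """
    Write lockdown mode *target* to sysfs and return True when the kernel
    reports a mode in *accepted* afterwards (or already did before the write).
    Lockdown cannot be lowered again at runtime; a reboot is required.
    """
    current_mode, _ = is_kernel_lockdown_enabled()
    if current_mode is None:
        return False
    if current_mode in accepted:
        return True
    try:
        genio.write_one_line(_LOCKDOWN_PATH, target)
        new_mode, _ = is_kernel_lockdown_enabled()
    except OSError:
        return False
    return new_mode in accepted


def enable_kernel_lockdown_integrity():
    # … docstring unchanged, plus the one-way/reboot note …
    return _set_kernel_lockdown_mode("integrity", ("integrity", "confidentiality"))


def enable_kernel_lockdown_confidentiality():
    # … docstring unchanged, plus the one-way/reboot note …
    return _set_kernel_lockdown_mode("confidentiality", ("confidentiality",))
```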