Commit
Add facts to note EFI status (#232)
See: tools/testing/selftests/kexec/kexec_common_lib.sh

Co-authored-by: Trevor Vaughan <tvaughan@onyxpoint.com>
jcpunk and trevor-vaughan authored Sep 17, 2020
1 parent 77628f6 commit 6710c51
Showing 4 changed files with 202 additions and 39 deletions.
80 changes: 41 additions & 39 deletions README.md
@@ -65,45 +65,47 @@ See [REFERENCE.md](./REFERENCE.md) for all other reference documentation.

### Facts

* **acpid_enabled** - Return true if ACPI is available on the system
* **boot_dir_uuid** - Return the UUID of the partition holding the
boot directory
* **cmdline** - Returns the contents of `/proc/cmdline` as a
hash
* **cpuinfo** - Returns the contents of `/proc/cpuinfo` as a
hash
* **defaultgateway** - Return the default gateway of the system
* **defaultgatewayiface** - Return the default gw interface of the system
* **fips_ciphers** - Returns a list of available OpenSSL ciphers
* **fips_enabled** - Determine whether FIPS is enabled on this system
* **fullrun** - Determine whether to do an intensive run
* **gdm_version** - Return the version of GDM that is installed
* **grub_version** - Return the grub version installed on the system
* **init_systems** - Return a list of all init systems present on
the system
* **ipa** - Return a hash containing the IPA domain and
server to which a host is connected
* **ipv6_enabled** - Return true if IPv6 is enabled and false if not
* **login_defs** - Return the contents of `/etc/login.defs` as a
hash with downcased keys
* **prelink** - Returns a hash containing prelink status
* **reboot_required** - Returns a hash of 'name' => 'reason' entries
* **root_dir_uuid** - Return the UUID of the partition holding the
`/` directory
* **runlevel** - Return the current system runlevel
* **shmall** - Return the value of shmall from sysctl
* **simplib__firewalls** - Return an array of known firewall commands that
are present on the system.
* **simplib__mountpoints** - Return a hash of mountpoints of particular
interest to SIMP modules.
* **simplib_sysctl** - Return hash of sysctl values that are relevant
to SIMP
* **simp_puppet_settings** - Returns a hash of all Puppet settings on a node
* **tmp_mounts** - DEPRECATED - use `simplib__mountpoints`
This fact provides information about `/tmp`,
`/var/tmp`, and `/dev/shm` should they be present
on the system
* **uid_min** - Return the minimum uid allowed
* **acpid_enabled** - Return true if ACPI is available on the system
* **boot_dir_uuid** - Return the UUID of the partition holding the
boot directory
* **cmdline** - Returns the contents of `/proc/cmdline` as a
hash
* **cpuinfo** - Returns the contents of `/proc/cpuinfo` as a
hash
* **defaultgateway** - Return the default gateway of the system
* **defaultgatewayiface** - Return the default gw interface of the system
* **fips_ciphers** - Returns a list of available OpenSSL ciphers
* **fips_enabled** - Determine whether FIPS is enabled on this system
* **fullrun** - Determine whether to do an intensive run
* **gdm_version** - Return the version of GDM that is installed
* **grub_version** - Return the grub version installed on the system
* **init_systems** - Return a list of all init systems present on
the system
* **ipa** - Return a hash containing the IPA domain and
server to which a host is connected
* **ipv6_enabled** - Return true if IPv6 is enabled and false if not
* **login_defs** - Return the contents of `/etc/login.defs` as a
hash with downcased keys
* **prelink** - Returns a hash containing prelink status
* **reboot_required** - Returns a hash of 'name' => 'reason' entries
* **root_dir_uuid** - Return the UUID of the partition holding the
`/` directory
* **runlevel** - Return the current system runlevel
* **shmall** - Return the value of shmall from sysctl
* **simplib__efi_enabled** - Returns true if the system is using EFI
* **simplib__secure_boot_enabled** - Returns true if the host is using uEFI Secure Boot
* **simplib__firewalls** - Return an array of known firewall commands that
are present on the system.
* **simplib__mountpoints** - Return a hash of mountpoints of particular
interest to SIMP modules.
* **simplib_sysctl** - Return hash of sysctl values that are relevant
to SIMP
* **simp_puppet_settings** - Returns a hash of all Puppet settings on a node
* **tmp_mounts** - DEPRECATED - use `simplib__mountpoints`
This fact provides information about `/tmp`,
`/var/tmp`, and `/dev/shm` should they be present
on the system
* **uid_min** - Return the minimum uid allowed

### Run stages
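
Review bot: The new `simplib__secure_boot_enabled` entry breaks the alphabetical order of the Facts list: it is inserted before `simplib__firewalls` and `simplib__mountpoints` and should follow `simplib__mountpoints`. Its description also writes "uEFI" where the fact's own header comment writes "UEFI", and it does not mention that the fact is only true when SetupMode is off, which is what the code checks. Separately, all 39 existing entries are removed and re-added with no change in wording, which buries the two real additions; if that is only column re-alignment, consider putting it in a separate whitespace-only commit.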

11 changes: 11 additions & 0 deletions lib/facter/simplib__efi_enabled.rb
@@ -0,0 +1,11 @@
# _Description_
#
# Return true if system booted via EFI
#
Facter.add("simplib__efi_enabled") do
confine :kernel => 'Linux'

setcode do
File.exist?('/sys/firmware/efi')
end
end
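
Review bot: No spec accompanies this fact: the commit touches four files (README.md, the two facts, and a single spec for `simplib__secure_boot_enabled`), so the `File.exist?('/sys/firmware/efi')` check is untested. Add a spec that stubs `File.exist?` for both outcomes, in the same style as the Secure Boot spec. The header comment says "booted via EFI" while the README entry says "is using EFI"; pick one wording so the documentation and the fact agree.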
47 changes: 47 additions & 0 deletions lib/facter/simplib__secure_boot_enabled.rb
@@ -0,0 +1,47 @@
# _Description_
#
# Return true if system booted via UEFI Secure Boot
#
Facter.add("simplib__secure_boot_enabled") do
confine :kernel => 'Linux'

setcode do
secure_boot_status = false
Dir.glob('/sys/firmware/efi/efivars/SecureBoot-*').each do | file |
begin
File.open(file, 'r') do | hexcode |
# skip leading status codes
hexcode.read(4)
code = hexcode.read()
# If we didn't get any data, unpacking will fail
secure_boot_status = (1 == code.unpack('H*').first.to_i) if code
end
rescue Errno::EPERM, Errno::EACCES
next
end

break if secure_boot_status
end

setup_mode_status = false
if secure_boot_status
Dir.glob('/sys/firmware/efi/efivars/SetupMode-*').each do | file |
begin
File.open(file, 'r') do | hexcode |
# skip leading status codes
hexcode.read(4)
code = hexcode.read()
# If we didn't get any data, unpacking will fail
setup_mode_status = (0 == code.unpack('H*').first.to_i) if code
end
rescue Errno::EPERM, Errno::EACCES
next
end

break if setup_mode_status
end
end

secure_boot_status & setup_mode_status
end
end
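
Review bot: The `if code` guard in both read blocks never fires, so an empty read of a SetupMode variable is reported as "SetupMode disabled". `hexcode.read()` with no length returns an empty string at EOF rather than nil, `''.unpack('H*').first.to_i` is 0, and `0 == code...` then sets `setup_mode_status` to true; with SecureBoot at 1 the fact returns true on data it could not actually parse. Check the length explicitly (for example require exactly one data byte after the 4-byte prefix) and decode it with `unpack('C')` instead of converting a hex string through `to_i`, which also silently maps any non-decimal hex such as `0a` to 0. The comment "If we didn't get any data, unpacking will fail" should be corrected to match. Smaller points: the two loops are near-identical and could share one helper that takes the glob and the expected value, `setup_mode_status` is true when SetupMode is off, which reads backwards, and the final `&` on booleans would be clearer as `&&`.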
103 changes: 103 additions & 0 deletions spec/unit/facter/simplib__secure_boot_enabled.rb
@@ -0,0 +1,103 @@
# frozen_string_literal: true

require 'spec_helper'

describe 'simplib__secure_boot_enabled' do
before :each do
Facter.clear
Facter.stubs(:value).with(:kernel).returns('Linux')
end

context 'without SecureBoot files in /sys/firmware/efi/efivars' do
it do
Dir.stubs(:glob).with('/sys/firmware/efi/efivars/SecureBoot-*').returns([])

expect(Facter.fact('simplib__secure_boot_enabled').value).to match(false)
end
end

context 'with a SecureBoot file in /sys/firmware/efi/efivars' do
before :each do
@sb_tempfile = Tempfile.new('simplib__secure_boot_enabled')
@sm_tempfile = Tempfile.new('simplib__secure_boot_enabled')

Dir.stubs(:glob).with('/sys/firmware/efi/efivars/SecureBoot-*').returns([@sb_tempfile.path])
Dir.stubs(:glob).with('/sys/firmware/efi/efivars/SetupMode-*').returns([@sm_tempfile.path])
end

after :each do
File.unlink(@sb_tempfile) if File.exist?(@sb_tempfile)
File.unlink(@sm_tempfile) if File.exist?(@sm_tempfile)
end

context 'with SecureBoot enabled' do
before :each do
File.open(@sb_tempfile, 'wb') do |fh|
fh.write('1234')
fh.write([1].pack('C'))
end
end

context 'with SetupMode disabled' do
before :each do
File.open(@sm_tempfile, 'w') do |fh|
fh.write('1234')
fh.write([0].pack('C'))
end
end

it do
expect(Facter.fact('simplib__secure_boot_enabled').value).to match(true)
end
end

context 'with SetupMode enabled' do
before :each do
File.open(@sm_tempfile, 'w') do |fh|
fh.write('1234')
fh.write([1].pack('C'))
end
end

it do
expect(Facter.fact('simplib__secure_boot_enabled').value).to match(false)
end
end
end

context 'with SecureBoot disabled' do
before :each do
File.open(@sb_tempfile, 'w') do |fh|
fh.write('1234')
fh.write([0].pack('C'))
end
end

context 'with SetupMode disabled' do
before :each do
File.open(@sm_tempfile, 'w') do |fh|
fh.write('1234')
fh.write([0].pack('C'))
end
end

it do
expect(Facter.fact('simplib__secure_boot_enabled').value).to match(false)
end
end

context 'with SetupMode enabled' do
before :each do
File.open(@sm_tempfile, 'w') do |fh|
fh.write('1234')
fh.write([1].pack('C'))
end
end

it do
expect(Facter.fact('simplib__secure_boot_enabled').value).to match(false)
end
end
end
end
end
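
Review bot: The file is added as `spec/unit/facter/simplib__secure_boot_enabled.rb`, without the `_spec.rb` suffix, so RSpec's default file pattern will not pick it up and these examples will not run unless the project's runner uses a custom pattern; rename it to `simplib__secure_boot_enabled_spec.rb`. Coverage also stops at the four SecureBoot/SetupMode combinations: there is no example for a SecureBoot file with no matching SetupMode file, for a variable that is empty or shorter than the 4-byte prefix, or for the `Errno::EPERM` / `Errno::EACCES` rescue paths in the fact. The first fixture is opened with `'wb'` and the rest with `'w'`; use binary mode throughout since the content is packed bytes.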
