From 7e71bb7e14db73234d1866ef975ffa660672a830 Mon Sep 17 00:00:00 2001 From: Pat Riehecky Date: Tue, 15 Sep 2020 14:53:28 -0500 Subject: [PATCH] Add facts to note EFI status --- README.md | 2 ++ lib/facter/efi.rb | 11 +++++++++++ lib/facter/secure_boot_enabled.rb | 25 +++++++++++++++++++++++++ 3 files changed, 38 insertions(+) create mode 100644 lib/facter/efi.rb create mode 100644 lib/facter/secure_boot_enabled.rb diff --git a/README.md b/README.md index f9421307..5ce58220 100644 --- a/README.md +++ b/README.md @@ -74,6 +74,7 @@ See [REFERENCE.md](./REFERENCE.md) for all other reference documentation. hash * **defaultgateway** - Return the default gateway of the system * **defaultgatewayiface** - Return the default gw interface of the system + * **efi_enabled** - Returns true if the system is using EFI * **fips_ciphers** - Returns a list of available OpenSSL ciphers * **fips_enabled** - Determine whether FIPS is enabled on this system * **fullrun** - Determine whether to do an intensive run @@ -91,6 +92,7 @@ See [REFERENCE.md](./REFERENCE.md) for all other reference documentation. * **root_dir_uuid** - Return the UUID of the partition holding the `/` directory * **runlevel** - Return the current system runlevel + * **secure_boot_enabled** - Returns true if the host is using uEFI Secure Boot * **shmall** - Return the value of shmall from sysctl * **simplib__firewalls** - Return an array of known firewall commands that are present on the system. diff --git a/lib/facter/efi.rb b/lib/facter/efi.rb new file mode 100644 index 00000000..e3db5528 --- /dev/null +++ b/lib/facter/efi.rb @@ -0,0 +1,11 @@ +# _Description_ +# +# Return true if system booted via EFI +# +if Facter.value(:kernel).downcase == "linux" then + Facter.add("efi_enabled") do + setcode do + File.exist?('/sys/firmware/efi') + end + end +end diff --git a/lib/facter/secure_boot_enabled.rb b/lib/facter/secure_boot_enabled.rb new file mode 100644 index 00000000..7b91ca37 --- /dev/null 
+++ b/lib/facter/secure_boot_enabled.rb @@ -0,0 +1,25 @@ +# _Description_ +# +# Return true if system booted via uEFI Secure Boot +# +if Facter.value(:kernel).downcase == "linux" then + Facter.add("secure_boot_enabled") do + setcode do + if File.exist?('/sys/firmware/efi') + Dir.glob('/sys/firmware/efi/efivars/SecureBoot-*').each do | file | + File.open(file, 'r') do | hexcode | + hexcode.read(4) + code = hexcode.read(16).unpack('H*').first.to_i + if code == 1 + true + else + false + end + end + end + else + false + end + end + end +end
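Review bot: the two new README.md entries, `efi_enabled` and `secure_boot_enabled`, do not say that both facts are only defined when the kernel fact is Linux. On any other kernel the facts are absent rather than false, so a manifest that tests them gets an undefined value there. Suggest adding "(Linux only)" to both entries, and picking one spelling of "EFI" / "uEFI" across the two lines.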
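Review bot: in lib/facter/efi.rb the guard `if Facter.value(:kernel).downcase == "linux" then` calls `.downcase` on the kernel fact at load time, which raises if that fact resolves to nil. Suggest moving the restriction inside the fact as `confine :kernel => 'Linux'` and dropping the outer `if`, which is the usual Facter form. The same guard is repeated in lib/facter/secure_boot_enabled.rb.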
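Review bot: in lib/facter/secure_boot_enabled.rb the `setcode` block never returns the `true` / `false` computed inside `File.open`. The last expression of the EFI branch is `Dir.glob('/sys/firmware/efi/efivars/SecureBoot-*').each do ... end`, and `each` returns the array it iterated over, so the block's value is the list of matched paths (an empty array when no SecureBoot variable exists) instead of a boolean. Suggest reading the first match, returning false when there is none, and ending the block with `code == 1`. Two smaller points in the same lines: `hexcode.read(16)` returns nil when the file holds nothing beyond the 4 skipped bytes, so `.unpack` would raise and needs a nil guard; and `.to_i` parses the hex string as decimal, which is fine for 00 and 01 but would be clearer as `.to_i(16)` or a direct byte comparison. The diffstat lists no spec file, so neither the enabled nor the disabled case is covered by a test.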