diff options
| -rwxr-xr-x | bin/boot_mode_test | 67 | ||||
| -rw-r--r-- | jobs/miscellanea.txt.in | 10 |
2 files changed, 69 insertions, 8 deletions
diff --git a/bin/boot_mode_test b/bin/boot_mode_test new file mode 100755 index 0000000..8e4a45d --- /dev/null +++ b/bin/boot_mode_test @@ -0,0 +1,67 @@ +#!/usr/bin/env python3 +""" +Test that the computer booted in EFI mode, with Secure Boot active. + +Copyright (C) 2016 Canonical Ltd. + +Authors: + Rod Smith <rod.smith@canonical.com> + +This program is free software: you can redistribute it and/or modify +it under the terms of the GNU General Public License version 3, +as published by the Free Software Foundation. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU General Public License for more details. + +You should have received a copy of the GNU General Public License +along with this program. If not, see <http://www.gnu.org/licenses/>. +""" + + +import os +import sys +import logging + + +def main(): + """Test that the computer booted in EFI mode, with Secure Boot active. + + :returns: + 0 if Secure Boot is active + 1 if Secure Boot is inactive (could be disabled, not supported, + or not booted in EFI mode) + """ + logging.basicConfig(level=logging.INFO) + sb_dir = "/sys/firmware/efi/" + sb_var = sb_dir + "efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" + if os.path.isdir(sb_dir): + if os.path.isfile(sb_var): + sb_info = open(sb_var).read() + if ord(sb_info[4]) == 1: + logging.info("PASS: System booted in EFI mode boot with " + "Secure Boot active.") + return 0 + else: + logging.info("FAIL: System booted in EFI mode boot with " + "Secure Boot available but inactive.") + return 1 + else: + # NOTE: Normally, lack of sb_var indicates that the system + # doesn't support SB, as on many pre-Windows 8 UEFI systems. + # Below is therefore a bit harsh, but is done to ensure that + # no system slips through because it supports Secure Boot but + # does not create the sb_var when SB is inactive or has never + # been activated. + logging.info("FAIL: System booted in EFI mode and does not " + "appear to support Secure Boot.") + return 1 + else: + logging.info("FAIL: System did NOT boot in EFI mode.") + return 1 + + +if __name__ == '__main__': + sys.exit(main()) diff --git a/jobs/miscellanea.txt.in b/jobs/miscellanea.txt.in index 249c638..5005928 100644 --- a/jobs/miscellanea.txt.in +++ b/jobs/miscellanea.txt.in @@ -97,14 +97,8 @@ requires: cpuinfo.platform in ("i386", "x86_64", "aarch64") _summary: EFI-mode boot test _description: - Test to verify that the system booted in EFI mode rather than Legacy/BIOS mode. -command: - if [ -d "/sys/firmware/efi" ] ; then - echo "System booted in EFI mode" - else - echo "System did NOT boot in EFI mode" - exit 1 - fi + Test to verify that the system booted in EFI mode with Secure Boot active. +command: boot_mode_test plugin: shell category_id: 2013.com.canonical.plainbox::miscellanea |