Add facts to note EFI status (#232)

jcpunk · trevor-vaughan · web-flow · commit 6710c519f5a5 · 2020-09-17T12:25:04.000-04:00
See: tools/testing/selftests/kexec/kexec_common_lib.sh

Co-authored-by: Trevor Vaughan &lt;tvaughan@onyxpoint.com&gt;
diff --git a/README.md b/README.md
@@ -65,45 +65,47 @@ See [REFERENCE.md](./REFERENCE.md) for all other reference documentation.
 
 ### Facts
 
-  * **acpid_enabled**        -  Return true if ACPI is available on the system
-  * **boot_dir_uuid**        -  Return the UUID of the partition holding the
-                                boot directory
-  * **cmdline**              -  Returns the contents of `/proc/cmdline` as a
-                                hash
-  * **cpuinfo**              -  Returns the contents of `/proc/cpuinfo` as a
-                                hash
-  * **defaultgateway**       -  Return the default gateway of the system
-  * **defaultgatewayiface**  -  Return the default gw interface of the system
-  * **fips_ciphers**         -  Returns a list of available OpenSSL ciphers
-  * **fips_enabled**         -  Determine whether FIPS is enabled on this system
-  * **fullrun**              -  Determine whether to do an intensive run
-  * **gdm_version**          -  Return the version of GDM that is installed
-  * **grub_version**         -  Return the grub version installed on the system
-  * **init_systems**         -  Return a list of all init systems present on
-   the system
-  * **ipa**                  -  Return a hash containing the IPA domain and
-                                server to which a host is connected
-  * **ipv6_enabled**         -  Return true if IPv6 is enabled and false if not
-  * **login_defs**           -  Return the contents of `/etc/login.defs` as a
-                                hash with downcased keys
-  * **prelink**              -  Returns a hash containing prelink status
-  * **reboot_required**      -  Returns a hash of 'name' => 'reason' entries
-  * **root_dir_uuid**        -  Return the UUID of the partition holding the
-                                `/` directory
-  * **runlevel**             -  Return the current system runlevel
-  * **shmall**               -  Return the value of shmall from sysctl
-  * **simplib__firewalls**   -  Return an array of known firewall commands that
-                                are present on the system.
-  * **simplib__mountpoints** -  Return a hash of mountpoints of particular
-                                interest to SIMP modules.
-  * **simplib_sysctl**       -  Return hash of sysctl values that are relevant
-                                to SIMP
-  * **simp_puppet_settings** -  Returns a hash of all Puppet settings on a node
-  * **tmp_mounts**           -  DEPRECATED - use `simplib__mountpoints`
-                                This fact provides information about `/tmp`,
-                                `/var/tmp`, and `/dev/shm` should they be present
-                                on the system
-  * **uid_min**              -  Return the minimum uid allowed
+  * **acpid_enabled**                 -  Return true if ACPI is available on the system
+  * **boot_dir_uuid**                 -  Return the UUID of the partition holding the
+                                         boot directory
+  * **cmdline**                       -  Returns the contents of `/proc/cmdline` as a
+                                         hash
+  * **cpuinfo**                       -  Returns the contents of `/proc/cpuinfo` as a
+                                         hash
+  * **defaultgateway**                -  Return the default gateway of the system
+  * **defaultgatewayiface**           -  Return the default gw interface of the system
+  * **fips_ciphers**                  -  Returns a list of available OpenSSL ciphers
+  * **fips_enabled**                  -  Determine whether FIPS is enabled on this system
+  * **fullrun**                       -  Determine whether to do an intensive run
+  * **gdm_version**                   -  Return the version of GDM that is installed
+  * **grub_version**                  -  Return the grub version installed on the system
+  * **init_systems**                  -  Return a list of all init systems present on
+                                         the system
+  * **ipa**                           -  Return a hash containing the IPA domain and
+                                         server to which a host is connected
+  * **ipv6_enabled**                  -  Return true if IPv6 is enabled and false if not
+  * **login_defs**                    -  Return the contents of `/etc/login.defs` as a
+                                         hash with downcased keys
+  * **prelink**                       -  Returns a hash containing prelink status
+  * **reboot_required**               -  Returns a hash of 'name' => 'reason' entries
+  * **root_dir_uuid**                 -  Return the UUID of the partition holding the
+                                         `/` directory
+  * **runlevel**                      -  Return the current system runlevel
+  * **shmall**                        -  Return the value of shmall from sysctl
+  * **simplib__efi_enabled**          -  Returns true if the system is using EFI
+  * **simplib__secure_boot_enabled**  -  Returns true if the host is using uEFI Secure Boot
+  * **simplib__firewalls**            -  Return an array of known firewall commands that
+                                         are present on the system.
+  * **simplib__mountpoints**          -  Return a hash of mountpoints of particular
+                                         interest to SIMP modules.
+  * **simplib_sysctl**                -  Return hash of sysctl values that are relevant
+                                         to SIMP
+  * **simp_puppet_settings**          -  Returns a hash of all Puppet settings on a node
+  * **tmp_mounts**                    -  DEPRECATED - use `simplib__mountpoints`
+                                         This fact provides information about `/tmp`,
+                                         `/var/tmp`, and `/dev/shm` should they be present
+                                         on the system
+  * **uid_min**                       -  Return the minimum uid allowed
 
 ### Run stages
 
diff --git a/lib/facter/simplib__efi_enabled.rb b/lib/facter/simplib__efi_enabled.rb
@@ -0,0 +1,11 @@
+# _Description_
+#
+# Return true if system booted via EFI
+#
+Facter.add("simplib__efi_enabled") do
+  confine :kernel => 'Linux'
+
+  setcode do
+    File.exist?('/sys/firmware/efi')
+  end
+end
diff --git a/lib/facter/simplib__secure_boot_enabled.rb b/lib/facter/simplib__secure_boot_enabled.rb
@@ -0,0 +1,47 @@
+# _Description_
+#
+# Return true if system booted via UEFI Secure Boot
+#
+Facter.add("simplib__secure_boot_enabled") do
+  confine :kernel => 'Linux'
+
+  setcode do
+    secure_boot_status = false
+    Dir.glob('/sys/firmware/efi/efivars/SecureBoot-*').each do | file |
+      begin
+        File.open(file, 'r') do | hexcode |
+          # skip leading status codes
+          hexcode.read(4)
+          code = hexcode.read()
+          # If we didn't get any data, unpacking will fail
+          secure_boot_status = (1 == code.unpack('H*').first.to_i) if code
+        end
+      rescue Errno::EPERM, Errno::EACCES
+        next
+      end
+
+      break if secure_boot_status
+    end
+
+    setup_mode_status = false
+    if secure_boot_status
+      Dir.glob('/sys/firmware/efi/efivars/SetupMode-*').each do | file |
+        begin
+          File.open(file, 'r') do | hexcode |
+            # skip leading status codes
+            hexcode.read(4)
+            code = hexcode.read()
+            # If we didn't get any data, unpacking will fail
+            setup_mode_status = (0 == code.unpack('H*').first.to_i) if code
+          end
+        rescue Errno::EPERM, Errno::EACCES
+          next
+        end
+
+        break if setup_mode_status
+      end
+    end
+
+    secure_boot_status & setup_mode_status
+  end
+end
diff --git a/spec/unit/facter/simplib__secure_boot_enabled.rb b/spec/unit/facter/simplib__secure_boot_enabled.rb
@@ -0,0 +1,103 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe 'simplib__secure_boot_enabled' do
+  before :each do
+    Facter.clear
+    Facter.stubs(:value).with(:kernel).returns('Linux')
+  end
+
+  context 'without SecureBoot files in /sys/firmware/efi/efivars' do
+    it do
+      Dir.stubs(:glob).with('/sys/firmware/efi/efivars/SecureBoot-*').returns([])
+
+      expect(Facter.fact('simplib__secure_boot_enabled').value).to match(false)
+    end
+  end
+
+  context 'with a SecureBoot file in /sys/firmware/efi/efivars' do
+    before :each do
+      @sb_tempfile = Tempfile.new('simplib__secure_boot_enabled')
+      @sm_tempfile = Tempfile.new('simplib__secure_boot_enabled')
+
+      Dir.stubs(:glob).with('/sys/firmware/efi/efivars/SecureBoot-*').returns([@sb_tempfile.path])
+      Dir.stubs(:glob).with('/sys/firmware/efi/efivars/SetupMode-*').returns([@sm_tempfile.path])
+    end
+
+    after :each do
+      File.unlink(@sb_tempfile) if File.exist?(@sb_tempfile)
+      File.unlink(@sm_tempfile) if File.exist?(@sm_tempfile)
+    end
+
+    context 'with SecureBoot enabled' do
+      before :each do
+        File.open(@sb_tempfile, 'wb') do |fh|
+          fh.write('1234')
+          fh.write([1].pack('C'))
+        end
+      end
+
+      context 'with SetupMode disabled' do
+        before :each do
+          File.open(@sm_tempfile, 'w') do |fh|
+            fh.write('1234')
+            fh.write([0].pack('C'))
+          end
+        end
+
+        it do
+          expect(Facter.fact('simplib__secure_boot_enabled').value).to match(true)
+        end
+      end
+
+      context 'with SetupMode enabled' do
+        before :each do
+          File.open(@sm_tempfile, 'w') do |fh|
+            fh.write('1234')
+            fh.write([1].pack('C'))
+          end
+        end
+
+        it do
+          expect(Facter.fact('simplib__secure_boot_enabled').value).to match(false)
+        end
+      end
+    end
+
+    context 'with SecureBoot disabled' do
+      before :each do
+        File.open(@sb_tempfile, 'w') do |fh|
+          fh.write('1234')
+          fh.write([0].pack('C'))
+        end
+      end
+
+      context 'with SetupMode disabled' do
+        before :each do
+          File.open(@sm_tempfile, 'w') do |fh|
+            fh.write('1234')
+            fh.write([0].pack('C'))
+          end
+        end
+
+        it do
+          expect(Facter.fact('simplib__secure_boot_enabled').value).to match(false)
+        end
+      end
+
+      context 'with SetupMode enabled' do
+        before :each do
+          File.open(@sm_tempfile, 'w') do |fh|
+            fh.write('1234')
+            fh.write([1].pack('C'))
+          end
+        end
+
+        it do
+          expect(Facter.fact('simplib__secure_boot_enabled').value).to match(false)
+        end
+      end
+    end
+  end
+end
