Add kernel lockdown utility functions to linux.py

maramsmurthy · maramsmurthy · commit 95da8b794691 · 2026-05-18T19:26:53.000+05:30
This commit adds three new utility functions to avocado.utils.linux for
managing kernel lockdown security feature:

1. is_kernel_lockdown_enabled(): Check current lockdown state
   - Returns tuple of (mode, is_enabled)
   - Supports none, integrity, and confidentiality modes
   - Handles cases where lockdown feature is unavailable

2. enable_kernel_lockdown_integrity(): Enable integrity mode
   - Prevents kernel modification
   - Verifies mode change via sysfs
   - Validates dmesg for lockdown message

3. enable_kernel_lockdown_confidentiality(): Enable confidentiality mode
   - Most restrictive mode (prevents modification and data exposure)
   - Verifies mode change via sysfs
   - Validates dmesg for lockdown message

All functions follow PEP 8 standards and include comprehensive docstrings.
Lockdown mode transitions are one-way at runtime and require reboot to
downgrade.

Signed-off-by: Maram Srimannarayana Murthy &lt;msmurthy@linux.vnet.ibm.com&gt;
diff --git a/avocado/utils/linux.py b/avocado/utils/linux.py
@@ -25,7 +25,7 @@
 
 import os
 
-from avocado.utils import genio, process
+from avocado.utils import dmesg, genio, process
 
 
 class UnsupportedMachineError(Exception):
@@ -94,7 +94,9 @@ def is_os_secureboot_enabled():
             if "00000002" in line:
                 return True
     except FileNotFoundError as exc:
-        raise UnsupportedMachineError("lsprop not a supported command") from exc
+        raise UnsupportedMachineError(
+            "lsprop not a supported command"
+        ) from exc
     return False
 
 
@@ -117,3 +119,124 @@ def enable_sched_schedstats():
     if is_sched_schedstats_enabled():
         return True
     return False
+
+
+def is_kernel_lockdown_enabled():
+    """
+    Check the current kernel lockdown state.
+
+    The kernel lockdown feature restricts certain kernel functionalities
+    to protect the system from unauthorized access or modification.
+
+    Lockdown modes:
+    - none: Lockdown disabled
+    - integrity: Prevents kernel modification
+    - confidentiality: Prevents modification and data exposure
+
+    :return: Tuple of (mode_string, is_enabled_boolean)
+             Returns ("none", False) if lockdown is disabled
+             Returns ("integrity", True) if integrity mode is enabled
+             Returns ("confidentiality", True) if confidentiality mode
+             is enabled
+             Returns (None, False) if lockdown feature is not available
+    :rtype: tuple(str, bool)
+    """
+    lockdown_path = "/sys/kernel/security/lockdown"
+    try:
+        lockdown_status = genio.read_one_line(lockdown_path).strip()
+        for mode in ["none", "integrity", "confidentiality"]:
+            if f"[{mode}]" in lockdown_status:
+                is_enabled = mode != "none"
+                return (mode, is_enabled)
+        return ("none", False)
+    except FileNotFoundError:
+        return (None, False)
+    except PermissionError:
+        return (None, False)
+
+
+def enable_kernel_lockdown_integrity():
+    """
+    Enable kernel lockdown in integrity mode.
+
+    Integrity mode prevents kernel modification but allows reading
+    kernel data. This mode can be enabled from 'none' state or is
+    already active if in 'integrity' or 'confidentiality' mode.
+
+    Note: Lockdown mode transitions are one-way at runtime:
+    - none → integrity (allowed)
+    - none → confidentiality (allowed)
+    - integrity → confidentiality (allowed)
+    - Cannot downgrade without reboot
+
+    Expected dmesg output when enabled:
+    "Kernel is locked down from securityfs; see man kernel_lockdown.7"
+
+    :return: True if integrity mode is enabled successfully or already
+             enabled, False otherwise
+    :rtype: bool
+    """
+    lockdown_path = "/sys/kernel/security/lockdown"
+    current_mode, _ = is_kernel_lockdown_enabled()
+
+    if current_mode is None:
+        return False
+
+    if current_mode in ["integrity", "confidentiality"]:
+        return True
+
+    try:
+        genio.write_one_line(lockdown_path, "integrity")
+        new_mode, _ = is_kernel_lockdown_enabled()
+        if new_mode in ["integrity", "confidentiality"]:
+            expected_msg = "Kernel is locked down from securityfs"
+            dmesg_errors = dmesg.collect_errors_dmesg([expected_msg])
+            if not dmesg_errors:
+                return False
+            return True
+        return False
+    except (PermissionError, IOError):
+        return False
+
+
+def enable_kernel_lockdown_confidentiality():
+    """
+    Enable kernel lockdown in confidentiality mode.
+
+    Confidentiality mode prevents both kernel modification and data
+    exposure. This is the most restrictive lockdown mode and can be
+    enabled from any lower mode (none or integrity).
+
+    Note: Lockdown mode transitions are one-way at runtime:
+    - none → confidentiality (allowed)
+    - integrity → confidentiality (allowed)
+    - Cannot downgrade without reboot
+
+    Expected dmesg output when enabled:
+    "Kernel is locked down from securityfs; see man kernel_lockdown.7"
+
+    :return: True if confidentiality mode is enabled successfully or
+             already enabled, False otherwise
+    :rtype: bool
+    """
+    lockdown_path = "/sys/kernel/security/lockdown"
+    current_mode, _ = is_kernel_lockdown_enabled()
+
+    if current_mode is None:
+        return False
+
+    if current_mode == "confidentiality":
+        return True
+
+    try:
+        genio.write_one_line(lockdown_path, "confidentiality")
+        new_mode, _ = is_kernel_lockdown_enabled()
+        if new_mode == "confidentiality":
+            expected_msg = "Kernel is locked down from securityfs"
+            dmesg_errors = dmesg.collect_errors_dmesg([expected_msg])
+            if not dmesg_errors:
+                return False
+            return True
+        return False
+    except (PermissionError, IOError):
+        return False
