tests/kola: Add lockdown LSM test

See: https://bugzilla.redhat.com/show_bug.cgi?id=2333706

co-authored by: Bipin B Narayan <[email protected]>

Needs: coreos/coreos-assembler#4112

Author: travier

tests/kola/security/data/commonlib.sh

@@ -0,0 +1 @@
+../../data/commonlib.sh

tests/kola/security/lockdown

@@ -0,0 +1,26 @@
+#!/bin/bash
+## kola:
+##   exclusive: false
+##   tags: needs-secureboot
+##   architectures: x86_64 aarch64
+##   description: Verify that the lockdown LSM is set to integrity when booted using Secure Boot
+#
+# See https://bugzilla.redhat.com/show_bug.cgi?id=2333706
+
+set -xeuo pipefail
+
+. $KOLA_EXT_DATA/commonlib.sh
+
+lockdown_state="$(cat "/sys/kernel/security/lockdown")"
+
+if [[ "$(mokutil --sb)" == "SecureBoot enabled" ]]; then
+    if [[ "${lockdown_state}" == "none [integrity] confidentiality" ]]; then
+        ok "lockdown LSM set to integrity on a Secure Boot system"
+    else
+        fatal "lockdown LSM not set to integrity on a Secure Boot system"
+    fi
+else
+    fatal "system is not running with secure boot enabled"
+fi
+
+exit 1

tests/kola/security/lockdown_no_sb

@@ -0,0 +1,23 @@
+#!/bin/bash
+## kola:
+##   exclusive: false
+##   architectures: x86_64 aarch64
+##   description: Verify that the lockdown LSM is set to integrity when booted using Secure Boot
+#
+# See https://bugzilla.redhat.com/show_bug.cgi?id=2333706
+
+set -xeuo pipefail
+
+. $KOLA_EXT_DATA/commonlib.sh
+
+lockdown_state="$(cat "/sys/kernel/security/lockdown")"
+
+if [[ "$(mokutil --sb)" != "SecureBoot enabled" ]]; then
+    if [[ "${lockdown_state}" == "[none] integrity confidentiality" ]]; then
+        ok "lockdown LSM set to none on a non Secure Boot system"
+    else
+        fatal "lockdown LSM not set to none on a non Secure Boot system"
+    fi
+else
+  fatal "system is running with secure boot enabled"
+fi