
Add machine.secureboot resource for Linux Secure Boot status#7088

Merged
tas50 merged 2 commits into main from feat/machine-secureboot
Apr 2, 2026

@tas50 tas50 commented Apr 2, 2026

Summary

  • Adds a new machine.secureboot resource to the OS provider that reads UEFI Secure Boot status from Linux EFI variables (/sys/firmware/efi/efivars/)
  • Exposes three computed fields: efi (UEFI boot mode), enabled (Secure Boot active), setupMode (keys modifiable without authentication)
  • Uses double-checked locking to batch-load all fields from a single filesystem read, with graceful fallback for non-EFI systems

Usage

machine.secureboot.enabled
// => true

machine.secureboot { efi enabled setupMode }
// => { efi: true, enabled: true, setupMode: false }

Test plan

  • Unit tests for readEfiVarBool covering enabled, disabled, missing, and truncated variable files
  • Interactive test on a Linux EFI system: mql run local -c "machine.secureboot { * }"
  • Verify graceful behavior on non-EFI (BIOS) systems: all fields return false
  • Verify behavior on macOS/container connections where /sys/firmware/efi doesn't exist

🤖 Generated with Claude Code
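
The efivarfs read that the summary above describes, as an added Go example that is not the PR's or the project's code. The names `Status`, `efiVarBool` and `ReadStatus` are hypothetical, the variable file names use the standard EFI global-variable GUID, and treating a truncated file as an error is this example's assumption.

```go
package main

import (
	"errors"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
)

// EFI global variable GUID from the UEFI spec; SecureBoot and SetupMode use it.
const efiGlobalGUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"

// Status mirrors the three fields named in the PR description.
type Status struct{ EFI, Enabled, SetupMode bool }

// efiVarBool (hypothetical helper) parses one efivarfs file: 4 attribute bytes,
// then the data, which for these variables is a single byte (1 = true).
// Missing means false. Truncated is an error (assumption of this example):
// a silent false for SetupMode would hide the insecure state.
func efiVarBool(path string) (bool, error) {
	b, err := os.ReadFile(path)
	switch {
	case errors.Is(err, fs.ErrNotExist):
		return false, nil
	case err != nil:
		return false, err
	case len(b) < 5:
		return false, fmt.Errorf("%s: truncated (%d bytes)", filepath.Base(path), len(b))
	}
	return b[4] == 1, nil
}

// ReadStatus takes the EFI directory as a parameter (live host: "/sys/firmware/efi").
func ReadStatus(efiDir string) (Status, error) {
	var s Status
	if _, err := os.Stat(efiDir); err != nil {
		return s, nil // BIOS boot, macOS, container: every field stays false
	}
	s.EFI = true
	vars := filepath.Join(efiDir, "efivars")
	var err error
	if s.Enabled, err = efiVarBool(filepath.Join(vars, "SecureBoot-"+efiGlobalGUID)); err != nil {
		return s, err
	}
	s.SetupMode, err = efiVarBool(filepath.Join(vars, "SetupMode-"+efiGlobalGUID))
	return s, err
}

func main() { fmt.Println(ReadStatus("/sys/firmware/efi")) }
```

Passing the directory in lets the same function be exercised against a constructed tree on hosts that have no `/sys/firmware/efi`.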


@mondoo-code-review mondoo-code-review bot left a comment


New machine.secureboot resource for querying Linux Secure Boot status via EFI variables


@mondoo-code-review mondoo-code-review bot left a comment


New machine.secureboot resource for querying Linux Secure Boot status works correctly.


github-actions bot commented Apr 2, 2026

Test Results

5 779 tests  +5   5 775 ✅ +5   2m 7s ⏱️ -17s
  433 suites ±0       4 💤 ±0 
   34 files   ±0       0 ❌ ±0 

Results for commit 421faf0. ± Comparison against base commit f3d35f7.

tas50 and others added 2 commits April 2, 2026 09:52
Adds a new machine.secureboot resource to the OS provider that reads
Secure Boot status from Linux EFI variables (/sys/firmware/efi/efivars/).
Exposes three fields: efi (UEFI boot mode), enabled (Secure Boot active),
and setupMode (keys modifiable without authentication).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

- Replace double-checked locking with sync.Once for race-free fetching
- Revert unintentional copyright header change in os.lr.versions
- Add "efi" and "secureboot" to spell-check expect.txt

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
tas50 force-pushed the feat/machine-secureboot branch from 421faf0 to 02c198b April 2, 2026 16:53
tas50 merged commit 3681b07 into main Apr 2, 2026
19 checks passed
tas50 deleted the feat/machine-secureboot branch April 2, 2026 16:53
github-actions bot locked and limited conversation to collaborators Apr 2, 2026