From: Mimi Zohar <zohar@linux.ibm.com>
To: "Lee, Chun-Yi" <joeyli.kernel@gmail.com>,
James Morris <jmorris@namei.org>
Cc: Eric Snowberg <eric.snowberg@oracle.com>,
David Howells <dhowells@redhat.com>,
linux-security-module@vger.kernel.org,
linux-kernel@vger.kernel.org, "Lee, Chun-Yi" <jlee@suse.com>,
Petr Vorel <pvorel@suse.cz>
Subject: Re: [PATCH] integrity: Do not load MOK and MOKx when secure boot be disabled
Date: Tue, 21 Dec 2021 07:56:04 -0500 [thread overview]
Message-ID: <15ff5c8f3a3ffc2929baf3accd5670bb524f2f6f.camel@linux.ibm.com> (raw)
In-Reply-To: <20211218020905.7187-1-jlee@suse.com>
Hi Joey,
On Sat, 2021-12-18 at 10:09 +0800, Lee, Chun-Yi wrote:
> The security of Machine Owner Key (MOK) relies on secure boot. When
> secure boot is disabled, EFI firmware will not verify binary code. Then
> arbitrary efi binary code can modify MOK when rebooting.
>
> This patch prevents MOK/MOKx be loaded when secure boot be disabled.
>
> Signed-off-by: "Lee, Chun-Yi" <jlee@suse.com>
Sorry for the delay in testing this patch. I got the booster Friday
and am still suffering from fever spikes, chills, and headaches. The
kexec selftest might need to be updated as well.
thanks,
Mimi
> ---
> security/integrity/platform_certs/load_uefi.c | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/security/integrity/platform_certs/load_uefi.c b/security/integrity/platform_certs/load_uefi.c
> index f290f78c3f30..08b6d12f99b4 100644
> --- a/security/integrity/platform_certs/load_uefi.c
> +++ b/security/integrity/platform_certs/load_uefi.c
> @@ -6,6 +6,7 @@
> #include <linux/err.h>
> #include <linux/efi.h>
> #include <linux/slab.h>
> +#include <linux/ima.h>
> #include <keys/asymmetric-type.h>
> #include <keys/system_keyring.h>
> #include "../integrity.h"
> @@ -176,6 +177,10 @@ static int __init load_uefi_certs(void)
> kfree(dbx);
> }
>
> + /* the MOK/MOKx can not be trusted when secure boot is disabled */
> + if (!arch_ima_get_secureboot())
> + return 0;
> +
> mokx = get_cert_list(L"MokListXRT", &mok_var, &mokxsize, &status);
> if (!mokx) {
> if (status == EFI_NOT_FOUND)
next prev parent reply other threads:[~2021-12-21 12:56 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-12-18 2:09 [PATCH] integrity: Do not load MOK and MOKx when secure boot be disabled Lee, Chun-Yi
2021-12-21 12:56 ` Mimi Zohar [this message]
2021-12-21 23:28 ` Mimi Zohar
2021-12-23 4:10 ` joeyli
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=15ff5c8f3a3ffc2929baf3accd5670bb524f2f6f.camel@linux.ibm.com \
--to=zohar@linux.ibm.com \
--cc=dhowells@redhat.com \
--cc=eric.snowberg@oracle.com \
--cc=jlee@suse.com \
--cc=jmorris@namei.org \
--cc=joeyli.kernel@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=pvorel@suse.cz \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.