From: Nathan Chancellor <natechancellor@gmail.com>
To: Ard Biesheuvel <ardb@kernel.org>
Cc: Lenny Szubowicz <lszubowi@redhat.com>,
	Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
	linux-efi <linux-efi@vger.kernel.org>,
	platform-driver-x86@vger.kernel.org,
	linux-security-module@vger.kernel.org, andy.shevchenko@gmail.com,
	James Morris <jmorris@namei.org>,
	serge@hallyn.com, Kees Cook <keescook@chromium.org>,
	Mimi Zohar <zohar@linux.ibm.com>, Borislav Petkov <bp@alien8.de>,
	Peter Jones <pjones@redhat.com>,
	David Howells <dhowells@redhat.com>,
	prarit@redhat.com
Subject: Re: [PATCH V2 1/3] efi: Support for MOK variable config table
Date: Thu, 1 Oct 2020 14:07:16 -0700
Message-ID: <20201001210716.GA3767489@ubuntu-m3-large-x86>
In-Reply-To: <CAMj1kXFoCsO3YqvTZx4nU4mQOhoux1iS1vsa73AZhtc5Y8j59Q@mail.gmail.com>

On Thu, Oct 01, 2020 at 10:57:07PM +0200, Ard Biesheuvel wrote:
> On Thu, 1 Oct 2020 at 19:44, Nathan Chancellor <natechancellor@gmail.com> wrote:
> >
> > On Fri, Sep 04, 2020 at 09:31:05PM -0400, Lenny Szubowicz wrote:
> > > Because of system-specific EFI firmware limitations, EFI volatile
> > > variables may not be capable of holding the required contents of
> > > the Machine Owner Key (MOK) certificate store when the certificate
> > > list grows above some size. Therefore, an EFI boot loader may pass
> > > the MOK certs via an EFI configuration table created specifically for
> > > this purpose to avoid this firmware limitation.
> > >
> > > An EFI configuration table is a much more primitive mechanism
> > > compared to EFI variables and is well suited for one-way passage
> > > of static information from a pre-OS environment to the kernel.
> > >
> > > This patch adds initial kernel support to recognize, parse,
> > > and validate the EFI MOK configuration table, where named
> > > entries contain the same data that would otherwise be provided
> > > in similarly named EFI variables.
> > >
> > > Additionally, this patch creates a sysfs binary file for each
> > > EFI MOK configuration table entry found. These files are read-only
> > > to root and are provided for use by user space utilities such as
> > > mokutil.
> > >
> > > A subsequent patch will load MOK certs into the trusted platform
> > > key ring using this infrastructure.
> > >
> > > Signed-off-by: Lenny Szubowicz <lszubowi@redhat.com>
> >
> > I have not seen this reported yet but this breaks arm allyesconfig and
> > allmodconfig when CPU_LITTLE_ENDIAN is force selected (because CONFIG_EFI
> > will actually be enabled):
> >
> > $ cat le.config
> > CONFIG_CPU_BIG_ENDIAN=n
> >
> > $ make -skj"$(nproc)" ARCH=arm CROSS_COMPILE=arm-linux-gnueabi- KCONFIG_ALLCONFIG=le.config allyesconfig drivers/firmware/efi/mokvar-table.o
> > drivers/firmware/efi/mokvar-table.c: In function 'efi_mokvar_table_init':
> > drivers/firmware/efi/mokvar-table.c:139:5: error: implicit declaration of function 'early_memunmap' [-Werror=implicit-function-declaration]
> >   139 |     early_memunmap(va, map_size);
> >       |     ^~~~~~~~~~~~~~
> > drivers/firmware/efi/mokvar-table.c:148:9: error: implicit declaration of function 'early_memremap' [-Werror=implicit-function-declaration]
> >   148 |    va = early_memremap(efi.mokvar_table, map_size);
> >       |         ^~~~~~~~~~~~~~
> > drivers/firmware/efi/mokvar-table.c:148:7: warning: assignment to 'void *' from 'int' makes pointer from integer without a cast [-Wint-conversion]
> >   148 |    va = early_memremap(efi.mokvar_table, map_size);
> >       |       ^
> > cc1: some warnings being treated as errors
> > make[4]: *** [scripts/Makefile.build:283: drivers/firmware/efi/mokvar-table.o] Error 1
> >
> > Cheers,
> > Nathan
> 
> Hi Nathan,
> 
> Does adding
> 
> #include <asm/early_ioremap.h>
> 
> to drivers/firmware/efi/mokvar-table.c fix the issue?

Indeed, that was much simpler than I thought it would be... If you send
or apply a patch, feel free to add:

Tested-by: Nathan Chancellor <natechancellor@gmail.com>

Cheers,
Nathan
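The commit message quoted above describes the kernel recognizing, parsing and validating the named entries of the EFI MOK configuration table, data handed over by the boot loader that must be bounds-checked before it is trusted. The following is an added example, not the kernel's mokvar-table.c and not code from anyone in this thread: a walker over a constructed table that refuses to read past the mapped region, with the entry layout (256-byte NUL-terminated name, 64-bit little-endian payload size, payload, list ended by an empty name), the function names and the "ExampleVarRT" entry all being assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Assumed entry layout (hypothetical, not taken from the thread): a NUL-terminated
 * name in a 256-byte field, a 64-bit LE payload size, the payload; empty name ends it. */
#define NAME_LEN 256
#define HDR_LEN  (NAME_LEN + sizeof(uint64_t))
/* Walk the table without reading past `size` (the mapped region). Returns the
 * number of named entries, or -1 if the table is truncated or malformed. */
int mokvar_table_validate(const uint8_t *buf, size_t size)
{
    size_t off = 0; int count = 0;      /* invariant: off <= size */
    for (;;) {
        uint64_t data_size;
        if (size - off < HDR_LEN)       /* name + size field must fit */
            return -1;
        if (buf[off] == '\0')           /* terminator entry: done */
            return count;
        if (memchr(buf + off, '\0', NAME_LEN) == NULL)
            return -1;                  /* name is not NUL-terminated */
        memcpy(&data_size, buf + off + NAME_LEN, sizeof(data_size));
        off += HDR_LEN;
        if (data_size > size - off)     /* payload would run past the end */
            return -1;
        off += (size_t)data_size;
        count++;
    }
}

/* Append one constructed entry at `off` and return the new offset (test data). */
static size_t put_entry(uint8_t *t, size_t off, const char *name, uint64_t len)
{
    memset(t + off, 0, HDR_LEN);
    strcpy((char *)t + off, name);
    memcpy(t + off + NAME_LEN, &len, sizeof(len));
    memset(t + off + HDR_LEN, 0xAB, (size_t)len);   /* dummy cert bytes */
    return off + HDR_LEN + (size_t)len;
}
/* mode 0: well-formed table with two entries; mode 1: region cut short before the
 * terminator; mode 2: first entry claims a payload far larger than the region. */
int demo_mokvar(int mode)
{
    static uint8_t tbl[3 * HDR_LEN + 64];
    size_t end = put_entry(tbl, 0, "MokListRT", 40);
    end = put_entry(tbl, end, "ExampleVarRT", 8);
    memset(tbl + end, 0, HDR_LEN); end += HDR_LEN;   /* terminator entry */
    if (mode == 2)
        memset(tbl + NAME_LEN, 0xFF, sizeof(uint64_t)); /* size = UINT64_MAX */
    return mokvar_table_validate(tbl, mode == 1 ? end - HDR_LEN - 3 : end);
}
```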
