From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.9 required=3.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_PATCH,MAILING_LIST_MULTI, SIGNED_OFF_BY,SPF_HELO_NONE,SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id D800DC33FA1 for ; Mon, 17 Feb 2020 13:38:10 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id A6B802070B for ; Mon, 17 Feb 2020 13:38:10 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=linaro.org header.i=@linaro.org header.b="m9Ib4xAI" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727513AbgBQNiJ (ORCPT ); Mon, 17 Feb 2020 08:38:09 -0500 Received: from mail-wr1-f65.google.com ([209.85.221.65]:44816 "EHLO mail-wr1-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726779AbgBQNiJ (ORCPT ); Mon, 17 Feb 2020 08:38:09 -0500 Received: by mail-wr1-f65.google.com with SMTP id m16so19736968wrx.11 for ; Mon, 17 Feb 2020 05:38:06 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=nDiRsEAIhvUGr0lYuEJebsL5PJq7c20YrBjsG0G5asE=; b=m9Ib4xAIBqaXvlSAko9uT/dWqaqwCVRkGpAodBbksRx3pH28oU8qRSFzow5t4iDqZq 9V9bL9GnITj1pRVR8K3xRsdlCcCvPq80SAnT8nt6B9If3bxb6W4H/xKmfy5Tvrerc1In YTRPyZI/KB1ZLd3VJvDaQxqLZzZhrTf1le7HuQCP19qI0myl2EJzGGF5mPI+hjB8GD/+ 6nG4OtQ4vdUG/Fe0lRcKlSBGRZEdyqQJArih/bfqU91tPSxgywfrYCLKR8jggkmlIx3j xuYmlr3zYjlbPK8p0+EKn/zTRj9yckxcIX5Mmr0VY+8moVN/EL3z7w+It7Ra3dvD1z56 pCew== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=nDiRsEAIhvUGr0lYuEJebsL5PJq7c20YrBjsG0G5asE=; b=UTqo5bpjV5AJluxV7kykRon3zDyNz7PrJamRE9Lv0hmR/Nm3TNndsJO9N7fBVnkB0b OS23vBa8m7VRLUgeE9ufc1ZYnXhGhbN1Brn7TdPkSAaivBGMUaViF/PtvcFsxuNL872f 9+bHnetxzDlLqnAs/FJZfuwBYZ9HkZLdAbrX09pSWthHGe9xF5fgR92UFU/YuaQv6xp1 BRbbsnh0JvtpFHY7hC381RjdHo71dH/uZ9BtRmGk4eKASzNNej4PjpxDAEDdsFTGOASt oVVqCNzwLvTuZnWVgaY0ByJElcV7wo1dOGN+kgUOEDjQxGESop+rc6kDnn70c8D2cHAw 9kLA== X-Gm-Message-State: APjAAAWB7K/Wag/cC3UNpKFgF3casjrPoTQ+tDf8Pt3xJzNdZx6EnTE4 iuuZdwLTc+DbzJGAPP2yBezgFUZ2OpXBqxUt4cmhnQ== X-Google-Smtp-Source: APXvYqwOUBucYswqUNyMIHc1aiTamfVBZWGT+dn/rwRaci4zG+s/D1nwmO/6x5V/pkNlnsTqLUeNB8BucEtyklRsh1I= X-Received: by 2002:adf:8564:: with SMTP id 91mr22934838wrh.252.1581946685893; Mon, 17 Feb 2020 05:38:05 -0800 (PST) MIME-Version: 1.0 References: <20200217113947.2070436-1-javierm@redhat.com> In-Reply-To: <20200217113947.2070436-1-javierm@redhat.com> From: Ard Biesheuvel Date: Mon, 17 Feb 2020 14:37:54 +0100 Message-ID: Subject: Re: [RESEND PATCH v2] efi: Only print errors about failing to get certs if EFI vars are found To: Javier Martinez Canillas Cc: Linux Kernel Mailing List , linux-efi , Hans de Goede , Eric Richter , James Morris , Michael Ellerman , Mimi Zohar , Nayna Jain , "Serge E. Hallyn" , YueHaibing , linux-security-module Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, 17 Feb 2020 at 12:40, Javier Martinez Canillas wrote: > > If CONFIG_LOAD_UEFI_KEYS is enabled, the kernel attempts to load the certs > from the db, dbx and MokListRT EFI variables into the appropriate keyrings. > > But it just assumes that the variables will be present and prints an error > if the certs can't be loaded, even when is possible that the variables may > not exist. For example the MokListRT variable will only be present if shim > is used. > > So only print an error message about failing to get the certs list from an > EFI variable if this is found. Otherwise these printed errors just pollute > the kernel log ring buffer with confusing messages like the following: > > [ 5.427251] Couldn't get size: 0x800000000000000e > [ 5.427261] MODSIGN: Couldn't get UEFI db list > [ 5.428012] Couldn't get size: 0x800000000000000e > [ 5.428023] Couldn't get UEFI MokListRT > > Reported-by: Hans de Goede > Signed-off-by: Javier Martinez Canillas > Tested-by: Hans de Goede Acked-by: Ard Biesheuvel > > --- > > Changes in v2: > - Fix flaws in the logic, that caused the signature list was parsed if > the return code was EFI_NOT_FOUND that pointed out Hans de Goede. > - Print debug messages if the variables are not found. > > security/integrity/platform_certs/load_uefi.c | 40 ++++++++++++------- > 1 file changed, 26 insertions(+), 14 deletions(-) > > diff --git a/security/integrity/platform_certs/load_uefi.c b/security/integrity/platform_certs/load_uefi.c > index 111898aad56..f0c90824196 100644 > --- a/security/integrity/platform_certs/load_uefi.c > +++ b/security/integrity/platform_certs/load_uefi.c > @@ -35,16 +35,18 @@ static __init bool uefi_check_ignore_db(void) > * Get a certificate list blob from the named EFI variable. > */ > static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid, > - unsigned long *size) > + unsigned long *size, efi_status_t *status) > { > - efi_status_t status; > unsigned long lsize = 4; > unsigned long tmpdb[4]; > void *db; > > - status = efi.get_variable(name, guid, NULL, &lsize, &tmpdb); > - if (status != EFI_BUFFER_TOO_SMALL) { > - pr_err("Couldn't get size: 0x%lx\n", status); > + *status = efi.get_variable(name, guid, NULL, &lsize, &tmpdb); > + if (*status == EFI_NOT_FOUND) > + return NULL; > + > + if (*status != EFI_BUFFER_TOO_SMALL) { > + pr_err("Couldn't get size: 0x%lx\n", *status); > return NULL; > } > > @@ -52,10 +54,10 @@ static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid, > if (!db) > return NULL; > > - status = efi.get_variable(name, guid, NULL, &lsize, db); > - if (status != EFI_SUCCESS) { > + *status = efi.get_variable(name, guid, NULL, &lsize, db); > + if (*status != EFI_SUCCESS) { > kfree(db); > - pr_err("Error reading db var: 0x%lx\n", status); > + pr_err("Error reading db var: 0x%lx\n", *status); > return NULL; > } > > @@ -74,6 +76,7 @@ static int __init load_uefi_certs(void) > efi_guid_t mok_var = EFI_SHIM_LOCK_GUID; > void *db = NULL, *dbx = NULL, *mok = NULL; > unsigned long dbsize = 0, dbxsize = 0, moksize = 0; > + efi_status_t status; > int rc = 0; > > if (!efi.get_variable) > @@ -83,9 +86,12 @@ static int __init load_uefi_certs(void) > * an error if we can't get them. > */ > if (!uefi_check_ignore_db()) { > - db = get_cert_list(L"db", &secure_var, &dbsize); > + db = get_cert_list(L"db", &secure_var, &dbsize, &status); > if (!db) { > - pr_err("MODSIGN: Couldn't get UEFI db list\n"); > + if (status == EFI_NOT_FOUND) > + pr_debug("MODSIGN: db variable wasn't found\n"); > + else > + pr_err("MODSIGN: Couldn't get UEFI db list\n"); > } else { > rc = parse_efi_signature_list("UEFI:db", > db, dbsize, get_handler_for_db); > @@ -96,9 +102,12 @@ static int __init load_uefi_certs(void) > } > } > > - mok = get_cert_list(L"MokListRT", &mok_var, &moksize); > + mok = get_cert_list(L"MokListRT", &mok_var, &moksize, &status); > if (!mok) { > - pr_info("Couldn't get UEFI MokListRT\n"); > + if (status == EFI_NOT_FOUND) > + pr_debug("MokListRT variable wasn't found\n"); > + else > + pr_info("Couldn't get UEFI MokListRT\n"); > } else { > rc = parse_efi_signature_list("UEFI:MokListRT", > mok, moksize, get_handler_for_db); > @@ -107,9 +116,12 @@ static int __init load_uefi_certs(void) > kfree(mok); > } > > - dbx = get_cert_list(L"dbx", &secure_var, &dbxsize); > + dbx = get_cert_list(L"dbx", &secure_var, &dbxsize, &status); > if (!dbx) { > - pr_info("Couldn't get UEFI dbx list\n"); > + if (status == EFI_NOT_FOUND) > + pr_debug("dbx variable wasn't found\n"); > + else > + pr_info("Couldn't get UEFI dbx list\n"); > } else { > rc = parse_efi_signature_list("UEFI:dbx", > dbx, dbxsize, > -- > 2.24.1 >