From: Eric Snowberg <eric.snowberg@oracle.com>
To: Dimitri John Ledkov <dimitri.ledkov@canonical.com>
Cc: "David Howells" <dhowells@redhat.com>,
"James Bottomley" <James.Bottomley@HansenPartnership.com>,
"Jarkko Sakkinen" <jarkko@kernel.org>,
"Mickaël Salaün" <mic@digikod.net>,
keyrings@vger.kernel.org, linux-security-module@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH 4/4] integrity: Load mokx variables into the blacklist keyring
Date: Fri, 12 Mar 2021 14:49:05 -0700 [thread overview]
Message-ID: <92182F5F-327E-4F1D-A7D9-42355625C84C@oracle.com> (raw)
In-Reply-To: <4b275a33-28ac-78c2-e075-ea2eda4f13a8@canonical.com>
> On Mar 12, 2021, at 11:39 AM, Dimitri John Ledkov <dimitri.ledkov@canonical.com> wrote:
>
> On 25/02/2021 20:59, David Howells wrote:
>> From: Eric Snowberg <eric.snowberg@oracle.com>
>>
>> During boot the Secure Boot Forbidden Signature Database, dbx,
>> is loaded into the blacklist keyring. Systems booted with shim
>> have an equivalent Forbidden Signature Database called mokx.
>> Currently mokx is only used by shim and grub, the contents are
>> ignored by the kernel.
>>
>> Add the ability to load mokx into the blacklist keyring during boot.
>>
>> Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
>> Suggested-by: James Bottomley <James.Bottomley@HansenPartnership.com>
>> Signed-off-by: David Howells <dhowells@redhat.com>
>> cc: Jarkko Sakkinen <jarkko@kernel.org>
>> Link: https://lore.kernel.org/r/20210122181054.32635-5-eric.snowberg@oracle.com/ # v5
>> Link: https://lore.kernel.org/r/c33c8e3839a41e9654f41cc92c7231104931b1d7.camel@HansenPartnership.com/
>> ---
>>
>> security/integrity/platform_certs/load_uefi.c | 20 ++++++++++++++++++--
>> 1 file changed, 18 insertions(+), 2 deletions(-)
>>
>> diff --git a/security/integrity/platform_certs/load_uefi.c b/security/integrity/platform_certs/load_uefi.c
>> index ee4b4c666854..f290f78c3f30 100644
>> --- a/security/integrity/platform_certs/load_uefi.c
>> +++ b/security/integrity/platform_certs/load_uefi.c
>> @@ -132,8 +132,9 @@ static int __init load_moklist_certs(void)
>> static int __init load_uefi_certs(void)
>> {
>> efi_guid_t secure_var = EFI_IMAGE_SECURITY_DATABASE_GUID;
>> - void *db = NULL, *dbx = NULL;
>> - unsigned long dbsize = 0, dbxsize = 0;
>> + efi_guid_t mok_var = EFI_SHIM_LOCK_GUID;
>> + void *db = NULL, *dbx = NULL, *mokx = NULL;
>> + unsigned long dbsize = 0, dbxsize = 0, mokxsize = 0;
>> efi_status_t status;
>> int rc = 0;
>>
>> @@ -175,6 +176,21 @@ static int __init load_uefi_certs(void)
>> kfree(dbx);
>> }
>>
>> + mokx = get_cert_list(L"MokListXRT", &mok_var, &mokxsize, &status);
>> + if (!mokx) {
>> + if (status == EFI_NOT_FOUND)
>> + pr_debug("mokx variable wasn't found\n");
>> + else
>> + pr_info("Couldn't get mokx list\n");
>> + } else {
>> + rc = parse_efi_signature_list("UEFI:MokListXRT",
>> + mokx, mokxsize,
>> + get_handler_for_dbx);
>> + if (rc)
>> + pr_err("Couldn't parse mokx signatures %d\n", rc);
>> + kfree(mokx);
>> + }
>> +
>
>
> My preference would be if the above hunk was moved into the
> load_moklist_certs() function which is called just below. Such that
> loading of MokListRT & MOkListXRT are done next to each other.
>
> And also implement loading the same way it is done for MokListRT -
> specifically via the EFI MOKvar config table & then via a variable.
>
> See 726bd8965a5f112d9601f7ce68effa1e46e02bf2 otherwise large MokListXRT
> will fail to parse.
Is this support available from shim now? Previously I thought only
MOK could be loaded from the config table, not MOKx.
next prev parent reply other threads:[~2021-03-12 21:52 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-02-25 20:58 [PATCH 0/4] keys: Add EFI_CERT_X509_GUID support for dbx/mokx entries David Howells
2021-02-25 20:58 ` [PATCH 1/4] certs: Add EFI_CERT_X509_GUID support for dbx entries David Howells
2021-02-25 20:58 ` [PATCH 2/4] certs: Move load_system_certificate_list to a common function David Howells
2021-02-25 20:58 ` [PATCH 3/4] certs: Add ability to preload revocation certs David Howells
2021-03-03 18:11 ` Nathan Chancellor
2021-02-25 20:59 ` [PATCH 4/4] integrity: Load mokx variables into the blacklist keyring David Howells
2021-03-12 18:39 ` Dimitri John Ledkov
2021-03-12 21:49 ` Eric Snowberg [this message]
2021-03-12 23:53 ` Dimitri John Ledkov
2021-03-13 2:36 ` Eric Snowberg
2021-03-13 8:13 ` David Howells
2021-03-13 14:40 ` Eric Snowberg
2021-05-05 10:00 ` Dimitri John Ledkov
2021-03-13 20:27 ` David Howells
2021-02-26 2:50 ` [PATCH 0/4] keys: Add EFI_CERT_X509_GUID support for dbx/mokx entries Eric Snowberg
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=92182F5F-327E-4F1D-A7D9-42355625C84C@oracle.com \
--to=eric.snowberg@oracle.com \
--cc=James.Bottomley@HansenPartnership.com \
--cc=dhowells@redhat.com \
--cc=dimitri.ledkov@canonical.com \
--cc=jarkko@kernel.org \
--cc=keyrings@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mic@digikod.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).