Linux-EFI Archive on lore.kernel.org
 help / color / Atom feed
From: David Howells <dhowells@redhat.com>
To: keyrings@vger.kernel.org
Cc: matthew.garrett@nebula.com, linux-efi@vger.kernel.org,
	linux-kernel@vger.kernel.org, dhowells@redhat.com,
	linux-security-module@vger.kernel.org,
	Josh Boyer <jwboyer@fedoraproject.org>
Subject: [PATCH 03/16] efi: Disable secure boot if shim is in insecure mode
Date: Wed, 16 Nov 2016 21:47:38 +0000
Message-ID: <147933285855.19316.13896885410459473517.stgit@warthog.procyon.org.uk> (raw)
In-Reply-To: <147933283664.19316.12454053022687659937.stgit@warthog.procyon.org.uk>

From: Josh Boyer <jwboyer@fedoraproject.org>

A user can manually tell the shim boot loader to disable validation of
images it loads.  When a user does this, it creates a UEFI variable called
MokSBState that does not have the runtime attribute set.  Given that the
user explicitly disabled validation, we can honor that and not enable
secure boot mode if that variable is set.

Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
Signed-off-by: David Howells <dhowells@redhat.com>
---

 arch/x86/boot/compressed/eboot.c |   20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)

diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c
index 17b376596c96..2729a3844673 100644
--- a/arch/x86/boot/compressed/eboot.c
+++ b/arch/x86/boot/compressed/eboot.c
@@ -540,8 +540,9 @@ static void setup_efi_pci(struct boot_params *params)
 
 static int get_secure_boot(void)
 {
-	u8 sb, setup;
+	u8 sb, setup, moksbstate;
 	unsigned long datasize = sizeof(sb);
+	u32 attr;
 	efi_guid_t var_guid = EFI_GLOBAL_VARIABLE_GUID;
 	efi_status_t status;
 
@@ -565,6 +566,23 @@ static int get_secure_boot(void)
 	if (setup == 1)
 		return 0;
 
+	/* See if a user has put shim into insecure_mode.  If so, and the variable
+	 * doesn't have the runtime attribute set, we might as well honor that.
+	 */
+	var_guid = EFI_SHIM_LOCK_GUID;
+	status = efi_early->call((unsigned long)sys_table->runtime->get_variable,
+				L"MokSBState", &var_guid, &attr, &datasize,
+				&moksbstate);
+
+	/* If it fails, we don't care why.  Default to secure */
+	if (status != EFI_SUCCESS)
+		return 1;
+
+	if (!(attr & EFI_VARIABLE_RUNTIME_ACCESS)) {
+		if (moksbstate == 1)
+			return 0;
+	}
+
 	return 1;
 }
 


  parent reply index

Thread overview: 76+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-11-16 21:47 [PATCH 00/16] Kernel lockdown David Howells
2016-11-16 21:47 ` [PATCH 01/16] Add the ability to lock down access to the running kernel image David Howells
     [not found]   ` <147933284407.19316.17886320817060158597.stgit-S6HVgzuS8uM4Awkfq6JHfwNdhmdF6hFW@public.gmane.org>
2016-11-16 22:20     ` Borislav Petkov
2016-11-16 22:40   ` David Howells
2016-12-25 21:20   ` Pavel Machek
2016-12-25 21:44   ` David Howells
2016-11-16 21:47 ` [PATCH 02/16] efi: Get the secure boot status David Howells
2016-11-17 12:37   ` Lukas Wunner
2016-11-22  0:31     ` [PATCH 2/6] arm/efi: Allow invocation of arbitrary runtime services David Howells
2016-11-22  0:31     ` [PATCH 3/6] efi: Add SHIM and image security database GUID definitions David Howells
2016-11-22  0:32     ` [PATCH 4/6] efi: Get the secure boot status David Howells
2016-11-22 10:44       ` Lukas Wunner
     [not found]         ` <20161122104401.GC1552-JFq808J9C/izQB+pC5nmwQ@public.gmane.org>
2016-11-22 10:49           ` Ard Biesheuvel
2016-11-22 14:52           ` David Howells
     [not found]             ` <25371.1479826321-S6HVgzuS8uM4Awkfq6JHfwNdhmdF6hFW@public.gmane.org>
2016-11-22 20:36               ` Lukas Wunner
2016-11-22 14:47       ` David Howells
2016-11-22 20:30         ` Lukas Wunner
2016-11-23  0:02         ` David Howells
     [not found]       ` <7199.1479826047-S6HVgzuS8uM4Awkfq6JHfwNdhmdF6hFW@public.gmane.org>
2016-11-22 14:57         ` David Howells
2016-11-22  0:32     ` [PATCH 5/6] efi: Disable secure boot if shim is in insecure mode David Howells
2016-11-22 13:03       ` Lukas Wunner
2016-11-22  0:32     ` [PATCH 6/6] efi: Add EFI_SECURE_BOOT bit David Howells
2016-11-22 13:04       ` Lukas Wunner
2016-11-21 11:46   ` [PATCH 02/16] efi: Get the secure boot status David Howells
2016-11-21 19:58     ` Lukas Wunner
     [not found]   ` <20161117123731.GA11573-JFq808J9C/izQB+pC5nmwQ@public.gmane.org>
2016-11-21 11:42     ` David Howells
     [not found]       ` <29779.1479728545-S6HVgzuS8uM4Awkfq6JHfwNdhmdF6hFW@public.gmane.org>
2016-11-21 11:52         ` Ard Biesheuvel
     [not found]       ` <CAKv+Gu-frVDhzORDRZ6XT+FxewsTgrxhXmM=DqaS6Ns4mJhQ9g-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2016-11-21 12:41         ` David Howells
2016-11-21 13:14           ` Ard Biesheuvel
     [not found]             ` <CAKv+Gu8Lhm=u97hY1y+Y+Ladk=y7pSVNrow8ML1hQUJ9+74B-w-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2016-11-21 15:17               ` Lukas Wunner
2016-11-21 15:25                 ` Ard Biesheuvel
2016-11-22  0:31     ` [PATCH 1/6] x86/efi: Allow invocation of arbitrary runtime services David Howells
     [not found]       ` <147977469914.6360.17194649697208113702.stgit-S6HVgzuS8uM4Awkfq6JHfwNdhmdF6hFW@public.gmane.org>
2016-11-22 10:20         ` Lukas Wunner
2016-11-22 14:17       ` David Howells
2016-11-22 14:58         ` Joe Perches
     [not found]         ` <1479826691.1942.11.camel-6d6DIl74uiNBDgjK7y7TUQ@public.gmane.org>
2016-11-22 15:52           ` David Howells
     [not found]             ` <24973.1479829961-S6HVgzuS8uM4Awkfq6JHfwNdhmdF6hFW@public.gmane.org>
2016-11-22 16:25               ` Joe Perches
2016-11-22 16:40             ` David Howells
2016-11-22 16:51               ` Joe Perches
2016-11-16 21:47 ` David Howells [this message]
2016-11-16 21:47 ` [PATCH 04/16] efi: Lock down the kernel if booted in secure boot mode David Howells
2016-11-16 21:47 ` [PATCH 05/16] efi: Add EFI_SECURE_BOOT bit David Howells
2016-11-17 21:58   ` Ard Biesheuvel
2016-11-18 11:58     ` Josh Boyer
     [not found]       ` <CA+5PVA6F5qEnuL2UaXS9_fJ217J93cEZDDsz9Y2BPwHXcMdX-A-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2016-11-18 12:10         ` Ard Biesheuvel
     [not found]   ` <CAKv+Gu_8r3oM-jvvuSiXTzxp0YMEVgc5KkScJ2UhGTaXm28L6w-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2016-11-18 17:28     ` David Howells
2016-11-16 21:48 ` [PATCH 06/16] Add a sysrq option to exit secure boot mode David Howells
2016-11-16 21:48 ` [PATCH 07/16] kexec: Disable at runtime if the kernel is locked down David Howells
2016-11-16 21:48 ` [PATCH 08/16] Copy secure_boot flag in boot params across kexec reboot David Howells
2016-11-16 21:48 ` [PATCH 09/16] hibernate: Disable when the kernel is locked down David Howells
2016-11-16 21:48 ` [PATCH 10/16] PCI: Lock down BAR access " David Howells
     [not found] ` <147933283664.19316.12454053022687659937.stgit-S6HVgzuS8uM4Awkfq6JHfwNdhmdF6hFW@public.gmane.org>
2016-11-16 21:48   ` [PATCH 11/16] x86: Lock down IO port " David Howells
2016-11-16 21:49   ` [PATCH 16/16] x86: Restrict MSR " David Howells
2016-11-16 22:27   ` [PATCH 00/16] Kernel lockdown One Thousand Gnomes
2016-11-21 19:53     ` Ard Biesheuvel
2016-11-30 14:27       ` One Thousand Gnomes
2016-11-16 21:48 ` [PATCH 12/16] ACPI: Limit access to custom_method when the kernel is locked down David Howells
2016-11-16 21:48 ` [PATCH 13/16] asus-wmi: Restrict debugfs interface " David Howells
2016-11-16 21:48 ` [PATCH 14/16] Restrict /dev/mem and /dev/kmem " David Howells
2016-11-16 21:49 ` [PATCH 15/16] acpi: Ignore acpi_rsdp kernel param when the kernel has been " David Howells
2016-11-16 22:28 ` [PATCH 00/16] Kernel lockdown Justin Forbes
2016-11-21 23:10 ` [PATCH] Lock down drivers that can have io ports, io mem, irqs and dma changed David Howells
2016-11-22  6:12   ` Dominik Brodowski
2016-11-23 12:58   ` David Howells
2016-11-23 19:21     ` Dominik Brodowski
     [not found]     ` <20161123192143.GA482-SGhQLRGLuNwb6pqDj42GsMgv3T4z79SOrE5yTffgRl4@public.gmane.org>
2016-11-24 17:34       ` David Howells
2016-11-24 20:19         ` Dominik Brodowski
2016-11-25 14:49         ` David Howells
     [not found]   ` <26173.1479769852-S6HVgzuS8uM4Awkfq6JHfwNdhmdF6hFW@public.gmane.org>
2016-11-28 22:32     ` Corey Minyard
2016-11-29  0:11   ` David Howells
2016-11-29  0:23     ` Corey Minyard
2016-11-29 14:03     ` David Howells
     [not found]       ` <6973.1480428211-S6HVgzuS8uM4Awkfq6JHfwNdhmdF6hFW@public.gmane.org>
2016-11-29 14:35         ` Corey Minyard
2016-11-30 14:41         ` One Thousand Gnomes
     [not found]       ` <20161130144105.2b6be4fe-qBU/x9rampVanCEyBjwyrvXRex20P6io@public.gmane.org>
2016-11-30 16:25         ` David Howells
2016-11-29 10:40   ` David Howells

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=147933285855.19316.13896885410459473517.stgit@warthog.procyon.org.uk \
    --to=dhowells@redhat.com \
    --cc=jwboyer@fedoraproject.org \
    --cc=keyrings@vger.kernel.org \
    --cc=linux-efi@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=matthew.garrett@nebula.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Linux-EFI Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/linux-efi/0 linux-efi/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 linux-efi linux-efi/ https://lore.kernel.org/linux-efi \
		linux-efi@vger.kernel.org
	public-inbox-index linux-efi

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.linux-efi


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git