From: Lenny Szubowicz <lszubowi@redhat.com>
To: Ard Biesheuvel <ardb@kernel.org>
Cc: Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
linux-efi <linux-efi@vger.kernel.org>,
platform-driver-x86@vger.kernel.org,
linux-security-module@vger.kernel.org, andy.shevchenko@gmail.com,
James Morris <jmorris@namei.org>,
serge@hallyn.com, Kees Cook <keescook@chromium.org>,
zohar@linux.ibm.com, Borislav Petkov <bp@alien8.de>,
Peter Jones <pjones@redhat.com>,
David Howells <dhowells@redhat.com>,
prarit@redhat.com
Subject: Re: [PATCH V2 2/3] integrity: Move import of MokListRT certs to a separate routine
Date: Fri, 11 Sep 2020 11:54:10 -0400 [thread overview]
Message-ID: <f0a079b1-5f02-8618-fdfe-aea2278113c9@redhat.com> (raw)
In-Reply-To: <CAMj1kXEdkdeE8VSZqEzhd__Kb7_ZmG2af6iBpbY3=nsj1-phYw@mail.gmail.com>
On 9/11/20 11:02 AM, Ard Biesheuvel wrote:
> On Sat, 5 Sep 2020 at 04:31, Lenny Szubowicz <lszubowi@redhat.com> wrote:
>>
>> Move the loading of certs from the UEFI MokListRT into a separate
>> routine to facilitate additional MokList functionality.
>>
>> There is no visible functional change as a result of this patch.
>> Although the UEFI dbx certs are now loaded before the MokList certs,
>> they are loaded onto different key rings. So the order of the keys
>> on their respective key rings is the same.
>>
>> Signed-off-by: Lenny Szubowicz <lszubowi@redhat.com>
>
> Why did you drop Mimi's reviewed-by from this patch?
It was not intentional. I was just not aware that I needed to propagate
Mimi Zohar's reviewed-by from V1 of the patch to V2.
Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
V2 includes changes in that patch to incorporate suggestions from
Andy Shevchenko. My assumption was that the maintainer would
gather up the reviewed-by and add any signed-off-by as appropriate,
but it sounds like my assumption was incorrect. In retrospect, I
could see that having the maintainer dig through prior versions
of a patch set for prior reviewed-by tags could be burdensome.
Advice on the expected handling of this would be appreciated.
-Lenny.
>
>> ---
>> security/integrity/platform_certs/load_uefi.c | 63 +++++++++++++------
>> 1 file changed, 44 insertions(+), 19 deletions(-)
>>
>> diff --git a/security/integrity/platform_certs/load_uefi.c b/security/integrity/platform_certs/load_uefi.c
>> index 253fb9a7fc98..c1c622b4dc78 100644
>> --- a/security/integrity/platform_certs/load_uefi.c
>> +++ b/security/integrity/platform_certs/load_uefi.c
>> @@ -66,6 +66,43 @@ static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid,
>> }
>>
>> /*
>> + * load_moklist_certs() - Load MokList certs
>> + *
>> + * Load the certs contained in the UEFI MokListRT database into the
>> + * platform trusted keyring.
>> + *
>> + * Return: Status
>> + */
>> +static int __init load_moklist_certs(void)
>> +{
>> + efi_guid_t mok_var = EFI_SHIM_LOCK_GUID;
>> + void *mok;
>> + unsigned long moksize;
>> + efi_status_t status;
>> + int rc;
>> +
>> + /* Get MokListRT. It might not exist, so it isn't an error
>> + * if we can't get it.
>> + */
>> + mok = get_cert_list(L"MokListRT", &mok_var, &moksize, &status);
>> + if (mok) {
>> + rc = parse_efi_signature_list("UEFI:MokListRT",
>> + mok, moksize, get_handler_for_db);
>> + kfree(mok);
>> + if (rc)
>> + pr_err("Couldn't parse MokListRT signatures: %d\n", rc);
>> + return rc;
>> + }
>> + if (status == EFI_NOT_FOUND)
>> + pr_debug("MokListRT variable wasn't found\n");
>> + else
>> + pr_info("Couldn't get UEFI MokListRT\n");
>> + return 0;
>> +}
>> +
>> +/*
>> + * load_uefi_certs() - Load certs from UEFI sources
>> + *
>> * Load the certs contained in the UEFI databases into the platform trusted
>> * keyring and the UEFI blacklisted X.509 cert SHA256 hashes into the blacklist
>> * keyring.
>> @@ -73,17 +110,16 @@ static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid,
>> static int __init load_uefi_certs(void)
>> {
>> efi_guid_t secure_var = EFI_IMAGE_SECURITY_DATABASE_GUID;
>> - efi_guid_t mok_var = EFI_SHIM_LOCK_GUID;
>> - void *db = NULL, *dbx = NULL, *mok = NULL;
>> - unsigned long dbsize = 0, dbxsize = 0, moksize = 0;
>> + void *db = NULL, *dbx = NULL;
>> + unsigned long dbsize = 0, dbxsize = 0;
>> efi_status_t status;
>> int rc = 0;
>>
>> if (!efi_rt_services_supported(EFI_RT_SUPPORTED_GET_VARIABLE))
>> return false;
>>
>> - /* Get db, MokListRT, and dbx. They might not exist, so it isn't
>> - * an error if we can't get them.
>> + /* Get db and dbx. They might not exist, so it isn't an error
>> + * if we can't get them.
>> */
>> if (!uefi_check_ignore_db()) {
>> db = get_cert_list(L"db", &secure_var, &dbsize, &status);
>> @@ -102,20 +138,6 @@ static int __init load_uefi_certs(void)
>> }
>> }
>>
>> - mok = get_cert_list(L"MokListRT", &mok_var, &moksize, &status);
>> - if (!mok) {
>> - if (status == EFI_NOT_FOUND)
>> - pr_debug("MokListRT variable wasn't found\n");
>> - else
>> - pr_info("Couldn't get UEFI MokListRT\n");
>> - } else {
>> - rc = parse_efi_signature_list("UEFI:MokListRT",
>> - mok, moksize, get_handler_for_db);
>> - if (rc)
>> - pr_err("Couldn't parse MokListRT signatures: %d\n", rc);
>> - kfree(mok);
>> - }
>> -
>> dbx = get_cert_list(L"dbx", &secure_var, &dbxsize, &status);
>> if (!dbx) {
>> if (status == EFI_NOT_FOUND)
>> @@ -131,6 +153,9 @@ static int __init load_uefi_certs(void)
>> kfree(dbx);
>> }
>>
>> + /* Load the MokListRT certs */
>> + rc = load_moklist_certs();
>> +
>> return rc;
>> }
>> late_initcall(load_uefi_certs);
>> --
>> 2.27.0
>>
>
next prev parent reply other threads:[~2020-09-11 15:54 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-09-05 1:31 [PATCH V2 0/3] integrity: Load certs from EFI MOK config table Lenny Szubowicz
2020-09-05 1:31 ` [PATCH V2 1/3] efi: Support for MOK variable " Lenny Szubowicz
2020-09-21 16:18 ` Arvind Sankar
2020-09-21 16:27 ` Ard Biesheuvel
2020-09-21 16:55 ` Arvind Sankar
2020-09-24 19:09 ` Lenny Szubowicz
2020-10-01 17:44 ` Nathan Chancellor
2020-10-01 20:57 ` Ard Biesheuvel
2020-10-01 21:07 ` Nathan Chancellor
2020-09-05 1:31 ` [PATCH V2 2/3] integrity: Move import of MokListRT certs to a separate routine Lenny Szubowicz
2020-09-11 15:02 ` Ard Biesheuvel
2020-09-11 15:54 ` Lenny Szubowicz [this message]
2020-09-11 15:59 ` Mimi Zohar
2020-09-11 17:18 ` Lenny Szubowicz
2020-09-11 18:16 ` Ard Biesheuvel
2020-09-11 19:08 ` Mimi Zohar
2020-09-11 19:46 ` Lenny Szubowicz
2020-09-05 1:31 ` [PATCH V2 3/3] integrity: Load certs from the EFI MOK config table Lenny Szubowicz
2020-09-11 15:17 ` [PATCH V2 0/3] integrity: Load certs from " Ard Biesheuvel
2020-09-11 16:01 ` Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=f0a079b1-5f02-8618-fdfe-aea2278113c9@redhat.com \
--to=lszubowi@redhat.com \
--cc=andy.shevchenko@gmail.com \
--cc=ardb@kernel.org \
--cc=bp@alien8.de \
--cc=dhowells@redhat.com \
--cc=jmorris@namei.org \
--cc=keescook@chromium.org \
--cc=linux-efi@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=pjones@redhat.com \
--cc=platform-driver-x86@vger.kernel.org \
--cc=prarit@redhat.com \
--cc=serge@hallyn.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).