From: Eric Snowberg <eric.snowberg@oracle.com>
To: dhowells@redhat.com, dwmw2@infradead.org, jarkko@kernel.org,
James.Bottomley@HansenPartnership.com
Cc: masahiroy@kernel.org, michal.lkml@markovi.net, jmorris@namei.org,
serge@hallyn.com, eric.snowberg@oracle.com, ardb@kernel.org,
zohar@linux.ibm.com, lszubowi@redhat.com, javierm@redhat.com,
keyrings@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-kbuild@vger.kernel.org,
linux-security-module@vger.kernel.org
Subject: [PATCH v5 4/4] integrity: Load mokx variables into the blacklist keyring
Date: Fri, 22 Jan 2021 13:10:54 -0500 [thread overview]
Message-ID: <20210122181054.32635-5-eric.snowberg@oracle.com> (raw)
In-Reply-To: <20210122181054.32635-1-eric.snowberg@oracle.com>
During boot the Secure Boot Forbidden Signature Database, dbx,
is loaded into the blacklist keyring. Systems booted with shim
have an equivalent Forbidden Signature Database called mokx.
Currently mokx is only used by shim and grub, the contents are
ignored by the kernel.
Add the ability to load mokx into the blacklist keyring during boot.
Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
Suggested-by: James Bottomley <James.Bottomley@HansenPartnership.com>
---
security/integrity/platform_certs/load_uefi.c | 20 +++++++++++++++++--
1 file changed, 18 insertions(+), 2 deletions(-)
diff --git a/security/integrity/platform_certs/load_uefi.c b/security/integrity/platform_certs/load_uefi.c
index ee4b4c666854..f290f78c3f30 100644
--- a/security/integrity/platform_certs/load_uefi.c
+++ b/security/integrity/platform_certs/load_uefi.c
@@ -132,8 +132,9 @@ static int __init load_moklist_certs(void)
static int __init load_uefi_certs(void)
{
efi_guid_t secure_var = EFI_IMAGE_SECURITY_DATABASE_GUID;
- void *db = NULL, *dbx = NULL;
- unsigned long dbsize = 0, dbxsize = 0;
+ efi_guid_t mok_var = EFI_SHIM_LOCK_GUID;
+ void *db = NULL, *dbx = NULL, *mokx = NULL;
+ unsigned long dbsize = 0, dbxsize = 0, mokxsize = 0;
efi_status_t status;
int rc = 0;
@@ -175,6 +176,21 @@ static int __init load_uefi_certs(void)
kfree(dbx);
}
+ mokx = get_cert_list(L"MokListXRT", &mok_var, &mokxsize, &status);
+ if (!mokx) {
+ if (status == EFI_NOT_FOUND)
+ pr_debug("mokx variable wasn't found\n");
+ else
+ pr_info("Couldn't get mokx list\n");
+ } else {
+ rc = parse_efi_signature_list("UEFI:MokListXRT",
+ mokx, mokxsize,
+ get_handler_for_dbx);
+ if (rc)
+ pr_err("Couldn't parse mokx signatures %d\n", rc);
+ kfree(mokx);
+ }
+
/* Load the MokListRT certs */
rc = load_moklist_certs();
--
2.18.4
next prev parent reply other threads:[~2021-01-22 19:37 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-01-22 18:10 [PATCH v5 0/4] Add EFI_CERT_X509_GUID support for dbx/mokx entries Eric Snowberg
2021-01-22 18:10 ` [PATCH v5 1/4] certs: Add EFI_CERT_X509_GUID support for dbx entries Eric Snowberg
2021-01-28 3:54 ` Nayna
2021-01-28 4:11 ` Eric Snowberg
2021-01-28 15:35 ` Nayna
2021-01-28 15:58 ` David Howells
2021-01-29 1:56 ` Eric Snowberg
2021-01-22 18:10 ` [PATCH v5 2/4] certs: Move load_system_certificate_list to a common function Eric Snowberg
2021-01-22 18:10 ` [PATCH v5 3/4] certs: Add ability to preload revocation certs Eric Snowberg
2021-01-22 18:10 ` Eric Snowberg [this message]
2021-01-28 15:16 ` [PATCH v5 0/4] Add EFI_CERT_X509_GUID support for dbx/mokx entries David Howells
2021-01-28 15:27 ` Mimi Zohar
2021-01-28 15:29 ` Mimi Zohar
2021-01-28 15:41 ` Eric Snowberg
2021-02-03 16:26 ` Conflict with Mickaël Salaün's blacklist patches [was [PATCH v5 0/4] Add EFI_CERT_X509_GUID support for dbx/mokx entries] David Howells
2021-02-03 18:49 ` Mickaël Salaün
2021-02-04 3:53 ` Eric Snowberg
2021-02-04 8:26 ` Mickaël Salaün
2021-02-05 0:24 ` Eric Snowberg
2021-02-05 10:27 ` Mickaël Salaün
2021-02-06 1:14 ` Eric Snowberg
2021-02-06 18:30 ` Mickaël Salaün
2021-02-08 23:05 ` Eric Snowberg
2021-02-09 21:53 ` Mickaël Salaün
2021-02-10 12:07 ` Mickaël Salaün
2021-02-09 13:14 ` David Howells
2021-02-09 13:59 ` Mickaël Salaün
2021-02-09 16:46 ` David Howells
2021-02-12 11:49 ` Jarkko Sakkinen
2021-02-04 9:11 ` David Howells
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210122181054.32635-5-eric.snowberg@oracle.com \
--to=eric.snowberg@oracle.com \
--cc=James.Bottomley@HansenPartnership.com \
--cc=ardb@kernel.org \
--cc=dhowells@redhat.com \
--cc=dwmw2@infradead.org \
--cc=jarkko@kernel.org \
--cc=javierm@redhat.com \
--cc=jmorris@namei.org \
--cc=keyrings@vger.kernel.org \
--cc=linux-kbuild@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=lszubowi@redhat.com \
--cc=masahiroy@kernel.org \
--cc=michal.lkml@markovi.net \
--cc=serge@hallyn.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).