From: Mimi Zohar <zohar@linux.ibm.com>
To: Aditya Garg <gargaditya08@live.com>,
"jarkko@kernel.org" <jarkko@kernel.org>,
"dmitry.kasatkin@gmail.com" <dmitry.kasatkin@gmail.com>,
"jmorris@namei.org" <jmorris@namei.org>,
"serge@hallyn.com" <serge@hallyn.com>,
"ast@kernel.org" <ast@kernel.org>,
"daniel@iogearbox.net" <daniel@iogearbox.net>,
"andrii@kernel.org" <andrii@kernel.org>,
"kafai@fb.com" <kafai@fb.com>,
"songliubraving@fb.com" <songliubraving@fb.com>,
"yhs@fb.com" <yhs@fb.com>,
"john.fastabend@gmail.com" <john.fastabend@gmail.com>,
"kpsingh@kernel.org" <kpsingh@kernel.org>
Cc: "linux-integrity@vger.kernel.org"
<linux-integrity@vger.kernel.org>,
"keyrings@vger.kernel.org" <keyrings@vger.kernel.org>,
"linux-security-module@vger.kernel.org"
<linux-security-module@vger.kernel.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"netdev@vger.kernel.org" <netdev@vger.kernel.org>,
"bpf@vger.kernel.org" <bpf@vger.kernel.org>,
Orlando Chamberlain <redecorating@protonmail.com>,
"admin@kodeit.net" <admin@kodeit.net>,
"stable@vger.kernel.org" <stable@vger.kernel.org>
Subject: Re: [PATCH v4 RESEND] efi: Do not import certificates from UEFI Secure Boot for T2 Macs
Date: Tue, 12 Apr 2022 13:16:30 -0400 [thread overview]
Message-ID: <6545f8241f3d41dd0f55997bfb85ad0de9f1c3e3.camel@linux.ibm.com> (raw)
In-Reply-To: <590ED76A-EE91-4ED1-B524-BC23419C051E@live.com>
On Tue, 2022-04-12 at 16:44 +0000, Aditya Garg wrote:
> From: Aditya Garg <gargaditya08@live.com>
>
> On T2 Macs, the secure boot is handled by the T2 Chip. If enabled, only
> macOS and Windows are allowed to boot on these machines. Moreover, loading
> UEFI Secure Boot certificates is not supported on these machines on Linux.
> An attempt to do so causes a crash with the following logs :-
>
> Call Trace:
> <TASK>
> page_fault_oops+0x4f/0x2c0
> ? search_bpf_extables+0x6b/0x80
> ? search_module_extables+0x50/0x80
> ? search_exception_tables+0x5b/0x60
> kernelmode_fixup_or_oops+0x9e/0x110
> __bad_area_nosemaphore+0x155/0x190
> bad_area_nosemaphore+0x16/0x20
> do_kern_addr_fault+0x8c/0xa0
> exc_page_fault+0xd8/0x180
> asm_exc_page_fault+0x1e/0x30
> (Removed some logs from here)
> ? __efi_call+0x28/0x30
> ? switch_mm+0x20/0x30
> ? efi_call_rts+0x19a/0x8e0
> ? process_one_work+0x222/0x3f0
> ? worker_thread+0x4a/0x3d0
> ? kthread+0x17a/0x1a0
> ? process_one_work+0x3f0/0x3f0
> ? set_kthread_struct+0x40/0x40
> ? ret_from_fork+0x22/0x30
> </TASK>
> ---[ end trace 1f82023595a5927f ]---
> efi: Froze efi_rts_wq and disabled EFI Runtime Services
> integrity: Couldn't get size: 0x8000000000000015
> integrity: MODSIGN: Couldn't get UEFI db list
> efi: EFI Runtime Services are disabled!
> integrity: Couldn't get size: 0x8000000000000015
> integrity: Couldn't get UEFI dbx list
> integrity: Couldn't get size: 0x8000000000000015
> integrity: Couldn't get mokx list
> integrity: Couldn't get size: 0x80000000
>
> As a result of not being able to read or load certificates, secure boot
> cannot be enabled. This patch prevents querying of these UEFI variables,
> since these Macs seem to use a non-standard EFI hardware.
>
> Cc: stable@vger.kernel.org
> Signed-off-by: Aditya Garg <gargaditya08@live.com>
> ---
> v2 :- Reduce code size of the table.
> v3 :- Close the brackets which were left open by mistake.
> v4 :- Fix comment style issues, remove blank spaces and limit use of dmi_first_match()
> v4 RESEND :- Add stable to cc
> .../platform_certs/keyring_handler.h | 8 +++++
> security/integrity/platform_certs/load_uefi.c | 35 +++++++++++++++++++
> 2 files changed, 43 insertions(+)
>
> diff --git a/security/integrity/platform_certs/keyring_handler.h b/security/integrity/platform_certs/keyring_handler.h
> index 284558f30..212d894a8 100644
> --- a/security/integrity/platform_certs/keyring_handler.h
> +++ b/security/integrity/platform_certs/keyring_handler.h
> @@ -35,3 +35,11 @@ efi_element_handler_t get_handler_for_mok(const efi_guid_t *sig_type);
> efi_element_handler_t get_handler_for_dbx(const efi_guid_t *sig_type);
>
> #endif
> +
> +#ifndef UEFI_QUIRK_SKIP_CERT
> +#define UEFI_QUIRK_SKIP_CERT(vendor, product) \
> + .matches = { \
> + DMI_MATCH(DMI_BOARD_VENDOR, vendor), \
> + DMI_MATCH(DMI_PRODUCT_NAME, product), \
> + },
> +#endif
> diff --git a/security/integrity/platform_certs/load_uefi.c b/security/integrity/platform_certs/load_uefi.c
> index 5f45c3c07..c3393b2b1 100644
> --- a/security/integrity/platform_certs/load_uefi.c
> +++ b/security/integrity/platform_certs/load_uefi.c
> @@ -3,6 +3,7 @@
> #include <linux/kernel.h>
> #include <linux/sched.h>
> #include <linux/cred.h>
> +#include <linux/dmi.h>
> #include <linux/err.h>
> #include <linux/efi.h>
> #include <linux/slab.h>
> @@ -12,6 +13,33 @@
> #include "../integrity.h"
> #include "keyring_handler.h"
>
> +/*
> + * Apple Macs with T2 Security chip seem to be using a non standard
> + * implementation of Secure Boot. For Linux to run on these machines
> + * Secure Boot needs to be turned off, since the T2 Chip manages
> + * Secure Boot and doesn't allow OS other than macOS or Windows to
> + * boot. If turned off, an attempt to get certificates causes a crash,
> + * so we simply prevent doing the same.
> + */
Both the comment here and the patch description above still needs to be
improved. Perhaps something along these lines.
Secure boot on Apple Macs with a T2 Security chip cannot read either
the EFI variables or the certificates stored in different db's (e.g.
db, dbx, MokListXRT). Attempting to read them causes ...
Avoid reading the EFI variables or the certificates stored in different
dbs. As a result, without certificates secure boot signature
verification fails.
thanks,
Mimi
> +static const struct dmi_system_id uefi_skip_cert[] = {
> + { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacBookPro15,1") },
> + { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacBookPro15,2") },
> + { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacBookPro15,3") },
> + { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacBookPro15,4") },
> + { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacBookPro16,1") },
> + { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacBookPro16,2") },
> + { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacBookPro16,3") },
> + { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacBookPro16,4") },
> + { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacBookAir8,1") },
> + { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacBookAir8,2") },
> + { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacBookAir9,1") },
> + { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacMini8,1") },
> + { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacPro7,1") },
> + { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "iMac20,1") },
> + { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "iMac20,2") },
> + { }
> +};
> +
> /*
> * Look to see if a UEFI variable called MokIgnoreDB exists and return true if
> * it does.
> @@ -138,6 +166,13 @@ static int __init load_uefi_certs(void)
> unsigned long dbsize = 0, dbxsize = 0, mokxsize = 0;
> efi_status_t status;
> int rc = 0;
> + const struct dmi_system_id *dmi_id;
> +
> + dmi_id = dmi_first_match(uefi_skip_cert);
> + if (dmi_id) {
> + pr_err("Getting UEFI Secure Boot Certs is not supported on T2 Macs.\n");
> + return false;
> + }
>
> if (!efi_rt_services_supported(EFI_RT_SUPPORTED_GET_VARIABLE))
> return false;
next prev parent reply other threads:[~2022-04-12 17:17 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-04-10 10:49 [PATCH v3 RESEND] efi: Do not import certificates from UEFI Secure Boot for T2 Macs Aditya Garg
2022-04-12 12:32 ` Mimi Zohar
2022-04-12 14:13 ` Aditya Garg
2022-04-12 15:13 ` Mimi Zohar
2022-04-12 15:40 ` Aditya Garg
2022-04-12 16:38 ` Aditya Garg
2022-04-12 16:40 ` [PATCH v4] " Aditya Garg
2022-04-12 16:44 ` [PATCH v4 RESEND] " Aditya Garg
2022-04-12 17:16 ` Mimi Zohar [this message]
2022-04-13 14:03 ` Aditya Garg
2022-04-13 14:04 ` [PATCH v5] " Aditya Garg
2022-04-14 13:30 ` Mimi Zohar
2022-04-15 6:17 ` Aditya Garg
2022-04-15 6:19 ` [PATCH v6] " Aditya Garg
2022-04-15 16:26 ` Mimi Zohar
2022-04-15 17:02 ` Aditya Garg
2022-04-15 17:02 ` [PATCH v7] " Aditya Garg
2022-04-22 17:39 ` [PATCH v7 RESEND] " Aditya Garg
2022-05-13 15:24 ` [PATCH v7] " Mimi Zohar
2022-05-13 18:31 ` Aditya Garg
2022-05-15 12:41 ` Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=6545f8241f3d41dd0f55997bfb85ad0de9f1c3e3.camel@linux.ibm.com \
--to=zohar@linux.ibm.com \
--cc=admin@kodeit.net \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=dmitry.kasatkin@gmail.com \
--cc=gargaditya08@live.com \
--cc=jarkko@kernel.org \
--cc=jmorris@namei.org \
--cc=john.fastabend@gmail.com \
--cc=kafai@fb.com \
--cc=keyrings@vger.kernel.org \
--cc=kpsingh@kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=redecorating@protonmail.com \
--cc=serge@hallyn.com \
--cc=songliubraving@fb.com \
--cc=stable@vger.kernel.org \
--cc=yhs@fb.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).