From: "Lee, Chun-Yi" <jlee@suse.com>
To: David Howells <dhowells@redhat.com>
Cc: linux-fs@vger.kernel.org, linux-efi@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: [PATCH 1/5] MODSIGN: do not load mok when secure boot disabled
Date: Tue, 13 Mar 2018 18:35:55 +0800 [thread overview]
Message-ID: <20180313103559.13032-2-jlee@suse.com> (raw)
In-Reply-To: <20180313103559.13032-1-jlee@suse.com>
The mok can not be trusted when the secure boot is disabled. Which
means that the kernel embedded certificate is the only trusted key.
Due to db/dbx are authenticated variables, they needs manufacturer's
KEK for update. So db/dbx are secure when secureboot disabled.
Cc: David Howells <dhowells@redhat.com>
Cc: Josh Boyer <jwboyer@fedoraproject.org>
Cc: James Bottomley <James.Bottomley@HansenPartnership.com>
Signed-off-by: Lee, Chun-Yi <jlee@suse.com>
---
certs/load_uefi.c | 26 +++++++++++++++-----------
1 file changed, 15 insertions(+), 11 deletions(-)
diff --git a/certs/load_uefi.c b/certs/load_uefi.c
index 3d88459..d6de4d0 100644
--- a/certs/load_uefi.c
+++ b/certs/load_uefi.c
@@ -164,17 +164,6 @@ static int __init load_uefi_certs(void)
}
}
- mok = get_cert_list(L"MokListRT", &mok_var, &moksize);
- if (!mok) {
- pr_info("MODSIGN: Couldn't get UEFI MokListRT\n");
- } else {
- rc = parse_efi_signature_list("UEFI:MokListRT",
- mok, moksize, get_handler_for_db);
- if (rc)
- pr_err("Couldn't parse MokListRT signatures: %d\n", rc);
- kfree(mok);
- }
-
dbx = get_cert_list(L"dbx", &secure_var, &dbxsize);
if (!dbx) {
pr_info("MODSIGN: Couldn't get UEFI dbx list\n");
@@ -187,6 +176,21 @@ static int __init load_uefi_certs(void)
kfree(dbx);
}
+ /* the MOK can not be trusted when secure boot is disabled */
+ if (!efi_enabled(EFI_SECURE_BOOT))
+ return 0;
+
+ mok = get_cert_list(L"MokListRT", &mok_var, &moksize);
+ if (!mok) {
+ pr_info("MODSIGN: Couldn't get UEFI MokListRT\n");
+ } else {
+ rc = parse_efi_signature_list("UEFI:MokListRT",
+ mok, moksize, get_handler_for_db);
+ if (rc)
+ pr_err("Couldn't parse MokListRT signatures: %d\n", rc);
+ kfree(mok);
+ }
+
return rc;
}
late_initcall(load_uefi_certs);
--
2.10.2
next prev parent reply other threads:[~2018-03-13 10:36 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-03-13 10:35 [PATCH 0/5 v2] Using the hash in MOKx to blacklist kernel module Lee, Chun-Yi
2018-03-13 10:35 ` Lee, Chun-Yi [this message]
2018-03-13 10:35 ` [PATCH 2/5] MODSIGN: print appropriate status message when getting UEFI certificates list Lee, Chun-Yi
2018-03-13 17:17 ` James Bottomley
2018-03-14 4:40 ` joeyli
2018-03-13 10:37 [PATCH 0/5 v2] Using the hash in MOKx to blacklist kernel module Lee, Chun-Yi
2018-03-13 10:37 ` [PATCH 1/5] MODSIGN: do not load mok when secure boot disabled Lee, Chun-Yi
2018-03-13 17:25 ` Ard Biesheuvel
2018-03-14 10:23 ` joeyli
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180313103559.13032-2-jlee@suse.com \
--to=jlee@suse.com \
--cc=dhowells@redhat.com \
--cc=linux-efi@vger.kernel.org \
--cc=linux-fs@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).