From: "Lee, Chun-Yi" <joeyli.kernel@gmail.com>
To: David Howells <dhowells@redhat.com>
Cc: linux-fs@vger.kernel.org, linux-efi@vger.kernel.org,
linux-kernel@vger.kernel.org, "Lee, Chun-Yi" <jlee@suse.com>,
Josh Boyer <jwboyer@fedoraproject.org>,
James Bottomley <James.Bottomley@HansenPartnership.com>
Subject: [PATCH 3/5] MODSIGN: load blacklist from MOKx
Date: Tue, 13 Mar 2018 18:38:01 +0800 [thread overview]
Message-ID: <20180313103803.13388-4-jlee@suse.com> (raw)
In-Reply-To: <20180313103803.13388-1-jlee@suse.com>
This patch adds the logic to load the blacklisted hash and
certificates from MOKx which is maintained by shim bootloader.
Cc: David Howells <dhowells@redhat.com>
Cc: Josh Boyer <jwboyer@fedoraproject.org>
Cc: James Bottomley <James.Bottomley@HansenPartnership.com>
Signed-off-by: "Lee, Chun-Yi" <jlee@suse.com>
---
certs/load_uefi.c | 16 +++++++++++++---
1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/certs/load_uefi.c b/certs/load_uefi.c
index f2f372b..dc66a79 100644
--- a/certs/load_uefi.c
+++ b/certs/load_uefi.c
@@ -164,8 +164,8 @@ static int __init load_uefi_certs(void)
{
efi_guid_t secure_var = EFI_IMAGE_SECURITY_DATABASE_GUID;
efi_guid_t mok_var = EFI_SHIM_LOCK_GUID;
- void *db = NULL, *dbx = NULL, *mok = NULL;
- unsigned long dbsize = 0, dbxsize = 0, moksize = 0;
+ void *db = NULL, *dbx = NULL, *mok = NULL, *mokx = NULL;
+ unsigned long dbsize = 0, dbxsize = 0, moksize = 0, mokxsize = 0;
int rc = 0;
if (!efi.get_variable)
@@ -195,7 +195,7 @@ static int __init load_uefi_certs(void)
kfree(dbx);
}
- /* the MOK can not be trusted when secure boot is disabled */
+ /* the MOK and MOKx can not be trusted when secure boot is disabled */
if (!efi_enabled(EFI_SECURE_BOOT))
return 0;
@@ -208,6 +208,16 @@ static int __init load_uefi_certs(void)
kfree(mok);
}
+ mokx = get_cert_list(L"MokListXRT", &mok_var, &mokxsize);
+ if (mokx) {
+ rc = parse_efi_signature_list("UEFI:mokx",
+ mokx, mokxsize,
+ get_handler_for_dbx);
+ if (rc)
+ pr_err("Couldn't parse MokListXRT signatures: %d\n", rc);
+ kfree(mokx);
+ }
+
return rc;
}
late_initcall(load_uefi_certs);
--
2.10.2
next prev parent reply other threads:[~2018-03-13 10:39 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-03-13 10:37 [PATCH 0/5 v2] Using the hash in MOKx to blacklist kernel module Lee, Chun-Yi
2018-03-13 10:37 ` [PATCH 1/5] MODSIGN: do not load mok when secure boot disabled Lee, Chun-Yi
2018-03-13 17:25 ` Ard Biesheuvel
2018-03-14 10:23 ` joeyli
2018-03-13 10:38 ` [PATCH 2/5] MODSIGN: print appropriate status message when getting UEFI certificates list Lee, Chun-Yi
2018-03-13 10:38 ` Lee, Chun-Yi [this message]
2018-03-13 10:38 ` [PATCH 4/5] MODSIGN: checking the blacklisted hash before loading a kernel module Lee, Chun-Yi
2018-03-13 17:18 ` James Bottomley
2018-03-14 6:08 ` joeyli
2018-03-14 14:19 ` James Bottomley
2018-03-15 6:16 ` joeyli
2018-03-15 14:30 ` James Bottomley
2018-03-16 7:32 ` joeyli
2018-03-13 10:38 ` [PATCH 5/5] MODSIGN: check the attributes of db and mok Lee, Chun-Yi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180313103803.13388-4-jlee@suse.com \
--to=joeyli.kernel@gmail.com \
--cc=James.Bottomley@HansenPartnership.com \
--cc=dhowells@redhat.com \
--cc=jlee@suse.com \
--cc=jwboyer@fedoraproject.org \
--cc=linux-efi@vger.kernel.org \
--cc=linux-fs@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).