When loading certificates list from EFI variables, the error
message and efi status code always be emitted to dmesg. It looks
ugly:
[ 2.335031] Couldn't get size: 0x800000000000000e
[ 2.335032] Couldn't get UEFI MokListRT
[ 2.339985] Couldn't get size: 0x800000000000000e
[ 2.339987] Couldn't get UEFI dbx list
This cosmetic patch set moved the above messages to the error
handling code path. And, it adds a function to transfer EFI status
code to string to improve the readability of debug log. The function
can also be used in other EFI log.
Lee, Chun-Yi (2):
efi: add a function for transferring status to string
efi: show error messages only when loading certificates is failed
include/linux/efi.h | 26 +++++++++++++++++
security/integrity/platform_certs/load_uefi.c | 41 ++++++++++++++-------------
2 files changed, 48 insertions(+), 19 deletions(-)
--
2.16.4
This function can be used to transfer EFI status code to string
to improve the readability of debug log.
Signed-off-by: "Lee, Chun-Yi" <[email protected]>
---
include/linux/efi.h | 26 ++++++++++++++++++++++++++
1 file changed, 26 insertions(+)
diff --git a/include/linux/efi.h b/include/linux/efi.h
index d87acf62958e..08daf4cdd807 100644
--- a/include/linux/efi.h
+++ b/include/linux/efi.h
@@ -42,6 +42,32 @@
#define EFI_ABORTED (21 | (1UL << (BITS_PER_LONG-1)))
#define EFI_SECURITY_VIOLATION (26 | (1UL << (BITS_PER_LONG-1)))
+#define EFI_STATUS_STR(_status) \
+ case EFI_##_status: \
+ return "EFI_" __stringify(_status);
+
+static inline char *
+efi_status_to_str(unsigned long status)
+{
+ switch (status) {
+ EFI_STATUS_STR(SUCCESS)
+ EFI_STATUS_STR(LOAD_ERROR)
+ EFI_STATUS_STR(INVALID_PARAMETER)
+ EFI_STATUS_STR(UNSUPPORTED)
+ EFI_STATUS_STR(BAD_BUFFER_SIZE)
+ EFI_STATUS_STR(BUFFER_TOO_SMALL)
+ EFI_STATUS_STR(NOT_READY)
+ EFI_STATUS_STR(DEVICE_ERROR)
+ EFI_STATUS_STR(WRITE_PROTECTED)
+ EFI_STATUS_STR(OUT_OF_RESOURCES)
+ EFI_STATUS_STR(NOT_FOUND)
+ EFI_STATUS_STR(ABORTED)
+ EFI_STATUS_STR(SECURITY_VIOLATION)
+ }
+
+ return "";
+}
+
typedef unsigned long efi_status_t;
typedef u8 efi_bool_t;
typedef u16 efi_char16_t; /* UNICODE character */
--
2.16.4
When loading certificates list from EFI variables, the error
message and efi status code always be emitted to dmesg. It looks
ugly:
[ 2.335031] Couldn't get size: 0x800000000000000e
[ 2.335032] Couldn't get UEFI MokListRT
[ 2.339985] Couldn't get size: 0x800000000000000e
[ 2.339987] Couldn't get UEFI dbx list
This cosmetic patch moved the messages to the error handling code
path. And, it also shows the corresponding status string of status
code.
Signed-off-by: "Lee, Chun-Yi" <[email protected]>
---
security/integrity/platform_certs/load_uefi.c | 41 ++++++++++++++-------------
1 file changed, 22 insertions(+), 19 deletions(-)
diff --git a/security/integrity/platform_certs/load_uefi.c b/security/integrity/platform_certs/load_uefi.c
index 81b19c52832b..3b766831d2c5 100644
--- a/security/integrity/platform_certs/load_uefi.c
+++ b/security/integrity/platform_certs/load_uefi.c
@@ -1,4 +1,5 @@
// SPDX-License-Identifier: GPL-2.0
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
#include <linux/kernel.h>
#include <linux/sched.h>
@@ -39,7 +40,7 @@ static __init bool uefi_check_ignore_db(void)
* Get a certificate list blob from the named EFI variable.
*/
static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid,
- unsigned long *size)
+ unsigned long *size, const char *source)
{
efi_status_t status;
unsigned long lsize = 4;
@@ -48,23 +49,31 @@ static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid,
status = efi.get_variable(name, guid, NULL, &lsize, &tmpdb);
if (status != EFI_BUFFER_TOO_SMALL) {
- pr_err("Couldn't get size: 0x%lx\n", status);
- return NULL;
+ if (status == EFI_NOT_FOUND) {
+ pr_debug("%s list was not found\n", source);
+ return NULL;
+ }
+ goto err;
}
db = kmalloc(lsize, GFP_KERNEL);
- if (!db)
- return NULL;
+ if (!db) {
+ status = EFI_OUT_OF_RESOURCES;
+ goto err;
+ }
status = efi.get_variable(name, guid, NULL, &lsize, db);
if (status != EFI_SUCCESS) {
kfree(db);
- pr_err("Error reading db var: 0x%lx\n", status);
- return NULL;
+ goto err;
}
*size = lsize;
return db;
+err:
+ pr_err("Couldn't get %s list: %s (0x%lx)\n",
+ source, efi_status_to_str(status), status);
+ return NULL;
}
/*
@@ -153,10 +162,8 @@ static int __init load_uefi_certs(void)
* an error if we can't get them.
*/
if (!uefi_check_ignore_db()) {
- db = get_cert_list(L"db", &secure_var, &dbsize);
- if (!db) {
- pr_err("MODSIGN: Couldn't get UEFI db list\n");
- } else {
+ db = get_cert_list(L"db", &secure_var, &dbsize, "UEFI:db");
+ if (db) {
rc = parse_efi_signature_list("UEFI:db",
db, dbsize, get_handler_for_db);
if (rc)
@@ -166,10 +173,8 @@ static int __init load_uefi_certs(void)
}
}
- mok = get_cert_list(L"MokListRT", &mok_var, &moksize);
- if (!mok) {
- pr_info("Couldn't get UEFI MokListRT\n");
- } else {
+ mok = get_cert_list(L"MokListRT", &mok_var, &moksize, "UEFI:MokListRT");
+ if (mok) {
rc = parse_efi_signature_list("UEFI:MokListRT",
mok, moksize, get_handler_for_db);
if (rc)
@@ -177,10 +182,8 @@ static int __init load_uefi_certs(void)
kfree(mok);
}
- dbx = get_cert_list(L"dbx", &secure_var, &dbxsize);
- if (!dbx) {
- pr_info("Couldn't get UEFI dbx list\n");
- } else {
+ dbx = get_cert_list(L"dbx", &secure_var, &dbxsize, "UEFI:dbx");
+ if (dbx) {
rc = parse_efi_signature_list("UEFI:dbx",
dbx, dbxsize,
get_handler_for_dbx);
--
2.16.4
On Thu, 12 Dec 2019 at 10:38, Lee, Chun-Yi <[email protected]> wrote:
>
> This function can be used to transfer EFI status code to string
> to improve the readability of debug log.
>
> Signed-off-by: "Lee, Chun-Yi" <[email protected]>
I think I mentioned this the last time you sent this patch: by making
this a static inline, those strings will be copied into each object
file that uses this routine.
Instead, please make it an ordinary function.
> ---
> include/linux/efi.h | 26 ++++++++++++++++++++++++++
> 1 file changed, 26 insertions(+)
>
> diff --git a/include/linux/efi.h b/include/linux/efi.h
> index d87acf62958e..08daf4cdd807 100644
> --- a/include/linux/efi.h
> +++ b/include/linux/efi.h
> @@ -42,6 +42,32 @@
> #define EFI_ABORTED (21 | (1UL << (BITS_PER_LONG-1)))
> #define EFI_SECURITY_VIOLATION (26 | (1UL << (BITS_PER_LONG-1)))
>
> +#define EFI_STATUS_STR(_status) \
> + case EFI_##_status: \
> + return "EFI_" __stringify(_status);
> +
> +static inline char *
> +efi_status_to_str(unsigned long status)
> +{
> + switch (status) {
> + EFI_STATUS_STR(SUCCESS)
> + EFI_STATUS_STR(LOAD_ERROR)
> + EFI_STATUS_STR(INVALID_PARAMETER)
> + EFI_STATUS_STR(UNSUPPORTED)
> + EFI_STATUS_STR(BAD_BUFFER_SIZE)
> + EFI_STATUS_STR(BUFFER_TOO_SMALL)
> + EFI_STATUS_STR(NOT_READY)
> + EFI_STATUS_STR(DEVICE_ERROR)
> + EFI_STATUS_STR(WRITE_PROTECTED)
> + EFI_STATUS_STR(OUT_OF_RESOURCES)
> + EFI_STATUS_STR(NOT_FOUND)
> + EFI_STATUS_STR(ABORTED)
> + EFI_STATUS_STR(SECURITY_VIOLATION)
> + }
> +
> + return "";
> +}
> +
> typedef unsigned long efi_status_t;
> typedef u8 efi_bool_t;
> typedef u16 efi_char16_t; /* UNICODE character */
> --
> 2.16.4
>
Hi Ard,
On Thu, Dec 12, 2019 at 11:20:48AM +0000, Ard Biesheuvel wrote:
> On Thu, 12 Dec 2019 at 10:38, Lee, Chun-Yi <[email protected]> wrote:
> >
> > This function can be used to transfer EFI status code to string
> > to improve the readability of debug log.
> >
> > Signed-off-by: "Lee, Chun-Yi" <[email protected]>
>
> I think I mentioned this the last time you sent this patch: by making
> this a static inline, those strings will be copied into each object
> file that uses this routine.
> Instead, please make it an ordinary function.
>
Sorry for I just sent a old version patch. I will send a new one.
Thanks a lot!
Joey Lee
> > ---
> > include/linux/efi.h | 26 ++++++++++++++++++++++++++
> > 1 file changed, 26 insertions(+)
> >
> > diff --git a/include/linux/efi.h b/include/linux/efi.h
> > index d87acf62958e..08daf4cdd807 100644
> > --- a/include/linux/efi.h
> > +++ b/include/linux/efi.h
> > @@ -42,6 +42,32 @@
> > #define EFI_ABORTED (21 | (1UL << (BITS_PER_LONG-1)))
> > #define EFI_SECURITY_VIOLATION (26 | (1UL << (BITS_PER_LONG-1)))
> >
> > +#define EFI_STATUS_STR(_status) \
> > + case EFI_##_status: \
> > + return "EFI_" __stringify(_status);
> > +
> > +static inline char *
> > +efi_status_to_str(unsigned long status)
> > +{
> > + switch (status) {
> > + EFI_STATUS_STR(SUCCESS)
> > + EFI_STATUS_STR(LOAD_ERROR)
> > + EFI_STATUS_STR(INVALID_PARAMETER)
> > + EFI_STATUS_STR(UNSUPPORTED)
> > + EFI_STATUS_STR(BAD_BUFFER_SIZE)
> > + EFI_STATUS_STR(BUFFER_TOO_SMALL)
> > + EFI_STATUS_STR(NOT_READY)
> > + EFI_STATUS_STR(DEVICE_ERROR)
> > + EFI_STATUS_STR(WRITE_PROTECTED)
> > + EFI_STATUS_STR(OUT_OF_RESOURCES)
> > + EFI_STATUS_STR(NOT_FOUND)
> > + EFI_STATUS_STR(ABORTED)
> > + EFI_STATUS_STR(SECURITY_VIOLATION)
> > + }
> > +
> > + return "";
> > +}
> > +
> > typedef unsigned long efi_status_t;
> > typedef u8 efi_bool_t;
> > typedef u16 efi_char16_t; /* UNICODE character */
> > --
> > 2.16.4
> >