2020-09-05 01:32:21

by Lenny Szubowicz

[permalink] [raw]
Subject: [PATCH V2 2/3] integrity: Move import of MokListRT certs to a separate routine

Move the loading of certs from the UEFI MokListRT into a separate
routine to facilitate additional MokList functionality.

There is no visible functional change as a result of this patch.
Although the UEFI dbx certs are now loaded before the MokList certs,
they are loaded onto different key rings. So the order of the keys
on their respective key rings is the same.

Signed-off-by: Lenny Szubowicz <[email protected]>
---
security/integrity/platform_certs/load_uefi.c | 63 +++++++++++++------
1 file changed, 44 insertions(+), 19 deletions(-)

diff --git a/security/integrity/platform_certs/load_uefi.c b/security/integrity/platform_certs/load_uefi.c
index 253fb9a7fc98..c1c622b4dc78 100644
--- a/security/integrity/platform_certs/load_uefi.c
+++ b/security/integrity/platform_certs/load_uefi.c
@@ -66,6 +66,43 @@ static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid,
}

/*
+ * load_moklist_certs() - Load MokList certs
+ *
+ * Load the certs contained in the UEFI MokListRT database into the
+ * platform trusted keyring.
+ *
+ * Return: Status
+ */
+static int __init load_moklist_certs(void)
+{
+ efi_guid_t mok_var = EFI_SHIM_LOCK_GUID;
+ void *mok;
+ unsigned long moksize;
+ efi_status_t status;
+ int rc;
+
+ /* Get MokListRT. It might not exist, so it isn't an error
+ * if we can't get it.
+ */
+ mok = get_cert_list(L"MokListRT", &mok_var, &moksize, &status);
+ if (mok) {
+ rc = parse_efi_signature_list("UEFI:MokListRT",
+ mok, moksize, get_handler_for_db);
+ kfree(mok);
+ if (rc)
+ pr_err("Couldn't parse MokListRT signatures: %d\n", rc);
+ return rc;
+ }
+ if (status == EFI_NOT_FOUND)
+ pr_debug("MokListRT variable wasn't found\n");
+ else
+ pr_info("Couldn't get UEFI MokListRT\n");
+ return 0;
+}
+
+/*
+ * load_uefi_certs() - Load certs from UEFI sources
+ *
* Load the certs contained in the UEFI databases into the platform trusted
* keyring and the UEFI blacklisted X.509 cert SHA256 hashes into the blacklist
* keyring.
@@ -73,17 +110,16 @@ static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid,
static int __init load_uefi_certs(void)
{
efi_guid_t secure_var = EFI_IMAGE_SECURITY_DATABASE_GUID;
- efi_guid_t mok_var = EFI_SHIM_LOCK_GUID;
- void *db = NULL, *dbx = NULL, *mok = NULL;
- unsigned long dbsize = 0, dbxsize = 0, moksize = 0;
+ void *db = NULL, *dbx = NULL;
+ unsigned long dbsize = 0, dbxsize = 0;
efi_status_t status;
int rc = 0;

if (!efi_rt_services_supported(EFI_RT_SUPPORTED_GET_VARIABLE))
return false;

- /* Get db, MokListRT, and dbx. They might not exist, so it isn't
- * an error if we can't get them.
+ /* Get db and dbx. They might not exist, so it isn't an error
+ * if we can't get them.
*/
if (!uefi_check_ignore_db()) {
db = get_cert_list(L"db", &secure_var, &dbsize, &status);
@@ -102,20 +138,6 @@ static int __init load_uefi_certs(void)
}
}

- mok = get_cert_list(L"MokListRT", &mok_var, &moksize, &status);
- if (!mok) {
- if (status == EFI_NOT_FOUND)
- pr_debug("MokListRT variable wasn't found\n");
- else
- pr_info("Couldn't get UEFI MokListRT\n");
- } else {
- rc = parse_efi_signature_list("UEFI:MokListRT",
- mok, moksize, get_handler_for_db);
- if (rc)
- pr_err("Couldn't parse MokListRT signatures: %d\n", rc);
- kfree(mok);
- }
-
dbx = get_cert_list(L"dbx", &secure_var, &dbxsize, &status);
if (!dbx) {
if (status == EFI_NOT_FOUND)
@@ -131,6 +153,9 @@ static int __init load_uefi_certs(void)
kfree(dbx);
}

+ /* Load the MokListRT certs */
+ rc = load_moklist_certs();
+
return rc;
}
late_initcall(load_uefi_certs);
--
2.27.0


2020-09-11 15:56:48

by Lenny Szubowicz

[permalink] [raw]
Subject: Re: [PATCH V2 2/3] integrity: Move import of MokListRT certs to a separate routine

On 9/11/20 11:02 AM, Ard Biesheuvel wrote:
> On Sat, 5 Sep 2020 at 04:31, Lenny Szubowicz <[email protected]> wrote:
>>
>> Move the loading of certs from the UEFI MokListRT into a separate
>> routine to facilitate additional MokList functionality.
>>
>> There is no visible functional change as a result of this patch.
>> Although the UEFI dbx certs are now loaded before the MokList certs,
>> they are loaded onto different key rings. So the order of the keys
>> on their respective key rings is the same.
>>
>> Signed-off-by: Lenny Szubowicz <[email protected]>
>
> Why did you drop Mimi's reviewed-by from this patch?

It was not intentional. I was just not aware that I needed to propagate
Mimi Zohar's reviewed-by from V1 of the patch to V2.

Reviewed-by: Mimi Zohar <[email protected]>

V2 includes changes in that patch to incorporate suggestions from
Andy Shevchenko. My assumption was that the maintainer would
gather up the reviewed-by and add any signed-off-by as appropriate,
but it sounds like my assumption was incorrect. In retrospect, I
could see that having the maintainer dig through prior versions
of a patch set for prior reviewed-by tags could be burdensome.

Advice on the expected handling of this would be appreciated.

-Lenny.

>
>> ---
>> security/integrity/platform_certs/load_uefi.c | 63 +++++++++++++------
>> 1 file changed, 44 insertions(+), 19 deletions(-)
>>
>> diff --git a/security/integrity/platform_certs/load_uefi.c b/security/integrity/platform_certs/load_uefi.c
>> index 253fb9a7fc98..c1c622b4dc78 100644
>> --- a/security/integrity/platform_certs/load_uefi.c
>> +++ b/security/integrity/platform_certs/load_uefi.c
>> @@ -66,6 +66,43 @@ static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid,
>> }
>>
>> /*
>> + * load_moklist_certs() - Load MokList certs
>> + *
>> + * Load the certs contained in the UEFI MokListRT database into the
>> + * platform trusted keyring.
>> + *
>> + * Return: Status
>> + */
>> +static int __init load_moklist_certs(void)
>> +{
>> + efi_guid_t mok_var = EFI_SHIM_LOCK_GUID;
>> + void *mok;
>> + unsigned long moksize;
>> + efi_status_t status;
>> + int rc;
>> +
>> + /* Get MokListRT. It might not exist, so it isn't an error
>> + * if we can't get it.
>> + */
>> + mok = get_cert_list(L"MokListRT", &mok_var, &moksize, &status);
>> + if (mok) {
>> + rc = parse_efi_signature_list("UEFI:MokListRT",
>> + mok, moksize, get_handler_for_db);
>> + kfree(mok);
>> + if (rc)
>> + pr_err("Couldn't parse MokListRT signatures: %d\n", rc);
>> + return rc;
>> + }
>> + if (status == EFI_NOT_FOUND)
>> + pr_debug("MokListRT variable wasn't found\n");
>> + else
>> + pr_info("Couldn't get UEFI MokListRT\n");
>> + return 0;
>> +}
>> +
>> +/*
>> + * load_uefi_certs() - Load certs from UEFI sources
>> + *
>> * Load the certs contained in the UEFI databases into the platform trusted
>> * keyring and the UEFI blacklisted X.509 cert SHA256 hashes into the blacklist
>> * keyring.
>> @@ -73,17 +110,16 @@ static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid,
>> static int __init load_uefi_certs(void)
>> {
>> efi_guid_t secure_var = EFI_IMAGE_SECURITY_DATABASE_GUID;
>> - efi_guid_t mok_var = EFI_SHIM_LOCK_GUID;
>> - void *db = NULL, *dbx = NULL, *mok = NULL;
>> - unsigned long dbsize = 0, dbxsize = 0, moksize = 0;
>> + void *db = NULL, *dbx = NULL;
>> + unsigned long dbsize = 0, dbxsize = 0;
>> efi_status_t status;
>> int rc = 0;
>>
>> if (!efi_rt_services_supported(EFI_RT_SUPPORTED_GET_VARIABLE))
>> return false;
>>
>> - /* Get db, MokListRT, and dbx. They might not exist, so it isn't
>> - * an error if we can't get them.
>> + /* Get db and dbx. They might not exist, so it isn't an error
>> + * if we can't get them.
>> */
>> if (!uefi_check_ignore_db()) {
>> db = get_cert_list(L"db", &secure_var, &dbsize, &status);
>> @@ -102,20 +138,6 @@ static int __init load_uefi_certs(void)
>> }
>> }
>>
>> - mok = get_cert_list(L"MokListRT", &mok_var, &moksize, &status);
>> - if (!mok) {
>> - if (status == EFI_NOT_FOUND)
>> - pr_debug("MokListRT variable wasn't found\n");
>> - else
>> - pr_info("Couldn't get UEFI MokListRT\n");
>> - } else {
>> - rc = parse_efi_signature_list("UEFI:MokListRT",
>> - mok, moksize, get_handler_for_db);
>> - if (rc)
>> - pr_err("Couldn't parse MokListRT signatures: %d\n", rc);
>> - kfree(mok);
>> - }
>> -
>> dbx = get_cert_list(L"dbx", &secure_var, &dbxsize, &status);
>> if (!dbx) {
>> if (status == EFI_NOT_FOUND)
>> @@ -131,6 +153,9 @@ static int __init load_uefi_certs(void)
>> kfree(dbx);
>> }
>>
>> + /* Load the MokListRT certs */
>> + rc = load_moklist_certs();
>> +
>> return rc;
>> }
>> late_initcall(load_uefi_certs);
>> --
>> 2.27.0
>>
>

2020-09-11 16:03:46

by Mimi Zohar

[permalink] [raw]
Subject: Re: [PATCH V2 2/3] integrity: Move import of MokListRT certs to a separate routine

On Fri, 2020-09-11 at 11:54 -0400, Lenny Szubowicz wrote:
> On 9/11/20 11:02 AM, Ard Biesheuvel wrote:
> > On Sat, 5 Sep 2020 at 04:31, Lenny Szubowicz <[email protected]> wrote:
> >>
> >> Move the loading of certs from the UEFI MokListRT into a separate
> >> routine to facilitate additional MokList functionality.
> >>
> >> There is no visible functional change as a result of this patch.
> >> Although the UEFI dbx certs are now loaded before the MokList certs,
> >> they are loaded onto different key rings. So the order of the keys
> >> on their respective key rings is the same.
> >>
> >> Signed-off-by: Lenny Szubowicz <[email protected]>
> >
> > Why did you drop Mimi's reviewed-by from this patch?
>
> It was not intentional. I was just not aware that I needed to propagate
> Mimi Zohar's reviewed-by from V1 of the patch to V2.
>
> Reviewed-by: Mimi Zohar <[email protected]>
>
> V2 includes changes in that patch to incorporate suggestions from
> Andy Shevchenko. My assumption was that the maintainer would
> gather up the reviewed-by and add any signed-off-by as appropriate,
> but it sounds like my assumption was incorrect. In retrospect, I
> could see that having the maintainer dig through prior versions
> of a patch set for prior reviewed-by tags could be burdensome.

As much as possible moving code should be done without making changes,
simpler for code review. Then as a separate patch you make changes.
That way you could also have retained my Reviewed-by.

Mimi

>
> Advice on the expected handling of this would be appreciated.


2020-09-11 17:00:00

by Ard Biesheuvel

[permalink] [raw]
Subject: Re: [PATCH V2 2/3] integrity: Move import of MokListRT certs to a separate routine

On Sat, 5 Sep 2020 at 04:31, Lenny Szubowicz <[email protected]> wrote:
>
> Move the loading of certs from the UEFI MokListRT into a separate
> routine to facilitate additional MokList functionality.
>
> There is no visible functional change as a result of this patch.
> Although the UEFI dbx certs are now loaded before the MokList certs,
> they are loaded onto different key rings. So the order of the keys
> on their respective key rings is the same.
>
> Signed-off-by: Lenny Szubowicz <[email protected]>

Why did you drop Mimi's reviewed-by from this patch?

> ---
> security/integrity/platform_certs/load_uefi.c | 63 +++++++++++++------
> 1 file changed, 44 insertions(+), 19 deletions(-)
>
> diff --git a/security/integrity/platform_certs/load_uefi.c b/security/integrity/platform_certs/load_uefi.c
> index 253fb9a7fc98..c1c622b4dc78 100644
> --- a/security/integrity/platform_certs/load_uefi.c
> +++ b/security/integrity/platform_certs/load_uefi.c
> @@ -66,6 +66,43 @@ static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid,
> }
>
> /*
> + * load_moklist_certs() - Load MokList certs
> + *
> + * Load the certs contained in the UEFI MokListRT database into the
> + * platform trusted keyring.
> + *
> + * Return: Status
> + */
> +static int __init load_moklist_certs(void)
> +{
> + efi_guid_t mok_var = EFI_SHIM_LOCK_GUID;
> + void *mok;
> + unsigned long moksize;
> + efi_status_t status;
> + int rc;
> +
> + /* Get MokListRT. It might not exist, so it isn't an error
> + * if we can't get it.
> + */
> + mok = get_cert_list(L"MokListRT", &mok_var, &moksize, &status);
> + if (mok) {
> + rc = parse_efi_signature_list("UEFI:MokListRT",
> + mok, moksize, get_handler_for_db);
> + kfree(mok);
> + if (rc)
> + pr_err("Couldn't parse MokListRT signatures: %d\n", rc);
> + return rc;
> + }
> + if (status == EFI_NOT_FOUND)
> + pr_debug("MokListRT variable wasn't found\n");
> + else
> + pr_info("Couldn't get UEFI MokListRT\n");
> + return 0;
> +}
> +
> +/*
> + * load_uefi_certs() - Load certs from UEFI sources
> + *
> * Load the certs contained in the UEFI databases into the platform trusted
> * keyring and the UEFI blacklisted X.509 cert SHA256 hashes into the blacklist
> * keyring.
> @@ -73,17 +110,16 @@ static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid,
> static int __init load_uefi_certs(void)
> {
> efi_guid_t secure_var = EFI_IMAGE_SECURITY_DATABASE_GUID;
> - efi_guid_t mok_var = EFI_SHIM_LOCK_GUID;
> - void *db = NULL, *dbx = NULL, *mok = NULL;
> - unsigned long dbsize = 0, dbxsize = 0, moksize = 0;
> + void *db = NULL, *dbx = NULL;
> + unsigned long dbsize = 0, dbxsize = 0;
> efi_status_t status;
> int rc = 0;
>
> if (!efi_rt_services_supported(EFI_RT_SUPPORTED_GET_VARIABLE))
> return false;
>
> - /* Get db, MokListRT, and dbx. They might not exist, so it isn't
> - * an error if we can't get them.
> + /* Get db and dbx. They might not exist, so it isn't an error
> + * if we can't get them.
> */
> if (!uefi_check_ignore_db()) {
> db = get_cert_list(L"db", &secure_var, &dbsize, &status);
> @@ -102,20 +138,6 @@ static int __init load_uefi_certs(void)
> }
> }
>
> - mok = get_cert_list(L"MokListRT", &mok_var, &moksize, &status);
> - if (!mok) {
> - if (status == EFI_NOT_FOUND)
> - pr_debug("MokListRT variable wasn't found\n");
> - else
> - pr_info("Couldn't get UEFI MokListRT\n");
> - } else {
> - rc = parse_efi_signature_list("UEFI:MokListRT",
> - mok, moksize, get_handler_for_db);
> - if (rc)
> - pr_err("Couldn't parse MokListRT signatures: %d\n", rc);
> - kfree(mok);
> - }
> -
> dbx = get_cert_list(L"dbx", &secure_var, &dbxsize, &status);
> if (!dbx) {
> if (status == EFI_NOT_FOUND)
> @@ -131,6 +153,9 @@ static int __init load_uefi_certs(void)
> kfree(dbx);
> }
>
> + /* Load the MokListRT certs */
> + rc = load_moklist_certs();
> +
> return rc;
> }
> late_initcall(load_uefi_certs);
> --
> 2.27.0
>

2020-09-11 17:20:09

by Lenny Szubowicz

[permalink] [raw]
Subject: Re: [PATCH V2 2/3] integrity: Move import of MokListRT certs to a separate routine

On 9/11/20 11:59 AM, Mimi Zohar wrote:
> On Fri, 2020-09-11 at 11:54 -0400, Lenny Szubowicz wrote:
>> On 9/11/20 11:02 AM, Ard Biesheuvel wrote:
>>> On Sat, 5 Sep 2020 at 04:31, Lenny Szubowicz <[email protected]> wrote:
>>>>
>>>> Move the loading of certs from the UEFI MokListRT into a separate
>>>> routine to facilitate additional MokList functionality.
>>>>
>>>> There is no visible functional change as a result of this patch.
>>>> Although the UEFI dbx certs are now loaded before the MokList certs,
>>>> they are loaded onto different key rings. So the order of the keys
>>>> on their respective key rings is the same.
>>>>
>>>> Signed-off-by: Lenny Szubowicz <[email protected]>
>>>
>>> Why did you drop Mimi's reviewed-by from this patch?
>>
>> It was not intentional. I was just not aware that I needed to propagate
>> Mimi Zohar's reviewed-by from V1 of the patch to V2.
>>
>> Reviewed-by: Mimi Zohar <[email protected]>
>>
>> V2 includes changes in that patch to incorporate suggestions from
>> Andy Shevchenko. My assumption was that the maintainer would
>> gather up the reviewed-by and add any signed-off-by as appropriate,
>> but it sounds like my assumption was incorrect. In retrospect, I
>> could see that having the maintainer dig through prior versions
>> of a patch set for prior reviewed-by tags could be burdensome.
>
> As much as possible moving code should be done without making changes,
> simpler for code review. Then as a separate patch you make changes.
> That way you could also have retained my Reviewed-by.
>
> Mimi

If you or Ard think I should, I can do a V3 with:

Patch V3 01: Unchanged from V2
Patch V3 02: Goes back to V1 of patch 02 that Mimi reviewed
Patch V3 03: New. Has Andy's cleanup suggestions separated from patch 02
Patch V3 04: This would most probably just be the V2 of patch 03 with no changes

-Lenny.

>
>>
>> Advice on the expected handling of this would be appreciated.
>
>

2020-09-11 18:18:21

by Ard Biesheuvel

[permalink] [raw]
Subject: Re: [PATCH V2 2/3] integrity: Move import of MokListRT certs to a separate routine

On Fri, 11 Sep 2020 at 20:18, Lenny Szubowicz <[email protected]> wrote:
>
> On 9/11/20 11:59 AM, Mimi Zohar wrote:
> > On Fri, 2020-09-11 at 11:54 -0400, Lenny Szubowicz wrote:
> >> On 9/11/20 11:02 AM, Ard Biesheuvel wrote:
> >>> On Sat, 5 Sep 2020 at 04:31, Lenny Szubowicz <[email protected]> wrote:
> >>>>
> >>>> Move the loading of certs from the UEFI MokListRT into a separate
> >>>> routine to facilitate additional MokList functionality.
> >>>>
> >>>> There is no visible functional change as a result of this patch.
> >>>> Although the UEFI dbx certs are now loaded before the MokList certs,
> >>>> they are loaded onto different key rings. So the order of the keys
> >>>> on their respective key rings is the same.
> >>>>
> >>>> Signed-off-by: Lenny Szubowicz <[email protected]>
> >>>
> >>> Why did you drop Mimi's reviewed-by from this patch?
> >>
> >> It was not intentional. I was just not aware that I needed to propagate
> >> Mimi Zohar's reviewed-by from V1 of the patch to V2.
> >>
> >> Reviewed-by: Mimi Zohar <[email protected]>
> >>
> >> V2 includes changes in that patch to incorporate suggestions from
> >> Andy Shevchenko. My assumption was that the maintainer would
> >> gather up the reviewed-by and add any signed-off-by as appropriate,
> >> but it sounds like my assumption was incorrect. In retrospect, I
> >> could see that having the maintainer dig through prior versions
> >> of a patch set for prior reviewed-by tags could be burdensome.
> >
> > As much as possible moving code should be done without making changes,
> > simpler for code review. Then as a separate patch you make changes.
> > That way you could also have retained my Reviewed-by.
> >
> > Mimi
>
> If you or Ard think I should, I can do a V3 with:
>
> Patch V3 01: Unchanged from V2
> Patch V3 02: Goes back to V1 of patch 02 that Mimi reviewed
> Patch V3 03: New. Has Andy's cleanup suggestions separated from patch 02
> Patch V3 04: This would most probably just be the V2 of patch 03 with no changes
>

I think we can just merge the patches as they are, with Mimi's R-b carried over.

2020-09-11 19:11:48

by Mimi Zohar

[permalink] [raw]
Subject: Re: [PATCH V2 2/3] integrity: Move import of MokListRT certs to a separate routine

On Fri, 2020-09-11 at 21:16 +0300, Ard Biesheuvel wrote:
> I think we can just merge the patches as they are, with Mimi's R-b carried over.

Other than the comments beginning on the "/*" line as opposed to the
subsequent line, the updated 2/2 and 3/3 patches look fine.

thanks,

Mimi

2020-09-11 19:51:38

by Lenny Szubowicz

[permalink] [raw]
Subject: Re: [PATCH V2 2/3] integrity: Move import of MokListRT certs to a separate routine

On 9/11/20 3:08 PM, Mimi Zohar wrote:
> On Fri, 2020-09-11 at 21:16 +0300, Ard Biesheuvel wrote:
>> I think we can just merge the patches as they are, with Mimi's R-b carried over.
>
> Other than the comments beginning on the "/*" line as opposed to the
> subsequent line, the updated 2/2 and 3/3 patches look fine.
>
> thanks,
>
> Mimi
>

I also prefer the block comment style that you are suggesting. However, I
kept to the style used by the load_uefi.c source file. If checkpatch.pl
considers it acceptable, I deferred to consistency within the source module.

-Lenny.

Subject: [tip: efi/core] integrity: Move import of MokListRT certs to a separate routine

The following commit has been merged into the efi/core branch of tip:

Commit-ID: 38a1f03aa24094b4a8de846700cb6cb21cc06468
Gitweb: https://git.kernel.org/tip/38a1f03aa24094b4a8de846700cb6cb21cc06468
Author: Lenny Szubowicz <[email protected]>
AuthorDate: Fri, 04 Sep 2020 21:31:06 -04:00
Committer: Ard Biesheuvel <[email protected]>
CommitterDate: Wed, 16 Sep 2020 18:53:42 +03:00

integrity: Move import of MokListRT certs to a separate routine

Move the loading of certs from the UEFI MokListRT into a separate
routine to facilitate additional MokList functionality.

There is no visible functional change as a result of this patch.
Although the UEFI dbx certs are now loaded before the MokList certs,
they are loaded onto different key rings. So the order of the keys
on their respective key rings is the same.

Signed-off-by: Lenny Szubowicz <[email protected]>
Reviewed-by: Mimi Zohar <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Ard Biesheuvel <[email protected]>
---
security/integrity/platform_certs/load_uefi.c | 63 ++++++++++++------
1 file changed, 44 insertions(+), 19 deletions(-)

diff --git a/security/integrity/platform_certs/load_uefi.c b/security/integrity/platform_certs/load_uefi.c
index 253fb9a..c1c622b 100644
--- a/security/integrity/platform_certs/load_uefi.c
+++ b/security/integrity/platform_certs/load_uefi.c
@@ -66,6 +66,43 @@ static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid,
}

/*
+ * load_moklist_certs() - Load MokList certs
+ *
+ * Load the certs contained in the UEFI MokListRT database into the
+ * platform trusted keyring.
+ *
+ * Return: Status
+ */
+static int __init load_moklist_certs(void)
+{
+ efi_guid_t mok_var = EFI_SHIM_LOCK_GUID;
+ void *mok;
+ unsigned long moksize;
+ efi_status_t status;
+ int rc;
+
+ /* Get MokListRT. It might not exist, so it isn't an error
+ * if we can't get it.
+ */
+ mok = get_cert_list(L"MokListRT", &mok_var, &moksize, &status);
+ if (mok) {
+ rc = parse_efi_signature_list("UEFI:MokListRT",
+ mok, moksize, get_handler_for_db);
+ kfree(mok);
+ if (rc)
+ pr_err("Couldn't parse MokListRT signatures: %d\n", rc);
+ return rc;
+ }
+ if (status == EFI_NOT_FOUND)
+ pr_debug("MokListRT variable wasn't found\n");
+ else
+ pr_info("Couldn't get UEFI MokListRT\n");
+ return 0;
+}
+
+/*
+ * load_uefi_certs() - Load certs from UEFI sources
+ *
* Load the certs contained in the UEFI databases into the platform trusted
* keyring and the UEFI blacklisted X.509 cert SHA256 hashes into the blacklist
* keyring.
@@ -73,17 +110,16 @@ static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid,
static int __init load_uefi_certs(void)
{
efi_guid_t secure_var = EFI_IMAGE_SECURITY_DATABASE_GUID;
- efi_guid_t mok_var = EFI_SHIM_LOCK_GUID;
- void *db = NULL, *dbx = NULL, *mok = NULL;
- unsigned long dbsize = 0, dbxsize = 0, moksize = 0;
+ void *db = NULL, *dbx = NULL;
+ unsigned long dbsize = 0, dbxsize = 0;
efi_status_t status;
int rc = 0;

if (!efi_rt_services_supported(EFI_RT_SUPPORTED_GET_VARIABLE))
return false;

- /* Get db, MokListRT, and dbx. They might not exist, so it isn't
- * an error if we can't get them.
+ /* Get db and dbx. They might not exist, so it isn't an error
+ * if we can't get them.
*/
if (!uefi_check_ignore_db()) {
db = get_cert_list(L"db", &secure_var, &dbsize, &status);
@@ -102,20 +138,6 @@ static int __init load_uefi_certs(void)
}
}

- mok = get_cert_list(L"MokListRT", &mok_var, &moksize, &status);
- if (!mok) {
- if (status == EFI_NOT_FOUND)
- pr_debug("MokListRT variable wasn't found\n");
- else
- pr_info("Couldn't get UEFI MokListRT\n");
- } else {
- rc = parse_efi_signature_list("UEFI:MokListRT",
- mok, moksize, get_handler_for_db);
- if (rc)
- pr_err("Couldn't parse MokListRT signatures: %d\n", rc);
- kfree(mok);
- }
-
dbx = get_cert_list(L"dbx", &secure_var, &dbxsize, &status);
if (!dbx) {
if (status == EFI_NOT_FOUND)
@@ -131,6 +153,9 @@ static int __init load_uefi_certs(void)
kfree(dbx);
}

+ /* Load the MokListRT certs */
+ rc = load_moklist_certs();
+
return rc;
}
late_initcall(load_uefi_certs);