From: Josh Boyer
Date: Mon, 21 Nov 2016 11:26:03 -0500
Subject: Re: [PATCH 9/9] MODSIGN: Allow the "db" UEFI variable to be suppressed
To: Ard Biesheuvel
Cc: David Howells, keyrings@vger.kernel.org, Matthew Garrett, linux-efi@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module

On Mon, Nov 21, 2016 at 11:18 AM, Ard Biesheuvel wrote:
> On 16 November 2016 at 18:11, David Howells wrote:
>> From: Josh Boyer
>>
>> If a user tells shim to not use the certs/hashes in the UEFI db variable
>> for verification purposes, shim will set a UEFI variable called
>> MokIgnoreDB. Have the uefi import code look for this and ignore the db
>> variable if it is found.
>>
>
> Similar concern as in the previous patch: it appears to me that you
> can DoS a machine by setting MokIgnoreDB if, e.g., its modules are
> signed against a cert that resides in db, and shim/mokmanager are not
> being used.

If shim/mokmanager aren't used, then you can't actually modify MokIgnoreDB. Again, it requires physical access and a reboot into mokmanager to actually take effect.

josh

>> Signed-off-by: Josh Boyer
>> Signed-off-by: David Howells >> --- >> >> certs/load_uefi.c | 44 ++++++++++++++++++++++++++++++++++---------- >> 1 file changed, 34 insertions(+), 10 deletions(-) >> >> diff --git a/certs/load_uefi.c b/certs/load_uefi.c >> index b44e464c3ff4..3d8845986019 100644 >> --- a/certs/load_uefi.c >> +++ b/certs/load_uefi.c >> @@ -13,6 +13,26 @@ static __initdata efi_guid_t efi_cert_x509_sha256_guid = EFI_CERT_X509_SHA256_GU >> static __initdata efi_guid_t efi_cert_sha256_guid = EFI_CERT_SHA256_GUID; >> >> /* >> + * Look to see if a UEFI variable called MokIgnoreDB exists and return true if >> + * it does. >> + * >> + * This UEFI variable is set by the shim if a user tells the shim to not use >> + * the certs/hashes in the UEFI db variable for verification purposes. If it >> + * is set, we should ignore the db variable also and the true return indicates >> + * this. >> + */ >> +static __init bool uefi_check_ignore_db(void) >> +{ >> + efi_status_t status; >> + unsigned int db = 0; >> + unsigned long size = sizeof(db); >> + efi_guid_t guid = EFI_SHIM_LOCK_GUID; >> + >> + status = efi.get_variable(L"MokIgnoreDB", &guid, NULL, &size, &db); >> + return status == EFI_SUCCESS; >> +} >> + >> +/* >> * Get a certificate list blob from the named EFI variable. >> */ >> static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid, >> @@ -113,7 +133,9 @@ static __init efi_element_handler_t get_handler_for_dbx(const efi_guid_t *sig_ty >> } >> >> /* >> - * Load the certs contained in the UEFI databases >> + * Load the certs contained in the UEFI databases into the secondary trusted >> + * keyring and the UEFI blacklisted X.509 cert SHA256 hashes into the blacklist >> + * keyring. >> */ >> static int __init load_uefi_certs(void) >> { 
>> @@ -129,15 +151,17 @@ static int __init load_uefi_certs(void) >> /* Get db, MokListRT, and dbx. They might not exist, so it isn't >> * an error if we can't get them. >> */ >> - db = get_cert_list(L"db", &secure_var, &dbsize); >> - if (!db) { >> - pr_err("MODSIGN: Couldn't get UEFI db list\n"); >> - } else { >> - rc = parse_efi_signature_list("UEFI:db", >> - db, dbsize, get_handler_for_db); >> - if (rc) >> - pr_err("Couldn't parse db signatures: %d\n", rc); >> - kfree(db); >> + if (!uefi_check_ignore_db()) { >> + db = get_cert_list(L"db", &secure_var, &dbsize); >> + if (!db) { >> + pr_err("MODSIGN: Couldn't get UEFI db list\n"); >> + } else { >> + rc = parse_efi_signature_list("UEFI:db", >> + db, dbsize, get_handler_for_db); >> + if (rc) >> + pr_err("Couldn't parse db signatures: %d\n", rc); >> + kfree(db); >> + } >> } >> >> mok = get_cert_list(L"MokListRT", &mok_var, &moksize); >> >> --
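Review bot: In the first hunk (the new uefi_check_ignore_db() in certs/load_uefi.c), the "exists" test is narrower than the comment states: efi.get_variable() is called with a 4-byte buffer and only EFI_SUCCESS counts, so a MokIgnoreDB variable whose payload is larger than sizeof(db) comes back as EFI_BUFFER_TOO_SMALL and is treated as absent, while any content, including a zero value, counts as "set". If the intent is purely existence, treat EFI_BUFFER_TOO_SMALL as present as well (`return status == EFI_SUCCESS || status == EFI_BUFFER_TOO_SMALL;`); if the intent is a boolean flag, check the value. Separately, the attributes pointer is passed as NULL; given the thread's discussion of who is able to set this variable, retrieving the attributes and recording them in a pr_info() would make it possible to tell from dmesg whether the variable seen at boot was the volatile one mirrored by shim or a persistently stored one.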
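Review bot: In the third hunk (load_uefi_certs()), the new `if (!uefi_check_ignore_db())` path is silent when db is skipped, whereas the else branch still reports a failure to read db with pr_err(). Skipping a whole trust source is at least as interesting to an administrator as failing to read it, so add a log line on the ignore path, e.g. `pr_info("MODSIGN: UEFI db ignored due to MokIgnoreDB\n");`, so that a machine booting without the db certificates is visible in the kernel log. Also note that the two pr_err() messages in this block are inconsistently prefixed ("MODSIGN: Couldn't get UEFI db list" versus "Couldn't parse db signatures"); since the lines are being touched anyway, giving both the MODSIGN: prefix would make them easier to grep for.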