From: "Lee, Chun-Yi"
To: David Howells
Cc: linux-fs@vger.kernel.org, linux-efi@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH 0/5 v2] Using the hash in MOKx to blacklist kernel module
Date: Tue, 13 Mar 2018 18:35:54 +0800
Message-Id: <20180313103559.13032-1-jlee@suse.com>
X-Mailer: git-send-email 2.12.3
X-Mailing-List: linux-kernel@vger.kernel.org

This patch set is based on the efi-lock-down and keys-uefi branches in David Howells's linux-fs git tree.

https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/log/?h=keys-uefi

The main purpose is using MOKx to blacklist kernel modules. Like the MOK (Machine Owner Key), MOKx is an EFI boot-time variable which is maintained by the shim boot loader. We can enroll the hash of a blacklisted kernel module (with or without signature) in MOKx with mokutil.
The kernel loads the hashes from MOKx into the blacklist keyring when booting. The kernel will refuse to load a kernel module when its hash is found in the blacklist. This function is useful for revoking a kernel module that has an exploit, or for revoking a kernel module that was signed by an insecure key.

Besides MOKx, this patch set fixes another two issues: the MOK/MOKx should not be loaded when secure boot is disabled, and the modified error message prints out an appropriate status string for reading by human beings.

v2: Checking the attributes of db and mok before loading certificates.

Lee, Chun-Yi (5):
  MODSIGN: do not load mok when secure boot disabled
  MODSIGN: print appropriate status message when getting UEFI certificates list
  MODSIGN: load blacklist from MOKx
  MODSIGN: checking the blacklisted hash before loading a kernel module
  MODSIGN: check the attributes of db and mok

 certs/load_uefi.c       | 92 +++++++++++++++++++++++++++++++++++--------------
 include/linux/efi.h     | 25 ++++++++++++++
 kernel/module_signing.c | 62 +++++++++++++++++++++++++++++++--
 3 files changed, 152 insertions(+), 27 deletions(-)

-- 
2.10.2
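As an added illustration (not part of this patch set or of the kernel's own code), a Python model of the MOKx path the cover letter describes: parse the EFI_SIGNATURE_LIST structures a MOKx variable holds, collect its SHA-256 entries into a blacklist set, and refuse a module whose hash is listed. The EFI_SIGNATURE_LIST layout and the EFI_CERT_SHA256_GUID value come from the UEFI specification; the function names, the list-building helper and the sample module blobs are constructed for this example.

```python
import hashlib
import struct
import uuid

# Signature-type GUID for raw SHA-256 entries (UEFI specification value, not from the page).
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")


def parse_signature_lists(blob):
    """Walk a sequence of EFI_SIGNATURE_LIST structures, the layout shared by
    db/dbx and the shim-maintained MOK/MOKx, yielding (type_guid, data) pairs."""
    off = 0
    while off < len(blob):
        if len(blob) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        type_guid = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 + hdr_size or off + list_size > len(blob) or sig_size <= 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST")
        entries = blob[off + 28 + hdr_size:off + list_size]
        if len(entries) % sig_size:
            raise ValueError("list body is not a multiple of SignatureSize")
        for i in range(0, len(entries), sig_size):
            # EFI_SIGNATURE_DATA: 16-byte SignatureOwner GUID, then the payload.
            yield type_guid, entries[i + 16:i + sig_size]
        off += list_size


def load_blacklist_hashes(mokx_blob):
    """Collect MOKx SHA-256 entries as hex strings, mirroring how the patches add
    hash entries to the blacklist keyring at boot; other entry types are ignored."""
    return {sig.hex() for t, sig in parse_signature_lists(mokx_blob)
            if t == EFI_CERT_SHA256_GUID and len(sig) == 32}


def module_load_allowed(module_bytes, blacklist):
    """Hypothetical stand-in for the check made before a module is loaded:
    refuse it when the SHA-256 of the module image is blacklisted."""
    return hashlib.sha256(module_bytes).hexdigest() not in blacklist


def build_sha256_list(digests):
    """Constructed helper: encode raw SHA-256 digests as one EFI_SIGNATURE_LIST."""
    owner = uuid.UUID(int=0).bytes_le
    body = b"".join(owner + d for d in digests)
    header = EFI_CERT_SHA256_GUID.bytes_le + struct.pack("<III", 28 + len(body), 0, 48)
    return header + body


# Constructed sample data: a "revoked" module enrolled in MOKx and a clean one that is not.
REVOKED_MODULE = b"\x7fELF-constructed-revoked-module"
CLEAN_MODULE = b"\x7fELF-constructed-clean-module"
MOKX_SAMPLE = build_sha256_list([hashlib.sha256(REVOKED_MODULE).digest()])
```

With `bl = load_blacklist_hashes(MOKX_SAMPLE)`, `module_load_allowed(REVOKED_MODULE, bl)` is False and `module_load_allowed(CLEAN_MODULE, bl)` is True.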