From: "Lee, Chun-Yi"
To: David Howells
Cc: linux-fs@vger.kernel.org, linux-efi@vger.kernel.org, linux-kernel@vger.kernel.org, "Lee, Chun-Yi", Josh Boyer, James Bottomley
Subject: [PATCH 3/5] MODSIGN: load blacklist from MOKx
Date: Tue, 13 Mar 2018 18:38:01 +0800
Message-Id: <20180313103803.13388-4-jlee@suse.com>
In-Reply-To: <20180313103803.13388-1-jlee@suse.com>
References: <20180313103803.13388-1-jlee@suse.com>
X-Mailing-List: linux-kernel@vger.kernel.org

This patch adds the logic to load the blacklisted hashes and certificates from MOKx, which is maintained by the shim bootloader.

Cc: David Howells
Cc: Josh Boyer
Cc: James Bottomley
Signed-off-by: "Lee, Chun-Yi"
---
 certs/load_uefi.c | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/certs/load_uefi.c b/certs/load_uefi.c
index f2f372b..dc66a79 100644
--- a/certs/load_uefi.c
+++ b/certs/load_uefi.c
@@ -164,8 +164,8 @@ static int __init load_uefi_certs(void) { efi_guid_t secure_var = EFI_IMAGE_SECURITY_DATABASE_GUID; efi_guid_t mok_var = EFI_SHIM_LOCK_GUID; - void *db = NULL, *dbx = NULL, *mok = NULL; - unsigned long dbsize = 0, dbxsize = 0, moksize = 0; + void *db = NULL, *dbx = NULL, *mok = NULL, *mokx = NULL; + unsigned long dbsize = 0, dbxsize = 0, moksize = 0, mokxsize = 0; int rc = 0; if (!efi.get_variable) @@ -195,7 +195,7 @@ static int __init load_uefi_certs(void) kfree(dbx); } - /* the MOK can not be trusted when secure boot is disabled */ + /* the MOK and MOKx can not be trusted when secure boot is disabled */ if (!efi_enabled(EFI_SECURE_BOOT)) return 0; @@ -208,6 +208,16 @@ static int __init load_uefi_certs(void) kfree(mok); } + mokx = get_cert_list(L"MokListXRT", &mok_var, &mokxsize); + if (mokx) { + rc = parse_efi_signature_list("UEFI:mokx", + mokx, mokxsize, + get_handler_for_dbx); + if (rc) + pr_err("Couldn't parse MokListXRT signatures: %d\n", rc); + kfree(mokx); + } + return rc; } late_initcall(load_uefi_certs); -- 2.10.2
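Review bot: in the second hunk, the reworded comment `/* the MOK and MOKx can not be trusted when secure boot is disabled */` states the rule but not the reason, and "can not" should be "cannot". The reason the check matters is that with Secure Boot off nothing guarantees shim ran, so the MokListRT/MokListXRT runtime variables could have been populated by whatever booted the machine; a reader of this function benefits from that being spelled out. Suggest something like: `/* MokListRT and MokListXRT cannot be trusted when secure boot is disabled: without secure boot any boot path could have set them */`.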
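Review bot: in the third hunk, `rc = parse_efi_signature_list("UEFI:mokx", mokx, mokxsize, get_handler_for_dbx);` reassigns the single `rc` that the function returns via `return rc;` at the end, so an error left in `rc` by the preceding MokListRT parse (the block ending in `kfree(mok);`) is replaced by 0 whenever the MOKx parse succeeds, and the caller never learns of it. Since each failure is already reported with `pr_err()` and a bad list should not prevent the remaining lists from being loaded, either return 0 unconditionally after logging, or keep the first non-zero result in a separate variable (e.g. `if (rc && !ret) ret = rc;`) and return that. Using `get_handler_for_dbx` for MokListXRT is the right choice, since these entries are revocations, not trust anchors.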