Received: by 10.213.65.68 with SMTP id h4csp263386imn; Tue, 13 Mar 2018 03:41:33 -0700 (PDT) X-Google-Smtp-Source: AG47ELvrdj3THN7aX29AMCj79+M5LzRq2pK28c9KuyF2sogO1e8zudmtJjrmE81OALaeqx/NQVne X-Received: by 10.98.204.132 with SMTP id j4mr116622pfk.35.1520937693161; Tue, 13 Mar 2018 03:41:33 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1520937693; cv=none; d=google.com; s=arc-20160816; b=RuVwQdCPKr05jVIOkXPZ89SptaKorB2B6aH0q/fPtE0je1iAy/XimeEhK6CCKzmIeL Bvm+dhlRzrZVLfZecxaIP2Bj597K6aO5ua1m3eleFZ345515PIWxAMWdUfC3R/Q7OamP 02lUvFhYDUnrvBZGU1eQSdsAFn+WPckrpRiYvzps0pqZ0P+KliIzxMfmP0xvzGQ1up91 MOpf70pidCXQRwimjaEv9Eck1QjejqhVGO3u3TrnkmKB+Z4yNHWa9ut5Utk9nrLSL+tV SHz4umaosQ8MxlPwiA3a5xCPj7wmMtmeXLaNFlHPAEeBFyokiyez266vU/nmDDcro5Xt LAXQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:references:in-reply-to:message-id:date :subject:cc:to:from:dkim-signature:arc-authentication-results; bh=WvbFaQCOMqqL5Sga652GdO95+5+fKK3qDUHwQpA+dkY=; b=0QcliBnqTVKYfLEG1xZYdmr3+uZdimNoVPRcUSuqA8opi6TBzSks4CJLqAe9eRVXao 8uEwdG+BFj8cv3de6sHKtAjlQYCteLWRmPj6pJlomNUfzXa+McU2YtIfe1nQ3tlchSWU wDs2aUU4j6Ql18l0+Wv9TNgWSovlL5gBbHCIv3GsOaIwdBpQRUnBxG8S9tiWhiHHeHmf Uz71us4dNiFpgdjAcMoJWrdx2qNBu4CUA1fWyoeOdRSLk5Wzy62EB/k14cF5FQLUha1Q A7EV2mBaNwsmkqA5L5DzCfn0Oyare9mMDipZHCNJP7VC5uZvEyOqBp4zT2gLcar4eJZZ P5ow== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=PZIo6ckH; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id i63si37695pfj.365.2018.03.13.03.41.18; Tue, 13 Mar 2018 03:41:33 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=PZIo6ckH; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S932912AbeCMKiX (ORCPT + 99 others); Tue, 13 Mar 2018 06:38:23 -0400 Received: from mail-it0-f67.google.com ([209.85.214.67]:37486 "EHLO mail-it0-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S932874AbeCMKiV (ORCPT ); Tue, 13 Mar 2018 06:38:21 -0400 Received: by mail-it0-f67.google.com with SMTP id k79-v6so15619274ita.2; Tue, 13 Mar 2018 03:38:20 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=WvbFaQCOMqqL5Sga652GdO95+5+fKK3qDUHwQpA+dkY=; b=PZIo6ckHHK/kGocXynxTp6O8CZhApKrGFn82BZ5tuCYbQt7vHV5cx7EUAUjuFQ+qyM F1iNscOfhySpJ/8xK+p9z1gyP4hlBgtefmJsQxYS4Mi+i8sqzSe1bs7JAcJaVxd7J48q stOkGk4DjA9XS0RqxR0CSflYy0TOx7GoOV77lMA+whPgb6pkMpSkYIxDnwrBs+tYhY0/ fraA/h4RqYvlS21IRQt7EnE4VDP0f/l5HRbQtxhDErf5/RzUVix7qgOtQhltcRTjTnLs PY1JpIRHut+uRFio0rkowxVY6Zrii/HWB6wxGrIGIVWYtVwsQviLQUe65Cr030uWN7wS k2RA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=WvbFaQCOMqqL5Sga652GdO95+5+fKK3qDUHwQpA+dkY=; b=mCNnIzgHnmb/onD/dbpveUecnMQYcFaq7ZaqL1i9S3lt68la1cc2Jetlca5B/4SPSZ FKLAcgM519o347+ql7NGz2L7cEHhtfN9rRp8CVxVrzVUGx9AeZhPQ/SP00Hb5GCEjrDv CeI4yln4I9Fj2Ehm6FxloOo8dFqKCDa/5NETBpj4zPHaq7xvPitku1JiCQ0jVGy4Sjf2 hGs2kMpeHms3MC7G/9NUbvGcxrJNP/BAm3EwiYaNokJHK5Xs/3OWIIyWxrWzVXCYHivn pCG0BX5jVKxeZxXFhkMrHZKfrX56FjhUDcpUy7lEsMQOiySgDIgBdGRuPWP/NF6XYn2j kf0A== X-Gm-Message-State: AElRT7GaLb5T1+iePnM7SBob/aWlEsNyO3n2SgvUWUB4uUk++xAC7xUm 6daLNbJBNU7CHcVWfSvQbKo= X-Received: by 10.36.33.205 with SMTP id e196mr278436ita.49.1520937500473; Tue, 13 Mar 2018 03:38:20 -0700 (PDT) Received: from linux-l9pv.suse ([134.159.103.118]) by smtp.gmail.com with ESMTPSA id y128sm282657itb.39.2018.03.13.03.38.17 (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Tue, 13 Mar 2018 03:38:19 -0700 (PDT) From: "Lee, Chun-Yi" X-Google-Original-From: "Lee, Chun-Yi" To: David Howells Cc: linux-fs@vger.kernel.org, linux-efi@vger.kernel.org, linux-kernel@vger.kernel.org, "Lee, Chun-Yi" , Josh Boyer , James Bottomley Subject: [PATCH 1/5] MODSIGN: do not load mok when secure boot disabled Date: Tue, 13 Mar 2018 18:37:59 +0800 Message-Id: <20180313103803.13388-2-jlee@suse.com> X-Mailer: git-send-email 2.12.3 In-Reply-To: <20180313103803.13388-1-jlee@suse.com> References: <20180313103803.13388-1-jlee@suse.com> Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org The mok can not be trusted when the secure boot is disabled. Which means that the kernel embedded certificate is the only trusted key. Due to db/dbx are authenticated variables, they needs manufacturer's KEK for update. So db/dbx are secure when secureboot disabled. Cc: David Howells Cc: Josh Boyer Cc: James Bottomley Signed-off-by: "Lee, Chun-Yi" --- certs/load_uefi.c | 26 +++++++++++++++----------- 1 file changed, 15 insertions(+), 11 deletions(-) diff --git a/certs/load_uefi.c b/certs/load_uefi.c index 3d88459..d6de4d0 100644 --- a/certs/load_uefi.c +++ b/certs/load_uefi.c @@ -164,17 +164,6 @@ static int __init load_uefi_certs(void) } } - mok = get_cert_list(L"MokListRT", &mok_var, &moksize); - if (!mok) { - pr_info("MODSIGN: Couldn't get UEFI MokListRT\n"); - } else { - rc = parse_efi_signature_list("UEFI:MokListRT", - mok, moksize, get_handler_for_db); - if (rc) - pr_err("Couldn't parse MokListRT signatures: %d\n", rc); - kfree(mok); - } - dbx = get_cert_list(L"dbx", &secure_var, &dbxsize); if (!dbx) { pr_info("MODSIGN: Couldn't get UEFI dbx list\n"); @@ -187,6 +176,21 @@ static int __init load_uefi_certs(void) kfree(dbx); } + /* the MOK can not be trusted when secure boot is disabled */ + if (!efi_enabled(EFI_SECURE_BOOT)) + return 0; + + mok = get_cert_list(L"MokListRT", &mok_var, &moksize); + if (!mok) { + pr_info("MODSIGN: Couldn't get UEFI MokListRT\n"); + } else { + rc = parse_efi_signature_list("UEFI:MokListRT", + mok, moksize, get_handler_for_db); + if (rc) + pr_err("Couldn't parse MokListRT signatures: %d\n", rc); + kfree(mok); + } + return rc; } late_initcall(load_uefi_certs); -- 2.10.2