Received: by 10.213.65.68 with SMTP id h4csp263386imn;
        Tue, 13 Mar 2018 03:41:33 -0700 (PDT)
X-Google-Smtp-Source: AG47ELvrdj3THN7aX29AMCj79+M5LzRq2pK28c9KuyF2sogO1e8zudmtJjrmE81OALaeqx/NQVne
X-Received: by 10.98.204.132 with SMTP id j4mr116622pfk.35.1520937693161;
        Tue, 13 Mar 2018 03:41:33 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1520937693; cv=none;
        d=google.com; s=arc-20160816;
        b=RuVwQdCPKr05jVIOkXPZ89SptaKorB2B6aH0q/fPtE0je1iAy/XimeEhK6CCKzmIeL
         Bvm+dhlRzrZVLfZecxaIP2Bj597K6aO5ua1m3eleFZ345515PIWxAMWdUfC3R/Q7OamP
         02lUvFhYDUnrvBZGU1eQSdsAFn+WPckrpRiYvzps0pqZ0P+KliIzxMfmP0xvzGQ1up91
         MOpf70pidCXQRwimjaEv9Eck1QjejqhVGO3u3TrnkmKB+Z4yNHWa9ut5Utk9nrLSL+tV
         SHz4umaosQ8MxlPwiA3a5xCPj7wmMtmeXLaNFlHPAEeBFyokiyez266vU/nmDDcro5Xt
         LAXQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:references:in-reply-to:message-id:date
         :subject:cc:to:from:dkim-signature:arc-authentication-results;
        bh=WvbFaQCOMqqL5Sga652GdO95+5+fKK3qDUHwQpA+dkY=;
        b=0QcliBnqTVKYfLEG1xZYdmr3+uZdimNoVPRcUSuqA8opi6TBzSks4CJLqAe9eRVXao
         8uEwdG+BFj8cv3de6sHKtAjlQYCteLWRmPj6pJlomNUfzXa+McU2YtIfe1nQ3tlchSWU
         wDs2aUU4j6Ql18l0+Wv9TNgWSovlL5gBbHCIv3GsOaIwdBpQRUnBxG8S9tiWhiHHeHmf
         Uz71us4dNiFpgdjAcMoJWrdx2qNBu4CUA1fWyoeOdRSLk5Wzy62EB/k14cF5FQLUha1Q
         A7EV2mBaNwsmkqA5L5DzCfn0Oyare9mMDipZHCNJP7VC5uZvEyOqBp4zT2gLcar4eJZZ
         P5ow==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=PZIo6ckH;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id i63si37695pfj.365.2018.03.13.03.41.18;
        Tue, 13 Mar 2018 03:41:33 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=PZIo6ckH;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S932912AbeCMKiX (ORCPT <rfc822;morganleezd2003@gmail.com>
        + 99 others); Tue, 13 Mar 2018 06:38:23 -0400
Received: from mail-it0-f67.google.com ([209.85.214.67]:37486 "EHLO
        mail-it0-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S932874AbeCMKiV (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 13 Mar 2018 06:38:21 -0400
Received: by mail-it0-f67.google.com with SMTP id k79-v6so15619274ita.2;
        Tue, 13 Mar 2018 03:38:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=from:to:cc:subject:date:message-id:in-reply-to:references;
        bh=WvbFaQCOMqqL5Sga652GdO95+5+fKK3qDUHwQpA+dkY=;
        b=PZIo6ckHHK/kGocXynxTp6O8CZhApKrGFn82BZ5tuCYbQt7vHV5cx7EUAUjuFQ+qyM
         F1iNscOfhySpJ/8xK+p9z1gyP4hlBgtefmJsQxYS4Mi+i8sqzSe1bs7JAcJaVxd7J48q
         stOkGk4DjA9XS0RqxR0CSflYy0TOx7GoOV77lMA+whPgb6pkMpSkYIxDnwrBs+tYhY0/
         fraA/h4RqYvlS21IRQt7EnE4VDP0f/l5HRbQtxhDErf5/RzUVix7qgOtQhltcRTjTnLs
         PY1JpIRHut+uRFio0rkowxVY6Zrii/HWB6wxGrIGIVWYtVwsQviLQUe65Cr030uWN7wS
         k2RA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
         :references;
        bh=WvbFaQCOMqqL5Sga652GdO95+5+fKK3qDUHwQpA+dkY=;
        b=mCNnIzgHnmb/onD/dbpveUecnMQYcFaq7ZaqL1i9S3lt68la1cc2Jetlca5B/4SPSZ
         FKLAcgM519o347+ql7NGz2L7cEHhtfN9rRp8CVxVrzVUGx9AeZhPQ/SP00Hb5GCEjrDv
         CeI4yln4I9Fj2Ehm6FxloOo8dFqKCDa/5NETBpj4zPHaq7xvPitku1JiCQ0jVGy4Sjf2
         hGs2kMpeHms3MC7G/9NUbvGcxrJNP/BAm3EwiYaNokJHK5Xs/3OWIIyWxrWzVXCYHivn
         pCG0BX5jVKxeZxXFhkMrHZKfrX56FjhUDcpUy7lEsMQOiySgDIgBdGRuPWP/NF6XYn2j
         kf0A==
X-Gm-Message-State: AElRT7GaLb5T1+iePnM7SBob/aWlEsNyO3n2SgvUWUB4uUk++xAC7xUm
        6daLNbJBNU7CHcVWfSvQbKo=
X-Received: by 10.36.33.205 with SMTP id e196mr278436ita.49.1520937500473;
        Tue, 13 Mar 2018 03:38:20 -0700 (PDT)
Received: from linux-l9pv.suse ([134.159.103.118])
        by smtp.gmail.com with ESMTPSA id y128sm282657itb.39.2018.03.13.03.38.17
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128);
        Tue, 13 Mar 2018 03:38:19 -0700 (PDT)
From:   "Lee, Chun-Yi" <joeyli.kernel@gmail.com>
X-Google-Original-From: "Lee, Chun-Yi" <jlee@suse.com>
To:     David Howells <dhowells@redhat.com>
Cc:     linux-fs@vger.kernel.org, linux-efi@vger.kernel.org,
        linux-kernel@vger.kernel.org, "Lee, Chun-Yi" <jlee@suse.com>,
        Josh Boyer <jwboyer@fedoraproject.org>,
        James Bottomley <James.Bottomley@HansenPartnership.com>
Subject: [PATCH 1/5] MODSIGN: do not load mok when secure boot disabled
Date:   Tue, 13 Mar 2018 18:37:59 +0800
Message-Id: <20180313103803.13388-2-jlee@suse.com>
X-Mailer: git-send-email 2.12.3
In-Reply-To: <20180313103803.13388-1-jlee@suse.com>
References: <20180313103803.13388-1-jlee@suse.com>
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

The mok can not be trusted when the secure boot is disabled. Which
means that the kernel embedded certificate is the only trusted key.

Due to db/dbx are authenticated variables, they needs manufacturer's
KEK for update. So db/dbx are secure when secureboot disabled.

Cc: David Howells <dhowells@redhat.com>
Cc: Josh Boyer <jwboyer@fedoraproject.org>
Cc: James Bottomley <James.Bottomley@HansenPartnership.com>
Signed-off-by: "Lee, Chun-Yi" <jlee@suse.com>
---
 certs/load_uefi.c | 26 +++++++++++++++-----------
 1 file changed, 15 insertions(+), 11 deletions(-)

diff --git a/certs/load_uefi.c b/certs/load_uefi.c
index 3d88459..d6de4d0 100644
--- a/certs/load_uefi.c
+++ b/certs/load_uefi.c
@@ -164,17 +164,6 @@ static int __init load_uefi_certs(void)
 		}
 	}
 
-	mok = get_cert_list(L"MokListRT", &mok_var, &moksize);
-	if (!mok) {
-		pr_info("MODSIGN: Couldn't get UEFI MokListRT\n");
-	} else {
-		rc = parse_efi_signature_list("UEFI:MokListRT",
-					      mok, moksize, get_handler_for_db);
-		if (rc)
-			pr_err("Couldn't parse MokListRT signatures: %d\n", rc);
-		kfree(mok);
-	}
-
 	dbx = get_cert_list(L"dbx", &secure_var, &dbxsize);
 	if (!dbx) {
 		pr_info("MODSIGN: Couldn't get UEFI dbx list\n");
@@ -187,6 +176,21 @@ static int __init load_uefi_certs(void)
 		kfree(dbx);
 	}
 
+	/* the MOK can not be trusted when secure boot is disabled */
+	if (!efi_enabled(EFI_SECURE_BOOT))
+		return 0;
+
+	mok = get_cert_list(L"MokListRT", &mok_var, &moksize);
+	if (!mok) {
+		pr_info("MODSIGN: Couldn't get UEFI MokListRT\n");
+	} else {
+		rc = parse_efi_signature_list("UEFI:MokListRT",
+					      mok, moksize, get_handler_for_db);
+		if (rc)
+			pr_err("Couldn't parse MokListRT signatures: %d\n", rc);
+		kfree(mok);
+	}
+
 	return rc;
 }
 late_initcall(load_uefi_certs);
-- 
2.10.2