From: Ard Biesheuvel
Date: Tue, 13 Mar 2018 17:25:30 +0000
Subject: Re: [PATCH 1/5] MODSIGN: do not load mok when secure boot disabled
To: "Lee, Chun-Yi"
Cc: David Howells, linux-fs@vger.kernel.org, linux-efi@vger.kernel.org, Linux Kernel Mailing List, "Lee, Chun-Yi", Josh Boyer, James Bottomley
In-Reply-To: <20180313103803.13388-2-jlee@suse.com>
References: <20180313103803.13388-1-jlee@suse.com> <20180313103803.13388-2-jlee@suse.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On 13 March 2018 at 10:37, Lee, Chun-Yi wrote:
> The mok can not be trusted when the secure boot is disabled. Which
> means that the kernel embedded certificate is the only trusted key.
>
> Due to db/dbx are authenticated variables, they needs manufacturer's
> KEK for update. So db/dbx are secure when secureboot disabled.
>

Did you consider the case where secure boot is not implemented? I
don't think db/dbx are secure in that case, although perhaps it may
not matter (a bit more information on the purpose of these patches and
all the shim lingo etc would be appreciated)

> Cc: David Howells
> Cc: Josh Boyer
> Cc: James Bottomley
> Signed-off-by: "Lee, Chun-Yi"
> --- > certs/load_uefi.c | 26 +++++++++++++++----------- > 1 file changed, 15 insertions(+), 11 deletions(-) > > diff --git a/certs/load_uefi.c b/certs/load_uefi.c > index 3d88459..d6de4d0 100644 > --- a/certs/load_uefi.c 
> +++ b/certs/load_uefi.c > @@ -164,17 +164,6 @@ static int __init load_uefi_certs(void) > } > } > > - mok = get_cert_list(L"MokListRT", &mok_var, &moksize); Which tree does this apply to? My tree doesn't have get_cert_list() > - if (!mok) { > - pr_info("MODSIGN: Couldn't get UEFI MokListRT\n"); > - } else { > - rc = parse_efi_signature_list("UEFI:MokListRT", > - mok, moksize, get_handler_for_db); > - if (rc) > - pr_err("Couldn't parse MokListRT signatures: %d\n", rc); > - kfree(mok); > - } > - > dbx = get_cert_list(L"dbx", &secure_var, &dbxsize); > if (!dbx) { > pr_info("MODSIGN: Couldn't get UEFI dbx list\n"); > @@ -187,6 +176,21 @@ static int __init load_uefi_certs(void) > kfree(dbx); > } > > + /* the MOK can not be trusted when secure boot is disabled */ > + if (!efi_enabled(EFI_SECURE_BOOT)) > + return 0; > + > + mok = get_cert_list(L"MokListRT", &mok_var, &moksize); > + if (!mok) { > + pr_info("MODSIGN: Couldn't get UEFI MokListRT\n"); > + } else { > + rc = parse_efi_signature_list("UEFI:MokListRT", > + mok, moksize, get_handler_for_db); > + if (rc) > + pr_err("Couldn't parse MokListRT signatures: %d\n", rc); > + kfree(mok); > + } > + > return rc; > } > late_initcall(load_uefi_certs); > -- > 2.10.2 > > -- > To unsubscribe from this list: send the line "unsubscribe linux-efi" in > the body of a message to majordomo@vger.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html
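
Review bot: In the first hunk (@@ -164,17 +164,6 @@), removing the MokListRT block from its place ahead of the dbx handling and re-adding it at the end of the function changes the order in which the lists are parsed, and the commit message does not mention the reorder. Guarding the existing block where it stands with `if (efi_enabled(EFI_SECURE_BOOT)) { ... }` would keep the order, give a much smaller diff, and avoid depending on an early return that would also skip anything later appended to load_uefi_certs().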
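
Review bot: In the second hunk (@@ -187,6 +176,21 @@), the new early exit `if (!efi_enabled(EFI_SECURE_BOOT)) return 0;` returns a hard-coded 0 while the function's normal exit is `return rc;`, so whatever status rc holds at that point is discarded when secure boot is off. Suggest `return rc;` there. The skip is also silent: a pr_info() stating that MokListRT was ignored because secure boot is disabled would let an administrator see in the log why MOK keys were not loaded, matching the existing "MODSIGN: Couldn't get UEFI MokListRT" message. The code comment and commit message should also state the intended behaviour when the firmware does not implement secure boot at all, which is the case raised in the reply above.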