Received: by 10.213.65.68 with SMTP id h4csp892058imn;
        Wed, 14 Mar 2018 03:25:40 -0700 (PDT)
X-Google-Smtp-Source: AG47ELtpCDbdTVn15YutV2mCZoQqetZ8h1lTe65aOb33rJV64vTktoh5wOG9zuk5k3lO2SrVppOG
X-Received: by 10.98.91.66 with SMTP id p63mr3729658pfb.163.1521023140373;
        Wed, 14 Mar 2018 03:25:40 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1521023140; cv=none;
        d=google.com; s=arc-20160816;
        b=f/JDXiyUe4rcieC6XaBjGJ2SHYDxIzvmx7C5qJicNuiE/lvU8S7wkOq1N3KxOC4lTH
         Uo2eKPUfz2Z30yQdspAU3FlzyqfXUL4VyFsdTqTUP0Pr6QncyPqwuc1KbFtKkREnq7Eb
         gkxDLgnXBfFAAsH1zsevgHDFIMk9SJv4P6l8cEyXBuHsjKY5gjTPUkl5EaOoav41Q/n9
         al7lfbPvfHS6bv+jWVTm+g1UaUnaCy/rGC8m5uRkTfq8mySLXy+axj2keVO86sf9m5/1
         cwLGUJF6wRP+uMJeng2i87HDzGamTOVJyrjY/6eVSiertExFZIY9RmL8i5q4wBUi9nSE
         jHew==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:in-reply-to
         :content-disposition:mime-version:references:message-id:subject:cc
         :to:from:date:arc-authentication-results;
        bh=PxIAWR7F0pupgLS7k74NeSfLJ0dWPNCEXwIp7EYxmmk=;
        b=yqUuv2kWoaW6F5hKFl32OvSfbYqdM2DIojVx8PBnhpuJIZhvG2KltvZ8ekjLUjFjOA
         7Nze5dUZGQBr/98TfFXtZJUw8PY9DUdpH50SBwMYh8o/Eo62SjfSDR+RPCVcVslS5bEv
         9e/Mfa6bm0yGkLUr9tiftEwr87fKQTIQKJw6SiBRi9GuhkhJiqVl5o35F3LnwGNtLB4a
         0gdsNf/o8bKF6axffVHedh+pNkriXO5HqJQHn88FnA9a+90EtGitAZbo5Aqt3TVIHhRB
         u2KZ+ROwUqv87IZRFmRzNPycYq9oV7BTsivawzTitu65YRe4TU3jNQuD/w3A9EcqYKX2
         gzjw==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id p12-v6si1698375pll.191.2018.03.14.03.25.18;
        Wed, 14 Mar 2018 03:25:40 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1751549AbeCNKYH (ORCPT <rfc822;utfcpqpk@gmail.com> + 99 others);
        Wed, 14 Mar 2018 06:24:07 -0400
Received: from smtp.nue.novell.com ([195.135.221.5]:58176 "EHLO
        smtp.nue.novell.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1750751AbeCNKYF (ORCPT
        <rfc822;groupwise-linux-kernel@vger.kernel.org:0:0>);
        Wed, 14 Mar 2018 06:24:05 -0400
Received: from linux-l9pv.suse (unknown.telstraglobal.net [134.159.103.118])
        by smtp.nue.novell.com with ESMTP (TLS encrypted); Wed, 14 Mar 2018 11:23:59 +0100
Date:   Wed, 14 Mar 2018 18:23:52 +0800
From:   joeyli <jlee@suse.com>
To:     Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc:     "Lee, Chun-Yi" <joeyli.kernel@gmail.com>,
        David Howells <dhowells@redhat.com>, linux-fs@vger.kernel.org,
        linux-efi@vger.kernel.org,
        Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
        Josh Boyer <jwboyer@fedoraproject.org>,
        James Bottomley <James.Bottomley@hansenpartnership.com>
Subject: Re: [PATCH 1/5] MODSIGN: do not load mok when secure boot disabled
Message-ID: <20180314102352.GG19718@linux-l9pv.suse>
References: <20180313103803.13388-1-jlee@suse.com>
 <20180313103803.13388-2-jlee@suse.com>
 <CAKv+Gu_1+8AOy4Fj_yD6iEJQvjw3hA4KW11agU+ozujxMNQHVA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CAKv+Gu_1+8AOy4Fj_yD6iEJQvjw3hA4KW11agU+ozujxMNQHVA@mail.gmail.com>
User-Agent: Mutt/1.5.24 (2015-08-30)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Hi Ard, 

First! Thanks for your review!

On Tue, Mar 13, 2018 at 05:25:30PM +0000, Ard Biesheuvel wrote:
> On 13 March 2018 at 10:37, Lee, Chun-Yi <joeyli.kernel@gmail.com> wrote:
> > The mok can not be trusted when the secure boot is disabled. Which
> > means that the kernel embedded certificate is the only trusted key.
> >
> > Due to db/dbx are authenticated variables, they needs manufacturer's
> > KEK for update. So db/dbx are secure when secureboot disabled.
> >
> 
> Did you consider the case where secure boot is not implemented? I
> don't think db/dbx are secure in that case, although perhaps it may
> not matter (a bit more information on the purpose of these patches and
> all the shim lingo etc would be appreciated)
> 

The patch 5 in this series checks that the db/dbx must have
EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS attribute. But I agree
with you that kernel should checks the SecureBoot variable must
exist in system. I will add patch to detect it.

> > Cc: David Howells <dhowells@redhat.com>
> > Cc: Josh Boyer <jwboyer@fedoraproject.org>
> > Cc: James Bottomley <James.Bottomley@HansenPartnership.com>
> > Signed-off-by: "Lee, Chun-Yi" <jlee@suse.com>
> > ---
> >  certs/load_uefi.c | 26 +++++++++++++++-----------
> >  1 file changed, 15 insertions(+), 11 deletions(-)
> >
> > diff --git a/certs/load_uefi.c b/certs/load_uefi.c
> > index 3d88459..d6de4d0 100644
> > --- a/certs/load_uefi.c
> > +++ b/certs/load_uefi.c
> > @@ -164,17 +164,6 @@ static int __init load_uefi_certs(void)
> >                 }
> >         }
> >
> > -       mok = get_cert_list(L"MokListRT", &mok_var, &moksize);
> 
> Which tree does this apply to? My tree doesn't have get_cert_list()
>

This patch set is base on the efi-lock-down and keys-uefi branchs in
David Howells's linux-fs git tree.
    https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/log/?h=keys-uefi

Thanks a lot!
Joey Lee