Date: Wed, 14 Mar 2018 18:23:52 +0800
From: joeyli
To: Ard Biesheuvel
Cc: "Lee, Chun-Yi", David Howells, linux-fs@vger.kernel.org, linux-efi@vger.kernel.org, Linux Kernel Mailing List, Josh Boyer, James Bottomley
Subject: Re: [PATCH 1/5] MODSIGN: do not load mok when secure boot disabled
Message-ID: <20180314102352.GG19718@linux-l9pv.suse>
References: <20180313103803.13388-1-jlee@suse.com> <20180313103803.13388-2-jlee@suse.com>

Hi Ard,

First! Thanks for your review!

On Tue, Mar 13, 2018 at 05:25:30PM +0000, Ard Biesheuvel wrote:
> On 13 March 2018 at 10:37, Lee, Chun-Yi wrote:
> > The mok can not be trusted when the secure boot is disabled. Which
> > means that the kernel embedded certificate is the only trusted key.
> >
> > Due to db/dbx are authenticated variables, they need manufacturer's
> > KEK for update. So db/dbx are secure when secureboot disabled.
> >
>
> Did you consider the case where secure boot is not implemented? I
> don't think db/dbx are secure in that case, although perhaps it may
> not matter (a bit more information on the purpose of these patches and
> all the shim lingo etc would be appreciated)
>

The patch 5 in this series checks that the db/dbx must have the
EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS attribute. But I agree
with you that the kernel should check that the SecureBoot variable exists in
the system. I will add a patch to detect it.

> > Cc: David Howells
> > Cc: Josh Boyer
> > Cc: James Bottomley
> > Signed-off-by: "Lee, Chun-Yi"
> > ---
> > certs/load_uefi.c | 26 +++++++++++++++-----------
> > 1 file changed, 15 insertions(+), 11 deletions(-)
> >
> > diff --git a/certs/load_uefi.c b/certs/load_uefi.c
> > index 3d88459..d6de4d0 100644
> > --- a/certs/load_uefi.c
> > +++ b/certs/load_uefi.c
> > @@ -164,17 +164,6 @@ static int __init load_uefi_certs(void)
> > }
> > }
> >
> > - mok = get_cert_list(L"MokListRT", &mok_var, &moksize);
>
> Which tree does this apply to? My tree doesn't have get_cert_list()
>

This patch set is based on the efi-lock-down and keys-uefi branches in David
Howells's linux-fs git tree.
https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/log/?h=keys-uefi

Thanks a lot!
Joey Lee
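
Review bot: the changelog does not say which test decides "secure boot disabled", and that matters for the `@@ -164,17 +164,6 @@` hunk in load_uefi_certs(), where the `get_cert_list(L"MokListRT", &mok_var, &moksize)` load is removed from its current position. Please name the check in the commit message and state what happens when the SecureBoot variable does not exist at all, since the claim that db/dbx stay secure rests on them being authenticated variables and nothing in the quoted lines verifies that. A short comment at the new call site saying why MokListRT is skipped would also help readers who do not know the shim terminology.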
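
The two firmware checks discussed in this thread (is SecureBoot present and set, and do db/dbx carry the authenticated-write attribute), as an added user-space example that is not part of the original message or of the kernel patch series. It parses buffers laid out like efivarfs files (a 4-byte little-endian attribute word followed by the variable data); the function names and the sample buffers are hypothetical and constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Attribute bit from the UEFI specification, named in the reply above. */
#define EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS 0x00000020u
enum sb_state { SB_ABSENT, SB_DISABLED, SB_ENABLED };  /* hypothetical names */

/* efivarfs layout: 4-byte little-endian attributes, then the variable data. */
static int efivar_split(const uint8_t *buf, size_t len, uint32_t *attrs,
                        const uint8_t **data, size_t *dlen)
{
    if (!buf || len < 4) return -1;
    *attrs = (uint32_t)buf[0] | (uint32_t)buf[1] << 8 |
             (uint32_t)buf[2] << 16 | (uint32_t)buf[3] << 24;
    *data = buf + 4; *dlen = len - 4;
    return 0;
}

/* SecureBoot is one byte (1 = on). Missing or malformed is reported as absent. */
enum sb_state secure_boot_state(const uint8_t *buf, size_t len)
{
    uint32_t attrs; const uint8_t *d; size_t n;
    if (efivar_split(buf, len, &attrs, &d, &n) || n != 1) return SB_ABSENT;
    return d[0] == 1 ? SB_ENABLED : SB_DISABLED;
}

/* db/dbx content is trusted only if writes require time-based authentication. */
int var_is_authenticated(const uint8_t *buf, size_t len)
{
    uint32_t attrs; const uint8_t *d; size_t n;
    if (efivar_split(buf, len, &attrs, &d, &n)) return 0;
    return (attrs & EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS) != 0;
}

/* Policy discussed in the thread: MOK keys are loaded only with secure boot on. */
int should_load_mok(enum sb_state s) { return s == SB_ENABLED; }

/* Constructed sample buffers, not captured from real firmware. */
static const uint8_t sb_on[]    = { 0x06, 0, 0, 0, 1 };     /* BS|RT, value 1 */
static const uint8_t sb_off[]   = { 0x06, 0, 0, 0, 0 };     /* BS|RT, value 0 */
static const uint8_t db_auth[]  = { 0x27, 0, 0, 0, 0xaa };  /* NV|BS|RT|TIME_AUTH */
static const uint8_t db_plain[] = { 0x07, 0, 0, 0, 0xaa };  /* NV|BS|RT only */
int main(void)
{
    printf("on=%d off=%d absent=%d db_auth=%d db_plain=%d\n",
           should_load_mok(secure_boot_state(sb_on, sizeof sb_on)),
           should_load_mok(secure_boot_state(sb_off, sizeof sb_off)),
           should_load_mok(secure_boot_state(NULL, 0)),
           var_is_authenticated(db_auth, sizeof db_auth),
           var_is_authenticated(db_plain, sizeof db_plain));
    return 0;
}
```

An absent SecureBoot variable is treated the same as a disabled one for the MOK decision, which is the case raised in the review.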