From: Ard Biesheuvel
Date: Fri, 13 Dec 2019 09:10:12 +0000
Subject: Re: [PATCH 2/2] efi: show error messages only when loading certificates is failed
To: "Lee, Chun-Yi"
Cc: James Morris, "Serge E. Hallyn", David Howells, Josh Boyer, Nayna Jain, Mimi Zohar, linux-efi, linux-security-module, Linux Kernel Mailing List, "Lee, Chun-Yi"
In-Reply-To: <20191213090646.12329-3-jlee@suse.com>
References: <20191213090646.12329-1-jlee@suse.com> <20191213090646.12329-3-jlee@suse.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, 13 Dec 2019 at 10:07, Lee, Chun-Yi wrote:
>
> When loading the certificate list from EFI variables, the error
> message and EFI status code are always emitted to dmesg. It looks
> ugly:
>
> [ 2.335031] Couldn't get size: 0x800000000000000e
> [ 2.335032] Couldn't get UEFI MokListRT
> [ 2.339985] Couldn't get size: 0x800000000000000e
> [ 2.339987] Couldn't get UEFI dbx list
>
> This cosmetic patch moves the messages to the error handling code
> path. It also shows the corresponding status string of the status
> code.
>

So what output do we get after applying this patch when those variables don't exist?

> Signed-off-by: "Lee, Chun-Yi"
> ---
> security/integrity/platform_certs/load_uefi.c | 40 ++++++++++++++-------------
> 1 file changed, 21 insertions(+), 19 deletions(-)
> > diff --git a/security/integrity/platform_certs/load_uefi.c b/security/integrity/platform_certs/load_uefi.c > index 81b19c52832b..b6c60fb3fb6c 100644 > --- a/security/integrity/platform_certs/load_uefi.c > +++ b/security/integrity/platform_certs/load_uefi.c > @@ -1,4 +1,5 @@ > // SPDX-License-Identifier: GPL-2.0 > +#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt > > #include > #include > @@ -39,7 +40,7 @@ static __init bool uefi_check_ignore_db(void) > * Get a certificate list blob from the named EFI variable. > */ > static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid, > - unsigned long *size) > + unsigned long *size, const char *source) > { > efi_status_t status; > unsigned long lsize = 4; > @@ -48,23 +49,30 @@ static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid, > > status = efi.get_variable(name, guid, NULL, &lsize, &tmpdb); > if (status != EFI_BUFFER_TOO_SMALL) { > - pr_err("Couldn't get size: 0x%lx\n", status); > - return NULL; > + if (status == EFI_NOT_FOUND) { > + pr_debug("%s list was not found\n", source); > + return NULL; > + } > + goto err; > } > > db = kmalloc(lsize, GFP_KERNEL); > - if (!db) > - return NULL; > + if (!db) { > + status = EFI_OUT_OF_RESOURCES; > + goto err; > + } > > status = efi.get_variable(name, guid, NULL, &lsize, db); > if (status != EFI_SUCCESS) { > kfree(db); > - pr_err("Error reading db var: 0x%lx\n", status); > - return NULL; > + goto err; > } > > *size = lsize; > return db; > +err: > + pr_err("Couldn't get %s list: %s\n", source, efi_status_to_str(status)); > + return NULL; > } > > /* 
> @@ -153,10 +161,8 @@ static int __init load_uefi_certs(void) > * an error if we can't get them. > */ > if (!uefi_check_ignore_db()) { > - db = get_cert_list(L"db", &secure_var, &dbsize); > - if (!db) { > - pr_err("MODSIGN: Couldn't get UEFI db list\n"); > - } else { > + db = get_cert_list(L"db", &secure_var, &dbsize, "UEFI:db"); > + if (db) { > rc = parse_efi_signature_list("UEFI:db", > db, dbsize, get_handler_for_db); > if (rc) > @@ -166,10 +172,8 @@ static int __init load_uefi_certs(void) > } > } > > - mok = get_cert_list(L"MokListRT", &mok_var, &moksize); > - if (!mok) { > - pr_info("Couldn't get UEFI MokListRT\n"); > - } else { > + mok = get_cert_list(L"MokListRT", &mok_var, &moksize, "UEFI:MokListRT"); > + if (mok) { > rc = parse_efi_signature_list("UEFI:MokListRT", > mok, moksize, get_handler_for_db); > if (rc) > @@ -177,10 +181,8 @@ static int __init load_uefi_certs(void) > kfree(mok); > } > > - dbx = get_cert_list(L"dbx", &secure_var, &dbxsize); > - if (!dbx) { > - pr_info("Couldn't get UEFI dbx list\n"); > - } else { > + dbx = get_cert_list(L"dbx", &secure_var, &dbxsize, "UEFI:dbx"); > + if (dbx) { > rc = parse_efi_signature_list("UEFI:dbx", > dbx, dbxsize, > get_handler_for_dbx); > -- > 2.16.4 >
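Review bot: the new `#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt` in the first hunk changes the prefix of every pr_* call in load_uefi.c, including the ones this patch does not touch, and it silently replaces the hand-written "MODSIGN: " prefix that the old db error message carried; the commit message only talks about moving the messages, so it should also state that the dmesg prefix of all messages from this file changes.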
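Review bot: the `if (status == EFI_NOT_FOUND)` branch in the get_cert_list() hunk demotes a missing variable to pr_debug for all three callers, so with this patch a non-existent db, MokListRT or dbx prints nothing at the default loglevel, yet the context kept in the load_uefi_certs() hunk still says a missing db is "an error if we can't get them"; either update that comment or let the caller choose the severity, since the old code used pr_err for db and pr_info for MokListRT/dbx and this hunk collapses both to a single level. In the same hunk, the `status = EFI_OUT_OF_RESOURCES; goto err;` path adds a pr_err on kmalloc() failure that is redundant, because a failed GFP_KERNEL allocation already produces an allocator warning; a plain `return NULL;` is enough there. The err label also calls efi_status_to_str(), which is not defined in this file and is presumably introduced by patch 1/2 of the series; that dependency should be named in the commit message so the patch is not picked up on its own.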
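Review bot: in the three load_uefi_certs() hunks each source string ("UEFI:db", "UEFI:MokListRT", "UEFI:dbx") is now written twice, once as the new `source` argument of get_cert_list() and again as the first argument of parse_efi_signature_list(); hoisting each into a local `const char *` (or a small table of name/GUID/source triples) would keep the two literals from drifting apart and shorten the now over-long `mok = get_cert_list(L"MokListRT", &mok_var, &moksize, "UEFI:MokListRT");` line.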