Received: by 2002:a25:1506:0:0:0:0:0 with SMTP id 6csp4717959ybv; Mon, 17 Feb 2020 04:37:43 -0800 (PST) X-Google-Smtp-Source: APXvYqxZaa/JRLoykMTnpxbHx9kHhvpnLr6TSpA7N9etWEyJHvq/qGaKrIINiBThn27UUR0fSmMa X-Received: by 2002:a9d:7ccd:: with SMTP id r13mr11566446otn.56.1581943063245; Mon, 17 Feb 2020 04:37:43 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1581943063; cv=none; d=google.com; s=arc-20160816; b=QYrO+AszsWLgpacekqZQYlzdr2o3u5EPriNqVAOMwbOgmjm8iKcgM3GwLHbH+et0gM BmUQ/YL12CjNoYO8SKQzhGa+91grVi2qYuJ0q5KDtFQvYNbz1fdfDy/SAr1QuIJ0/woC jWpXs7fyu37nzenHF7MGXNZMg/ia6JhhjpaQkcyuVaLXK7RuAKMg5lstm7aA7J6QiXbF MZahqDJLJ/m39f1o6Ju9t1m+SmZfKvM0qYWQoTjytiT4YLH96mKI0jiIy2UoJmy0RMJn +XsARjY/864KyWkzrR2Q88JzuIsurOLZCLc+5lkyVmrrnGS205VZfUMSNjOlKUY+HpLr rUBA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :message-id:date:subject:cc:to:from:dkim-signature; bh=QRFmFOmaNTRD1QIBloTftoDjLg6oNQM+MmQJYi2gh5g=; b=fV6bjeXEr2AXgkfq0IxIkOQmIFsOV5YAehv837CBBfuJRhIF24ttKNqQuKvMpz/3lv N6bP6FkVV0dtbazF+PeTUsSsYFm/YY4K07rHdmbOZLrZkW/IZ1hHP4pkJBN09AeOyANA c5wwJo2jeEzXvpZKzcdNN6uURsv16UqWXGDRvmoYvpGQuef4VyzQOnhuL/1VZ8UuAja4 KzDQL1av0jiA5ZOmilFM439pagRWrw+2RTi2+WFcq6LXhKdY6mYOv7LPm2ul3XtizidJ J59LNPiaNiIZuohUFSBwdWpGUT2gBbGYT5i6OKdf/gmszi0iCqZyEA1iGqdZnrg8i9od Hm3g== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=NHtd9IgI; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id a143si6340746oii.179.2020.02.17.04.37.31; Mon, 17 Feb 2020 04:37:43 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=NHtd9IgI; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728766AbgBQLj5 (ORCPT + 99 others); Mon, 17 Feb 2020 06:39:57 -0500 Received: from us-smtp-1.mimecast.com ([205.139.110.61]:52001 "EHLO us-smtp-delivery-1.mimecast.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1728695AbgBQLj5 (ORCPT ); Mon, 17 Feb 2020 06:39:57 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1581939596; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=QRFmFOmaNTRD1QIBloTftoDjLg6oNQM+MmQJYi2gh5g=; b=NHtd9IgIft2sjFXLaWaqox+eT4qMFT8/6nH7EBBjd9GPnPkitMEE7lKIBxNozdNt4gBpYV mCFtfVDP62lMhpZfC3oL/noIcae/fIrq0hT/AnTpgkLbC55NxeT+NPg7uTMQCD+2txbDt9 iMOiJ1gMUXYjLI4Ej9xSBklm1wC8Kak= Received: from mail-wm1-f70.google.com (mail-wm1-f70.google.com [209.85.128.70]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-256-ScVkbmUePv6MEPIA-4YlaQ-1; Mon, 17 Feb 2020 06:39:54 -0500 X-MC-Unique: ScVkbmUePv6MEPIA-4YlaQ-1 Received: by mail-wm1-f70.google.com with SMTP id n17so6127923wmk.1 for ; Mon, 17 Feb 2020 03:39:54 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=QRFmFOmaNTRD1QIBloTftoDjLg6oNQM+MmQJYi2gh5g=; b=pRrbP63PCwFkorwSAPc34qYDdc9x++RJMP0Fg7LfNaGt6LoOW6qV/5XL3j5yOSApM5 hRBTzNSrChsX2+v3xexWf+jG/vmdLc33ohrZsYbKAUno/ONfIVqvAT+ORQ1chWmSCLDW qQuLeYWRJo5LlUw1dG2c093G2BTLgmy25Zt/lIEKUpwauLNe63hiOF5wNJbGty+nAxQn Jck1CGBqvJ9XlhmbjH8Rt4VMCbwrrM4+g+eIylXCZtGvAPzQ6y/ZcuOkfEjlVV4EjPPC VnXGTnOtBR+y0DBm1izpQeuZuhYDMCpbn4hd8evTPGrI2Mr6+DOP5r2Kdx5hqQSqjacJ P0gA== X-Gm-Message-State: APjAAAXFRj5dw41f3lxH9R+gm2Uj2fIRysTiPa0PQ1Sp00uqzYdW2NGw h1TOsSBLvK836DknE5aCybOekYHD2VQ/qnQzrlTzT7CegRS1ycR4hK3F3Bfd5vANNkjDJgXCsZq xdup1RCyxIPTP1NyUu61stnRp X-Received: by 2002:a5d:4d0a:: with SMTP id z10mr21650608wrt.253.1581939592325; Mon, 17 Feb 2020 03:39:52 -0800 (PST) X-Received: by 2002:a5d:4d0a:: with SMTP id z10mr21650582wrt.253.1581939592064; Mon, 17 Feb 2020 03:39:52 -0800 (PST) Received: from minerva.redhat.com ([2a01:c50f:ab80:6700:527f:85b3:5615:ff0b]) by smtp.gmail.com with ESMTPSA id y6sm620529wrl.17.2020.02.17.03.39.50 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 17 Feb 2020 03:39:51 -0800 (PST) From: Javier Martinez Canillas To: linux-kernel@vger.kernel.org Cc: linux-efi@vger.kernel.org, Hans de Goede , Javier Martinez Canillas , Eric Richter , James Morris , Michael Ellerman , Mimi Zohar , Nayna Jain , "Serge E. Hallyn" , YueHaibing , linux-security-module@vger.kernel.org Subject: [RESEND PATCH v2] efi: Only print errors about failing to get certs if EFI vars are found Date: Mon, 17 Feb 2020 12:39:47 +0100 Message-Id: <20200217113947.2070436-1-javierm@redhat.com> X-Mailer: git-send-email 2.24.1 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org If CONFIG_LOAD_UEFI_KEYS is enabled, the kernel attempts to load the certs from the db, dbx and MokListRT EFI variables into the appropriate keyrings. But it just assumes that the variables will be present and prints an error if the certs can't be loaded, even when is possible that the variables may not exist. For example the MokListRT variable will only be present if shim is used. So only print an error message about failing to get the certs list from an EFI variable if this is found. Otherwise these printed errors just pollute the kernel log ring buffer with confusing messages like the following: [ 5.427251] Couldn't get size: 0x800000000000000e [ 5.427261] MODSIGN: Couldn't get UEFI db list [ 5.428012] Couldn't get size: 0x800000000000000e [ 5.428023] Couldn't get UEFI MokListRT Reported-by: Hans de Goede Signed-off-by: Javier Martinez Canillas Tested-by: Hans de Goede --- Changes in v2: - Fix flaws in the logic, that caused the signature list was parsed if the return code was EFI_NOT_FOUND that pointed out Hans de Goede. - Print debug messages if the variables are not found. security/integrity/platform_certs/load_uefi.c | 40 ++++++++++++------- 1 file changed, 26 insertions(+), 14 deletions(-) diff --git a/security/integrity/platform_certs/load_uefi.c b/security/integrity/platform_certs/load_uefi.c index 111898aad56..f0c90824196 100644 --- a/security/integrity/platform_certs/load_uefi.c +++ b/security/integrity/platform_certs/load_uefi.c @@ -35,16 +35,18 @@ static __init bool uefi_check_ignore_db(void) * Get a certificate list blob from the named EFI variable. */ static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid, - unsigned long *size) + unsigned long *size, efi_status_t *status) { - efi_status_t status; unsigned long lsize = 4; unsigned long tmpdb[4]; void *db; - status = efi.get_variable(name, guid, NULL, &lsize, &tmpdb); - if (status != EFI_BUFFER_TOO_SMALL) { - pr_err("Couldn't get size: 0x%lx\n", status); + *status = efi.get_variable(name, guid, NULL, &lsize, &tmpdb); + if (*status == EFI_NOT_FOUND) + return NULL; + + if (*status != EFI_BUFFER_TOO_SMALL) { + pr_err("Couldn't get size: 0x%lx\n", *status); return NULL; } @@ -52,10 +54,10 @@ static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid, if (!db) return NULL; - status = efi.get_variable(name, guid, NULL, &lsize, db); - if (status != EFI_SUCCESS) { + *status = efi.get_variable(name, guid, NULL, &lsize, db); + if (*status != EFI_SUCCESS) { kfree(db); - pr_err("Error reading db var: 0x%lx\n", status); + pr_err("Error reading db var: 0x%lx\n", *status); return NULL; } @@ -74,6 +76,7 @@ static int __init load_uefi_certs(void) efi_guid_t mok_var = EFI_SHIM_LOCK_GUID; void *db = NULL, *dbx = NULL, *mok = NULL; unsigned long dbsize = 0, dbxsize = 0, moksize = 0; + efi_status_t status; int rc = 0; if (!efi.get_variable) @@ -83,9 +86,12 @@ static int __init load_uefi_certs(void) * an error if we can't get them. */ if (!uefi_check_ignore_db()) { - db = get_cert_list(L"db", &secure_var, &dbsize); + db = get_cert_list(L"db", &secure_var, &dbsize, &status); if (!db) { - pr_err("MODSIGN: Couldn't get UEFI db list\n"); + if (status == EFI_NOT_FOUND) + pr_debug("MODSIGN: db variable wasn't found\n"); + else + pr_err("MODSIGN: Couldn't get UEFI db list\n"); } else { rc = parse_efi_signature_list("UEFI:db", db, dbsize, get_handler_for_db); @@ -96,9 +102,12 @@ static int __init load_uefi_certs(void) } } - mok = get_cert_list(L"MokListRT", &mok_var, &moksize); + mok = get_cert_list(L"MokListRT", &mok_var, &moksize, &status); if (!mok) { - pr_info("Couldn't get UEFI MokListRT\n"); + if (status == EFI_NOT_FOUND) + pr_debug("MokListRT variable wasn't found\n"); + else + pr_info("Couldn't get UEFI MokListRT\n"); } else { rc = parse_efi_signature_list("UEFI:MokListRT", mok, moksize, get_handler_for_db); @@ -107,9 +116,12 @@ static int __init load_uefi_certs(void) kfree(mok); } - dbx = get_cert_list(L"dbx", &secure_var, &dbxsize); + dbx = get_cert_list(L"dbx", &secure_var, &dbxsize, &status); if (!dbx) { - pr_info("Couldn't get UEFI dbx list\n"); + if (status == EFI_NOT_FOUND) + pr_debug("dbx variable wasn't found\n"); + else + pr_info("Couldn't get UEFI dbx list\n"); } else { rc = parse_efi_signature_list("UEFI:dbx", dbx, dbxsize, -- 2.24.1