Received: by 2002:a25:1506:0:0:0:0:0 with SMTP id 6csp4769039ybv; Mon, 17 Feb 2020 05:38:42 -0800 (PST) X-Google-Smtp-Source: APXvYqy6YuzSSl5QZe8Xfw/u08thzqLwD3oGJSHdtpmERhiIqHkPCBJIcPikzdF2m+/R7oZyTOGI X-Received: by 2002:aca:f517:: with SMTP id t23mr9592292oih.160.1581946722202; Mon, 17 Feb 2020 05:38:42 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1581946722; cv=none; d=google.com; s=arc-20160816; b=B9xrNR9g/QwyD1eESqG+GTqJau6yLZeeinGI700kFop9Ds4+IBE4z6H1Nz2SRNVK+t CpHZ+SGs9NNWyqhXbAaCKvC/bZCL5bpAvMZNGGKwEW1rKxyonR8wblmUEF7mUDUsLZY/ PlWyKm7BFQGhEEIGTRY9DrJemk2CBnurnVknIJ8fAvsSBJVFunYNoWtl85PvVQ1Metyk pLvwFzAq2V4CUqzuvstx9NtrIBgyJcBqQWNFPtALK5XnAwAE2xOFr0ZufN9LedqEZPtv DLeeT8B1nYQ9N3b0eYxZFtfClEnv0pk7V1qBfCeUvbR1SIgPsO8I0ja6KmqESgPVqy6K zpWg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=nDiRsEAIhvUGr0lYuEJebsL5PJq7c20YrBjsG0G5asE=; b=DwP5KCuRNeNLqoz1CFGA70EXCj1saQkG4zBnKO/i9nI2Vr9peIDKZVWzRNkE54rFgf Wm3FRiuMBmv/iRjMQgZpNQEJ/R1Ty2xt7Y1e2cabOLrWuqY6ZraZJosueP2Gk1cJnZh4 MTDUBYtr5bSc8fM8rRyiCTqAXEAI7Ar1CI+rBHRb1mD7FO3thDlWjx45T2kzjVDNLZrW c1pllZMpZLqiol3S20g8zw/+VAk7LNCqh6X9+AEljsJNtiLTTKkBsy5lAGEQEKXtMaEk re134iDAfBy3h7vSfrkRDkjhH+Hjqt/2y0gVUW+FG2OD0wWmoQYCGciD96o+jcba+sEZ wEDA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=m9Ib4xAI; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id h125si6001561oia.253.2020.02.17.05.38.29; Mon, 17 Feb 2020 05:38:42 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=m9Ib4xAI; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727270AbgBQNiJ (ORCPT + 99 others); Mon, 17 Feb 2020 08:38:09 -0500 Received: from mail-wr1-f65.google.com ([209.85.221.65]:44816 "EHLO mail-wr1-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726779AbgBQNiJ (ORCPT ); Mon, 17 Feb 2020 08:38:09 -0500 Received: by mail-wr1-f65.google.com with SMTP id m16so19736968wrx.11 for ; Mon, 17 Feb 2020 05:38:06 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=nDiRsEAIhvUGr0lYuEJebsL5PJq7c20YrBjsG0G5asE=; b=m9Ib4xAIBqaXvlSAko9uT/dWqaqwCVRkGpAodBbksRx3pH28oU8qRSFzow5t4iDqZq 9V9bL9GnITj1pRVR8K3xRsdlCcCvPq80SAnT8nt6B9If3bxb6W4H/xKmfy5Tvrerc1In YTRPyZI/KB1ZLd3VJvDaQxqLZzZhrTf1le7HuQCP19qI0myl2EJzGGF5mPI+hjB8GD/+ 6nG4OtQ4vdUG/Fe0lRcKlSBGRZEdyqQJArih/bfqU91tPSxgywfrYCLKR8jggkmlIx3j xuYmlr3zYjlbPK8p0+EKn/zTRj9yckxcIX5Mmr0VY+8moVN/EL3z7w+It7Ra3dvD1z56 pCew== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=nDiRsEAIhvUGr0lYuEJebsL5PJq7c20YrBjsG0G5asE=; b=UTqo5bpjV5AJluxV7kykRon3zDyNz7PrJamRE9Lv0hmR/Nm3TNndsJO9N7fBVnkB0b OS23vBa8m7VRLUgeE9ufc1ZYnXhGhbN1Brn7TdPkSAaivBGMUaViF/PtvcFsxuNL872f 9+bHnetxzDlLqnAs/FJZfuwBYZ9HkZLdAbrX09pSWthHGe9xF5fgR92UFU/YuaQv6xp1 BRbbsnh0JvtpFHY7hC381RjdHo71dH/uZ9BtRmGk4eKASzNNej4PjpxDAEDdsFTGOASt oVVqCNzwLvTuZnWVgaY0ByJElcV7wo1dOGN+kgUOEDjQxGESop+rc6kDnn70c8D2cHAw 9kLA== X-Gm-Message-State: APjAAAWB7K/Wag/cC3UNpKFgF3casjrPoTQ+tDf8Pt3xJzNdZx6EnTE4 iuuZdwLTc+DbzJGAPP2yBezgFUZ2OpXBqxUt4cmhnQ== X-Received: by 2002:adf:8564:: with SMTP id 91mr22934838wrh.252.1581946685893; Mon, 17 Feb 2020 05:38:05 -0800 (PST) MIME-Version: 1.0 References: <20200217113947.2070436-1-javierm@redhat.com> In-Reply-To: <20200217113947.2070436-1-javierm@redhat.com> From: Ard Biesheuvel Date: Mon, 17 Feb 2020 14:37:54 +0100 Message-ID: Subject: Re: [RESEND PATCH v2] efi: Only print errors about failing to get certs if EFI vars are found To: Javier Martinez Canillas Cc: Linux Kernel Mailing List , linux-efi , Hans de Goede , Eric Richter , James Morris , Michael Ellerman , Mimi Zohar , Nayna Jain , "Serge E. Hallyn" , YueHaibing , linux-security-module Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, 17 Feb 2020 at 12:40, Javier Martinez Canillas wrote: > > If CONFIG_LOAD_UEFI_KEYS is enabled, the kernel attempts to load the certs > from the db, dbx and MokListRT EFI variables into the appropriate keyrings. > > But it just assumes that the variables will be present and prints an error > if the certs can't be loaded, even when is possible that the variables may > not exist. For example the MokListRT variable will only be present if shim > is used. > > So only print an error message about failing to get the certs list from an > EFI variable if this is found. Otherwise these printed errors just pollute > the kernel log ring buffer with confusing messages like the following: > > [ 5.427251] Couldn't get size: 0x800000000000000e > [ 5.427261] MODSIGN: Couldn't get UEFI db list > [ 5.428012] Couldn't get size: 0x800000000000000e > [ 5.428023] Couldn't get UEFI MokListRT > > Reported-by: Hans de Goede > Signed-off-by: Javier Martinez Canillas > Tested-by: Hans de Goede Acked-by: Ard Biesheuvel > > --- > > Changes in v2: > - Fix flaws in the logic, that caused the signature list was parsed if > the return code was EFI_NOT_FOUND that pointed out Hans de Goede. > - Print debug messages if the variables are not found. > > security/integrity/platform_certs/load_uefi.c | 40 ++++++++++++------- > 1 file changed, 26 insertions(+), 14 deletions(-) > > diff --git a/security/integrity/platform_certs/load_uefi.c b/security/integrity/platform_certs/load_uefi.c > index 111898aad56..f0c90824196 100644 > --- a/security/integrity/platform_certs/load_uefi.c > +++ b/security/integrity/platform_certs/load_uefi.c > @@ -35,16 +35,18 @@ static __init bool uefi_check_ignore_db(void) > * Get a certificate list blob from the named EFI variable. > */ > static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid, > - unsigned long *size) > + unsigned long *size, efi_status_t *status) > { > - efi_status_t status; > unsigned long lsize = 4; > unsigned long tmpdb[4]; > void *db; > > - status = efi.get_variable(name, guid, NULL, &lsize, &tmpdb); > - if (status != EFI_BUFFER_TOO_SMALL) { > - pr_err("Couldn't get size: 0x%lx\n", status); > + *status = efi.get_variable(name, guid, NULL, &lsize, &tmpdb); > + if (*status == EFI_NOT_FOUND) > + return NULL; > + > + if (*status != EFI_BUFFER_TOO_SMALL) { > + pr_err("Couldn't get size: 0x%lx\n", *status); > return NULL; > } > > @@ -52,10 +54,10 @@ static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid, > if (!db) > return NULL; > > - status = efi.get_variable(name, guid, NULL, &lsize, db); > - if (status != EFI_SUCCESS) { > + *status = efi.get_variable(name, guid, NULL, &lsize, db); > + if (*status != EFI_SUCCESS) { > kfree(db); > - pr_err("Error reading db var: 0x%lx\n", status); > + pr_err("Error reading db var: 0x%lx\n", *status); > return NULL; > } > > @@ -74,6 +76,7 @@ static int __init load_uefi_certs(void) > efi_guid_t mok_var = EFI_SHIM_LOCK_GUID; > void *db = NULL, *dbx = NULL, *mok = NULL; > unsigned long dbsize = 0, dbxsize = 0, moksize = 0; > + efi_status_t status; > int rc = 0; > > if (!efi.get_variable) > @@ -83,9 +86,12 @@ static int __init load_uefi_certs(void) > * an error if we can't get them. > */ > if (!uefi_check_ignore_db()) { > - db = get_cert_list(L"db", &secure_var, &dbsize); > + db = get_cert_list(L"db", &secure_var, &dbsize, &status); > if (!db) { > - pr_err("MODSIGN: Couldn't get UEFI db list\n"); > + if (status == EFI_NOT_FOUND) > + pr_debug("MODSIGN: db variable wasn't found\n"); > + else > + pr_err("MODSIGN: Couldn't get UEFI db list\n"); > } else { > rc = parse_efi_signature_list("UEFI:db", > db, dbsize, get_handler_for_db); > @@ -96,9 +102,12 @@ static int __init load_uefi_certs(void) > } > } > > - mok = get_cert_list(L"MokListRT", &mok_var, &moksize); > + mok = get_cert_list(L"MokListRT", &mok_var, &moksize, &status); > if (!mok) { > - pr_info("Couldn't get UEFI MokListRT\n"); > + if (status == EFI_NOT_FOUND) > + pr_debug("MokListRT variable wasn't found\n"); > + else > + pr_info("Couldn't get UEFI MokListRT\n"); > } else { > rc = parse_efi_signature_list("UEFI:MokListRT", > mok, moksize, get_handler_for_db); > @@ -107,9 +116,12 @@ static int __init load_uefi_certs(void) > kfree(mok); > } > > - dbx = get_cert_list(L"dbx", &secure_var, &dbxsize); > + dbx = get_cert_list(L"dbx", &secure_var, &dbxsize, &status); > if (!dbx) { > - pr_info("Couldn't get UEFI dbx list\n"); > + if (status == EFI_NOT_FOUND) > + pr_debug("dbx variable wasn't found\n"); > + else > + pr_info("Couldn't get UEFI dbx list\n"); > } else { > rc = parse_efi_signature_list("UEFI:dbx", > dbx, dbxsize, > -- > 2.24.1 >