Received: by 2002:a05:6a10:a0d1:0:0:0:0 with SMTP id j17csp3369961pxa; Tue, 25 Aug 2020 20:46:10 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzjeAuEbCPuo60X+UrMxoEiOEbNfmdqdpgHD74a4RtGLlYurk50KelMbjQsCeVw8PMD+ov3 X-Received: by 2002:a17:906:eda2:: with SMTP id sa2mr14454178ejb.166.1598413569847; Tue, 25 Aug 2020 20:46:09 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1598413569; cv=none; d=google.com; s=arc-20160816; b=wpOqI4CQaHawnw1a+30+cjPqPHemjJIk5h2/NLYz4dlKXrz0uBwsb3xW5JCn07PBKV SzMyfui9VeAk6onXR+jBUFJePtcZWB5c/ox4bJyL0apcUKjX/j4oBO6VawPuBpt8trrH 6n4X8cYqJisneEnp1q2wC4aTT5Nub6cMToR+faHz+z77xxpnu0TQBbfib0KiJSyFkIB/ SiwDHrTjLegdeh6MEXpNR4/CVQdzissjInOTT1aibRaJqzui+lykygLBG7L+Ve/Becp/ 52QoaLZppN9xFYPVj0Bx1uNtPGp+/24knHTa5DteccihHMO3eJLAGLBY6/o1ZC50PVRS 646A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:message-id:date:subject:to:from :dkim-signature; bh=LT6POVV8HSmICCQ9Cr0CByMFS3SYARiZwXUJRkcEo+U=; b=w56WnpLWJ/GkpXIrdEdjyZvm4UzOxVgfRtGq9k9jXWvoTyZjVxWxCKEJ0sWLwIUnT0 Oz1kGs2oshBOahojZ4WQ/bAplBTguo95Irv7zyEE8Zd99Pr11/nVGRuw4oR4eDsNRzEA M4kMtTyZveCIFjP2J5E1rjeB98PmJIANdluf5oweeeF/sfQwHWczZcA2/PAQ79JvHF+G LgeSoKijPmDk9d58vseTWGgAMuxzqHt81UxJmeGazP0L7dF1iToa6iXsx3bZyySPk7fQ 4Pw5xN4dp/9e/6wbga64i57RN9Oe2l68pxRkFCq2duXaeTnAQVYIZS6JSCALp3Gqd6Ze vPfw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=efmbh3bc; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id b9si608888edn.357.2020.08.25.20.45.47; Tue, 25 Aug 2020 20:46:09 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=efmbh3bc; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726777AbgHZDpG (ORCPT + 99 others); Tue, 25 Aug 2020 23:45:06 -0400 Received: from us-smtp-2.mimecast.com ([207.211.31.81]:41759 "EHLO us-smtp-delivery-1.mimecast.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1726763AbgHZDpG (ORCPT ); Tue, 25 Aug 2020 23:45:06 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1598413505; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc; bh=LT6POVV8HSmICCQ9Cr0CByMFS3SYARiZwXUJRkcEo+U=; b=efmbh3bcZVcfnEoG96S2vyrJSM+aqAF1O6DKiEZTgSHo+t0LdE4KL5euB8iO2+wwCMhZ71 I62aFeCRPSlnEcDb34NXqm1rR7wP9/spXVAwKvEF6jW2vYR7kA87lIjOdnsjMOgEhZNtU2 aKdqJbVnrOjz0a4sAjwlGfRGfLhw2EQ= Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-87-naIzhBe0MFmexAJKAilz9A-1; Tue, 25 Aug 2020 23:45:01 -0400 X-MC-Unique: naIzhBe0MFmexAJKAilz9A-1 Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.phx2.redhat.com [10.5.11.14]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id DE3FA1005E5B; Wed, 26 Aug 2020 03:44:59 +0000 (UTC) Received: from lszubowi.redhat.com (unknown [10.10.110.32]) by smtp.corp.redhat.com (Postfix) with ESMTP id B1C7A5D9E4; Wed, 26 Aug 2020 03:44:56 +0000 (UTC) From: Lenny Szubowicz To: linux-kernel@vger.kernel.org, linux-efi@vger.kernel.org, platform-driver-x86@vger.kernel.org, linux-security-module@vger.kernel.org, ardb@kernel.org, jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, zohar@linux.ibm.com, bp@alien8.de, pjones@redhat.com, dhowells@redhat.com, prarit@redhat.com Subject: [PATCH 0/3] integrity: Load certs from EFI MOK config table Date: Tue, 25 Aug 2020 23:44:52 -0400 Message-Id: <20200826034455.28707-1-lszubowi@redhat.com> X-Scanned-By: MIMEDefang 2.79 on 10.5.11.14 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Because of system-specific EFI firmware limitations, EFI volatile variables may not be capable of holding the required contents of the Machine Owner Key (MOK) certificate store. Therefore, an EFI boot loader may pass the MOK certs via a EFI configuration table created specifically for this purpose to avoid this firmware limitation. An EFI configuration table is a simpler and more robust mechanism compared to EFI variables and is well suited for one-way passage of static information from a pre-OS environment to the kernel. This patch set does not remove the support for loading certs from the EFI MOK variables into the platform key ring. However, if both the EFI MOK config table and corresponding EFI MOK variables are present, the MOK table is used as the source of MOK certs. The contents of the individual named MOK config table entries are made available to user space via read-only sysfs binary files under: /sys/firmware/efi/mok-variables/ Lenny Szubowicz (3): efi: Support for MOK variable config table integrity: Move import of MokListRT certs to a separate routine integrity: Load certs from the EFI MOK config table arch/x86/kernel/setup.c | 1 + arch/x86/platform/efi/efi.c | 3 + drivers/firmware/efi/Makefile | 1 + drivers/firmware/efi/arm-init.c | 1 + drivers/firmware/efi/efi.c | 6 + drivers/firmware/efi/mokvar-table.c | 360 ++++++++++++++++++ include/linux/efi.h | 34 ++ security/integrity/platform_certs/load_uefi.c | 85 ++++- 8 files changed, 472 insertions(+), 19 deletions(-) create mode 100644 drivers/firmware/efi/mokvar-table.c -- 2.27.0