Received: by 2002:a05:6a10:a0d1:0:0:0:0 with SMTP id j17csp3370221pxa; Tue, 25 Aug 2020 20:46:51 -0700 (PDT) X-Google-Smtp-Source: ABdhPJw5TIqCX6RJMkIYYWLfIv5OdoZdZV3m8f5qHzjZYT4rhBJ2FvcU9OIZQ/1H5XGb28L6TLOu X-Received: by 2002:a17:906:813:: with SMTP id e19mr10302432ejd.141.1598413611457; Tue, 25 Aug 2020 20:46:51 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1598413611; cv=none; d=google.com; s=arc-20160816; b=j1QhATJ7cHakhGbwY2+LRSC9Vt4f0FR8uimV/pSXpXnZ2GmU+xLeW5RWPvUWXumRA7 d66uewvtOEv7scsjO4r/mPBbK3Dn7o09+DTmsfNGp692fQu/IRLNJchyuvP2qm06SxTE HjbD2m/M5sKTC+Awp16DTsp2fd8FyPcH8ZI7BrRc3RhIBBWzAb9OMP9skTYuqkC2OSrh TOgoaUVsNs1SmRPUe5/RTJVnMSurU1EMbWWdBR1us0fv675CIoukPdFpAiDTVgKc+Uwk aSD+a/I8IOpdxyUOXSCkDmU0Ofhxoy6/UKhgA9v4dQNe0oIjmc/C9ApTPbx2lLoYAnkl 5AMQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:references:in-reply-to:message-id:date :subject:to:from:dkim-signature; bh=/TBuoGPP1tG+0tOjQSeCl3WzgYge/SObbXxxTWBbxLs=; b=YJX0o2BY7THw6rdv7mnqrO6p8QNvL5DJECJejcyIvOC9og1/lvI6m9uapTQwrqDck2 UNfznInfQGr2sKCzDXRVnWQrZcBewnkZoT1o1emWlPw2xhenPJMUVdnSsAkgSjikYyjD Iq+8GAH6ni1NuXgwPwnx9sc0EiVG0il0MJzKxdaS2tsADUIhyQajL/w9Q2Kh5CQk1nY0 vfdoV2I2aKS6cMI9PfRkVfEQl7vKfwhEw4GkLQbjVUzOnKbaCUrXathkF1DuVGRX2wfB IYzzqArcohLCOJDdbw+5v/61N7YMLSf3jW7i31jwR8+Xci3cu0DHPHi44brnYdeDswSA OfaQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=GOFYaFBY; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id h25si746572eje.30.2020.08.25.20.46.28; Tue, 25 Aug 2020 20:46:51 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=GOFYaFBY; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726851AbgHZDpV (ORCPT + 99 others); Tue, 25 Aug 2020 23:45:21 -0400 Received: from us-smtp-delivery-124.mimecast.com ([63.128.21.124]:31053 "EHLO us-smtp-delivery-124.mimecast.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726804AbgHZDpN (ORCPT ); Tue, 25 Aug 2020 23:45:13 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1598413511; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:in-reply-to:in-reply-to:references:references; bh=/TBuoGPP1tG+0tOjQSeCl3WzgYge/SObbXxxTWBbxLs=; b=GOFYaFBY26jRYlDbpCnFyhCSluVjqKRMkmbFQmib6yDX8FF6dhMwGullEm6zXOQAxVMyHe 3lm656LjPwQYMa4rDig+ow2v5/VIdyH8PLBU+iQl5jzcNKDrgwnmNzdCs+7a5C94xVuBGQ zEQATHyF7fZL5/XINIOrBH4doDl9IXI= Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-288-vD43XxqlMSS7DJst6HmNTA-1; Tue, 25 Aug 2020 23:45:09 -0400 X-MC-Unique: vD43XxqlMSS7DJst6HmNTA-1 Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.phx2.redhat.com [10.5.11.14]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 131BC801AED; Wed, 26 Aug 2020 03:45:08 +0000 (UTC) Received: from lszubowi.redhat.com (unknown [10.10.110.32]) by smtp.corp.redhat.com (Postfix) with ESMTP id BE7E25D9E4; Wed, 26 Aug 2020 03:45:05 +0000 (UTC) From: Lenny Szubowicz To: linux-kernel@vger.kernel.org, linux-efi@vger.kernel.org, platform-driver-x86@vger.kernel.org, linux-security-module@vger.kernel.org, ardb@kernel.org, jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, zohar@linux.ibm.com, bp@alien8.de, pjones@redhat.com, dhowells@redhat.com, prarit@redhat.com Subject: [PATCH 2/3] integrity: Move import of MokListRT certs to a separate routine Date: Tue, 25 Aug 2020 23:44:54 -0400 Message-Id: <20200826034455.28707-3-lszubowi@redhat.com> In-Reply-To: <20200826034455.28707-1-lszubowi@redhat.com> References: <20200826034455.28707-1-lszubowi@redhat.com> X-Scanned-By: MIMEDefang 2.79 on 10.5.11.14 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Move the loading of certs from the UEFI MokListRT into a separate routine to facilitate additional MokList functionality. There is no visible functional change as a result of this patch. Although the UEFI dbx certs are now loaded before the MokList certs, they are loaded onto different key rings. So the order of the keys on their respective key rings is the same. Signed-off-by: Lenny Szubowicz --- security/integrity/platform_certs/load_uefi.c | 63 +++++++++++++------ 1 file changed, 44 insertions(+), 19 deletions(-) diff --git a/security/integrity/platform_certs/load_uefi.c b/security/integrity/platform_certs/load_uefi.c index 253fb9a7fc98..547410d8ffa5 100644 --- a/security/integrity/platform_certs/load_uefi.c +++ b/security/integrity/platform_certs/load_uefi.c @@ -66,6 +66,43 @@ static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid, } /* + * load_moklist_certs() - Load MokList certs + * + * Returns: Summary error status + * + * Load the certs contained in the UEFI MokListRT database into the + * platform trusted keyring. + */ +static int __init load_moklist_certs(void) +{ + efi_guid_t mok_var = EFI_SHIM_LOCK_GUID; + void *mok = NULL; + unsigned long moksize = 0; + efi_status_t status; + int rc = 0; + + /* Get MokListRT. It might not exist, so it isn't an error + * if we can't get it. + */ + mok = get_cert_list(L"MokListRT", &mok_var, &moksize, &status); + if (!mok) { + if (status == EFI_NOT_FOUND) + pr_debug("MokListRT variable wasn't found\n"); + else + pr_info("Couldn't get UEFI MokListRT\n"); + } else { + rc = parse_efi_signature_list("UEFI:MokListRT", + mok, moksize, get_handler_for_db); + if (rc) + pr_err("Couldn't parse MokListRT signatures: %d\n", rc); + kfree(mok); + } + return rc; +} + +/* + * load_uefi_certs() - Load certs from UEFI sources + * * Load the certs contained in the UEFI databases into the platform trusted * keyring and the UEFI blacklisted X.509 cert SHA256 hashes into the blacklist * keyring. @@ -73,17 +110,16 @@ static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid, static int __init load_uefi_certs(void) { efi_guid_t secure_var = EFI_IMAGE_SECURITY_DATABASE_GUID; - efi_guid_t mok_var = EFI_SHIM_LOCK_GUID; - void *db = NULL, *dbx = NULL, *mok = NULL; - unsigned long dbsize = 0, dbxsize = 0, moksize = 0; + void *db = NULL, *dbx = NULL; + unsigned long dbsize = 0, dbxsize = 0; efi_status_t status; int rc = 0; if (!efi_rt_services_supported(EFI_RT_SUPPORTED_GET_VARIABLE)) return false; - /* Get db, MokListRT, and dbx. They might not exist, so it isn't - * an error if we can't get them. + /* Get db and dbx. They might not exist, so it isn't an error + * if we can't get them. */ if (!uefi_check_ignore_db()) { db = get_cert_list(L"db", &secure_var, &dbsize, &status); @@ -102,20 +138,6 @@ static int __init load_uefi_certs(void) } } - mok = get_cert_list(L"MokListRT", &mok_var, &moksize, &status); - if (!mok) { - if (status == EFI_NOT_FOUND) - pr_debug("MokListRT variable wasn't found\n"); - else - pr_info("Couldn't get UEFI MokListRT\n"); - } else { - rc = parse_efi_signature_list("UEFI:MokListRT", - mok, moksize, get_handler_for_db); - if (rc) - pr_err("Couldn't parse MokListRT signatures: %d\n", rc); - kfree(mok); - } - dbx = get_cert_list(L"dbx", &secure_var, &dbxsize, &status); if (!dbx) { if (status == EFI_NOT_FOUND) @@ -131,6 +153,9 @@ static int __init load_uefi_certs(void) kfree(dbx); } + /* Load the MokListRT certs */ + rc = load_moklist_certs(); + return rc; } late_initcall(load_uefi_certs); -- 2.27.0