Date: Fri, 18 Sep 2020 08:30:54 -0000
From: "tip-bot2 for Lenny Szubowicz"
Reply-to: linux-kernel@vger.kernel.org
To: linux-tip-commits@vger.kernel.org
Subject: [tip: efi/core] integrity: Move import of MokListRT certs to a separate routine
Cc: Lenny Szubowicz, Mimi Zohar, Ard Biesheuvel, x86, LKML
In-Reply-To: <20200905013107.10457-3-lszubowi@redhat.com>
References: <20200905013107.10457-3-lszubowi@redhat.com>
Message-ID: <160041785420.15536.14745076474618952848.tip-bot2@tip-bot2>
X-Mailing-List: linux-kernel@vger.kernel.org

The following commit has been merged into the efi/core branch of tip:

Commit-ID:     38a1f03aa24094b4a8de846700cb6cb21cc06468
Gitweb:        https://git.kernel.org/tip/38a1f03aa24094b4a8de846700cb6cb21cc06468
Author:        Lenny Szubowicz
AuthorDate:    Fri, 04 Sep 2020 21:31:06 -04:00
Committer:     Ard Biesheuvel
CommitterDate: Wed, 16 Sep 2020 18:53:42 +03:00

integrity: Move import of MokListRT certs to a separate routine

Move the loading of certs from the UEFI MokListRT into a separate
routine to facilitate additional MokList functionality.

There is no visible functional change as a result of this patch.
Although the UEFI dbx certs are now loaded before the MokList certs,
they are loaded onto different key rings. So the order of the keys on
their respective key rings is the same.

Signed-off-by: Lenny Szubowicz
Reviewed-by: Mimi Zohar
Link: https://lore.kernel.org/r/20200905013107.10457-3-lszubowi@redhat.com
Signed-off-by: Ard Biesheuvel --- security/integrity/platform_certs/load_uefi.c | 63 ++++++++++++------ 1 file changed, 44 insertions(+), 19 deletions(-) diff --git a/security/integrity/platform_certs/load_uefi.c b/security/integrity/platform_certs/load_uefi.c index 253fb9a..c1c622b 100644 --- a/security/integrity/platform_certs/load_uefi.c +++ b/security/integrity/platform_certs/load_uefi.c @@ -66,6 +66,43 @@ static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid, } /* + * load_moklist_certs() - Load MokList certs + * + * Load the certs contained in the UEFI MokListRT database into the + * platform trusted keyring. + * + * Return: Status + */ +static int __init load_moklist_certs(void) +{ + efi_guid_t mok_var = EFI_SHIM_LOCK_GUID; + void *mok; + unsigned long moksize; + efi_status_t status; + int rc; + + /* Get MokListRT. It might not exist, so it isn't an error + * if we can't get it. + */ + mok = get_cert_list(L"MokListRT", &mok_var, &moksize, &status); + if (mok) { + rc = parse_efi_signature_list("UEFI:MokListRT", + mok, moksize, get_handler_for_db); + kfree(mok); + if (rc) + pr_err("Couldn't parse MokListRT signatures: %d\n", rc); + return rc; + } + if (status == EFI_NOT_FOUND) + pr_debug("MokListRT variable wasn't found\n"); + else + pr_info("Couldn't get UEFI MokListRT\n"); + return 0; +} + +/* + * load_uefi_certs() - Load certs from UEFI sources + * * Load the certs contained in the UEFI databases into the platform trusted * keyring and the UEFI blacklisted X.509 cert SHA256 hashes into the blacklist * keyring. 
@@ -73,17 +110,16 @@ static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid, static int __init load_uefi_certs(void) { efi_guid_t secure_var = EFI_IMAGE_SECURITY_DATABASE_GUID; - efi_guid_t mok_var = EFI_SHIM_LOCK_GUID; - void *db = NULL, *dbx = NULL, *mok = NULL; - unsigned long dbsize = 0, dbxsize = 0, moksize = 0; + void *db = NULL, *dbx = NULL; + unsigned long dbsize = 0, dbxsize = 0; efi_status_t status; int rc = 0; if (!efi_rt_services_supported(EFI_RT_SUPPORTED_GET_VARIABLE)) return false; - /* Get db, MokListRT, and dbx. They might not exist, so it isn't - * an error if we can't get them. + /* Get db and dbx. They might not exist, so it isn't an error + * if we can't get them. */ if (!uefi_check_ignore_db()) { db = get_cert_list(L"db", &secure_var, &dbsize, &status); @@ -102,20 +138,6 @@ static int __init load_uefi_certs(void) } } - mok = get_cert_list(L"MokListRT", &mok_var, &moksize, &status); - if (!mok) { - if (status == EFI_NOT_FOUND) - pr_debug("MokListRT variable wasn't found\n"); - else - pr_info("Couldn't get UEFI MokListRT\n"); - } else { - rc = parse_efi_signature_list("UEFI:MokListRT", - mok, moksize, get_handler_for_db); - if (rc) - pr_err("Couldn't parse MokListRT signatures: %d\n", rc); - kfree(mok); - } - dbx = get_cert_list(L"dbx", &secure_var, &dbxsize, &status); if (!dbx) { if (status == EFI_NOT_FOUND) @@ -131,6 +153,9 @@ static int __init load_uefi_certs(void) kfree(dbx); } + /* Load the MokListRT certs */ + rc = load_moklist_certs(); + return rc; } late_initcall(load_uefi_certs);
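Review bot: in the first hunk (@@ -66,6 +66,43 @@), the comment block above load_moklist_certs() opens with `/*` rather than `/**`, so the `Return:` line is not picked up as kernel-doc, and "Return: Status" says nothing a caller can act on. Suggest `/**` and a contract that matches what the body does: 0 when MokListRT is absent or cannot be read (the `if (mok)` fall-through only logs and returns 0), otherwise the value of parse_efi_signature_list(), so a non-zero result means the variable was present but its signature list did not parse. Since this value becomes the return of load_uefi_certs() once the last hunk is applied, stating it here spares the reader a walk through both functions.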
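Review bot: pre-existing, but it sits in the unchanged context of the second hunk (@@ -73,17 +110,16 @@): `return false;` after the efi_rt_services_supported() check in a function declared `static int __init load_uefi_certs(void)`. It is harmless (false is 0) but reads as if the function returned bool; since this hunk is already trimming the local variables here, `return 0;` would be a one-character cleanup, either in this patch or as a follow-up.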
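Review bot: in the last hunk (@@ -131,6 +153,9 @@), `rc = load_moklist_certs();` lands immediately before the unchanged `return rc;`, so whatever rc held from the dbx parse just above (`kfree(dbx); }` is the end of that branch) is overwritten. A dbx parse failure followed by an absent or clean MokListRT now makes the initcall report 0, whereas before this change the final rc reflected dbx when dbx was present. The commit message states there is no visible functional change; for a late_initcall the return value is only logged, so that is likely true in practice, but it is still a behaviour difference worth either calling out in the message or avoiding, for instance by keeping the first error: run load_moklist_certs() into a second variable unconditionally (so MokListRT is still loaded after a dbx failure) and return rc if it is non-zero, else the MokListRT result.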