Received: by 2002:a05:6a10:6744:0:0:0:0 with SMTP id w4csp598296pxu; Wed, 14 Oct 2020 08:59:08 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzSoUWTSAZjQRAcWekoFX+10lavnjjZ4+zEaC/nPdfUz/CVO5Pi5CROgxtjfKpmVp12+Tc8 X-Received: by 2002:a17:906:cc83:: with SMTP id oq3mr6239471ejb.71.1602691147887; Wed, 14 Oct 2020 08:59:07 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1602691147; cv=none; d=google.com; s=arc-20160816; b=kocEKZP9mzk+GLJVzbM37UK4SJwaCDSLcAy3Ltn2e6Nz3+CvonKh0/GlP7bG25OQ3G SCNywW6ftWK5kUggFPK2D30FmAx/ipEZZco/dPVVJ9lZ/I5Ob9Vw8O90zI5Bt4O5xRHW xV+Ko3KoMVBmAX88FLKwSW2BTNgBVADAq9hD60XloEWbPkCqLYs8jTLuVCwztpo0FsCB AtwsxhltfoPGjfNub7ptm47QaILPnCVRUMkf8oxUO/aNO2jKLDARZLJ5A+T0u6pc93sH LDF+3/xt9UBX0ZVG7go/EEafAYB7jD+hBe7+DcN73wugFQYkwJ93qkPOL8MMTlHm+qdm 3s1A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=s0lpYPpvmXEKfWl+SEQySK7GFJXTIjCY2Pe9ZOGmSC4=; b=ss1ZjtIuyWQG8FeHJC+tM0PCr6zTIRh1DfLb2HpUipw7Qv3r/TV6d2U5dNwCUmlA/7 zfIf4YyFFZfBmxTckGJ60SR3VsVA9wBsJEynOzROrLBUrLnHl40BJQKiJtasD7nDezM2 jRvrikikhbkPAR4VtHknkpDysqq4e/VoUUi1Qj5AqkI1+Y0o3H4vZcha2eaDt+CN/Y7k dNxd4LSpdgtn93espvFYGAOPmUFaS4xdJNJyjKhdNl7WQYwjwL1ahpnM+1yrR6X/UM1q 6bB2KlkWA7VFriPHOcmZq5FBq5BY5PURxHFZDHwjyOKbTYBczqFSQDr1l8demr1q0mQe eXig== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=ZiZdJhHA; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id 92si2489193edp.262.2020.10.14.08.58.44; Wed, 14 Oct 2020 08:59:07 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=ZiZdJhHA; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729270AbgJNLA6 (ORCPT + 99 others); Wed, 14 Oct 2020 07:00:58 -0400 Received: from mail.kernel.org ([198.145.29.99]:51910 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728925AbgJNLA6 (ORCPT ); Wed, 14 Oct 2020 07:00:58 -0400 Received: from mail-oo1-f52.google.com (mail-oo1-f52.google.com [209.85.161.52]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id D46972222F; Wed, 14 Oct 2020 11:00:56 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1602673257; bh=UAicbC8Manxoolo8W7mfy4Wt2NU3mR6k0HSvVzJy6Wg=; h=References:In-Reply-To:From:Date:Subject:To:Cc:From; b=ZiZdJhHA1gDKsRqfL0nlW9VmDSBlJoG3F3XN9VysGizmH+pgYTylleus6H/UDdfLe B/KZpmkRyv6Q1CJ0Q1dM9khOrRM6T2y5mSusEaxxK33AQRr6hfAzz5SFEwL6gcaFZM hXKkpNGoEFjX3pI5GnVNYglVeJoVhRcl1UoMv/Rw= Received: by mail-oo1-f52.google.com with SMTP id w7so669555oow.7; Wed, 14 Oct 2020 04:00:56 -0700 (PDT) X-Gm-Message-State: AOAM533zsQP26UTWEmEgTxQjuyZHP0j85WQPhEVNJZYlKruOtZqg9XGB ra293c30FPwkRbkeg6dYg3Ygv4hcrDwM7Xc+slI= X-Received: by 2002:a4a:b443:: with SMTP id h3mr2947134ooo.45.1602673255841; Wed, 14 Oct 2020 04:00:55 -0700 (PDT) MIME-Version: 1.0 References: <20201014104032.9776-1-clin@suse.com> <20201014104032.9776-2-clin@suse.com> In-Reply-To: <20201014104032.9776-2-clin@suse.com> From: Ard Biesheuvel Date: Wed, 14 Oct 2020 13:00:44 +0200 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH v2 1/2] efi: add secure boot get helper To: Chester Lin Cc: Mimi Zohar , Catalin Marinas , Will Deacon , Thomas Gleixner , Ingo Molnar , Borislav Petkov , "H. Peter Anvin" , Vincenzo Frascino , Mark Rutland , Sami Tolvanen , Masahiro Yamada , Linux ARM , Linux Kernel Mailing List , X86 ML , linux-integrity , linux-efi , "Lee, Chun-Yi" Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hello Chester, Thanks for looking into this. Some comments below. On Wed, 14 Oct 2020 at 12:41, Chester Lin wrote: > > Separate the get_sb_mode() from arch/x86 and treat it as a common function > [rename to efi_get_secureboot_mode] so all EFI-based architectures can > reuse the same logic. > > Signed-off-by: Chester Lin > --- > arch/x86/kernel/ima_arch.c | 47 ++------------------------------------ > drivers/firmware/efi/efi.c | 43 ++++++++++++++++++++++++++++++++++ > include/linux/efi.h | 5 ++++ > 3 files changed, 50 insertions(+), 45 deletions(-) > > diff --git a/arch/x86/kernel/ima_arch.c b/arch/x86/kernel/ima_arch.c > index 7dfb1e808928..ed4623ecda6e 100644 > --- a/arch/x86/kernel/ima_arch.c > +++ b/arch/x86/kernel/ima_arch.c > @@ -8,49 +8,6 @@ > > extern struct boot_params boot_params; > > -static enum efi_secureboot_mode get_sb_mode(void) > -{ > - efi_guid_t efi_variable_guid = EFI_GLOBAL_VARIABLE_GUID; > - efi_status_t status; > - unsigned long size; > - u8 secboot, setupmode; > - > - size = sizeof(secboot); > - > - if (!efi_rt_services_supported(EFI_RT_SUPPORTED_GET_VARIABLE)) { > - pr_info("ima: secureboot mode unknown, no efi\n"); > - return efi_secureboot_mode_unknown; > - } > - > - /* Get variable contents into buffer */ > - status = efi.get_variable(L"SecureBoot", &efi_variable_guid, > - NULL, &size, &secboot); > - if (status == EFI_NOT_FOUND) { > - pr_info("ima: secureboot mode disabled\n"); > - return efi_secureboot_mode_disabled; > - } > - > - if (status != EFI_SUCCESS) { > - pr_info("ima: secureboot mode unknown\n"); > - return efi_secureboot_mode_unknown; > - } > - > - size = sizeof(setupmode); > - status = efi.get_variable(L"SetupMode", &efi_variable_guid, > - NULL, &size, &setupmode); > - > - if (status != EFI_SUCCESS) /* ignore unknown SetupMode */ > - setupmode = 0; > - > - if (secboot == 0 || setupmode == 1) { > - pr_info("ima: secureboot mode disabled\n"); > - return efi_secureboot_mode_disabled; > - } > - > - pr_info("ima: secureboot mode enabled\n"); > - return efi_secureboot_mode_enabled; > -} > - > bool arch_ima_get_secureboot(void) > { > static enum efi_secureboot_mode sb_mode; > @@ -60,7 +17,7 @@ bool arch_ima_get_secureboot(void) > sb_mode = boot_params.secure_boot; > > if (sb_mode == efi_secureboot_mode_unset) > - sb_mode = get_sb_mode(); > + sb_mode = efi_get_secureboot_mode(); > initialized = true; > } > > @@ -70,7 +27,7 @@ bool arch_ima_get_secureboot(void) > return false; > } > > -/* secureboot arch rules */ > +/* secure and trusted boot arch rules */ > static const char * const sb_arch_rules[] = { > #if !IS_ENABLED(CONFIG_KEXEC_SIG) > "appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig", > diff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c > index 5e5480a0a32d..68ffa6a069c0 100644 > --- a/drivers/firmware/efi/efi.c > +++ b/drivers/firmware/efi/efi.c > @@ -1022,3 +1022,46 @@ static int __init register_update_efi_random_seed(void) > } > late_initcall(register_update_efi_random_seed); > #endif > + > +enum efi_secureboot_mode efi_get_secureboot_mode(void) > +{ > + efi_guid_t efi_variable_guid = EFI_GLOBAL_VARIABLE_GUID; > + efi_status_t status; > + unsigned long size; > + u8 secboot, setupmode; > + > + size = sizeof(secboot); > + > + if (!efi_rt_services_supported(EFI_RT_SUPPORTED_GET_VARIABLE)) { > + pr_info("ima: secureboot mode unknown, no efi\n"); These prints don't belong here anymore. Also, it would be useful if we could reuse this logic in the EFI stub as well, which is built as a separate executable, and does not provide efi.get_variable(). So, you could you please break this up into static inline enum efi_secureboot_mode efi_get_secureboot_mode(efi_get_variable_t *get_var) { } placed into include/linux/efi.h, which encapsulates the core logic, but using get_var(), and without the prints. Then, we could put something like bool efi_ima_get_secureboot(void) { } in drivers/firmware/efi/efi.c (guarded by #ifdef CONFIG_IMA_xxx), which performs the efi_rt_services_supported(EFI_RT_SUPPORTED_GET_VARIABLE)) check, calls efi_get_secureboot_mode(efi.get_variable), and implements the logic. And actually, if the logic is identical between x86 and arm64, I wonder if it wouldn't be better to put the whole thing into drivers/firmware/efi/efi-ima.c or security/integrity/ima/ima-efi.c with the only difference being the boot_params->secure_boot access for x86, which we can factor out to a static inline helper. Mimi, any thoughts here? > + return efi_secureboot_mode_unknown; > + } > + > + /* Get variable contents into buffer */ > + status = efi.get_variable(L"SecureBoot", &efi_variable_guid, > + NULL, &size, &secboot); > + if (status == EFI_NOT_FOUND) { > + pr_info("ima: secureboot mode disabled\n"); > + return efi_secureboot_mode_disabled; > + } > + > + if (status != EFI_SUCCESS) { > + pr_info("ima: secureboot mode unknown\n"); > + return efi_secureboot_mode_unknown; > + } > + > + size = sizeof(setupmode); > + status = efi.get_variable(L"SetupMode", &efi_variable_guid, > + NULL, &size, &setupmode); > + > + if (status != EFI_SUCCESS) /* ignore unknown SetupMode */ > + setupmode = 0; > + > + if (secboot == 0 || setupmode == 1) { > + pr_info("ima: secureboot mode disabled\n"); > + return efi_secureboot_mode_disabled; > + } > + > + pr_info("ima: secureboot mode enabled\n"); > + return efi_secureboot_mode_enabled; > +} > diff --git a/include/linux/efi.h b/include/linux/efi.h > index d7c0e73af2b9..a73e5ae04672 100644 > --- a/include/linux/efi.h > +++ b/include/linux/efi.h > @@ -1076,8 +1076,13 @@ static inline int efi_runtime_map_copy(void *buf, size_t bufsz) > > #ifdef CONFIG_EFI > extern bool efi_runtime_disabled(void); > +extern enum efi_secureboot_mode efi_get_secureboot_mode(void); > #else > static inline bool efi_runtime_disabled(void) { return true; } > +static inline enum efi_secureboot_mode efi_get_secureboot_mode(void) > +{ > + return efi_secureboot_mode_disabled; > +} > #endif > > extern void efi_call_virt_check_flags(unsigned long flags, const char *call); > -- > 2.26.1 >