From: Ard Biesheuvel
Date: Thu, 10 Feb 2022 11:47:29 +0100
Subject: Re: [PATCH v2] efi: Do not import certificates from UEFI Secure Boot for T2 Macs
To: Aditya Garg
Cc: David Laight, Matthew Garrett, Jeremy Kerr, joeyli.kernel@gmail.com, zohar@linux.ibm.com, jmorris@namei.org, eric.snowberg@oracle.com, dhowells@redhat.com, jlee@suse.com, James.Bottomley@hansenpartnership.com, jarkko@kernel.org, mic@digikod.net, dmitry.kasatkin@gmail.com, Linux Kernel Mailing List, linux-efi@vger.kernel.org, linux-security-module@vger.kernel.org, stable@vger.kernel.org, keyrings@vger.kernel.org, linux-integrity@vger.kernel.org, Orlando Chamberlain, Aun-Ali Zaidi
In-Reply-To: <20103919-A276-4CA6-B1AD-6E45DB58500B@live.com>
References: <9D0C961D-9999-4C41-A44B-22FEAF0DAB7F@live.com> <755cffe1dfaf43ea87cfeea124160fe0@AcuMS.aculab.com> <20103919-A276-4CA6-B1AD-6E45DB58500B@live.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, 10 Feb 2022 at 11:45, Aditya Garg wrote:
>
> From: Aditya Garg
>
> On T2 Macs, secure boot is handled by the T2 chip. If enabled, only
> macOS and Windows are allowed to boot on these machines. Thus we need to
> disable secure boot for Linux. If we boot into Linux after disabling
> secure boot and CONFIG_LOAD_UEFI_KEYS is enabled, EFI Runtime services
> fail to start, with the following logs in dmesg:
>
> Call Trace:
>
> page_fault_oops+0x4f/0x2c0
> ? search_bpf_extables+0x6b/0x80
> ? search_module_extables+0x50/0x80
> ? search_exception_tables+0x5b/0x60
> kernelmode_fixup_or_oops+0x9e/0x110
> __bad_area_nosemaphore+0x155/0x190
> bad_area_nosemaphore+0x16/0x20
> do_kern_addr_fault+0x8c/0xa0
> exc_page_fault+0xd8/0x180
> asm_exc_page_fault+0x1e/0x30
> (Removed some logs from here)
> ? __efi_call+0x28/0x30
> ? switch_mm+0x20/0x30
> ? efi_call_rts+0x19a/0x8e0
> ? process_one_work+0x222/0x3f0
> ? worker_thread+0x4a/0x3d0
> ? kthread+0x17a/0x1a0
> ? process_one_work+0x3f0/0x3f0
> ? set_kthread_struct+0x40/0x40
> ? ret_from_fork+0x22/0x30
>
> ---[ end trace 1f82023595a5927f ]---
> efi: Froze efi_rts_wq and disabled EFI Runtime Services
> integrity: Couldn't get size: 0x8000000000000015
> integrity: MODSIGN: Couldn't get UEFI db list
> efi: EFI Runtime Services are disabled!
> integrity: Couldn't get size: 0x8000000000000015
> integrity: Couldn't get UEFI dbx list
> integrity: Couldn't get size: 0x8000000000000015
> integrity: Couldn't get mokx list
> integrity: Couldn't get size: 0x80000000
>
> This patch prevents querying of these UEFI variables, since these Macs
> seem to use non-standard EFI hardware.
>
> Cc: stable@vger.kernel.org
> Signed-off-by: Aditya Garg
> ---
> v2 :- Reduce code size of the table.

NAK. As Matthew pointed out, other reads of the same variables may still
trigger the same issue.

> .../platform_certs/keyring_handler.h | 8 ++++
> security/integrity/platform_certs/load_uefi.c | 48 +++++++++++++++++++
> 2 files changed, 56 insertions(+)
> > diff --git a/security/integrity/platform_certs/keyring_handler.h b/security/integrity/platform_certs/keyring_handler.h > index 2462bfa08..cd06bd607 100644 > --- a/security/integrity/platform_certs/keyring_handler.h > +++ b/security/integrity/platform_certs/keyring_handler.h > @@ -30,3 +30,11 @@ efi_element_handler_t get_handler_for_db(const efi_guid_t *sig_type); > efi_element_handler_t get_handler_for_dbx(const efi_guid_t *sig_type); > > #endif > + > +#ifndef UEFI_QUIRK_SKIP_CERT > +#define UEFI_QUIRK_SKIP_CERT(vendor, product) \ > + .matches = { \ > + DMI_MATCH(DMI_BOARD_VENDOR, vendor), \ > + DMI_MATCH(DMI_PRODUCT_NAME, product), \ > + }, > +#endif > diff --git a/security/integrity/platform_certs/load_uefi.c b/security/integrity/platform_certs/load_uefi.c > index 08b6d12f9..f246c8732 100644 > --- a/security/integrity/platform_certs/load_uefi.c > +++ b/security/integrity/platform_certs/load_uefi.c > @@ -3,6 +3,7 @@ > #include > #include > #include > +#include > #include > #include > #include 
> @@ -12,6 +13,32 @@ > #include "../integrity.h" > #include "keyring_handler.h" > > +/* Apple Macs with T2 Security chip don't support these UEFI variables. > + * The T2 chip manages the Secure Boot and does not allow Linux to boot > + * if it is turned on. If turned off, an attempt to get certificates > + * causes a crash, so we simply return 0 for them in each function. > + */ > + > +static const struct dmi_system_id uefi_skip_cert[] = { > + > + { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacBookPro15,1" }, > + { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacBookPro15,2" }, > + { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacBookPro15,3" }, > + { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacBookPro15,4" }, > + { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacBookPro16,1" }, > + { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacBookPro16,2" }, > + { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacBookPro16,3" }, > + { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacBookPro16,4" }, > + { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacBookAir8,1" }, > + { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacBookAir8,2" }, > + { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacBookAir9,1" }, > + { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacMini8,1" }, > + { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacPro7,1" }, > + { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "iMac20,1" }, > + { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "iMac20,2" }, > + { } > +}; > + > /* > * Look to see if a UEFI variable called MokIgnoreDB exists and return true if > * it does. > @@ -21,12 +48,18 @@ > * is set, we should ignore the db variable also and the true return indicates > * this. > */ > + > static __init bool uefi_check_ignore_db(void) > { > efi_status_t status; > unsigned int db = 0; > unsigned long size = sizeof(db); > efi_guid_t guid = EFI_SHIM_LOCK_GUID; > + const struct dmi_system_id *dmi_id; > + > + dmi_id = dmi_first_match(uefi_skip_cert); > + if (dmi_id) > + return 0; > > status = efi.get_variable(L"MokIgnoreDB", &guid, NULL, &size, &db); > return status == EFI_SUCCESS; 
> @@ -41,6 +74,11 @@ static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid, > unsigned long lsize = 4; > unsigned long tmpdb[4]; > void *db; > + const struct dmi_system_id *dmi_id; > + > + dmi_id = dmi_first_match(uefi_skip_cert); > + if (dmi_id) > + return 0; > > *status = efi.get_variable(name, guid, NULL, &lsize, &tmpdb); > if (*status == EFI_NOT_FOUND) > @@ -85,6 +123,11 @@ static int __init load_moklist_certs(void) > unsigned long moksize; > efi_status_t status; > int rc; > + const struct dmi_system_id *dmi_id; > + > + dmi_id = dmi_first_match(uefi_skip_cert); > + if (dmi_id) > + return 0; > > /* First try to load certs from the EFI MOKvar config table. > * It's not an error if the MOKvar config table doesn't exist > @@ -138,6 +181,11 @@ static int __init load_uefi_certs(void) > unsigned long dbsize = 0, dbxsize = 0, mokxsize = 0; > efi_status_t status; > int rc = 0; > + const struct dmi_system_id *dmi_id; > + > + dmi_id = dmi_first_match(uefi_skip_cert); > + if (dmi_id) > + return 0; > > if (!efi_rt_services_supported(EFI_RT_SUPPORTED_GET_VARIABLE)) > return false; > -- > 2.25.1 > >
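Review bot: in the keyring_handler.h hunk the UEFI_QUIRK_SKIP_CERT macro is added after the header's closing `#endif`, so it sits outside the include guard and has to carry its own `#ifndef UEFI_QUIRK_SKIP_CERT` wrapper; move the definition above the `#endif` and drop the extra guard. The macro also expands to `DMI_MATCH(DMI_BOARD_VENDOR, vendor)`, but the only new `#include` in the patch (its target is stripped in this copy) lands in load_uefi.c, so the header no longer stands on its own; include the DMI header there as well.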
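Review bot: in the `uefi_skip_cert[]` hunk every entry is quoted as `{ UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacBookPro15,1" },` with no closing parenthesis on the macro call; if that is not an artefact of how the mail was rendered, the file does not compile and each entry needs `("Apple Inc.", "MacBookPro15,1")`. The table is referenced only from `__init` functions, so mark it `__initconst` rather than plain `const`; the kernel's multi-line comment style wants `/*` on a line of its own rather than `/* Apple Macs with T2 Security chip ...`; the blank line right after `uefi_skip_cert[] = {` should go; and since `DMI_MATCH` is a substring match, `DMI_EXACT_MATCH` is the safer choice for a product-name allow-list.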
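Review bot: `uefi_check_ignore_db()` returns bool, so the early exit added in that hunk should be `return false;`, not `return 0;`. The same hunk also inserts a blank line between the function's comment block and `static __init bool uefi_check_ignore_db(void)`, which is unrelated whitespace churn; drop it.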
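Review bot: `get_cert_list()` returns `void *`, so its early exit should be `return NULL;`, and it takes `status` as an out-parameter that the function otherwise writes through `*status = efi.get_variable(name, guid, NULL, &lsize, &tmpdb);`; the new early return leaves `*status` untouched, so any caller that inspects it after a NULL result reads an indeterminate value. Either store a defined status before returning or do the DMI check in the caller.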
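Review bot: the `load_uefi_certs()` hunk is the fourth copy of the same block (`const struct dmi_system_id *dmi_id;` / `dmi_id = dmi_first_match(uefi_skip_cert);` / `if (dmi_id) return 0;`), and in none of the four is `dmi_id` used beyond the test. `dmi_check_system(uefi_skip_cert)` returns a match count and needs no local, so each site collapses to `if (dmi_check_system(uefi_skip_cert)) return 0;`; better still, if `uefi_check_ignore_db()`, `get_cert_list()` and `load_moklist_certs()` are only reached through `load_uefi_certs()`, a single check there, ahead of the `efi_rt_services_supported()` test, is enough.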
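The commit message above describes the kernel failing to read the db, dbx and MokListX variables; what load_uefi.c would have done with a successful read is hand each blob to the keyring handlers as a chain of EFI_SIGNATURE_LIST structures. As an added example, not part of the patch, the kernel tree or this thread, here is a bounds-checked walker for that format in C, with a constructed sample db. The two GUID constants are the UEFI specification's EFI_CERT_SHA256_GUID and EFI_CERT_X509_GUID; the entry payloads are filler bytes, not real hashes or certificates.

```c
/*
 * Added example, not code from the patch or the kernel: a bounds-checked walker
 * for the EFI_SIGNATURE_LIST format carried by the UEFI db, dbx and MokListX
 * variables. Per the UEFI spec a list is a 16-byte SignatureType GUID, u32
 * SignatureListSize, SignatureHeaderSize and SignatureSize, an optional header,
 * then SignatureSize-byte entries each led by a 16-byte SignatureOwner GUID.
 * Every length is checked before use, since the bytes come from firmware NVRAM.
 */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define GUID_LEN    16
#define ESL_HDR_LEN (GUID_LEN + 3 * 4u)  /* GUID + three u32 fields = 28 bytes */
#define SHA256_LEN  32

/* EFI_CERT_SHA256_GUID c1c41626-504c-4092-aca9-41f936934328, wire byte order */
static const uint8_t efi_cert_sha256_guid[GUID_LEN] = {
	0x26, 0x16, 0xc4, 0xc1, 0x4c, 0x50, 0x92, 0x40,
	0xac, 0xa9, 0x41, 0xf9, 0x36, 0x93, 0x43, 0x28 };
/* EFI_CERT_X509_GUID a5c059a1-94e4-4aa7-87b5-ab155c2bf072, wire byte order */
static const uint8_t efi_cert_x509_guid[GUID_LEN] = {
	0xa1, 0x59, 0xc0, 0xa5, 0xe4, 0x94, 0xa7, 0x4a,
	0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72 };

struct esl_stats {
	unsigned int lists, sha256, x509, unknown;  /* lists walked; entries by type */
};

static uint32_t get_le32(const uint8_t *p)
{
	return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Walk a db/dbx blob. Returns 0 on success, -1 as soon as a list is malformed. */
int esl_walk(const uint8_t *buf, size_t len, struct esl_stats *st)
{
	size_t off = 0;
	memset(st, 0, sizeof(*st));
	while (off < len) {
		const uint8_t *list = buf + off;
		size_t remain = len - off, body, n;
		uint32_t list_size, hdr_size, sig_size;
		if (remain < ESL_HDR_LEN)
			return -1;                 /* truncated list header */
		list_size = get_le32(list + GUID_LEN);
		hdr_size  = get_le32(list + GUID_LEN + 4);
		sig_size  = get_le32(list + GUID_LEN + 8);
		if (list_size < ESL_HDR_LEN || list_size > remain ||
		    hdr_size > list_size - ESL_HDR_LEN)
			return -1;                 /* list claims more than the buffer holds */
		body = list_size - ESL_HDR_LEN - hdr_size;
		if (sig_size <= GUID_LEN || body % sig_size != 0)
			return -1;                 /* entries must tile the body exactly */
		n = body / sig_size;
		if (!memcmp(list, efi_cert_sha256_guid, GUID_LEN)) {
			if (sig_size != GUID_LEN + SHA256_LEN)
				return -1;         /* hash entries have a fixed size */
			st->sha256 += n;
		} else if (!memcmp(list, efi_cert_x509_guid, GUID_LEN)) {
			st->x509 += n;             /* a DER certificate follows the owner GUID */
		} else {
			st->unknown += n;          /* other types (SHA-1, RSA-2048, ...) only counted */
		}
		st->lists++;
		off += list_size;
	}
	return 0;
}

/* Append one headerless list to out; returns bytes written, or 0 if it does not fit. */
static size_t put_list(uint8_t *out, size_t cap, const uint8_t *type,
		       const uint8_t *entries, uint32_t sig_size, uint32_t count)
{
	size_t total = ESL_HDR_LEN + (size_t)sig_size * count;
	uint32_t hdr[3] = { (uint32_t)total, 0, sig_size };  /* ListSize, HeaderSize, SigSize */
	if (total > cap)
		return 0;
	memcpy(out, type, GUID_LEN);
	for (int i = 0; i < 12; i++)                 /* three little-endian u32 fields */
		out[GUID_LEN + i] = (uint8_t)(hdr[i / 4] >> (8 * (i % 4)));
	memcpy(out + ESL_HDR_LEN, entries, total - ESL_HDR_LEN);
	return total;
}

/* Constructed sample db: a SHA-256 list with two hashes, then an X.509 list with one
 * 8-byte placeholder (filler, not a real certificate). Returns 124 + 52 = 176 bytes. */
size_t build_sample_db(uint8_t *out, size_t cap)
{
	uint8_t sha_entries[2 * (GUID_LEN + SHA256_LEN)], x509_entry[GUID_LEN + 8];
	size_t n, m;
	memset(sha_entries, 0x11, sizeof(sha_entries));  /* owner GUIDs + hash filler */
	memset(x509_entry, 0xa0, sizeof(x509_entry));    /* owner GUID + cert filler */
	n = put_list(out, cap, efi_cert_sha256_guid, sha_entries, GUID_LEN + SHA256_LEN, 2);
	if (!n)
		return 0;
	m = put_list(out + n, cap - n, efi_cert_x509_guid, x509_entry, GUID_LEN + 8, 1);
	return m ? n + m : 0;
}
```

Build with `cc -std=c99`, call build_sample_db() and then esl_walk() on the result. The checks are the point: these variables are firmware-controlled input, so a SignatureListSize larger than the bytes remaining, a SignatureHeaderSize larger than the list, or a SignatureSize that does not divide the list body is rejected instead of being walked past the end of the buffer.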