Received: by 10.223.164.202 with SMTP id h10csp4696051wrb;
        Wed, 29 Nov 2017 10:19:02 -0800 (PST)
X-Google-Smtp-Source: AGs4zMbSZj903TqDX2pKcv9v6mW86jfkTOQDdOmOPDR5318SETlb4JJjElJqQcRFhlCAIiZpDqzR
X-Received: by 10.101.82.76 with SMTP id q12mr3602166pgp.65.1511979542596;
        Wed, 29 Nov 2017 10:19:02 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1511979542; cv=none;
        d=google.com; s=arc-20160816;
        b=Bppbo4yZy/mo4aPj6l2zuTL3RY5T9CuILyH9WzX9A7gC1cQ08alaiHmirotg8uwhT+
         Dem16In3gEjZL+hgyF6mYmDCD9BGy8fZ7UOJ/285nTuYnylo1RTYt9IhBHvHvxY6+JmM
         rUrJK200eOxm0jIPtvC4kFE5YNeqrl+4qhkrQP5D24AdfXDOOqpGjDbXa+jP9fjI4+ns
         TmIMYbzNteJE0Pd5TXiHedAdUdYTu1wuT7NalWS2g34fPtmP9/eB/21kFN3kGiCJPLeb
         EgYiraTixJCgKtNZKuJqYh2D3S2aTxKQdGiyTMNlDvfc3Iz7p0+0RQ1DJMBi0wBJrYXL
         tHCg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:references:in-reply-to:message-id:date
         :subject:cc:to:from:dkim-signature:arc-authentication-results;
        bh=CJhnvVUxWa/esSVljAeQ+kHzBsZYarwZwXwX1fiKSdM=;
        b=xdoIkH/4OaPqETj1r9lpcxB0vAlJf0yxiyM8x6ZX76ZXbHwwcdCqbuZF7cMTmHEICu
         ziI0M+dEqCASl+wvl9fBO4BLL6pxGQ6c5RtcAi6/eiQaJZxDc8JmYlODTLTinWVlneSH
         c9LQsPs5bycgE7N8bzTo16fIDgeSBi56bObX19IKZTgUemMxd+TX5kFqCWAcT8eyw6CJ
         qLaKpecleK7kX4x8sw7e+UVXc9Hc+SJ2fmOH2saNje2xW7/q2o8668MwIC2Z6qp5I0QZ
         +v5DQJXnfhakn/6Q/GI227XO8W0d9QWwId5BZbNPnLwjRLC2L3EEI6ZGO47BEqqhoTb6
         5tjQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=iBdn6ePo;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=gmail.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id o76si1744616pfg.10.2017.11.29.10.18.52;
        Wed, 29 Nov 2017 10:19:02 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=iBdn6ePo;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1755172AbdK2OMK (ORCPT <rfc822;c14006078@gmail.com> + 70 others);
        Wed, 29 Nov 2017 09:12:10 -0500
Received: from mail-pl0-f65.google.com ([209.85.160.65]:40397 "EHLO
        mail-pl0-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1755158AbdK2OMG (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 29 Nov 2017 09:12:06 -0500
Received: by mail-pl0-f65.google.com with SMTP id 1so2160489pla.7;
        Wed, 29 Nov 2017 06:12:06 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=from:to:cc:subject:date:message-id:in-reply-to:references;
        bh=CJhnvVUxWa/esSVljAeQ+kHzBsZYarwZwXwX1fiKSdM=;
        b=iBdn6ePoQYuYPg4/b4l9Rw4TuAhHK7DOMbwxFjHJH9NFHJQPGBrUpLHX+1XCO3HkOM
         XHH1kYu4QZuH5cDxb7BJWxjNATd+JRFnLWSDLdHKT2P2uMxSvEZnt+xutCQ/dEVgy4ap
         yieu1W6Rz8LsUeODdOaJcTMvZ0O/UWvvVSXGW2dn3W2ftDWRq6fV/5LQKR2Nse0j6U4c
         +3EAokcMp7eErwhNUlFP2HKp1KhW67UDui84UOX2K5AMjuORUg1LzEBlMI2IFOD2qCqz
         BExkCOqvCkyhPhWqbok+cWiie8fE7hODq1aDN76imFTNYH4aBMIP6BasB9471QeQLahc
         HGyQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
         :references;
        bh=CJhnvVUxWa/esSVljAeQ+kHzBsZYarwZwXwX1fiKSdM=;
        b=Mu7nc3D1+iQA8qfqcFu5hNq7KiUsrymnQaMtfPvKILQ1VTMZv7at7Yx9RrpvkKSE86
         hjcJ9OpPqEZWYIOQEwvhXHQvDHFI/Njzn7i9k3GD/oOfBv+D1BfUOAKUCVqH6KOxlGDt
         XTTqkBB2XRLc1Eu5qu2CVAW2tsd0zEd6oWUMD4JxZ78WKMhGD1sbsbxrscy5xaZv7lkN
         s4AvI93zD3OAh4x3ObH98JrpLp3dVQw8J6ztTiPFq0IKnIzMjrUoqGYl8boa7eXlPB7s
         gBIVMVB51JINeYhPXIcRspxSkAIrqZCVKTWKLU9+Pjpnjm3A0ka+vZZUToowdSFmpyVw
         HA4w==
X-Gm-Message-State: AJaThX6VlOaOFvVnn3mWq+rE/1lACwOssJEunGVB8OBWdh9CwmIy1i70
        KhEgcJCfSm1VvA1ZVhMv3Ck=
X-Received: by 10.84.244.139 with SMTP id h11mr3052150pll.127.1511964726389;
        Wed, 29 Nov 2017 06:12:06 -0800 (PST)
Received: from linux-l9pv.suse ([124.11.22.254])
        by smtp.gmail.com with ESMTPSA id n12sm3481373pfb.5.2017.11.29.06.12.03
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128);
        Wed, 29 Nov 2017 06:12:05 -0800 (PST)
From:   "Lee, Chun-Yi" <joeyli.kernel@gmail.com>
X-Google-Original-From: "Lee, Chun-Yi" <jlee@suse.com>
To:     David Howells <dhowells@redhat.com>
Cc:     linux-fs@vger.kernel.org, linux-efi@vger.kernel.org,
        linux-kernel@vger.kernel.org, "Lee, Chun-Yi" <jlee@suse.com>,
        Josh Boyer <jwboyer@fedoraproject.org>
Subject: [PATCH 1/4] MODSIGN: do not load mok when secure boot disabled
Date:   Wed, 29 Nov 2017 22:11:36 +0800
Message-Id: <20171129141139.20088-2-jlee@suse.com>
X-Mailer: git-send-email 2.12.3
In-Reply-To: <20171129141139.20088-1-jlee@suse.com>
References: <20171129141139.20088-1-jlee@suse.com>
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

The mok can not be trusted when the secure boot is disabled. Which
means that the kernel embedded certificate is the only trusted key.

Due to db/dbx are authenticated variables, they needs manufacturer's
KEK for update. So db/dbx are secure when secureboot disabled.

Cc: David Howells <dhowells@redhat.com> 
Cc: Josh Boyer <jwboyer@fedoraproject.org>
Signed-off-by: "Lee, Chun-Yi" <jlee@suse.com>
---
 certs/load_uefi.c | 26 +++++++++++++++-----------
 1 file changed, 15 insertions(+), 11 deletions(-)

diff --git a/certs/load_uefi.c b/certs/load_uefi.c
index 3d88459..d6de4d0 100644
--- a/certs/load_uefi.c
+++ b/certs/load_uefi.c
@@ -164,17 +164,6 @@ static int __init load_uefi_certs(void)
 		}
 	}
 
-	mok = get_cert_list(L"MokListRT", &mok_var, &moksize);
-	if (!mok) {
-		pr_info("MODSIGN: Couldn't get UEFI MokListRT\n");
-	} else {
-		rc = parse_efi_signature_list("UEFI:MokListRT",
-					      mok, moksize, get_handler_for_db);
-		if (rc)
-			pr_err("Couldn't parse MokListRT signatures: %d\n", rc);
-		kfree(mok);
-	}
-
 	dbx = get_cert_list(L"dbx", &secure_var, &dbxsize);
 	if (!dbx) {
 		pr_info("MODSIGN: Couldn't get UEFI dbx list\n");
@@ -187,6 +176,21 @@ static int __init load_uefi_certs(void)
 		kfree(dbx);
 	}
 
+	/* the MOK can not be trusted when secure boot is disabled */
+	if (!efi_enabled(EFI_SECURE_BOOT))
+		return 0;
+
+	mok = get_cert_list(L"MokListRT", &mok_var, &moksize);
+	if (!mok) {
+		pr_info("MODSIGN: Couldn't get UEFI MokListRT\n");
+	} else {
+		rc = parse_efi_signature_list("UEFI:MokListRT",
+					      mok, moksize, get_handler_for_db);
+		if (rc)
+			pr_err("Couldn't parse MokListRT signatures: %d\n", rc);
+		kfree(mok);
+	}
+
 	return rc;
 }
 late_initcall(load_uefi_certs);
-- 
2.10.2


From 1585575101897516324@xxx Fri Dec 01 09:57:31 +0000 2017
X-GM-THRID: 1585575101897516324
X-Gmail-Labels: Inbox,Category Forums,HistoricalUnread