Received: by 10.223.164.202 with SMTP id h10csp4696051wrb; Wed, 29 Nov 2017 10:19:02 -0800 (PST) X-Google-Smtp-Source: AGs4zMbSZj903TqDX2pKcv9v6mW86jfkTOQDdOmOPDR5318SETlb4JJjElJqQcRFhlCAIiZpDqzR X-Received: by 10.101.82.76 with SMTP id q12mr3602166pgp.65.1511979542596; Wed, 29 Nov 2017 10:19:02 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1511979542; cv=none; d=google.com; s=arc-20160816; b=Bppbo4yZy/mo4aPj6l2zuTL3RY5T9CuILyH9WzX9A7gC1cQ08alaiHmirotg8uwhT+ Dem16In3gEjZL+hgyF6mYmDCD9BGy8fZ7UOJ/285nTuYnylo1RTYt9IhBHvHvxY6+JmM rUrJK200eOxm0jIPtvC4kFE5YNeqrl+4qhkrQP5D24AdfXDOOqpGjDbXa+jP9fjI4+ns TmIMYbzNteJE0Pd5TXiHedAdUdYTu1wuT7NalWS2g34fPtmP9/eB/21kFN3kGiCJPLeb EgYiraTixJCgKtNZKuJqYh2D3S2aTxKQdGiyTMNlDvfc3Iz7p0+0RQ1DJMBi0wBJrYXL tHCg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:references:in-reply-to:message-id:date :subject:cc:to:from:dkim-signature:arc-authentication-results; bh=CJhnvVUxWa/esSVljAeQ+kHzBsZYarwZwXwX1fiKSdM=; b=xdoIkH/4OaPqETj1r9lpcxB0vAlJf0yxiyM8x6ZX76ZXbHwwcdCqbuZF7cMTmHEICu ziI0M+dEqCASl+wvl9fBO4BLL6pxGQ6c5RtcAi6/eiQaJZxDc8JmYlODTLTinWVlneSH c9LQsPs5bycgE7N8bzTo16fIDgeSBi56bObX19IKZTgUemMxd+TX5kFqCWAcT8eyw6CJ qLaKpecleK7kX4x8sw7e+UVXc9Hc+SJ2fmOH2saNje2xW7/q2o8668MwIC2Z6qp5I0QZ +v5DQJXnfhakn/6Q/GI227XO8W0d9QWwId5BZbNPnLwjRLC2L3EEI6ZGO47BEqqhoTb6 5tjQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=iBdn6ePo; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id o76si1744616pfg.10.2017.11.29.10.18.52; Wed, 29 Nov 2017 10:19:02 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=iBdn6ePo; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1755172AbdK2OMK (ORCPT + 70 others); Wed, 29 Nov 2017 09:12:10 -0500 Received: from mail-pl0-f65.google.com ([209.85.160.65]:40397 "EHLO mail-pl0-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1755158AbdK2OMG (ORCPT ); Wed, 29 Nov 2017 09:12:06 -0500 Received: by mail-pl0-f65.google.com with SMTP id 1so2160489pla.7; Wed, 29 Nov 2017 06:12:06 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=CJhnvVUxWa/esSVljAeQ+kHzBsZYarwZwXwX1fiKSdM=; b=iBdn6ePoQYuYPg4/b4l9Rw4TuAhHK7DOMbwxFjHJH9NFHJQPGBrUpLHX+1XCO3HkOM XHH1kYu4QZuH5cDxb7BJWxjNATd+JRFnLWSDLdHKT2P2uMxSvEZnt+xutCQ/dEVgy4ap yieu1W6Rz8LsUeODdOaJcTMvZ0O/UWvvVSXGW2dn3W2ftDWRq6fV/5LQKR2Nse0j6U4c +3EAokcMp7eErwhNUlFP2HKp1KhW67UDui84UOX2K5AMjuORUg1LzEBlMI2IFOD2qCqz BExkCOqvCkyhPhWqbok+cWiie8fE7hODq1aDN76imFTNYH4aBMIP6BasB9471QeQLahc HGyQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=CJhnvVUxWa/esSVljAeQ+kHzBsZYarwZwXwX1fiKSdM=; b=Mu7nc3D1+iQA8qfqcFu5hNq7KiUsrymnQaMtfPvKILQ1VTMZv7at7Yx9RrpvkKSE86 hjcJ9OpPqEZWYIOQEwvhXHQvDHFI/Njzn7i9k3GD/oOfBv+D1BfUOAKUCVqH6KOxlGDt XTTqkBB2XRLc1Eu5qu2CVAW2tsd0zEd6oWUMD4JxZ78WKMhGD1sbsbxrscy5xaZv7lkN s4AvI93zD3OAh4x3ObH98JrpLp3dVQw8J6ztTiPFq0IKnIzMjrUoqGYl8boa7eXlPB7s gBIVMVB51JINeYhPXIcRspxSkAIrqZCVKTWKLU9+Pjpnjm3A0ka+vZZUToowdSFmpyVw HA4w== X-Gm-Message-State: AJaThX6VlOaOFvVnn3mWq+rE/1lACwOssJEunGVB8OBWdh9CwmIy1i70 KhEgcJCfSm1VvA1ZVhMv3Ck= X-Received: by 10.84.244.139 with SMTP id h11mr3052150pll.127.1511964726389; Wed, 29 Nov 2017 06:12:06 -0800 (PST) Received: from linux-l9pv.suse ([124.11.22.254]) by smtp.gmail.com with ESMTPSA id n12sm3481373pfb.5.2017.11.29.06.12.03 (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Wed, 29 Nov 2017 06:12:05 -0800 (PST) From: "Lee, Chun-Yi" X-Google-Original-From: "Lee, Chun-Yi" To: David Howells Cc: linux-fs@vger.kernel.org, linux-efi@vger.kernel.org, linux-kernel@vger.kernel.org, "Lee, Chun-Yi" , Josh Boyer Subject: [PATCH 1/4] MODSIGN: do not load mok when secure boot disabled Date: Wed, 29 Nov 2017 22:11:36 +0800 Message-Id: <20171129141139.20088-2-jlee@suse.com> X-Mailer: git-send-email 2.12.3 In-Reply-To: <20171129141139.20088-1-jlee@suse.com> References: <20171129141139.20088-1-jlee@suse.com> Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org The mok can not be trusted when the secure boot is disabled. Which means that the kernel embedded certificate is the only trusted key. Due to db/dbx are authenticated variables, they needs manufacturer's KEK for update. So db/dbx are secure when secureboot disabled. Cc: David Howells Cc: Josh Boyer Signed-off-by: "Lee, Chun-Yi" --- certs/load_uefi.c | 26 +++++++++++++++----------- 1 file changed, 15 insertions(+), 11 deletions(-) diff --git a/certs/load_uefi.c b/certs/load_uefi.c index 3d88459..d6de4d0 100644 --- a/certs/load_uefi.c +++ b/certs/load_uefi.c @@ -164,17 +164,6 @@ static int __init load_uefi_certs(void) } } - mok = get_cert_list(L"MokListRT", &mok_var, &moksize); - if (!mok) { - pr_info("MODSIGN: Couldn't get UEFI MokListRT\n"); - } else { - rc = parse_efi_signature_list("UEFI:MokListRT", - mok, moksize, get_handler_for_db); - if (rc) - pr_err("Couldn't parse MokListRT signatures: %d\n", rc); - kfree(mok); - } - dbx = get_cert_list(L"dbx", &secure_var, &dbxsize); if (!dbx) { pr_info("MODSIGN: Couldn't get UEFI dbx list\n"); @@ -187,6 +176,21 @@ static int __init load_uefi_certs(void) kfree(dbx); } + /* the MOK can not be trusted when secure boot is disabled */ + if (!efi_enabled(EFI_SECURE_BOOT)) + return 0; + + mok = get_cert_list(L"MokListRT", &mok_var, &moksize); + if (!mok) { + pr_info("MODSIGN: Couldn't get UEFI MokListRT\n"); + } else { + rc = parse_efi_signature_list("UEFI:MokListRT", + mok, moksize, get_handler_for_db); + if (rc) + pr_err("Couldn't parse MokListRT signatures: %d\n", rc); + kfree(mok); + } + return rc; } late_initcall(load_uefi_certs); -- 2.10.2 From 1585575101897516324@xxx Fri Dec 01 09:57:31 +0000 2017 X-GM-THRID: 1585575101897516324 X-Gmail-Labels: Inbox,Category Forums,HistoricalUnread