From: "Lee, Chun-Yi"
To: David Howells
Cc: linux-fs@vger.kernel.org, linux-efi@vger.kernel.org, linux-kernel@vger.kernel.org, "Lee, Chun-Yi"
Subject: [PATCH 0/4] Using the hash in MOKx to blacklist kernel module
Date: Wed, 29 Nov 2017 22:00:57 +0800
Message-Id: <20171129140101.19682-1-jlee@suse.com>
X-Mailing-List: linux-kernel@vger.kernel.org

This patch set is based on the efi-lock-down and keys-uefi branches in
David Howells's linux-fs git tree. The main purpose is using MOKx to
blacklist kernel modules.

Like the MOK (Machine Owner Key), MOKx is an EFI boot-time variable which
is maintained by the shim boot loader. We can enroll the hash of a
blacklisted kernel module (with or without signature) into MOKx with
mokutil. The kernel loads the hashes from MOKx into the blacklist keyring
when booting. The kernel will refuse to load a kernel module when its hash
is found in the blacklist.

Besides MOKx, this patch set fixes another two issues: the MOK/MOKx should
not be loaded when secure boot is disabled. And the modified error message
prints out an appropriate status string for humans to read.
Lee, Chun-Yi (4):
  MODSIGN: do not load mok when secure boot disabled
  MODSIGN: print appropriate status message when getting UEFI certificates list
  MODSIGN: load blacklist from MOKx
  MODSIGN: checking the blacklisted hash before loading a kernel module

 certs/load_uefi.c       | 71 +++++++++++++++++++++++++++++++++++--------------
 include/linux/efi.h     | 25 +++++++++++++++++
 kernel/module_signing.c | 62 ++++++++++++++++++++++++++++++++++++++++--
 3 files changed, 136 insertions(+), 22 deletions(-)

-- 
2.10.2
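The policy the cover letter describes (hashes enrolled in MOKx, loaded into a blacklist keyring, module refused when its hash matches) can be checked from user space as well, as a way to audit what a given MOKx blob would block. The following is an added example written for this page; it is not code from the patch set, from mokutil or from the kernel. It assumes the variable is laid out as a chain of UEFI EFI_SIGNATURE_LIST structures whose SHA-256 entries sit under the standard EFI_CERT_SHA256_GUID (the cover letter does not state the layout), and that the blacklisted hash is the SHA-256 of the module file bytes as handed to the kernel. The owner GUID, the sample module images and the sample MOKx blob are all constructed.

```python
"""Added example (not part of the patch set, mokutil or the kernel): parse a
MOKx-style EFI signature list and check whether a module's SHA-256 hash is
blacklisted.

Assumptions: MOKx is a chain of UEFI EFI_SIGNATURE_LIST structures whose
SHA-256 entries are tagged EFI_CERT_SHA256_GUID, and the blacklisted hash is
computed over the whole module file.  Sample data below is constructed.
"""
from __future__ import annotations

import hashlib
import struct
import uuid

# UEFI-defined GUID marking a signature list that holds raw SHA-256 digests.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# Hypothetical SignatureOwner GUID used only for the constructed sample.
SAMPLE_OWNER_GUID = uuid.UUID("12345678-1234-1234-1234-123456789abc")

HEADER_LEN = 28  # 16-byte type GUID + three UINT32 size fields
OWNER_LEN = 16   # SignatureOwner GUID that precedes each entry's data


def parse_signature_lists(blob: bytes) -> set:
    """Walk concatenated EFI_SIGNATURE_LIST structures and collect every
    SHA-256 digest stored under EFI_CERT_SHA256_GUID.

    Layout per list: EFI_GUID SignatureType (mixed-endian), UINT32
    SignatureListSize, UINT32 SignatureHeaderSize, UINT32 SignatureSize,
    optional header bytes, then fixed-size entries of
    (SignatureOwner GUID || SignatureData).  Lists of other types
    (e.g. x509 certificates) are skipped, not rejected.
    """
    hashes = set()
    off = 0
    while off < len(blob):
        if len(blob) - off < HEADER_LEN:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < HEADER_LEN + hdr_size or off + list_size > len(blob):
            raise ValueError("bad SignatureListSize")
        entries = blob[off + HEADER_LEN + hdr_size: off + list_size]
        if sig_type == EFI_CERT_SHA256_GUID:
            if sig_size != OWNER_LEN + 32 or len(entries) % sig_size:
                raise ValueError("bad SignatureSize for a SHA-256 list")
            for i in range(0, len(entries), sig_size):
                # Drop the owner GUID; the remaining 32 bytes are the digest.
                hashes.add(entries[i + OWNER_LEN:i + sig_size])
        off += list_size
    return hashes


def build_sha256_list(digests: list) -> bytes:
    """Constructed helper: emit one EFI_SIGNATURE_LIST of SHA-256 digests,
    the shape a MOKx entry enrolled from a hash would take under the
    assumptions above."""
    sig_size = OWNER_LEN + 32
    list_size = HEADER_LEN + sig_size * len(digests)
    out = EFI_CERT_SHA256_GUID.bytes_le + struct.pack("<III", list_size, 0, sig_size)
    for d in digests:
        out += SAMPLE_OWNER_GUID.bytes_le + d
    return out


def module_hash(module_bytes: bytes) -> bytes:
    """SHA-256 over the module file as given to the kernel (assumption)."""
    return hashlib.sha256(module_bytes).digest()


def is_blacklisted(module_bytes: bytes, mokx_blob: bytes) -> bool:
    """Mirror the cover letter's policy: a module is refused when its hash
    appears among the hashes carried by MOKx."""
    return module_hash(module_bytes) in parse_signature_lists(mokx_blob)


# Constructed sample: two fake module images, one of which is enrolled.
GOOD_MODULE = b"\x7fELF constructed good module"
BAD_MODULE = b"\x7fELF constructed bad module"
SAMPLE_MOKX = build_sha256_list([module_hash(BAD_MODULE)])

if __name__ == "__main__":
    print("good module blacklisted:", is_blacklisted(GOOD_MODULE, SAMPLE_MOKX))
    print("bad module blacklisted:", is_blacklisted(BAD_MODULE, SAMPLE_MOKX))
```

On a real system the blob would come from the MokListX variable exposed under efivarfs (after its 4-byte attribute prefix), and the same parser lets an administrator list exactly which digests a given MOKx would cause the kernel to reject; the parser deliberately tolerates lists of other signature types because a MOKx variable may mix them.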