From: "Lee, Chun-Yi"
To: David Howells
Cc: linux-fs@vger.kernel.org, linux-efi@vger.kernel.org, linux-kernel@vger.kernel.org, "Lee, Chun-Yi"
Subject: [PATCH 0/4] Using the hash in MOKx to blacklist kernel module
Date: Wed, 29 Nov 2017 22:11:35 +0800
Message-Id: <20171129141139.20088-1-jlee@suse.com>
X-Mailing-List: linux-kernel@vger.kernel.org

This patch set is based on the efi-lock-down and keys-uefi branches in David Howells's linux-fs git tree. The main purpose is to use MOKx to blacklist kernel modules.

Like the MOK (Machine Owner Key), MOKx is an EFI boot-time variable that is maintained by the shim boot loader. We can enroll the hash of a blacklisted kernel module (with or without a signature) in MOKx with mokutil. The kernel loads the hashes from MOKx into the blacklist keyring when booting, and it will refuse to load a kernel module whose hash is found in the blacklist.

This function is useful for revoking a kernel module that has an exploit, or for revoking a kernel module that was signed by an insecure key.

Besides MOKx, this patch set fixes another two issues. The MOK/MOKx should not be loaded when secure boot is disabled.
And the modified error message prints an appropriate status string that is readable by humans.

Lee, Chun-Yi (4):
  MODSIGN: do not load mok when secure boot disabled
  MODSIGN: print appropriate status message when getting UEFI certificates list
  MODSIGN: load blacklist from MOKx
  MODSIGN: checking the blacklisted hash before loading a kernel module

 certs/load_uefi.c       | 71 +++++++++++++++++++++++++++++++++++--------------
 include/linux/efi.h     | 25 +++++++++++++++++
 kernel/module_signing.c | 62 ++++++++++++++++++++++++++++++++++++++++--
 3 files changed, 136 insertions(+), 22 deletions(-)

-- 
2.10.2
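As an added illustration (not code from the patch set or from the kernel), the following Python walks the EFI_SIGNATURE_LIST chain that a MOKx variable carries, collects the SHA-256 entries into a blacklist and applies the load-time hash check described in the cover letter. The sample MOKx contents are constructed inline, and hashing the whole module image is an assumption of this example.

```python
import hashlib
import struct
import uuid

# Signature-type GUIDs from the UEFI spec (EFI_CERT_SHA256_GUID, EFI_CERT_X509_GUID).
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
SIGLIST_HDR = 28  # EFI_SIGNATURE_LIST: 16-byte type GUID + three UINT32 fields

def parse_sha256_blacklist(blob):
    """Walk the EFI_SIGNATURE_LIST chain of a signature-database variable
    (the MOKx layout) and collect every SHA-256 entry; other list types,
    e.g. X.509 certificates, are skipped."""
    hashes = set()
    off = 0
    while off + SIGLIST_HDR <= len(blob):
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < SIGLIST_HDR or off + list_size > len(blob):
            raise ValueError("truncated or malformed EFI_SIGNATURE_LIST")
        if sig_type == EFI_CERT_SHA256_GUID:
            if sig_size != 16 + 32:
                raise ValueError("bad SignatureSize for a SHA-256 list")
            pos, end = off + SIGLIST_HDR + hdr_size, off + list_size
            while pos + sig_size <= end:
                # EFI_SIGNATURE_DATA: 16-byte SignatureOwner GUID, then the digest
                hashes.add(blob[pos + 16:pos + sig_size])
                pos += sig_size
        off += list_size
    return hashes

def build_sig_list(sig_type, entries, owner=uuid.UUID(int=0)):
    """Constructed helper: encode same-sized entries as one EFI_SIGNATURE_LIST."""
    body = b"".join(owner.bytes_le + e for e in entries)
    header = struct.pack("<III", SIGLIST_HDR + len(body), 0, 16 + len(entries[0]))
    return sig_type.bytes_le + header + body

def module_is_blacklisted(module_bytes, blacklist):
    """Load-time check: refuse the module if its SHA-256 digest is listed.
    Hashing the whole .ko image is an assumption of this example."""
    return hashlib.sha256(module_bytes).digest() in blacklist

# Constructed sample: a certificate list (ignored) followed by one revoked hash.
REVOKED_KO = b"\x7fELF constructed revoked module image"
TRUSTED_KO = b"\x7fELF constructed trusted module image"
SAMPLE_MOKX = (build_sig_list(EFI_CERT_X509_GUID, [b"constructed DER certificate"])
               + build_sig_list(EFI_CERT_SHA256_GUID, [hashlib.sha256(REVOKED_KO).digest()]))
```

A truncated variable raises ValueError rather than yielding a partial blacklist, which is the failure mode a loader should treat as an error, not as "nothing revoked".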