From: "Lee, Chun-Yi"
To: David Howells
Cc: linux-fs@vger.kernel.org, linux-efi@vger.kernel.org, linux-kernel@vger.kernel.org, "Lee, Chun-Yi", Josh Boyer
Subject: [PATCH 3/4] MODSIGN: load blacklist from MOKx
Date: Wed, 29 Nov 2017 22:11:38 +0800
Message-Id: <20171129141139.20088-4-jlee@suse.com>
In-Reply-To: <20171129141139.20088-1-jlee@suse.com>
References: <20171129141139.20088-1-jlee@suse.com>
X-Mailing-List: linux-kernel@vger.kernel.org

This patch adds the logic to load the blacklisted hashes and certificates from MOKx, which is maintained by the shim bootloader.

Cc: David Howells
Cc: Josh Boyer
Signed-off-by: "Lee, Chun-Yi"
---
 certs/load_uefi.c | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/certs/load_uefi.c b/certs/load_uefi.c
index f2f372b..dc66a79 100644
--- a/certs/load_uefi.c
+++ b/certs/load_uefi.c
@@ -164,8 +164,8 @@ static int __init load_uefi_certs(void) { efi_guid_t secure_var = EFI_IMAGE_SECURITY_DATABASE_GUID; efi_guid_t mok_var = EFI_SHIM_LOCK_GUID; - void *db = NULL, *dbx = NULL, *mok = NULL; - unsigned long dbsize = 0, dbxsize = 0, moksize = 0; + void *db = NULL, *dbx = NULL, *mok = NULL, *mokx = NULL; + unsigned long dbsize = 0, dbxsize = 0, moksize = 0, mokxsize = 0; int rc = 0; if (!efi.get_variable) @@ -195,7 +195,7 @@ static int __init load_uefi_certs(void) kfree(dbx); } - /* the MOK can not be trusted when secure boot is disabled */ + /* the MOK and MOKx can not be trusted when secure boot is disabled */ if (!efi_enabled(EFI_SECURE_BOOT)) return 0; @@ -208,6 +208,16 @@ static int __init load_uefi_certs(void) kfree(mok); } + mokx = get_cert_list(L"MokListXRT", &mok_var, &mokxsize); + if (mokx) { + rc = parse_efi_signature_list("UEFI:mokx", + mokx, mokxsize, + get_handler_for_dbx); + if (rc) + pr_err("Couldn't parse MokListXRT signatures: %d\n", rc); + kfree(mokx); + } + return rc; } late_initcall(load_uefi_certs); -- 2.10.2 From 1585611555463001718@xxx Fri Dec 01 19:36:56 +0000 2017 X-GM-THRID: 1585611555463001718 X-Gmail-Labels: Inbox,Category Forums,HistoricalUnread
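Review bot: In the MokListXRT hunk, `rc = parse_efi_signature_list("UEFI:mokx", mokx, mokxsize, get_handler_for_dbx);` overwrites the result of the preceding MokList parse, so a MokList failure that was already reported with pr_err becomes a success return whenever the MOKx parse succeeds; because the new block sits between `kfree(mok); }` and `return rc;`, consider storing the MOKx result in a separate local and only propagating it when no earlier error is pending, so load_uefi_certs() does not lose the first failure. The commit message would also benefit from stating that MokListXRT entries are handed to get_handler_for_dbx, i.e. they land in the same blacklist as dbx, and that, like MokList, they are read only when EFI_SECURE_BOOT is enabled, which the updated comment in the second hunk now reflects.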