From: "Lee, Chun-Yi" Date: Tue, 13 Mar 2018 18:37:59 +0800 Subject: [PATCH 1/5] MODSIGN: do not load mok when secure boot disabled Origin: https://lore.kernel.org/patchwork/patch/933173/ The mok can not be trusted when the secure boot is disabled. Which means that the kernel embedded certificate is the only trusted key. Due to db/dbx are authenticated variables, they needs manufacturer's KEK for update. So db/dbx are secure when secureboot disabled. Cc: David Howells Cc: Josh Boyer Cc: James Bottomley Signed-off-by: "Lee, Chun-Yi" [Rebased by Luca Boccassi] --- certs/load_uefi.c | 26 +++++++++++++++----------- 1 file changed, 15 insertions(+), 11 deletions(-) Index: linux/certs/load_uefi.c =================================================================== --- linux.orig/certs/load_uefi.c +++ linux/certs/load_uefi.c @@ -171,17 +171,6 @@ static int __init load_uefi_certs(void) } } - rc = get_cert_list(L"MokListRT", &mok_var, &moksize, &mok); - if (rc < 0) { - pr_info("MODSIGN: Couldn't get UEFI MokListRT\n"); - } else if (moksize != 0) { - rc = parse_efi_signature_list("UEFI:MokListRT", - mok, moksize, get_handler_for_db); - if (rc) - pr_err("Couldn't parse MokListRT signatures: %d\n", rc); - kfree(mok); - } - rc = get_cert_list(L"dbx", &secure_var, &dbxsize, &dbx); if (rc < 0) { pr_info("MODSIGN: Couldn't get UEFI dbx list\n"); @@ -194,6 +183,21 @@ static int __init load_uefi_certs(void) kfree(dbx); } + /* the MOK can not be trusted when secure boot is disabled */ + if (!efi_enabled(EFI_SECURE_BOOT)) + return 0; + + rc = get_cert_list(L"MokListRT", &mok_var, &moksize, &mok); + if (rc < 0) { + pr_info("MODSIGN: Couldn't get UEFI MokListRT\n"); + } else if (moksize != 0) { + rc = parse_efi_signature_list("UEFI:MokListRT", + mok, moksize, get_handler_for_db); + if (rc) + pr_err("Couldn't parse MokListRT signatures: %d\n", rc); + kfree(mok); + } + return rc; } late_initcall(load_uefi_certs);