1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
|
From: "Lee, Chun-Yi" <joeyli.kernel@gmail.com>
Date: Tue, 13 Mar 2018 18:37:59 +0800
Subject: [PATCH 1/5] MODSIGN: do not load mok when secure boot disabled
Origin: https://lore.kernel.org/patchwork/patch/933173/
The mok can not be trusted when the secure boot is disabled. Which
means that the kernel embedded certificate is the only trusted key.
Due to db/dbx are authenticated variables, they needs manufacturer's
KEK for update. So db/dbx are secure when secureboot disabled.
Cc: David Howells <dhowells@redhat.com>
Cc: Josh Boyer <jwboyer@fedoraproject.org>
Cc: James Bottomley <James.Bottomley@HansenPartnership.com>
Signed-off-by: "Lee, Chun-Yi" <jlee@suse.com>
[Rebased by Luca Boccassi]
---
certs/load_uefi.c | 26 +++++++++++++++-----------
1 file changed, 15 insertions(+), 11 deletions(-)
Index: linux/certs/load_uefi.c
===================================================================
--- linux.orig/certs/load_uefi.c
+++ linux/certs/load_uefi.c
@@ -171,17 +171,6 @@ static int __init load_uefi_certs(void)
}
}
- rc = get_cert_list(L"MokListRT", &mok_var, &moksize, &mok);
- if (rc < 0) {
- pr_info("MODSIGN: Couldn't get UEFI MokListRT\n");
- } else if (moksize != 0) {
- rc = parse_efi_signature_list("UEFI:MokListRT",
- mok, moksize, get_handler_for_db);
- if (rc)
- pr_err("Couldn't parse MokListRT signatures: %d\n", rc);
- kfree(mok);
- }
-
rc = get_cert_list(L"dbx", &secure_var, &dbxsize, &dbx);
if (rc < 0) {
pr_info("MODSIGN: Couldn't get UEFI dbx list\n");
@@ -194,6 +183,21 @@ static int __init load_uefi_certs(void)
kfree(dbx);
}
+ /* the MOK can not be trusted when secure boot is disabled */
+ if (!efi_enabled(EFI_SECURE_BOOT))
+ return 0;
+
+ rc = get_cert_list(L"MokListRT", &mok_var, &moksize, &mok);
+ if (rc < 0) {
+ pr_info("MODSIGN: Couldn't get UEFI MokListRT\n");
+ } else if (moksize != 0) {
+ rc = parse_efi_signature_list("UEFI:MokListRT",
+ mok, moksize, get_handler_for_db);
+ if (rc)
+ pr_err("Couldn't parse MokListRT signatures: %d\n", rc);
+ kfree(mok);
+ }
+
return rc;
}
late_initcall(load_uefi_certs);
|
