From: "Lee, Chun-Yi" Date: Tue, 13 Mar 2018 18:38:03 +0800 Subject: [PATCH 4/4] MODSIGN: check the attributes of db and mok Origin: https://lore.kernel.org/patchwork/patch/933176/ That's better for checking the attributes of db and mok variables before loading certificates to kernel keyring. For db and dbx, both of them are authenticated variables. Which means that they can only be modified by manufacturer's key. So the kernel should checks EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS attribute before we trust it. For mok-rt and mokx-rt, both of them are created by shim boot loader to forward the mok/mokx content to runtime. They must be runtime-volatile variables. So kernel should checks that the attributes map did not set EFI_VARIABLE_NON_VOLATILE bit before we trust it. Cc: David Howells Cc: Josh Boyer Cc: James Bottomley Signed-off-by: "Lee, Chun-Yi" [Rebased by Luca Boccassi] [bwh: Forward-ported to 5.5.9: - get_cert_list() takes a pointer to status and returns the cert list - Adjust filename, context] [bwh: Forward-ported to 5.10: MokListRT and MokListXRT are now both loaded through a single code path.] --- security/integrity/platform_certs/load_uefi.c | 27 ++++++++++++++----- 1 file changed, 21 insertions(+), 6 deletions(-) --- a/security/integrity/platform_certs/load_uefi.c +++ b/security/integrity/platform_certs/load_uefi.c @@ -35,11 +35,13 @@ static __init bool uefi_check_ignore_db( * Get a certificate list blob from the named EFI variable. */ static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid, - unsigned long *size, efi_status_t *status) + unsigned long *size, efi_status_t *status, + u32 pos_attr, u32 neg_attr) { unsigned long lsize = 4; unsigned long tmpdb[4]; void *db; + u32 attr = 0; *status = efi.get_variable(name, guid, NULL, &lsize, &tmpdb); if (*status == EFI_NOT_FOUND) @@ -54,13 +56,22 @@ static __init void *get_cert_list(efi_ch if (!db) return NULL; - *status = efi.get_variable(name, guid, NULL, &lsize, db); + *status = efi.get_variable(name, guid, &attr, &lsize, db); if (*status != EFI_SUCCESS) { kfree(db); pr_err("Error reading db var: 0x%lx\n", *status); return NULL; } + /* must have positive attributes and no negative attributes */ + if ((pos_attr && !(attr & pos_attr)) || + (neg_attr && (attr & neg_attr))) { + kfree(db); + pr_err("Error reading db var attributes: 0x%016x\n", attr); + *status = EFI_SECURITY_VIOLATION; + return NULL; + } + *size = lsize; return db; } @@ -106,7 +117,8 @@ static int __init load_moklist_certs(voi /* Get MokListRT. It might not exist, so it isn't an error * if we can't get it. */ - mok = get_cert_list(L"MokListRT", &mok_var, &moksize, &status); + mok = get_cert_list(L"MokListRT", &mok_var, &moksize, &status, + 0, EFI_VARIABLE_NON_VOLATILE); if (mok) { rc = parse_efi_signature_list("UEFI:MokListRT", mok, moksize, get_handler_for_db); @@ -145,7 +157,8 @@ static int __init load_uefi_certs(void) * if we can't get them. */ if (!uefi_check_ignore_db()) { - db = get_cert_list(L"db", &secure_var, &dbsize, &status); + db = get_cert_list(L"db", &secure_var, &dbsize, &status, + EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS, 0); if (!db) { if (status == EFI_NOT_FOUND) pr_debug("MODSIGN: db variable wasn't found\n"); @@ -161,7 +174,8 @@ static int __init load_uefi_certs(void) } } - dbx = get_cert_list(L"dbx", &secure_var, &dbxsize, &status); + dbx = get_cert_list(L"dbx", &secure_var, &dbxsize, &status, + EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS, 0); if (!dbx) { if (status == EFI_NOT_FOUND) pr_debug("dbx variable wasn't found\n"); @@ -180,7 +194,8 @@ static int __init load_uefi_certs(void) if (!efi_enabled(EFI_SECURE_BOOT)) return 0; - mokx = get_cert_list(L"MokListXRT", &mok_var, &mokxsize, &status); + mokx = get_cert_list(L"MokListXRT", &mok_var, &mokxsize, &status, + 0, EFI_VARIABLE_NON_VOLATILE); if (!mokx) { if (status == EFI_NOT_FOUND) pr_debug("mokx variable wasn't found\n");