From: Lenny Szubowicz <lszubowi@redhat.com>
To: linux-kernel@vger.kernel.org, linux-efi@vger.kernel.org,
platform-driver-x86@vger.kernel.org,
linux-security-module@vger.kernel.org, andy.shevchenko@gmail.com,
ardb@kernel.org, jmorris@namei.org, serge@hallyn.com,
keescook@chromium.org, zohar@linux.ibm.com, bp@alien8.de,
pjones@redhat.com, dhowells@redhat.com, prarit@redhat.com
Subject: [PATCH V2 3/3] integrity: Load certs from the EFI MOK config table
Date: Fri, 4 Sep 2020 21:31:07 -0400 [thread overview]
Message-ID: <20200905013107.10457-4-lszubowi@redhat.com> (raw)
In-Reply-To: <20200905013107.10457-1-lszubowi@redhat.com>
Because of system-specific EFI firmware limitations, EFI volatile
variables may not be capable of holding the required contents of
the Machine Owner Key (MOK) certificate store when the certificate
list grows above some size. Therefore, an EFI boot loader may pass
the MOK certs via a EFI configuration table created specifically for
this purpose to avoid this firmware limitation.
An EFI configuration table is a much more primitive mechanism
compared to EFI variables and is well suited for one-way passage
of static information from a pre-OS environment to the kernel.
This patch adds the support to load certs from the MokListRT
entry in the MOK variable configuration table, if it's present.
The pre-existing support to load certs from the MokListRT EFI
variable remains and is used if the EFI MOK configuration table
isn't present or can't be successfully used.
Signed-off-by: Lenny Szubowicz <lszubowi@redhat.com>
---
security/integrity/platform_certs/load_uefi.c | 22 +++++++++++++++++++
1 file changed, 22 insertions(+)
diff --git a/security/integrity/platform_certs/load_uefi.c b/security/integrity/platform_certs/load_uefi.c
index c1c622b4dc78..ee4b4c666854 100644
--- a/security/integrity/platform_certs/load_uefi.c
+++ b/security/integrity/platform_certs/load_uefi.c
@@ -71,16 +71,38 @@ static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid,
* Load the certs contained in the UEFI MokListRT database into the
* platform trusted keyring.
*
+ * This routine checks the EFI MOK config table first. If and only if
+ * that fails, this routine uses the MokListRT ordinary UEFI variable.
+ *
* Return: Status
*/
static int __init load_moklist_certs(void)
{
+ struct efi_mokvar_table_entry *mokvar_entry;
efi_guid_t mok_var = EFI_SHIM_LOCK_GUID;
void *mok;
unsigned long moksize;
efi_status_t status;
int rc;
+ /* First try to load certs from the EFI MOKvar config table.
+ * It's not an error if the MOKvar config table doesn't exist
+ * or the MokListRT entry is not found in it.
+ */
+ mokvar_entry = efi_mokvar_entry_find("MokListRT");
+ if (mokvar_entry) {
+ rc = parse_efi_signature_list("UEFI:MokListRT (MOKvar table)",
+ mokvar_entry->data,
+ mokvar_entry->data_size,
+ get_handler_for_db);
+ /* All done if that worked. */
+ if (!rc)
+ return rc;
+
+ pr_err("Couldn't parse MokListRT signatures from EFI MOKvar config table: %d\n",
+ rc);
+ }
+
/* Get MokListRT. It might not exist, so it isn't an error
* if we can't get it.
*/
--
2.27.0
next prev parent reply other threads:[~2020-09-05 1:31 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-09-05 1:31 [PATCH V2 0/3] integrity: Load certs from EFI MOK config table Lenny Szubowicz
2020-09-05 1:31 ` [PATCH V2 1/3] efi: Support for MOK variable " Lenny Szubowicz
2020-09-21 16:18 ` Arvind Sankar
2020-09-21 16:27 ` Ard Biesheuvel
2020-09-21 16:55 ` Arvind Sankar
2020-09-24 19:09 ` Lenny Szubowicz
2020-10-01 17:44 ` Nathan Chancellor
2020-10-01 20:57 ` Ard Biesheuvel
2020-10-01 21:07 ` Nathan Chancellor
2020-09-05 1:31 ` [PATCH V2 2/3] integrity: Move import of MokListRT certs to a separate routine Lenny Szubowicz
2020-09-11 15:02 ` Ard Biesheuvel
2020-09-11 15:54 ` Lenny Szubowicz
2020-09-11 15:59 ` Mimi Zohar
2020-09-11 17:18 ` Lenny Szubowicz
2020-09-11 18:16 ` Ard Biesheuvel
2020-09-11 19:08 ` Mimi Zohar
2020-09-11 19:46 ` Lenny Szubowicz
2020-09-05 1:31 ` Lenny Szubowicz [this message]
2020-09-11 15:17 ` [PATCH V2 0/3] integrity: Load certs from EFI MOK config table Ard Biesheuvel
2020-09-11 16:01 ` Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200905013107.10457-4-lszubowi@redhat.com \
--to=lszubowi@redhat.com \
--cc=andy.shevchenko@gmail.com \
--cc=ardb@kernel.org \
--cc=bp@alien8.de \
--cc=dhowells@redhat.com \
--cc=jmorris@namei.org \
--cc=keescook@chromium.org \
--cc=linux-efi@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=pjones@redhat.com \
--cc=platform-driver-x86@vger.kernel.org \
--cc=prarit@redhat.com \
--cc=serge@hallyn.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).