From: Jarkko Sakkinen <jarkko@kernel.org>
To: Lennart Poettering <mzxreary@0pointer.de>
Cc: Mimi Zohar <zohar@linux.ibm.com>,
Roberto Sassu <roberto.sassu@huawei.com>,
Dmitry Kasatkin <dmitry.kasatkin@gmail.com>,
Eric Snowberg <eric.snowberg@oracle.com>,
Paul Moore <paul@paul-moore.com>,
James Morris <jmorris@namei.org>,
"Serge E. Hallyn" <serge@hallyn.com>,
linux-integrity@vger.kernel.org, keyrings@vger.kernel.org,
linux-security-module@vger.kernel.org,
linux-kernel@vger.kernel.org, "Lee,
Chun-Yi" <joeyli.kernel@gmail.com>
Subject: Re: [PATCH] Revert "integrity: Do not load MOK and MOKx when secure boot be disabled"
Date: Thu, 20 Mar 2025 16:52:10 +0200 [thread overview]
Message-ID: <Z9wrmoPHWoxdEImx@kernel.org> (raw)
In-Reply-To: <Z9wDxeRQPhTi1EIS@gardel-login>
On Thu, Mar 20, 2025 at 01:02:13PM +0100, Lennart Poettering wrote:
> diff --git a/security/integrity/platform_certs/load_uefi.c b/security/integrity/platform_certs/load_uefi.c
> index d1fdd113450a..7783bcacd26c 100644
> --- a/security/integrity/platform_certs/load_uefi.c
> +++ b/security/integrity/platform_certs/load_uefi.c
> @@ -7,7 +7,6 @@
> #include <linux/err.h>
> #include <linux/efi.h>
> #include <linux/slab.h>
> -#include <linux/ima.h>
> #include <keys/asymmetric-type.h>
> #include <keys/system_keyring.h>
> #include "../integrity.h"
> @@ -211,10 +210,6 @@ static int __init load_uefi_certs(void)
> kfree(dbx);
> }
>
> - /* the MOK/MOKx can not be trusted when secure boot is disabled */
> - if (!arch_ima_get_secureboot())
> - return 0;
> -
> mokx = get_cert_list(L"MokListXRT", &mok_var, &mokxsize, &status);
> if (!mokx) {
> if (status == EFI_NOT_FOUND)
The original commit message is foggy:
"
integrity: Do not load MOK and MOKx when secure boot be disabled
The security of Machine Owner Key (MOK) relies on secure boot. When
secure boot is disabled, EFI firmware will not verify binary code. Then
arbitrary efi binary code can modify MOK when rebooting.
This patch prevents MOK/MOKx be loaded when secure boot be disabled.
"
Given that I don't understand the problem it is trying to solve:
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
> --
> 2.48.1
>
>
> Lennart
>
> --
> Lennart Poettering, Berlin
>
Jarkko
next prev parent reply other threads:[~2025-03-20 14:52 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-03-20 12:02 [PATCH] Revert "integrity: Do not load MOK and MOKx when secure boot be disabled" Lennart Poettering
2025-03-20 14:52 ` Jarkko Sakkinen [this message]
2025-03-21 7:13 ` lee joey
2025-03-21 8:39 ` Lennart Poettering
2025-03-22 21:24 ` Jarkko Sakkinen
2025-03-21 13:19 ` James Bottomley
2025-07-03 1:40 ` Mimi Zohar
2025-07-03 7:18 ` Lennart Poettering
2025-07-03 11:23 ` Mimi Zohar
2025-07-03 13:04 ` Lennart Poettering
2025-07-03 23:56 ` Mimi Zohar
2025-07-04 7:34 ` Lennart Poettering
2025-07-08 20:52 ` Mimi Zohar
2025-07-04 1:30 ` GONG Ruiqi
2025-07-04 7:47 ` Lennart Poettering
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Z9wrmoPHWoxdEImx@kernel.org \
--to=jarkko@kernel.org \
--cc=dmitry.kasatkin@gmail.com \
--cc=eric.snowberg@oracle.com \
--cc=jmorris@namei.org \
--cc=joeyli.kernel@gmail.com \
--cc=keyrings@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mzxreary@0pointer.de \
--cc=paul@paul-moore.com \
--cc=roberto.sassu@huawei.com \
--cc=serge@hallyn.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).