Re: [PATCH v2] efi: Only print errors about failing to get certs if EFI vars are found

linux-security-module.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Hans de Goede <hdegoede@redhat.com>
To: Javier Martinez Canillas <javierm@redhat.com>,
	linux-kernel@vger.kernel.org
Cc: Peter Jones <pjones@redhat.com>,
	David Howells <dhowells@redhat.com>,
	James Morris <jmorris@namei.org>,
	Josh Boyer <jwboyer@fedoraproject.org>,
	Mimi Zohar <zohar@linux.ibm.com>,
	Nayna Jain <nayna@linux.ibm.com>,
	"Serge E. Hallyn" <serge@hallyn.com>,
	linux-security-module@vger.kernel.org
Subject: Re: [PATCH v2] efi: Only print errors about failing to get certs if EFI vars are found
Date: Tue, 19 Nov 2019 16:40:26 +0100	[thread overview]
Message-ID: <bb68bacf-4982-0d86-d2cb-7799e47200f5@redhat.com> (raw)
In-Reply-To: <20191119115043.21585-1-javierm@redhat.com>

Hi,

On 19-11-2019 12:50, Javier Martinez Canillas wrote:
> If CONFIG_LOAD_UEFI_KEYS is enabled, the kernel attempts to load the certs
> from the db, dbx and MokListRT EFI variables into the appropriate keyrings.
> 
> But it just assumes that the variables will be present and prints an error
> if the certs can't be loaded, even when is possible that the variables may
> not exist. For example the MokListRT variable will only be present if shim
> is used.
> 
> So only print an error message about failing to get the certs list from an
> EFI variable if this is found. Otherwise these printed errors just pollute
> the kernel ring buffer with confusing messages like the following:
> 
> [    5.427251] Couldn't get size: 0x800000000000000e
> [    5.427261] MODSIGN: Couldn't get UEFI db list
> [    5.428012] Couldn't get size: 0x800000000000000e
> [    5.428023] Couldn't get UEFI MokListRT
> 
> Reported-by: Hans de Goede <hdegoede@redhat.com>
> Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
> 
> ---
> Hans,
> 
> I'll really appreciate if you can test this patch. I just built tested it
> because I don't have access to a machine to reproduce the issue right now.

Ok, I've given this a test-run just now, works as advertised for me:

Tested-by: Hans de Goede <hdegoede@redhat.com>

Regards,

Hans



> Changes in v2:
> - Fix flaws in the logic, that caused the signature list was parsed if
>    the return code was EFI_NOT_FOUND that pointed out Hans de Goede.
> - Print debug messages if the variables are not found.
> 
>   security/integrity/platform_certs/load_uefi.c | 40 ++++++++++++-------
>   1 file changed, 26 insertions(+), 14 deletions(-)
> 
> diff --git a/security/integrity/platform_certs/load_uefi.c b/security/integrity/platform_certs/load_uefi.c
> index 81b19c52832..020fc7a11ef 100644
> --- a/security/integrity/platform_certs/load_uefi.c
> +++ b/security/integrity/platform_certs/load_uefi.c
> @@ -39,16 +39,18 @@ static __init bool uefi_check_ignore_db(void)
>    * Get a certificate list blob from the named EFI variable.
>    */
>   static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid,
> -				  unsigned long *size)
> +				  unsigned long *size, efi_status_t *status)
>   {
> -	efi_status_t status;
>   	unsigned long lsize = 4;
>   	unsigned long tmpdb[4];
>   	void *db;
>   
> -	status = efi.get_variable(name, guid, NULL, &lsize, &tmpdb);
> -	if (status != EFI_BUFFER_TOO_SMALL) {
> -		pr_err("Couldn't get size: 0x%lx\n", status);
> +	*status = efi.get_variable(name, guid, NULL, &lsize, &tmpdb);
> +	if (*status == EFI_NOT_FOUND)
> +		return NULL;
> +
> +	if (*status != EFI_BUFFER_TOO_SMALL) {
> +		pr_err("Couldn't get size: 0x%lx\n", *status);
>   		return NULL;
>   	}
>   
> @@ -56,10 +58,10 @@ static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid,
>   	if (!db)
>   		return NULL;
>   
> -	status = efi.get_variable(name, guid, NULL, &lsize, db);
> -	if (status != EFI_SUCCESS) {
> +	*status = efi.get_variable(name, guid, NULL, &lsize, db);
> +	if (*status != EFI_SUCCESS) {
>   		kfree(db);
> -		pr_err("Error reading db var: 0x%lx\n", status);
> +		pr_err("Error reading db var: 0x%lx\n", *status);
>   		return NULL;
>   	}
>   
> @@ -144,6 +146,7 @@ static int __init load_uefi_certs(void)
>   	efi_guid_t mok_var = EFI_SHIM_LOCK_GUID;
>   	void *db = NULL, *dbx = NULL, *mok = NULL;
>   	unsigned long dbsize = 0, dbxsize = 0, moksize = 0;
> +	efi_status_t status;
>   	int rc = 0;
>   
>   	if (!efi.get_variable)
> @@ -153,9 +156,12 @@ static int __init load_uefi_certs(void)
>   	 * an error if we can't get them.
>   	 */
>   	if (!uefi_check_ignore_db()) {
> -		db = get_cert_list(L"db", &secure_var, &dbsize);
> +		db = get_cert_list(L"db", &secure_var, &dbsize, &status);
>   		if (!db) {
> -			pr_err("MODSIGN: Couldn't get UEFI db list\n");
> +			if (status == EFI_NOT_FOUND)
> +				pr_debug("MODSIGN: db variable wasn't found\n");
> +			else
> +				pr_err("MODSIGN: Couldn't get UEFI db list\n");
>   		} else {
>   			rc = parse_efi_signature_list("UEFI:db",
>   					db, dbsize, get_handler_for_db);
> @@ -166,9 +172,12 @@ static int __init load_uefi_certs(void)
>   		}
>   	}
>   
> -	mok = get_cert_list(L"MokListRT", &mok_var, &moksize);
> +	mok = get_cert_list(L"MokListRT", &mok_var, &moksize, &status);
>   	if (!mok) {
> -		pr_info("Couldn't get UEFI MokListRT\n");
> +		if (status == EFI_NOT_FOUND)
> +			pr_debug("MokListRT variable wasn't found\n");
> +		else
> +			pr_info("Couldn't get UEFI MokListRT\n");
>   	} else {
>   		rc = parse_efi_signature_list("UEFI:MokListRT",
>   					      mok, moksize, get_handler_for_db);
> @@ -177,9 +186,12 @@ static int __init load_uefi_certs(void)
>   		kfree(mok);
>   	}
>   
> -	dbx = get_cert_list(L"dbx", &secure_var, &dbxsize);
> +	dbx = get_cert_list(L"dbx", &secure_var, &dbxsize, &status);
>   	if (!dbx) {
> -		pr_info("Couldn't get UEFI dbx list\n");
> +		if (status == EFI_NOT_FOUND)
> +			pr_debug("dbx variable wasn't found\n");
> +		else
> +			pr_info("Couldn't get UEFI dbx list\n");
>   	} else {
>   		rc = parse_efi_signature_list("UEFI:dbx",
>   					      dbx, dbxsize,
>

next prev parent reply	other threads:[~2019-11-19 15:40 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-11-19 11:50 [PATCH v2] efi: Only print errors about failing to get certs if EFI vars are found Javier Martinez Canillas
2019-11-19 15:40 ` Hans de Goede [this message]
2019-12-16  9:44   ` Javier Martinez Canillas

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=bb68bacf-4982-0d86-d2cb-7799e47200f5@redhat.com \
    --to=hdegoede@redhat.com \
    --cc=dhowells@redhat.com \
    --cc=javierm@redhat.com \
    --cc=jmorris@namei.org \
    --cc=jwboyer@fedoraproject.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=nayna@linux.ibm.com \
    --cc=pjones@redhat.com \
    --cc=serge@hallyn.com \
    --cc=zohar@linux.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).