lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20161123133817.GF24624@leverpostej>
Date:   Wed, 23 Nov 2016 13:38:17 +0000
From:   Mark Rutland <mark.rutland@....com>
To:     David Howells <dhowells@...hat.com>
Cc:     lukas@...ner.de, linux-efi@...r.kernel.org,
        linux-kernel@...r.kernel.org,
        linux-security-module@...r.kernel.org,
        Josh Boyer <jwboyer@...oraproject.org>,
        keyrings@...r.kernel.org
Subject: Re: [PATCH 5/6] efi: Disable secure boot if shim is in insecure mode
 [ver #2]

On Wed, Nov 23, 2016 at 12:23:04AM +0000, David Howells wrote:
> +	/* See if a user has put shim into insecure mode.  If so, and if the
> +	 * variable doesn't have the runtime attribute set, we might as well
> +	 * honor that.
> +	 */
> +	size = sizeof(moksbstate);
> +	status = get_efi_var(shim_MokSBState_name, &shim_guid,
> +			     &attr, &size, &moksbstate);
> +
> +	/* If it fails, we don't care why.  Default to secure */
> +	if (status != EFI_SUCCESS)
> +		return 1;

I was going to suggest branching to out_efi_err, but I see that wouldn't
work when EFI_NOT_FOUND was returned. It might be worth noting
explicitly that we can't use that, so as to avoid 'obvious' cleanup in
future.

Thanks,
Mark.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ