lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <f0a079b1-5f02-8618-fdfe-aea2278113c9@redhat.com>
Date:   Fri, 11 Sep 2020 11:54:10 -0400
From:   Lenny Szubowicz <lszubowi@...hat.com>
To:     Ard Biesheuvel <ardb@...nel.org>
Cc:     Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
        linux-efi <linux-efi@...r.kernel.org>,
        platform-driver-x86@...r.kernel.org,
        linux-security-module@...r.kernel.org, andy.shevchenko@...il.com,
        James Morris <jmorris@...ei.org>, serge@...lyn.com,
        Kees Cook <keescook@...omium.org>, zohar@...ux.ibm.com,
        Borislav Petkov <bp@...en8.de>,
        Peter Jones <pjones@...hat.com>,
        David Howells <dhowells@...hat.com>, prarit@...hat.com
Subject: Re: [PATCH V2 2/3] integrity: Move import of MokListRT certs to a
 separate routine

On 9/11/20 11:02 AM, Ard Biesheuvel wrote:
> On Sat, 5 Sep 2020 at 04:31, Lenny Szubowicz <lszubowi@...hat.com> wrote:
>>
>> Move the loading of certs from the UEFI MokListRT into a separate
>> routine to facilitate additional MokList functionality.
>>
>> There is no visible functional change as a result of this patch.
>> Although the UEFI dbx certs are now loaded before the MokList certs,
>> they are loaded onto different key rings. So the order of the keys
>> on their respective key rings is the same.
>>
>> Signed-off-by: Lenny Szubowicz <lszubowi@...hat.com>
> 
> Why did you drop Mimi's reviewed-by from this patch?

It was not intentional. I was just not aware that I needed to propagate
Mimi Zohar's reviewed-by from V1 of the patch to V2.

Reviewed-by: Mimi Zohar <zohar@...ux.ibm.com>

V2 includes changes in that patch to incorporate suggestions from
Andy Shevchenko. My assumption was that the maintainer would
gather up the reviewed-by and add any signed-off-by as appropriate,
but it sounds like my assumption was incorrect. In retrospect, I
could see that having the maintainer dig through prior versions
of a patch set for prior reviewed-by tags could be burdensome.

Advice on the expected handling of this would be appreciated.

                     -Lenny.

> 
>> ---
>>   security/integrity/platform_certs/load_uefi.c | 63 +++++++++++++------
>>   1 file changed, 44 insertions(+), 19 deletions(-)
>>
>> diff --git a/security/integrity/platform_certs/load_uefi.c b/security/integrity/platform_certs/load_uefi.c
>> index 253fb9a7fc98..c1c622b4dc78 100644
>> --- a/security/integrity/platform_certs/load_uefi.c
>> +++ b/security/integrity/platform_certs/load_uefi.c
>> @@ -66,6 +66,43 @@ static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid,
>>   }
>>
>>   /*
>> + * load_moklist_certs() - Load MokList certs
>> + *
>> + * Load the certs contained in the UEFI MokListRT database into the
>> + * platform trusted keyring.
>> + *
>> + * Return:     Status
>> + */
>> +static int __init load_moklist_certs(void)
>> +{
>> +       efi_guid_t mok_var = EFI_SHIM_LOCK_GUID;
>> +       void *mok;
>> +       unsigned long moksize;
>> +       efi_status_t status;
>> +       int rc;
>> +
>> +       /* Get MokListRT. It might not exist, so it isn't an error
>> +        * if we can't get it.
>> +        */
>> +       mok = get_cert_list(L"MokListRT", &mok_var, &moksize, &status);
>> +       if (mok) {
>> +               rc = parse_efi_signature_list("UEFI:MokListRT",
>> +                                             mok, moksize, get_handler_for_db);
>> +               kfree(mok);
>> +               if (rc)
>> +                       pr_err("Couldn't parse MokListRT signatures: %d\n", rc);
>> +               return rc;
>> +       }
>> +       if (status == EFI_NOT_FOUND)
>> +               pr_debug("MokListRT variable wasn't found\n");
>> +       else
>> +               pr_info("Couldn't get UEFI MokListRT\n");
>> +       return 0;
>> +}
>> +
>> +/*
>> + * load_uefi_certs() - Load certs from UEFI sources
>> + *
>>    * Load the certs contained in the UEFI databases into the platform trusted
>>    * keyring and the UEFI blacklisted X.509 cert SHA256 hashes into the blacklist
>>    * keyring.
>> @@ -73,17 +110,16 @@ static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid,
>>   static int __init load_uefi_certs(void)
>>   {
>>          efi_guid_t secure_var = EFI_IMAGE_SECURITY_DATABASE_GUID;
>> -       efi_guid_t mok_var = EFI_SHIM_LOCK_GUID;
>> -       void *db = NULL, *dbx = NULL, *mok = NULL;
>> -       unsigned long dbsize = 0, dbxsize = 0, moksize = 0;
>> +       void *db = NULL, *dbx = NULL;
>> +       unsigned long dbsize = 0, dbxsize = 0;
>>          efi_status_t status;
>>          int rc = 0;
>>
>>          if (!efi_rt_services_supported(EFI_RT_SUPPORTED_GET_VARIABLE))
>>                  return false;
>>
>> -       /* Get db, MokListRT, and dbx.  They might not exist, so it isn't
>> -        * an error if we can't get them.
>> +       /* Get db and dbx.  They might not exist, so it isn't an error
>> +        * if we can't get them.
>>           */
>>          if (!uefi_check_ignore_db()) {
>>                  db = get_cert_list(L"db", &secure_var, &dbsize, &status);
>> @@ -102,20 +138,6 @@ static int __init load_uefi_certs(void)
>>                  }
>>          }
>>
>> -       mok = get_cert_list(L"MokListRT", &mok_var, &moksize, &status);
>> -       if (!mok) {
>> -               if (status == EFI_NOT_FOUND)
>> -                       pr_debug("MokListRT variable wasn't found\n");
>> -               else
>> -                       pr_info("Couldn't get UEFI MokListRT\n");
>> -       } else {
>> -               rc = parse_efi_signature_list("UEFI:MokListRT",
>> -                                             mok, moksize, get_handler_for_db);
>> -               if (rc)
>> -                       pr_err("Couldn't parse MokListRT signatures: %d\n", rc);
>> -               kfree(mok);
>> -       }
>> -
>>          dbx = get_cert_list(L"dbx", &secure_var, &dbxsize, &status);
>>          if (!dbx) {
>>                  if (status == EFI_NOT_FOUND)
>> @@ -131,6 +153,9 @@ static int __init load_uefi_certs(void)
>>                  kfree(dbx);
>>          }
>>
>> +       /* Load the MokListRT certs */
>> +       rc = load_moklist_certs();
>> +
>>          return rc;
>>   }
>>   late_initcall(load_uefi_certs);
>> --
>> 2.27.0
>>
> 

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ