lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20201102052907.GA31148@linux-8mug>
Date:   Mon, 2 Nov 2020 13:30:25 +0800
From:   Chester Lin <clin@...e.com>
To:     Ard Biesheuvel <ardb@...nel.org>
Cc:     Mimi Zohar <zohar@...ux.ibm.com>, James Morris <jmorris@...ei.org>,
        "Serge E. Hallyn" <serge@...lyn.com>,
        Dmitry Kasatkin <dmitry.kasatkin@...il.com>,
        Catalin Marinas <catalin.marinas@....com>,
        Will Deacon <will@...nel.org>,
        Thomas Gleixner <tglx@...utronix.de>,
        Ingo Molnar <mingo@...hat.com>, Borislav Petkov <bp@...en8.de>,
        "H. Peter Anvin" <hpa@...or.com>,
        Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
        Linux ARM <linux-arm-kernel@...ts.infradead.org>,
        linux-efi <linux-efi@...r.kernel.org>,
        linux-integrity <linux-integrity@...r.kernel.org>,
        linux-security-module@...r.kernel.org, X86 ML <x86@...nel.org>,
        "Lee, Chun-Yi" <jlee@...e.com>
Subject: Re: [PATCH v3 1/3] efi: generalize efi_get_secureboot

Hi Ard,

Thanks for your time and reviewing.

On Fri, Oct 30, 2020 at 12:51:10PM +0100, Ard Biesheuvel wrote:
> Hello Chester,
> 
> Thanks again for looking into this.
> 
> On Fri, 30 Oct 2020 at 07:09, Chester Lin <clin@...e.com> wrote:
> >
> > Generalize the efi_get_secureboot() function so not only efistub but also
> > other subsystems can use it.
> >
> > Signed-off-by: Chester Lin <clin@...e.com>
> > ---
> >  drivers/firmware/efi/libstub/Makefile     |  2 +-
> >  drivers/firmware/efi/libstub/efi-stub.c   |  2 +-
> >  drivers/firmware/efi/libstub/efistub.h    | 22 ++++---
> >  drivers/firmware/efi/libstub/secureboot.c | 76 -----------------------
> >  drivers/firmware/efi/libstub/x86-stub.c   |  2 +-
> >  include/linux/efi.h                       | 41 +++++++++++-
> >  6 files changed, 57 insertions(+), 88 deletions(-)
> >  delete mode 100644 drivers/firmware/efi/libstub/secureboot.c
> >
> > diff --git a/drivers/firmware/efi/libstub/Makefile b/drivers/firmware/efi/libstub/Makefile
> > index 8a94388e38b3..88e47b0ca09d 100644
> > --- a/drivers/firmware/efi/libstub/Makefile
> > +++ b/drivers/firmware/efi/libstub/Makefile
> > @@ -49,7 +49,7 @@ OBJECT_FILES_NON_STANDARD     := y
> >  # Prevents link failures: __sanitizer_cov_trace_pc() is not linked in.
> >  KCOV_INSTRUMENT                        := n
> >
> > -lib-y                          := efi-stub-helper.o gop.o secureboot.o tpm.o \
> > +lib-y                          := efi-stub-helper.o gop.o tpm.o \
> >                                    file.o mem.o random.o randomalloc.o pci.o \
> >                                    skip_spaces.o lib-cmdline.o lib-ctype.o \
> >                                    alignedmem.o relocate.o vsprintf.o
> > diff --git a/drivers/firmware/efi/libstub/efi-stub.c b/drivers/firmware/efi/libstub/efi-stub.c
> > index 914a343c7785..ad96f1d786a9 100644
> > --- a/drivers/firmware/efi/libstub/efi-stub.c
> > +++ b/drivers/firmware/efi/libstub/efi-stub.c
> > @@ -196,7 +196,7 @@ efi_status_t __efiapi efi_pe_entry(efi_handle_t handle,
> >         /* Ask the firmware to clear memory on unclean shutdown */
> >         efi_enable_reset_attack_mitigation();
> >
> > -       secure_boot = efi_get_secureboot();
> > +       secure_boot = efi_get_secureboot(get_efi_var);
> >
> >         /*
> >          * Unauthenticated device tree data is a security hazard, so ignore
> > diff --git a/drivers/firmware/efi/libstub/efistub.h b/drivers/firmware/efi/libstub/efistub.h
> > index 2d7abcd99de9..b1833b51e6d6 100644
> > --- a/drivers/firmware/efi/libstub/efistub.h
> > +++ b/drivers/firmware/efi/libstub/efistub.h
> > @@ -91,14 +91,6 @@ efi_status_t __efiapi efi_pe_entry(efi_handle_t handle,
> >         fdt_setprop((fdt), (node_offset), (name), &(var), sizeof(var))
> >  #endif
> >
> > -#define get_efi_var(name, vendor, ...)                         \
> > -       efi_rt_call(get_variable, (efi_char16_t *)(name),       \
> > -                   (efi_guid_t *)(vendor), __VA_ARGS__)
> > -
> > -#define set_efi_var(name, vendor, ...)                         \
> > -       efi_rt_call(set_variable, (efi_char16_t *)(name),       \
> > -                   (efi_guid_t *)(vendor), __VA_ARGS__)
> > -
> >  #define efi_get_handle_at(array, idx)                                  \
> >         (efi_is_native() ? (array)[idx]                                 \
> >                 : (efi_handle_t)(unsigned long)((u32 *)(array))[idx])
> > @@ -112,6 +104,20 @@ efi_status_t __efiapi efi_pe_entry(efi_handle_t handle,
> >                 ((handle = efi_get_handle_at((array), i)) || true);     \
> >              i++)
> >
> > +static inline
> > +efi_status_t get_efi_var(efi_char16_t *name, efi_guid_t *vendor, u32 *attr,
> > +                        unsigned long *size, void *data)
> > +{
> > +       return efi_rt_call(get_variable, name, vendor, attr, size, data);
> > +}
> > +
> > +static inline
> > +efi_status_t set_efi_var(efi_char16_t *name, efi_guid_t *vendor, u32 attr,
> > +                        unsigned long size, void *data)
> > +{
> > +       return efi_rt_call(set_variable, name, vendor, attr, size, data);
> > +}
> > +
> >  static inline
> >  void efi_set_u64_split(u64 data, u32 *lo, u32 *hi)
> >  {
> > diff --git a/drivers/firmware/efi/libstub/secureboot.c b/drivers/firmware/efi/libstub/secureboot.c
> > deleted file mode 100644
> > index 5efc524b14be..000000000000
> > --- a/drivers/firmware/efi/libstub/secureboot.c
> > +++ /dev/null
> 
> Please keep this file (see below)
> 
> > @@ -1,76 +0,0 @@
> > -// SPDX-License-Identifier: GPL-2.0
> > -/*
> > - * Secure boot handling.
> > - *
> > - * Copyright (C) 2013,2014 Linaro Limited
> > - *     Roy Franz <roy.franz@...aro.org
> > - * Copyright (C) 2013 Red Hat, Inc.
> > - *     Mark Salter <msalter@...hat.com>
> > - */
> > -#include <linux/efi.h>
> > -#include <asm/efi.h>
> > -
> > -#include "efistub.h"
> > -
> > -/* BIOS variables */
> > -static const efi_guid_t efi_variable_guid = EFI_GLOBAL_VARIABLE_GUID;
> > -static const efi_char16_t efi_SecureBoot_name[] = L"SecureBoot";
> > -static const efi_char16_t efi_SetupMode_name[] = L"SetupMode";
> > -
> > -/* SHIM variables */
> > -static const efi_guid_t shim_guid = EFI_SHIM_LOCK_GUID;
> > -static const efi_char16_t shim_MokSBState_name[] = L"MokSBState";
> > -
> > -/*
> > - * Determine whether we're in secure boot mode.
> > - *
> > - * Please keep the logic in sync with
> > - * arch/x86/xen/efi.c:xen_efi_get_secureboot().
> > - */
> > -enum efi_secureboot_mode efi_get_secureboot(void)
> > -{
> > -       u32 attr;
> > -       u8 secboot, setupmode, moksbstate;
> > -       unsigned long size;
> > -       efi_status_t status;
> > -
> > -       size = sizeof(secboot);
> > -       status = get_efi_var(efi_SecureBoot_name, &efi_variable_guid,
> > -                            NULL, &size, &secboot);
> > -       if (status == EFI_NOT_FOUND)
> > -               return efi_secureboot_mode_disabled;
> > -       if (status != EFI_SUCCESS)
> > -               goto out_efi_err;
> > -
> > -       size = sizeof(setupmode);
> > -       status = get_efi_var(efi_SetupMode_name, &efi_variable_guid,
> > -                            NULL, &size, &setupmode);
> > -       if (status != EFI_SUCCESS)
> > -               goto out_efi_err;
> > -
> > -       if (secboot == 0 || setupmode == 1)
> > -               return efi_secureboot_mode_disabled;
> > -
> > -       /*
> > -        * See if a user has put the shim into insecure mode. If so, and if the
> > -        * variable doesn't have the runtime attribute set, we might as well
> > -        * honor that.
> > -        */
> > -       size = sizeof(moksbstate);
> > -       status = get_efi_var(shim_MokSBState_name, &shim_guid,
> > -                            &attr, &size, &moksbstate);
> > -
> 
> MokSBState is a boot time variable, so we cannot access it when
> running under the OS. Xen also has a code flow similar to this one,
> but it looks at MokSbStateRt instead (which may be a mistake but let's
> forget about that for now)
> 
> So what we will need to do is factor out only the top part of this
> function (which, incidentally, is the only part that IMA uses in the
i> first place)
> 

Thanks for the reminder. I will take this change into next revision.

> > -       /* If it fails, we don't care why. Default to secure */
> > -       if (status != EFI_SUCCESS)
> > -               goto secure_boot_enabled;
> > -       if (!(attr & EFI_VARIABLE_RUNTIME_ACCESS) && moksbstate == 1)
> > -               return efi_secureboot_mode_disabled;
> > -
> > -secure_boot_enabled:
> > -       efi_info("UEFI Secure Boot is enabled.\n");
> > -       return efi_secureboot_mode_enabled;
> > -
> > -out_efi_err:
> > -       efi_err("Could not determine UEFI Secure Boot status.\n");
> > -       return efi_secureboot_mode_unknown;
> > -}
> 
> So let's keep this file, and also, let's put a wrapper function around
> get_efi_var() here, of which you can take the address and pass to the
> static inline function.

If I understand correctly, that means it's better to define a new wrapper
function around the get_efi_var() rather than changing it from a macro to
an inline function. Please feel free to let me know if I misunderstand it.

> 
> > diff --git a/drivers/firmware/efi/libstub/x86-stub.c b/drivers/firmware/efi/libstub/x86-stub.c
> > index 3672539cb96e..3f9b492c566b 100644
> > --- a/drivers/firmware/efi/libstub/x86-stub.c
> > +++ b/drivers/firmware/efi/libstub/x86-stub.c
> > @@ -781,7 +781,7 @@ unsigned long efi_main(efi_handle_t handle,
> >          * otherwise we ask the BIOS.
> >          */
> >         if (boot_params->secure_boot == efi_secureboot_mode_unset)
> > -               boot_params->secure_boot = efi_get_secureboot();
> > +               boot_params->secure_boot = efi_get_secureboot(get_efi_var);
> >
> >         /* Ask the firmware to clear memory on unclean shutdown */
> >         efi_enable_reset_attack_mitigation();
> > diff --git a/include/linux/efi.h b/include/linux/efi.h
> > index d7c0e73af2b9..cc2d3de39031 100644
> > --- a/include/linux/efi.h
> > +++ b/include/linux/efi.h
> > @@ -1089,7 +1089,46 @@ enum efi_secureboot_mode {
> >         efi_secureboot_mode_disabled,
> >         efi_secureboot_mode_enabled,
> >  };
> > -enum efi_secureboot_mode efi_get_secureboot(void);
> > +
> > +static inline enum efi_secureboot_mode efi_get_secureboot(efi_get_variable_t *get_var)
> > +{
> > +       efi_guid_t var_guid = EFI_GLOBAL_VARIABLE_GUID;
> > +       efi_guid_t shim_guid = EFI_SHIM_LOCK_GUID;
> > +       efi_status_t status;
> > +       unsigned long size;
> > +       u8 secboot, setupmode, moksbstate;
> > +       u32 attr;
> > +
> > +       size = sizeof(secboot);
> > +       status = get_var(L"SecureBoot", &var_guid, NULL, &size, &secboot);
> > +
> > +       if (status == EFI_NOT_FOUND)
> > +               return efi_secureboot_mode_disabled;
> > +       if (status != EFI_SUCCESS)
> > +               return efi_secureboot_mode_unknown;
> > +
> > +       size = sizeof(setupmode);
> > +       status = get_var(L"SetupMode", &var_guid, NULL, &size, &setupmode);
> > +
> > +       if (status != EFI_SUCCESS)
> > +               return efi_secureboot_mode_unknown;
> > +       if (secboot == 0 || setupmode == 1)
> > +               return efi_secureboot_mode_disabled;
> > +
> 
> So keep until here and move the rest back into the .c file
> 
> > +       /*
> > +        * See if a user has put the shim into insecure mode. If so, and if the
> > +        * variable doesn't have the runtime attribute set, we might as well
> > +        * honor that.
> > +        */
> > +       size = sizeof(moksbstate);
> > +       status = get_var(L"MokSBState", &shim_guid, &attr, &size, &moksbstate);
> > +       /* If it fails, we don't care why. Default to secure */
> > +       if (status == EFI_SUCCESS && moksbstate == 1
> > +           && !(attr & EFI_VARIABLE_RUNTIME_ACCESS))
> > +               return efi_secureboot_mode_disabled;
> > +
> > +       return efi_secureboot_mode_enabled;
> > +}
> >
> >  #ifdef CONFIG_RESET_ATTACK_MITIGATION
> >  void efi_enable_reset_attack_mitigation(void);
> > --
> > 2.28.0
> >
> 

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ