| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <YD5Yf1gqvoKKRL+C@kernel.org>
Date: Tue, 2 Mar 2021 17:23:43 +0200
From: Jarkko Sakkinen <jarkko@...nel.org>
To: David Howells <dhowells@...hat.com>
Cc: Eric Snowberg <eric.snowberg@...cle.com>,
James Bottomley <James.Bottomley@...senpartnership.com>,
Mickaël Salaün <mic@...ikod.net>,
keyrings@...r.kernel.org, linux-security-module@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2 4/4] integrity: Load mokx variables into the blacklist
keyring
On Fri, Feb 26, 2021 at 09:52:12AM +0000, David Howells wrote:
> From: Eric Snowberg <eric.snowberg@...cle.com>
>
> During boot the Secure Boot Forbidden Signature Database, dbx,
> is loaded into the blacklist keyring. Systems booted with shim
> have an equivalent Forbidden Signature Database called mokx.
> Currently mokx is only used by shim and grub, the contents are
> ignored by the kernel.
>
> Add the ability to load mokx into the blacklist keyring during boot.
>
> Signed-off-by: Eric Snowberg <eric.snowberg@...cle.com>
> Suggested-by: James Bottomley <James.Bottomley@...senPartnership.com>
> Signed-off-by: David Howells <dhowells@...hat.com>
> cc: Jarkko Sakkinen <jarkko@...nel.org>
> Link: https://lore.kernel.org/r/20210122181054.32635-5-eric.snowberg@oracle.com/ # v5
> Link: https://lore.kernel.org/r/c33c8e3839a41e9654f41cc92c7231104931b1d7.camel@HansenPartnership.com/
> Link: ohttps://lore.kernel.org/r/161428674320.677100.12637282414018170743.stgit@warthog.procyon.org.uk/
For all:
Reviewed-by: Jarkko Sakkinen <jarkko@...nel.org>
/Jarkko
> ---
>
> security/integrity/platform_certs/load_uefi.c | 20 ++++++++++++++++++--
> 1 file changed, 18 insertions(+), 2 deletions(-)
>
> diff --git a/security/integrity/platform_certs/load_uefi.c b/security/integrity/platform_certs/load_uefi.c
> index ee4b4c666854..f290f78c3f30 100644
> --- a/security/integrity/platform_certs/load_uefi.c
> +++ b/security/integrity/platform_certs/load_uefi.c
> @@ -132,8 +132,9 @@ static int __init load_moklist_certs(void)
> static int __init load_uefi_certs(void)
> {
> efi_guid_t secure_var = EFI_IMAGE_SECURITY_DATABASE_GUID;
> - void *db = NULL, *dbx = NULL;
> - unsigned long dbsize = 0, dbxsize = 0;
> + efi_guid_t mok_var = EFI_SHIM_LOCK_GUID;
> + void *db = NULL, *dbx = NULL, *mokx = NULL;
> + unsigned long dbsize = 0, dbxsize = 0, mokxsize = 0;
> efi_status_t status;
> int rc = 0;
>
> @@ -175,6 +176,21 @@ static int __init load_uefi_certs(void)
> kfree(dbx);
> }
>
> + mokx = get_cert_list(L"MokListXRT", &mok_var, &mokxsize, &status);
> + if (!mokx) {
> + if (status == EFI_NOT_FOUND)
> + pr_debug("mokx variable wasn't found\n");
> + else
> + pr_info("Couldn't get mokx list\n");
> + } else {
> + rc = parse_efi_signature_list("UEFI:MokListXRT",
> + mokx, mokxsize,
> + get_handler_for_dbx);
> + if (rc)
> + pr_err("Couldn't parse mokx signatures %d\n", rc);
> + kfree(mokx);
> + }
> +
> /* Load the MokListRT certs */
> rc = load_moklist_certs();
>
>
>
Powered by blists - more mailing lists