| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <354B8A37-28BF-4C2E-9FF6-FF00B39B4D06@oracle.com>
Date: Fri, 17 Sep 2021 10:06:56 -0600
From: Eric Snowberg <eric.snowberg@...cle.com>
To: Peter Jones <pjones@...hat.com>
Cc: keyrings@...r.kernel.org,
linux-integrity <linux-integrity@...r.kernel.org>,
Mimi Zohar <zohar@...ux.ibm.com>,
David Howells <dhowells@...hat.com>,
David Woodhouse <dwmw2@...radead.org>,
Herbert Xu <herbert@...dor.apana.org.au>,
"David S . Miller" <davem@...emloft.net>,
Jarkko Sakkinen <jarkko@...nel.org>,
James Morris <jmorris@...ei.org>,
"Serge E . Hallyn" <serge@...lyn.com>, keescook@...omium.org,
gregkh@...uxfoundation.org, torvalds@...ux-foundation.org,
scott.branden@...adcom.com, weiyongjun1@...wei.com,
nayna@...ux.ibm.com, ebiggers@...gle.com, ardb@...nel.org,
nramas@...ux.microsoft.com, lszubowi@...hat.com,
linux-kernel@...r.kernel.org, linux-crypto@...r.kernel.org,
linux-security-module@...r.kernel.org,
James.Bottomley@...senPartnership.com,
"konrad.wilk@...cle.com" <konrad.wilk@...cle.com>,
Dimitri John Ledkov <dimitri.ledkov@...onical.com>
Subject: Re: [PATCH v6 12/13] integrity: Trust MOK keys if MokListTrustedRT
found
> On Sep 17, 2021, at 9:03 AM, Peter Jones <pjones@...hat.com> wrote:
>
> On Thu, Sep 16, 2021 at 08:00:54PM -0600, Eric Snowberg wrote:
>>
>>> On Sep 16, 2021, at 4:19 PM, Peter Jones <pjones@...hat.com> wrote:
>>>
>>> On Tue, Sep 14, 2021 at 05:14:15PM -0400, Eric Snowberg wrote:
>>>> +/*
>>>> + * Try to load the MokListTrustedRT UEFI variable to see if we should trust
>>>> + * the mok keys within the kernel. It is not an error if this variable
>>>> + * does not exist. If it does not exist, mok keys should not be trusted
>>>> + * within the machine keyring.
>>>> + */
>>>> +static __init bool uefi_check_trust_mok_keys(void)
>>>> +{
>>>> + efi_status_t status;
>>>> + unsigned int mtrust = 0;
>>>> + unsigned long size = sizeof(mtrust);
>>>> + efi_guid_t guid = EFI_SHIM_LOCK_GUID;
>>>> + u32 attr;
>>>> +
>>>> + status = efi.get_variable(L"MokListTrustedRT", &guid, &attr, &size, &mtrust);
>>>
>>> This should use efi_mokvar_entry_find("MokListTrustedRT") instead,
>>> similar to how load_moklist_certs() does. It's a *much* more reliable
>>> mechanism. We don't even need to fall back to checking for the
>>> variable, as any version of shim that populates this supports the config
>>> table method.
>>
>> I’ll change this in v7, thanks.
>
> We do also need to figure out a path forward for something like Dimitri
> Ledkov's MokListX patch[0] from May, though it doesn't necessarily need
> to hold up this patch set. It looks like your patches will change the
> structure of the keyrings it needs to apply to, but I don't see a reason
> it wouldn't be conditional on the same MokListTrustedRT variable. Any
> thoughts?
>
> [0] https://lore.kernel.org/lkml/20210512153100.285169-1-dimitri.ledkov@canonical.com/
>
I had a little different approach I was going to send for this problem, but dropped it
after I saw Dimitri’s patch. Yes, we will need to figure out a way to merge the two.
But I don’t see that being too difficult or them being incompatible with one another.
Powered by blists - more mailing lists