lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20210917150332.cakrhyxh655e73jo@redhat.com>
Date:   Fri, 17 Sep 2021 11:03:33 -0400
From:   Peter Jones <pjones@...hat.com>
To:     Eric Snowberg <eric.snowberg@...cle.com>
Cc:     keyrings@...r.kernel.org,
        linux-integrity <linux-integrity@...r.kernel.org>,
        Mimi Zohar <zohar@...ux.ibm.com>,
        David Howells <dhowells@...hat.com>,
        David Woodhouse <dwmw2@...radead.org>,
        Herbert Xu <herbert@...dor.apana.org.au>,
        "David S . Miller" <davem@...emloft.net>,
        Jarkko Sakkinen <jarkko@...nel.org>,
        James Morris <jmorris@...ei.org>,
        "Serge E . Hallyn" <serge@...lyn.com>, keescook@...omium.org,
        gregkh@...uxfoundation.org, torvalds@...ux-foundation.org,
        scott.branden@...adcom.com, weiyongjun1@...wei.com,
        nayna@...ux.ibm.com, ebiggers@...gle.com, ardb@...nel.org,
        nramas@...ux.microsoft.com, lszubowi@...hat.com,
        linux-kernel@...r.kernel.org, linux-crypto@...r.kernel.org,
        linux-security-module@...r.kernel.org,
        James.Bottomley@...senPartnership.com,
        "konrad.wilk@...cle.com" <konrad.wilk@...cle.com>,
        Dimitri John Ledkov <dimitri.ledkov@...onical.com>
Subject: Re: [PATCH v6 12/13] integrity: Trust MOK keys if MokListTrustedRT
 found

On Thu, Sep 16, 2021 at 08:00:54PM -0600, Eric Snowberg wrote:
> 
> > On Sep 16, 2021, at 4:19 PM, Peter Jones <pjones@...hat.com> wrote:
> > 
> > On Tue, Sep 14, 2021 at 05:14:15PM -0400, Eric Snowberg wrote:
> >> +/*
> >> + * Try to load the MokListTrustedRT UEFI variable to see if we should trust
> >> + * the mok keys within the kernel. It is not an error if this variable
> >> + * does not exist.  If it does not exist, mok keys should not be trusted
> >> + * within the machine keyring.
> >> + */
> >> +static __init bool uefi_check_trust_mok_keys(void)
> >> +{
> >> +	efi_status_t status;
> >> +	unsigned int mtrust = 0;
> >> +	unsigned long size = sizeof(mtrust);
> >> +	efi_guid_t guid = EFI_SHIM_LOCK_GUID;
> >> +	u32 attr;
> >> +
> >> +	status = efi.get_variable(L"MokListTrustedRT", &guid, &attr, &size, &mtrust);
> > 
> > This should use efi_mokvar_entry_find("MokListTrustedRT") instead,
> > similar to how load_moklist_certs() does.  It's a *much* more reliable
> > mechanism.  We don't even need to fall back to checking for the
> > variable, as any version of shim that populates this supports the config
> > table method.
> 
> I’ll change this in v7, thanks.

We do also need to figure out a path forward for something like Dimitri
Ledkov's MokListX patch[0] from May, though it doesn't necessarily need
to hold up this patch set.  It looks like your patches will change the
structure of the keyrings it needs to apply to, but I don't see a reason
it wouldn't be conditional on the same MokListTrustedRT variable.  Any
thoughts?

[0] https://lore.kernel.org/lkml/20210512153100.285169-1-dimitri.ledkov@canonical.com/

-- 
        Peter

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ