From 1a1b0fb8be6c7ef4300352e7b04cb73caf979da5 Mon Sep 17 00:00:00 2001 From: "Lee, Chun-Yi" Date: Tue, 13 Mar 2018 18:37:59 +0800 Subject: [PATCH] MODSIGN: do not load mok when secure boot disabled The mok can not be trusted when the secure boot is disabled. Which means that the kernel embedded certificate is the only trusted key. Due to db/dbx are authenticated variables, they needs manufacturer's KEK for update. So db/dbx are secure when secureboot disabled. Cc: David Howells Cc: Josh Boyer Cc: James Bottomley Signed-off-by: "Lee, Chun-Yi" [Rebased by Luca Boccassi] Gbp-Pq: Topic features/all/db-mok-keyring Gbp-Pq: Name 0001-MODSIGN-do-not-load-mok-when-secure-boot-disabled.patch --- certs/load_uefi.c | 26 +++++++++++++++----------- 1 file changed, 15 insertions(+), 11 deletions(-) diff --git a/certs/load_uefi.c b/certs/load_uefi.c index 9ef34c44fd1..08558b49e0c 100644 --- a/certs/load_uefi.c +++ b/certs/load_uefi.c @@ -171,17 +171,6 @@ static int __init load_uefi_certs(void) } } - rc = get_cert_list(L"MokListRT", &mok_var, &moksize, &mok); - if (rc < 0) { - pr_info("MODSIGN: Couldn't get UEFI MokListRT\n"); - } else if (moksize != 0) { - rc = parse_efi_signature_list("UEFI:MokListRT", - mok, moksize, get_handler_for_db); - if (rc) - pr_err("Couldn't parse MokListRT signatures: %d\n", rc); - kfree(mok); - } - rc = get_cert_list(L"dbx", &secure_var, &dbxsize, &dbx); if (rc < 0) { pr_info("MODSIGN: Couldn't get UEFI dbx list\n"); @@ -194,6 +183,21 @@ static int __init load_uefi_certs(void) kfree(dbx); } + /* the MOK can not be trusted when secure boot is disabled */ + if (!efi_enabled(EFI_SECURE_BOOT)) + return 0; + + rc = get_cert_list(L"MokListRT", &mok_var, &moksize, &mok); + if (rc < 0) { + pr_info("MODSIGN: Couldn't get UEFI MokListRT\n"); + } else if (moksize != 0) { + rc = parse_efi_signature_list("UEFI:MokListRT", + mok, moksize, get_handler_for_db); + if (rc) + pr_err("Couldn't parse MokListRT signatures: %d\n", rc); + kfree(mok); + } + return rc; } late_initcall(load_uefi_certs); -- 2.30.2