[PATCH 1/5] MODSIGN: do not load mok when secure boot disabled

Origin: https://lore.kernel.org/patchwork/patch/933173/

The mok can not be trusted when the secure boot is disabled. Which
means that the kernel embedded certificate is the only trusted key.

Due to db/dbx are authenticated variables, they needs manufacturer's
KEK for update. So db/dbx are secure when secureboot disabled.

Cc: David Howells <dhowells@redhat.com>
Cc: Josh Boyer <jwboyer@fedoraproject.org>
Cc: James Bottomley <James.Bottomley@HansenPartnership.com>
Signed-off-by: "Lee, Chun-Yi" <jlee@suse.com>
[Rebased by Luca Boccassi]
[bwh: Forward-ported to 5.5.9:
 - get_cert_list() takes a pointer to status and returns the cert list
 - Adjust filename]
[Salvatore Bonaccorso: Forward-ported to 5.10: Refresh for changes in
38a1f03aa240 ("integrity: Move import of MokListRT certs to a separate
routine"). Refresh in context for change in ebd9c2ae369a ("integrity: Load mokx
variables into the blacklist keyring")]

Gbp-Pq: Topic features/all/db-mok-keyring
Gbp-Pq: Name 0001-MODSIGN-do-not-load-mok-when-secure-boot-disabled.patch

diff --git a/security/integrity/platform_certs/load_uefi.c b/security/integrity/platform_certs/load_uefi.c
index d2f2c3936277ab05c7dfedb50e42e88f1d6d012b..cef9e5d212c0af8007dab59c493fbe99e69f3ec0 100644 (file)
--- a/security/integrity/platform_certs/load_uefi.c
+++ b/security/integrity/platform_certs/load_uefi.c
@@ -210,6 +210,10 @@ static int __init load_uefi_certs(void)
                kfree(dbx);
        }
 
+       /* the MOK can not be trusted when secure boot is disabled */
+       if (!efi_enabled(EFI_SECURE_BOOT))
+               return 0;
+
        mokx = get_cert_list(L"MokListXRT", &mok_var, &mokxsize, &status);
        if (!mokx) {
                if (status == EFI_NOT_FOUND)