MODSIGN: do not load mok when secure boot disabled

The mok can not be trusted when the secure boot is disabled. Which
means that the kernel embedded certificate is the only trusted key.

Due to db/dbx are authenticated variables, they needs manufacturer's
KEK for update. So db/dbx are secure when secureboot disabled.

Cc: David Howells <dhowells@redhat.com>
Cc: Josh Boyer <jwboyer@fedoraproject.org>
Cc: James Bottomley <James.Bottomley@HansenPartnership.com>
Signed-off-by: "Lee, Chun-Yi" <jlee@suse.com>
[Rebased by Luca Boccassi]
[bwh: Forward-ported to 5.0: adjust filename]

Gbp-Pq: Topic features/all/db-mok-keyring
Gbp-Pq: Name 0001-MODSIGN-do-not-load-mok-when-secure-boot-disabled.patch

diff --git a/security/integrity/platform_certs/load_uefi.c b/security/integrity/platform_certs/load_uefi.c
index 21201be7d055035def0f74856c26f4b8d1861b92..f72aa3e49372397fa2bdc902b6263d0d73fa7cba 100644 (file)
--- a/security/integrity/platform_certs/load_uefi.c
+++ b/security/integrity/platform_certs/load_uefi.c
@@ -173,17 +173,6 @@ static int __init load_uefi_certs(void)
                }
        }
 
-       rc = get_cert_list(L"MokListRT", &mok_var, &moksize, &mok);
-       if (rc < 0) {
-               pr_info("Couldn't get UEFI MokListRT\n");
-       } else if (moksize != 0) {
-               rc = parse_efi_signature_list("UEFI:MokListRT",
-                                             mok, moksize, get_handler_for_db);
-               if (rc)
-                       pr_err("Couldn't parse MokListRT signatures: %d\n", rc);
-               kfree(mok);
-       }
-
        rc = get_cert_list(L"dbx", &secure_var, &dbxsize, &dbx);
        if (rc < 0) {
                pr_info("Couldn't get UEFI dbx list\n");
@@ -196,6 +185,21 @@ static int __init load_uefi_certs(void)
                kfree(dbx);
        }
 
+       /* the MOK can not be trusted when secure boot is disabled */
+       if (!efi_enabled(EFI_SECURE_BOOT))
+               return 0;
+
+       rc = get_cert_list(L"MokListRT", &mok_var, &moksize, &mok);
+       if (rc < 0) {
+               pr_info("Couldn't get UEFI MokListRT\n");
+       } else if (moksize != 0) {
+               rc = parse_efi_signature_list("UEFI:MokListRT",
+                                             mok, moksize, get_handler_for_db);
+               if (rc)
+                       pr_err("Couldn't parse MokListRT signatures: %d\n", rc);
+               kfree(mok);
+       }
+
        return rc;
 }
 late_initcall(load_uefi_certs);