From: Lee, Chun-Yi
Date: Tue, 13 Mar 2018 10:37:59 +0000 (+0800)
Subject: [PATCH 1/5] MODSIGN: do not load mok when secure boot disabled
X-Git-Tag: archive/raspbian/6.0.10-1+rpi1^2~19
X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=45b1d769a9cf7c819df110824ccd86e325848a8c;p=linux.git

[PATCH 1/5] MODSIGN: do not load mok when secure boot disabled

Origin: https://lore.kernel.org/patchwork/patch/933173/

The mok cannot be trusted when secure boot is disabled, which means
that the kernel embedded certificate is the only trusted key.

Because db/dbx are authenticated variables, they need the manufacturer's
KEK for update. So db/dbx are secure when secure boot is disabled.

Cc: David Howells
Cc: Josh Boyer
Cc: James Bottomley
Signed-off-by: "Lee, Chun-Yi"
[Rebased by Luca Boccassi]
[bwh: Forward-ported to 5.5.9:
 - get_cert_list() takes a pointer to status and returns the cert list
 - Adjust filename]
[Salvatore Bonaccorso: Forward-ported to 5.10: Refresh for changes in
 38a1f03aa240 ("integrity: Move import of MokListRT certs to a separate
 routine")]
[bwh: Forward-ported to 5.17: The upstream code now has this check but
 ties it to IMA policy. Until we determine whether we want to do that,
 revert to checking the EFI flag directly instead.]

Gbp-Pq: Topic features/all/db-mok-keyring
Gbp-Pq: Name 0001-MODSIGN-do-not-load-mok-when-secure-boot-disabled.patch
---
diff --git a/security/integrity/platform_certs/load_uefi.c b/security/integrity/platform_certs/load_uefi.c index b78753d27d8..fd5dae51c2e 100644 --- a/security/integrity/platform_certs/load_uefi.c +++ b/security/integrity/platform_certs/load_uefi.c @@ -211,7 +211,7 @@ static int __init load_uefi_certs(void) } /* the MOK/MOKx can not be trusted when secure boot is disabled */ - if (!arch_ima_get_secureboot()) + if (!efi_enabled(EFI_SECURE_BOOT)) return 0; mokx = get_cert_list(L"MokListXRT", &mok_var, &mokxsize, &status);
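
Review bot: The changed condition in load_uefi_certs() swaps `arch_ima_get_secureboot()` for `efi_enabled(EFI_SECURE_BOOT)`, but the in-code comment above it still says only that MOK/MOKx cannot be trusted, with nothing marking the check as a deliberate divergence from upstream. The commit message says the upstream check is tied to IMA policy and that this reverts to the EFI flag until that is decided; a one-line comment at the check saying so would keep a later forward-port from silently restoring the upstream call. Two things to confirm before merging: that EFI_SECURE_BOOT is defined and set before this initcall runs in this tree (the hunk shows no include or definition for it), and that the early `return 0` is meant to skip MokListXRT as well as the MOK list, since it means MOKx revocation entries are also not loaded when secure boot is off.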