From: Lee, Chun-Yi Date: Tue, 13 Mar 2018 10:37:59 +0000 (+0800) Subject: MODSIGN: do not load mok when secure boot disabled X-Git-Tag: archive/raspbian/5.2.17-1+rpi1^2~22 X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=cf7f3faa90ac0ba12540ca7b748afa28d920abeb;p=linux.git MODSIGN: do not load mok when secure boot disabled The mok can not be trusted when the secure boot is disabled. Which means that the kernel embedded certificate is the only trusted key. Due to db/dbx are authenticated variables, they needs manufacturer's KEK for update. So db/dbx are secure when secureboot disabled. Cc: David Howells Cc: Josh Boyer Cc: James Bottomley Signed-off-by: "Lee, Chun-Yi" [Rebased by Luca Boccassi] [bwh: Forward-ported to 5.0: adjust filename] Gbp-Pq: Topic features/all/db-mok-keyring Gbp-Pq: Name 0001-MODSIGN-do-not-load-mok-when-secure-boot-disabled.patch
---
diff --git a/security/integrity/platform_certs/load_uefi.c b/security/integrity/platform_certs/load_uefi.c
index 21201be7d05..f72aa3e4937 100644
--- a/security/integrity/platform_certs/load_uefi.c
+++ b/security/integrity/platform_certs/load_uefi.c
@@ -173,17 +173,6 @@ static int __init load_uefi_certs(void)
 }
 }
 
- rc = get_cert_list(L"MokListRT", &mok_var, &moksize, &mok);
- if (rc < 0) {
- pr_info("Couldn't get UEFI MokListRT\n");
- } else if (moksize != 0) {
- rc = parse_efi_signature_list("UEFI:MokListRT",
- mok, moksize, get_handler_for_db);
- if (rc)
- pr_err("Couldn't parse MokListRT signatures: %d\n", rc);
- kfree(mok);
- }
-
 rc = get_cert_list(L"dbx", &secure_var, &dbxsize, &dbx);
 if (rc < 0) {
 pr_info("Couldn't get UEFI dbx list\n");
@@ -196,6 +185,21 @@ static int __init load_uefi_certs(void)
 kfree(dbx);
 }
 
+ /* the MOK can not be trusted when secure boot is disabled */
+ if (!efi_enabled(EFI_SECURE_BOOT))
+ return 0;
+
+ rc = get_cert_list(L"MokListRT", &mok_var, &moksize, &mok);
+ if (rc < 0) {
+ pr_info("Couldn't get UEFI MokListRT\n");
+ } else if (moksize != 0) {
+ rc = parse_efi_signature_list("UEFI:MokListRT",
+ mok, moksize, get_handler_for_db);
+ if (rc)
+ pr_err("Couldn't parse MokListRT signatures: %d\n", rc);
+ kfree(mok);
+ }
+
 return rc;
 }
 late_initcall(load_uefi_certs);
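Review bot: The early `return 0;` added after the dbx block discards `rc`, so with secure boot disabled a failed dbx fetch or parse is reported as success; before this change the dbx result was what `return rc;` handed back. Returning the current value keeps a revocation-list failure visible: `if (!efi_enabled(EFI_SECURE_BOOT)) return rc;`. The skip is also silent, and a `pr_info("Secure boot disabled, not loading MokListRT\n");` ahead of the return would tell an administrator why MOK-enrolled keys are missing from the keyring. load_uefi_certs starts outside this hunk, so how the caller uses the return value is not visible here.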