From 056759890763a7fe735ffadd5e74b805482f68d1 Mon Sep 17 00:00:00 2001 From: "Lee, Chun-Yi" Date: Tue, 13 Mar 2018 18:37:59 +0800 Subject: [PATCH] [PATCH 1/5] MODSIGN: do not load mok when secure boot disabled Origin: https://lore.kernel.org/patchwork/patch/933173/ The mok can not be trusted when the secure boot is disabled. Which means that the kernel embedded certificate is the only trusted key. Due to db/dbx are authenticated variables, they needs manufacturer's KEK for update. So db/dbx are secure when secureboot disabled. Cc: David Howells Cc: Josh Boyer Cc: James Bottomley Signed-off-by: "Lee, Chun-Yi" [Rebased by Luca Boccassi] [bwh: Forward-ported to 5.5.9: - get_cert_list() takes a pointer to status and returns the cert list - Adjust filename] [Salvatore Bonaccorso: Forward-ported to 5.10: Refresh for changes in 38a1f03aa240 ("integrity: Move import of MokListRT certs to a separate routine"). Refresh in context for change in ebd9c2ae369a ("integrity: Load mokx variables into the blacklist keyring")] Gbp-Pq: Topic features/all/db-mok-keyring Gbp-Pq: Name 0001-MODSIGN-do-not-load-mok-when-secure-boot-disabled.patch --- security/integrity/platform_certs/load_uefi.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/security/integrity/platform_certs/load_uefi.c b/security/integrity/platform_certs/load_uefi.c index 185c609c6e3..9bc292ba3cf 100644 --- a/security/integrity/platform_certs/load_uefi.c +++ b/security/integrity/platform_certs/load_uefi.c @@ -209,6 +209,10 @@ static int __init load_uefi_certs(void) kfree(dbx); } + /* the MOK can not be trusted when secure boot is disabled */ + if (!efi_enabled(EFI_SECURE_BOOT)) + return 0; + mokx = get_cert_list(L"MokListXRT", &mok_var, &mokxsize, &status); if (!mokx) { if (status == EFI_NOT_FOUND) -- 2.30.2