From 20d42f76be2f02cc59ba200847e7533b4384f026 Mon Sep 17 00:00:00 2001 From: "Lee, Chun-Yi" Date: Tue, 13 Mar 2018 18:37:59 +0800 Subject: [PATCH] [PATCH 1/5] MODSIGN: do not load mok when secure boot disabled Origin: https://lore.kernel.org/patchwork/patch/933173/ The mok can not be trusted when the secure boot is disabled. Which means that the kernel embedded certificate is the only trusted key. Due to db/dbx are authenticated variables, they needs manufacturer's KEK for update. So db/dbx are secure when secureboot disabled. Cc: David Howells Cc: Josh Boyer Cc: James Bottomley Signed-off-by: "Lee, Chun-Yi" [Rebased by Luca Boccassi] [bwh: Forward-ported to 5.5.9: - get_cert_list() takes a pointer to status and returns the cert list - Adjust filename] [Salvatore Bonaccorso: Forward-ported to 5.10: Refresh for changes in 38a1f03aa240 ("integrity: Move import of MokListRT certs to a separate routine")] Gbp-Pq: Topic features/all/db-mok-keyring Gbp-Pq: Name 0001-MODSIGN-do-not-load-mok-when-secure-boot-disabled.patch --- security/integrity/platform_certs/load_uefi.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/security/integrity/platform_certs/load_uefi.c b/security/integrity/platform_certs/load_uefi.c index ee4b4c66685..a2b998f385a 100644 --- a/security/integrity/platform_certs/load_uefi.c +++ b/security/integrity/platform_certs/load_uefi.c @@ -175,6 +175,10 @@ static int __init load_uefi_certs(void) kfree(dbx); } + /* the MOK can not be trusted when secure boot is disabled */ + if (!efi_enabled(EFI_SECURE_BOOT)) + return 0; + /* Load the MokListRT certs */ rc = load_moklist_certs(); -- 2.30.2