From c502f172bc8153891213e492382fb5844e9cb0aa Mon Sep 17 00:00:00 2001
From: "Lee, Chun-Yi" <jlee@suse.com>
Date: Wed, 29 Nov 2017 15:45:25 +0800
Subject: [PATCH 1/4] MODSIGN: do not load mok when secure boot disabled
Patch-mainline: Submitted - https://patchwork.kernel.org/patch/10082305/
References: fate#316531, bnc#854875, bsc#1188366

The MOK cannot be trusted when secure boot is disabled, which
means that the kernel embedded certificate is the only trusted key.

Because db/dbx are authenticated variables, they need the manufacturer's
KEK for update. So db/dbx are secure when secure boot is disabled.

This patch is merged with the "integrity: use arch_ima_get_secureboot
instead of checking EFI_SECURE_BOOT when loading MokListRT" patch, so
CONFIG_IMA_ARCH_POLICY=y and CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT=y
also need to be set.

Signed-off-by: Lee, Chun-Yi <jlee@suse.com>
---
 security/integrity/platform_certs/load_uefi.c |    5 +++++
 1 file changed, 5 insertions(+)

--- a/security/integrity/platform_certs/load_uefi.c
+++ b/security/integrity/platform_certs/load_uefi.c
@@ -6,6 +6,7 @@
 #include <linux/err.h>
 #include <linux/efi.h>
 #include <linux/slab.h>
+#include <linux/ima.h>
 #include <keys/asymmetric-type.h>
 #include <keys/system_keyring.h>
 #include "../integrity.h"
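Review bot: the new `#include <linux/ima.h>` makes this file depend on the IMA secure boot helper, but the requirement that CONFIG_IMA_ARCH_POLICY=y and CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT=y be set is stated only in the commit message, and the diffstat shows no Kconfig change. If arch_ima_get_secureboot() is stubbed out in a build without those options, the check added to load_moklist_certs() would take its "secure boot disabled" branch regardless of firmware state. Consider expressing the dependency in Kconfig, or at least documenting it in a comment next to the include.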
@@ -85,6 +86,10 @@ static int __init load_moklist_certs(voi
 	efi_status_t status;
 	int rc;
 
+	/* the MOK can not be trusted when secure boot is disabled */
+	if (!arch_ima_get_secureboot())
+		return 0;
+
 	/* First try to load certs from the EFI MOKvar config table.
 	 * It's not an error if the MOKvar config table doesn't exist
 	 * or the MokListRT entry is not found in it.
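Review bot: the early `return 0;` at the top of load_moklist_certs() skips the MOK silently, so an administrator whose enrolled MOK key stops being accepted for module signatures gets no hint in the kernel log that the cause is the secure boot state. Consider logging one informational line before returning, saying that MOK certificates are ignored because secure boot is disabled. The placement ahead of the MOKvar config table lookup looks right, since it covers every MOK source handled by this function; extending the comment to say that this is intentional, and that db/dbx loading is deliberately left unaffected as the commit message explains, would help future readers.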