From 6afd12a1d5ddd93e876fefde77d8cf13b367020b Mon Sep 17 00:00:00 2001
From: "Lee, Chun-Yi" <jlee@suse.com>
Date: Wed, 13 Jul 2016 17:06:45 +0800
Subject: [PATCH] MODSIGN: Print appropriate status message when accessing UEFI
variable
Patch-mainline: Not yet, wait SecureLevel and MOK patches accepted by upstream
References: bsc#958606
Target: SLE-12
This patch adds the code to return the result of getting EFI variable to
caller for printing appropriate string against the access status.
The message shows like this:
[ 0.788529] MODSIGN: Couldn't get UEFI MokListRT: EFI_NOT_FOUND
[ 0.788537] MODSIGN: Couldn't get UEFI MokListXRT: EFI_NOT_FOUND
Signed-off-by: Lee, Chun-Yi <jlee@suse.com>
---
kernel/modsign_uefi.c | 33 +++++++++++++++++----------------
1 file changed, 17 insertions(+), 16 deletions(-)
--- a/kernel/modsign_uefi.c
+++ b/kernel/modsign_uefi.c
@@ -42,16 +42,16 @@ static __init int check_ignore_db(void)
return 1;
}
-static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid, unsigned long *size)
+static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid, unsigned long *size, efi_status_t *status)
{
- efi_status_t status;
unsigned long lsize = 4;
unsigned long tmpdb[4];
void *db = NULL;
- status = efi.get_variable(name, guid, NULL, &lsize, &tmpdb);
- if (status != EFI_BUFFER_TOO_SMALL) {
- pr_err("Couldn't get size: 0x%lx\n", status);
+ *status = efi.get_variable(name, guid, NULL, &lsize, &tmpdb);
+ if (*status != EFI_BUFFER_TOO_SMALL) {
+ if (*status != EFI_NOT_FOUND)
+ pr_err("Couldn't get size: 0x%lx\n", *status);
return NULL;
}
@@ -61,11 +61,11 @@ static __init void *get_cert_list(efi_ch
goto out;
}
- status = efi.get_variable(name, guid, NULL, &lsize, db);
- if (status != EFI_SUCCESS) {
+ *status = efi.get_variable(name, guid, NULL, &lsize, db);
+ if (*status != EFI_SUCCESS) {
kfree(db);
db = NULL;
- pr_err("Error reading db var: 0x%lx\n", status);
+ pr_err("Error reading db var: 0x%lx\n", *status);
}
out:
*size = lsize;
@@ -144,6 +144,7 @@ static int __init load_uefi_certs(void)
void *db = NULL, *dbx = NULL, *mok = NULL, *mokx = NULL;
unsigned long dbsize = 0, dbxsize = 0, moksize = 0, mokxsize = 0;
int ignore_db, rc = 0;
+ efi_status_t status = 0;
if (!efi_enabled(EFI_RUNTIME_SERVICES))
return 0;
@@ -155,9 +156,9 @@ static int __init load_uefi_certs(void)
* an error if we can't get them.
*/
if (!ignore_db) {
- db = get_cert_list(L"db", &secure_var, &dbsize);
+ db = get_cert_list(L"db", &secure_var, &dbsize, &status);
if (!db) {
- pr_err("MODSIGN: Couldn't get UEFI db list\n");
+ pr_err("MODSIGN: Couldn't get UEFI db list: %s\n", efi_status_to_str(status));
} else {
rc = parse_efi_signature_list(db, dbsize, system_trusted_keyring);
if (rc)
@@ -166,9 +167,9 @@ static int __init load_uefi_certs(void)
}
}
- dbx = get_cert_list(L"dbx", &secure_var, &dbxsize);
+ dbx = get_cert_list(L"dbx", &secure_var, &dbxsize, &status);
if (!dbx) {
- pr_info("MODSIGN: Couldn't get UEFI dbx list\n");
+ pr_info("MODSIGN: Couldn't get UEFI dbx list: %s\n", efi_status_to_str(status));
} else {
rc = parse_efi_signature_list(dbx, dbxsize,
system_blacklist_keyring);
@@ -181,9 +182,9 @@ static int __init load_uefi_certs(void)
if (!efi_enabled(EFI_SECURE_BOOT))
return 0;
- mok = get_cert_list(L"MokListRT", &mok_var, &moksize);
+ mok = get_cert_list(L"MokListRT", &mok_var, &moksize, &status);
if (!mok) {
- pr_info("MODSIGN: Couldn't get UEFI MokListRT\n");
+ pr_info("MODSIGN: Couldn't get UEFI MokListRT: %s\n", efi_status_to_str(status));
} else {
rc = parse_efi_signature_list(mok, moksize, system_trusted_keyring);
if (rc)
@@ -191,9 +192,9 @@ static int __init load_uefi_certs(void)
kfree(mok);
}
- mokx = get_cert_list(L"MokListXRT", &mok_var, &mokxsize);
+ mokx = get_cert_list(L"MokListXRT", &mok_var, &mokxsize, &status);
if (!mokx) {
- pr_info("MODSIGN: Couldn't get UEFI MokListXRT\n");
+ pr_info("MODSIGN: Couldn't get UEFI MokListXRT: %s\n", efi_status_to_str(status));
} else {
rc = parse_efi_signature_list(mokx, mokxsize,
system_blacklist_keyring);