From: Lee, Chun-Yi <jlee@suse.com>
Date: Wed, 27 May 2015 10:14:23 -0400
Subject: MODSIGN: loading keys from db when SecureBoot disabled
Patch-mainline: Not yet, waiting Matthew Garrett's BSD-style securelevel
References: bnc#929696, fate#314574, bsc#856382
Target: SLE-12
Due to db/dbx are authenticated variables, that means it need manufacturer's
KEK for updating. It should be secure even SecureBoot disabled, kernel can
load db/dbx.
This change allows manufacturer to sign driver that will not taint kernel when
SecureBoot disabled.
v2:
Joerg Roedel <jroedel@suse.de>
The load_uefi_certs() function tries to call the EFI runtime
services, but only checks for EFI_BOOT before doing so. This
causes a crash when EFI_RUNTIME_SERVICES are not available.
Signed-off-by: Joerg Roedel <jroedel@suse.de>
Signed-off-by: Lee, Chun-Yi <jlee@suse.com>
---
kernel/modsign_uefi.c | 27 +++++++++++++++------------
1 file changed, 15 insertions(+), 12 deletions(-)
--- a/kernel/modsign_uefi.c
+++ b/kernel/modsign_uefi.c
@@ -145,8 +145,7 @@ static int __init load_uefi_certs(void)
unsigned long dbsize = 0, dbxsize = 0, moksize = 0, mokxsize = 0;
int ignore_db, rc = 0;
- /* Check if SB is enabled and just return if not */
- if (!efi_enabled(EFI_SECURE_BOOT))
+ if (!efi_enabled(EFI_RUNTIME_SERVICES))
return 0;
/* See if the user has setup Ignore DB mode */
@@ -167,16 +166,6 @@ static int __init load_uefi_certs(void)
}
}
- mok = get_cert_list(L"MokListRT", &mok_var, &moksize);
- if (!mok) {
- pr_info("MODSIGN: Couldn't get UEFI MokListRT\n");
- } else {
- rc = parse_efi_signature_list(mok, moksize, system_trusted_keyring);
- if (rc)
- pr_err("Couldn't parse MokListRT signatures: %d\n", rc);
- kfree(mok);
- }
-
dbx = get_cert_list(L"dbx", &secure_var, &dbxsize);
if (!dbx) {
pr_info("MODSIGN: Couldn't get UEFI dbx list\n");
@@ -188,6 +177,20 @@ static int __init load_uefi_certs(void)
kfree(dbx);
}
+ /* Check if SB is enabled and just return if not */
+ if (!efi_enabled(EFI_SECURE_BOOT))
+ return 0;
+
+ mok = get_cert_list(L"MokListRT", &mok_var, &moksize);
+ if (!mok) {
+ pr_info("MODSIGN: Couldn't get UEFI MokListRT\n");
+ } else {
+ rc = parse_efi_signature_list(mok, moksize, system_trusted_keyring);
+ if (rc)
+ pr_err("Couldn't parse MokListRT signatures: %d\n", rc);
+ kfree(mok);
+ }
+
mokx = get_cert_list(L"MokListXRT", &mok_var, &mokxsize);
if (!mokx) {
pr_info("MODSIGN: Couldn't get UEFI MokListXRT\n");