kernel / kernel-source

Clone
Source Code
GIT

Files

  1.   6f01e8cfb4a016c4c2f3182bf84155a030cbcadf
  2.   patches.suse
  3.   MODSIGN-loading-keys-from-db-when-SecureBoot-disabled.patch
Blob Blame History Raw 
From: Lee, Chun-Yi <jlee@suse.com>
Date: Wed, 27 May 2015 10:14:23 -0400
Subject: MODSIGN: loading keys from db when SecureBoot disabled

Patch-mainline: Not yet, waiting Matthew Garrett's BSD-style securelevel
References: bnc#929696, fate#314574, bsc#856382
Target: SLE-12

Due to db/dbx are authenticated variables, that means it need manufacturer's
KEK for updating. It should be secure even SecureBoot disabled, kernel can
load db/dbx.

This change allows manufacturer to sign driver that will not taint kernel when
SecureBoot disabled.

v2:
Joerg Roedel <jroedel@suse.de>
The load_uefi_certs() function tries to call the EFI runtime
services, but only checks for EFI_BOOT before doing so. This
causes a crash when EFI_RUNTIME_SERVICES are not available.

Signed-off-by: Joerg Roedel <jroedel@suse.de>
Signed-off-by: Lee, Chun-Yi <jlee@suse.com>

---
 kernel/modsign_uefi.c |   27 +++++++++++++++------------
 1 file changed, 15 insertions(+), 12 deletions(-)

--- a/kernel/modsign_uefi.c
+++ b/kernel/modsign_uefi.c
@@ -145,8 +145,7 @@ static int __init load_uefi_certs(void)
 	unsigned long dbsize = 0, dbxsize = 0, moksize = 0, mokxsize = 0;
 	int ignore_db, rc = 0;
 
-	/* Check if SB is enabled and just return if not */
-	if (!efi_enabled(EFI_SECURE_BOOT))
+	if (!efi_enabled(EFI_RUNTIME_SERVICES))
 		return 0;
 
 	/* See if the user has setup Ignore DB mode */
@@ -167,16 +166,6 @@ static int __init load_uefi_certs(void)
 		}
 	}
 
-	mok = get_cert_list(L"MokListRT", &mok_var, &moksize);
-	if (!mok) {
-		pr_info("MODSIGN: Couldn't get UEFI MokListRT\n");
-	} else {
-		rc = parse_efi_signature_list(mok, moksize, system_trusted_keyring);
-		if (rc)
-			pr_err("Couldn't parse MokListRT signatures: %d\n", rc);
-		kfree(mok);
-	}
-
 	dbx = get_cert_list(L"dbx", &secure_var, &dbxsize);
 	if (!dbx) {
 		pr_info("MODSIGN: Couldn't get UEFI dbx list\n");
@@ -188,6 +177,20 @@ static int __init load_uefi_certs(void)
 		kfree(dbx);
 	}
 
+	/* Check if SB is enabled and just return if not */
+	if (!efi_enabled(EFI_SECURE_BOOT))
+		return 0;
+
+	mok = get_cert_list(L"MokListRT", &mok_var, &moksize);
+	if (!mok) {
+		pr_info("MODSIGN: Couldn't get UEFI MokListRT\n");
+	} else {
+		rc = parse_efi_signature_list(mok, moksize, system_trusted_keyring);
+		if (rc)
+			pr_err("Couldn't parse MokListRT signatures: %d\n", rc);
+		kfree(mok);
+	}
+
 	mokx = get_cert_list(L"MokListXRT", &mok_var, &mokxsize);
 	if (!mokx) {
 		pr_info("MODSIGN: Couldn't get UEFI MokListXRT\n");
Powered by Pagure 5.13.3
DocumentationAbout this InstanceSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.