From patchwork Tue May 18 09:56:41 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Dimitri John Ledkov X-Patchwork-Id: 1480161 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (no SPF record) smtp.mailfrom=lists.ubuntu.com (client-ip=91.189.94.19; helo=huckleberry.canonical.com; envelope-from=kernel-team-bounces@lists.ubuntu.com; receiver=) Received: from huckleberry.canonical.com (huckleberry.canonical.com [91.189.94.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4Fkry11Pd1z9sXH; Tue, 18 May 2021 19:56:57 +1000 (AEST) Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com) by huckleberry.canonical.com with esmtp (Exim 4.86_2) (envelope-from ) id 1liwT7-0004dN-TX; Tue, 18 May 2021 09:56:53 +0000 Received: from youngberry.canonical.com ([91.189.89.112]) by huckleberry.canonical.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1liwT3-0004bg-38 for kernel-team@lists.ubuntu.com; Tue, 18 May 2021 09:56:49 +0000 Received: from mail-wm1-f70.google.com ([209.85.128.70]) by youngberry.canonical.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.93) (envelope-from ) id 1liwT2-0007rb-Sb for kernel-team@lists.ubuntu.com; Tue, 18 May 2021 09:56:48 +0000 Received: by mail-wm1-f70.google.com with SMTP id o126-20020a1c28840000b0290149b8f27c99so834045wmo.2 for ; Tue, 18 May 2021 02:56:48 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=MSAQSmxHkBDgTj9VOVaXffKyD4F5yLpqlzo12zSanzo=; b=lTz7NP5f4MTPGakmOEZ3scK+wFRMau7eQnKOh4kyq47QyUCyz59gtDh0VHg4JnJ0t6 qrJ9lnC6pkRIrVxlcryb0KI2eY06dbgg4ld3GvggKsSkhIOJ2C1EVpylbLCp/Ftp9S8X bnnuyIJRo/zQTLXVQySwuJ9r5F+1y02rPWY6kUAHzbd/YuVJEBxyWv9yAr3ITr+sYPyd 5TzVZPm5ecv3TGi3bcUVnRcFBLW5vtq7mjxEi704faswfWd6j4F3Pa1Dzqb5Rb5ZCboD tsgk1u55ybQlsVNY6L/8m9Wm2w4P3eiY6Yfpwspp+df2t9kS2QHNXbbxOiuT07uTs9B2 9u8w== X-Gm-Message-State: AOAM533/io05wO0u1rAiRXuPRoElCBOODelvB6tjo/6JKugu6iQvQc6l ftXDRon9gTxgSLom27UYtlCk4J4EouHR1kvesQJAWIGsaAlvMlQV+tiMB8u0qv9zXHh0A/o12yd uHV3T1S5hGnIqWQXPFUR1+WfR6lyTs7h/lYPpT6++Lw== X-Received: by 2002:a1c:4043:: with SMTP id n64mr4602629wma.9.1621331808259; Tue, 18 May 2021 02:56:48 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwNNphSnNogfUBlYzAIbEdFc3d5Rr3qdEGVXwWFnwsFn+uxWPagN4b/6wkDADzDzszwy0PrUw== X-Received: by 2002:a1c:4043:: with SMTP id n64mr4602614wma.9.1621331808002; Tue, 18 May 2021 02:56:48 -0700 (PDT) Received: from localhost ([2a01:4b00:85fd:d700:5e37:8c51:f26a:2ada]) by smtp.gmail.com with ESMTPSA id h14sm2761091wmb.1.2021.05.18.02.56.47 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 18 May 2021 02:56:47 -0700 (PDT) From: Dimitri John Ledkov To: kernel-team@lists.ubuntu.com Subject: [UNSTABLE][PATCH v3 1/2] UBUNTU: SAUCE: integrity: Load mokx certs from the EFI MOK config table Date: Tue, 18 May 2021 10:56:41 +0100 Message-Id: <20210518095642.132998-2-dimitri.ledkov@canonical.com> X-Mailer: git-send-email 2.27.0 In-Reply-To: <20210518095642.132998-1-dimitri.ledkov@canonical.com> References: <20210517131848.61153-1-dimitri.ledkov@canonical.com> <20210518095642.132998-1-dimitri.ledkov@canonical.com> MIME-Version: 1.0 X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.20 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" Refactor load_moklist_certs() to load either MokListRT into db, or MokListXRT into dbx. Call load_moklist_certs() twice - first to load mokx certs into dbx, then mok certs into db. This thus now attempts to load mokx certs via the EFI MOKvar config table first, and if that fails, via the EFI variable. Previously mokx certs were only loaded via the EFI variable. Which fails when MokListXRT is large. Instead of large MokListXRT variable, only MokListXRT{1,2,3} are available which are not loaded. This is the case with Ubuntu's 15.4 based shim. This patch is required to address CVE-2020-26541 when certificates are revoked via MokListXRT. Fixes: ebd9c2ae369a ("integrity: Load mokx variables into the blacklist keyring") BugLink: https://bugs.launchpad.net/bugs/1928679 Signed-off-by: Dimitri John Ledkov --- security/integrity/platform_certs/load_uefi.c | 74 ++++++++++--------- 1 file changed, 40 insertions(+), 34 deletions(-) diff --git a/security/integrity/platform_certs/load_uefi.c b/security/integrity/platform_certs/load_uefi.c index d3e7ae04f5be..b010b4ab5d52 100644 --- a/security/integrity/platform_certs/load_uefi.c +++ b/security/integrity/platform_certs/load_uefi.c @@ -68,17 +68,18 @@ static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid, } /* - * load_moklist_certs() - Load MokList certs + * load_moklist_certs() - Load Mok(X)List certs + * @load_db: Load MokListRT into db when true; MokListXRT into dbx when false * - * Load the certs contained in the UEFI MokListRT database into the - * platform trusted keyring. + * Load the certs contained in the UEFI MokList(X)RT database into the + * platform trusted/denied keyring. * * This routine checks the EFI MOK config table first. If and only if - * that fails, this routine uses the MokListRT ordinary UEFI variable. + * that fails, this routine uses the MokList(X)RT ordinary UEFI variable. * * Return: Status */ -static int __init load_moklist_certs(void) +static int __init load_moklist_certs(const bool load_db) { struct efi_mokvar_table_entry *mokvar_entry; efi_guid_t mok_var = EFI_SHIM_LOCK_GUID; @@ -86,41 +87,55 @@ static int __init load_moklist_certs(void) unsigned long moksize; efi_status_t status; int rc; + const char *mokvar_name = "MokListRT"; + /* Should be const, but get_cert_list() doesn't have it as const yet */ + efi_char16_t *efivar_name = L"MokListRT"; + const char *parse_mokvar_name = "UEFI:MokListRT (MOKvar table)"; + const char *parse_efivar_name = "UEFI:MokListRT"; + efi_element_handler_t (*get_handler_for_guid)(const efi_guid_t *) = get_handler_for_db; + + if (!load_db) { + mokvar_name = "MokListXRT"; + efivar_name = L"MokListXRT"; + parse_mokvar_name = "UEFI:MokListXRT (MOKvar table)"; + parse_efivar_name = "UEFI:MokListXRT"; + get_handler_for_guid = get_handler_for_dbx; + } /* First try to load certs from the EFI MOKvar config table. * It's not an error if the MOKvar config table doesn't exist * or the MokListRT entry is not found in it. */ - mokvar_entry = efi_mokvar_entry_find("MokListRT"); + mokvar_entry = efi_mokvar_entry_find(mokvar_name); if (mokvar_entry) { - rc = parse_efi_signature_list("UEFI:MokListRT (MOKvar table)", + rc = parse_efi_signature_list(parse_mokvar_name, mokvar_entry->data, mokvar_entry->data_size, - get_handler_for_db); + get_handler_for_guid); /* All done if that worked. */ if (!rc) return rc; - pr_err("Couldn't parse MokListRT signatures from EFI MOKvar config table: %d\n", - rc); + pr_err("Couldn't parse %s signatures from EFI MOKvar config table: %d\n", + mokvar_name, rc); } /* Get MokListRT. It might not exist, so it isn't an error * if we can't get it. */ - mok = get_cert_list(L"MokListRT", &mok_var, &moksize, &status); + mok = get_cert_list(efivar_name, &mok_var, &moksize, &status); if (mok) { - rc = parse_efi_signature_list("UEFI:MokListRT", - mok, moksize, get_handler_for_db); + rc = parse_efi_signature_list(parse_efivar_name, + mok, moksize, get_handler_for_guid); kfree(mok); if (rc) - pr_err("Couldn't parse MokListRT signatures: %d\n", rc); + pr_err("Couldn't parse %s signatures: %d\n", mokvar_name, rc); return rc; } if (status == EFI_NOT_FOUND) - pr_debug("MokListRT variable wasn't found\n"); + pr_debug("%s variable wasn't found\n", mokvar_name); else - pr_info("Couldn't get UEFI MokListRT\n"); + pr_info("Couldn't get UEFI %s\n", mokvar_name); return 0; } @@ -134,9 +149,8 @@ static int __init load_moklist_certs(void) static int __init load_uefi_certs(void) { efi_guid_t secure_var = EFI_IMAGE_SECURITY_DATABASE_GUID; - efi_guid_t mok_var = EFI_SHIM_LOCK_GUID; - void *db = NULL, *dbx = NULL, *mokx = NULL; - unsigned long dbsize = 0, dbxsize = 0, mokxsize = 0; + void *db = NULL, *dbx = NULL; + unsigned long dbsize = 0, dbxsize = 0; efi_status_t status; int rc = 0; @@ -178,23 +192,15 @@ static int __init load_uefi_certs(void) kfree(dbx); } - mokx = get_cert_list(L"MokListXRT", &mok_var, &mokxsize, &status); - if (!mokx) { - if (status == EFI_NOT_FOUND) - pr_debug("mokx variable wasn't found\n"); - else - pr_info("Couldn't get mokx list\n"); - } else { - rc = parse_efi_signature_list("UEFI:MokListXRT", - mokx, mokxsize, - get_handler_for_dbx); - if (rc) - pr_err("Couldn't parse mokx signatures %d\n", rc); - kfree(mokx); - } + /* Load the MokListXRT certs */ + rc = load_moklist_certs(false); + if (rc) + pr_err("Couldn't parse mokx signatures: %d\n", rc); /* Load the MokListRT certs */ - rc = load_moklist_certs(); + rc = load_moklist_certs(true); + if (rc) + pr_err("Couldn't parse mok signatures: %d\n", rc); return rc; }