From patchwork Tue Nov 30 11:04:08 2021
X-Patchwork-Submitter: Dimitri John Ledkov
X-Patchwork-Id: 1561560
From: Dimitri John Ledkov
To: kernel-team@lists.ubuntu.com
Subject: [SRU][BIONIC][PATCH 08/16] integrity: Load certs from the EFI MOK config table
Date: Tue, 30 Nov 2021 11:04:08 +0000
Message-Id: <20211130110416.171269-9-dimitri.ledkov@canonical.com>
In-Reply-To: <20211130110416.171269-1-dimitri.ledkov@canonical.com>
References: <20211130110416.171269-1-dimitri.ledkov@canonical.com>

From: Lenny Szubowicz

BugLink: https://bugs.launchpad.net/bugs/1932029

Because of system-specific EFI firmware limitations, EFI volatile
variables may not be capable of holding the required contents of
the Machine Owner Key (MOK) certificate store when the certificate
list grows above some size. Therefore, an EFI boot loader may pass
the MOK certs via an EFI configuration table created specifically for
this purpose to avoid this firmware limitation.

An EFI configuration table is a much more primitive mechanism
compared to EFI variables and is well suited for one-way passage
of static information from a pre-OS environment to the kernel.

This patch adds the support to load certs from the MokListRT
entry in the MOK variable configuration table, if it's present.
The pre-existing support to load certs from the MokListRT EFI
variable remains and is used if the EFI MOK configuration table
isn't present or can't be successfully used.

Signed-off-by: Lenny Szubowicz
Link: https://lore.kernel.org/r/20200905013107.10457-4-lszubowi@redhat.com
Signed-off-by: Ard Biesheuvel
(cherry picked from commit 726bd8965a5f112d9601f7ce68effa1e46e02bf2)
Signed-off-by: Dimitri John Ledkov --- certs/load_uefi.c | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/certs/load_uefi.c b/certs/load_uefi.c index 895c085155..6f51c48be9 100644 --- a/certs/load_uefi.c +++ b/certs/load_uefi.c @@ -149,15 +149,37 @@ static __init efi_element_handler_t get_handler_for_dbx(const efi_guid_t *sig_ty * Load the certs contained in the UEFI MokListRT database into the * platform trusted keyring. * + * This routine checks the EFI MOK config table first. If and only if + * that fails, this routine uses the MokListRT ordinary UEFI variable. + * * Return: Status */ static int __init load_moklist_certs(void) { + struct efi_mokvar_table_entry *mokvar_entry; efi_guid_t mok_var = EFI_SHIM_LOCK_GUID; void *mok; unsigned long moksize; int rc; + /* First try to load certs from the EFI MOKvar config table. + * It's not an error if the MOKvar config table doesn't exist + * or the MokListRT entry is not found in it. + */ + mokvar_entry = efi_mokvar_entry_find("MokListRT"); + if (mokvar_entry) { + rc = parse_efi_signature_list("UEFI:MokListRT (MOKvar table)", + mokvar_entry->data, + mokvar_entry->data_size, + get_handler_for_db); + /* All done if that worked. */ + if (!rc) + return rc; + + pr_err("Couldn't parse MokListRT signatures from EFI MOKvar config table: %d\n", + rc); + } + /* Get MokListRT. It might not exist, so it isn't an error * if we can't get it. */
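Review bot: falling through to the MokListRT EFI variable after parse_efi_signature_list() fails on the MOKvar table entry leaves whatever get_handler_for_db's handler already accepted from the partially parsed table in the platform keyring, and the variable path then loads its own copy of the list on top of it; if that is intended, say so in the comment above the fallback ("Get MokListRT. It might not exist, so it isn't an error if we can't get it.") so the two sources are not assumed to be mutually exclusive, and consider whether a table that was present but unparseable should fall back at all rather than only log pr_err(). The new header comment also says the ordinary variable is used "If and only if that fails", but the table simply being absent (mokvar_entry == NULL) takes the variable path too, so "if the table is absent or cannot be parsed" would describe the code accurately. Separately, neither efi_mokvar_entry_find() nor struct efi_mokvar_table_entry is introduced in this hunk, so the Bionic SRU must carry the prerequisite patches from the upstream series this commit was cherry-picked from, in order, for this file to build.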