60 lines
1.8 KiB
Diff
60 lines
1.8 KiB
Diff
Origin: https://lore.kernel.org/patchwork/cover/933178/
|
|
From: "Lee, Chun-Yi" <joeyli.kernel@gmail.com>
|
|
Subject: [PATCH 1/5] MODSIGN: do not load mok when secure boot disabled
|
|
|
|
The mok can not be trusted when the secure boot is disabled. Which
|
|
means that the kernel embedded certificate is the only trusted key.
|
|
|
|
Due to db/dbx are authenticated variables, they needs manufacturer's
|
|
KEK for update. So db/dbx are secure when secureboot disabled.
|
|
|
|
Signed-off-by: "Lee, Chun-Yi" <jlee@suse.com>
|
|
---
|
|
certs/load_uefi.c | 26 +++++++++++++++-----------
|
|
1 file changed, 15 insertions(+), 11 deletions(-)
|
|
|
|
diff --git a/certs/load_uefi.c b/certs/load_uefi.c
|
|
index 3d88459..d6de4d0 100644
|
|
--- a/certs/load_uefi.c
|
|
+++ b/certs/load_uefi.c
|
|
@@ -171,17 +171,6 @@
|
|
}
|
|
}
|
|
|
|
- rc = get_cert_list(L"MokListRT", &mok_var, &moksize, &mok);
|
|
- if (rc < 0) {
|
|
- pr_info("MODSIGN: Couldn't get UEFI MokListRT\n");
|
|
- } else if (moksize != 0) {
|
|
- rc = parse_efi_signature_list("UEFI:MokListRT",
|
|
- mok, moksize, get_handler_for_db);
|
|
- if (rc)
|
|
- pr_err("Couldn't parse MokListRT signatures: %d\n", rc);
|
|
- kfree(mok);
|
|
- }
|
|
-
|
|
rc = get_cert_list(L"dbx", &secure_var, &dbxsize, &dbx);
|
|
if (rc < 0) {
|
|
pr_info("MODSIGN: Couldn't get UEFI dbx list\n");
|
|
@@ -194,6 +183,21 @@
|
|
kfree(dbx);
|
|
}
|
|
|
|
+ /* the MOK can not be trusted when secure boot is disabled */
|
|
+ if (!efi_enabled(EFI_SECURE_BOOT))
|
|
+ return 0;
|
|
+
|
|
+ rc = get_cert_list(L"MokListRT", &mok_var, &moksize, &mok);
|
|
+ if (rc < 0) {
|
|
+ pr_info("MODSIGN: Couldn't get UEFI MokListRT\n");
|
|
+ } else if (moksize != 0) {
|
|
+ rc = parse_efi_signature_list("UEFI:MokListRT",
|
|
+ mok, moksize, get_handler_for_db);
|
|
+ if (rc)
|
|
+ pr_err("Couldn't parse MokListRT signatures: %d\n", rc);
|
|
+ kfree(mok);
|
|
+ }
|
|
+
|
|
return rc;
|
|
}
|
|
late_initcall(load_uefi_certs);
|