| Message ID | 20200905013107.10457-3-lszubowi@redhat.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | integrity: Load certs from EFI MOK config table | expand |
On Sat, 5 Sep 2020 at 04:31, Lenny Szubowicz <lszubowi@redhat.com> wrote: > > Move the loading of certs from the UEFI MokListRT into a separate > routine to facilitate additional MokList functionality. > > There is no visible functional change as a result of this patch. > Although the UEFI dbx certs are now loaded before the MokList certs, > they are loaded onto different key rings. So the order of the keys > on their respective key rings is the same. > > Signed-off-by: Lenny Szubowicz <lszubowi@redhat.com> Why did you drop Mimi's reviewed-by from this patch? > --- > security/integrity/platform_certs/load_uefi.c | 63 +++++++++++++------ > 1 file changed, 44 insertions(+), 19 deletions(-) > > diff --git a/security/integrity/platform_certs/load_uefi.c b/security/integrity/platform_certs/load_uefi.c > index 253fb9a7fc98..c1c622b4dc78 100644 > --- a/security/integrity/platform_certs/load_uefi.c > +++ b/security/integrity/platform_certs/load_uefi.c > @@ -66,6 +66,43 @@ static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid, > } > > /* > + * load_moklist_certs() - Load MokList certs > + * > + * Load the certs contained in the UEFI MokListRT database into the > + * platform trusted keyring. > + * > + * Return: Status > + */ > +static int __init load_moklist_certs(void) > +{ > + efi_guid_t mok_var = EFI_SHIM_LOCK_GUID; > + void *mok; > + unsigned long moksize; > + efi_status_t status; > + int rc; > + > + /* Get MokListRT. It might not exist, so it isn't an error > + * if we can't get it. > + */ > + mok = get_cert_list(L"MokListRT", &mok_var, &moksize, &status); > + if (mok) { > + rc = parse_efi_signature_list("UEFI:MokListRT", > + mok, moksize, get_handler_for_db); > + kfree(mok); > + if (rc) > + pr_err("Couldn't parse MokListRT signatures: %d\n", rc); > + return rc; > + } > + if (status == EFI_NOT_FOUND) > + pr_debug("MokListRT variable wasn't found\n"); > + else > + pr_info("Couldn't get UEFI MokListRT\n"); > + return 0; > +} > + > +/* > + * load_uefi_certs() - Load certs from UEFI sources > + * > * Load the certs contained in the UEFI databases into the platform trusted > * keyring and the UEFI blacklisted X.509 cert SHA256 hashes into the blacklist > * keyring. > @@ -73,17 +110,16 @@ static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid, > static int __init load_uefi_certs(void) > { > efi_guid_t secure_var = EFI_IMAGE_SECURITY_DATABASE_GUID; > - efi_guid_t mok_var = EFI_SHIM_LOCK_GUID; > - void *db = NULL, *dbx = NULL, *mok = NULL; > - unsigned long dbsize = 0, dbxsize = 0, moksize = 0; > + void *db = NULL, *dbx = NULL; > + unsigned long dbsize = 0, dbxsize = 0; > efi_status_t status; > int rc = 0; > > if (!efi_rt_services_supported(EFI_RT_SUPPORTED_GET_VARIABLE)) > return false; > > - /* Get db, MokListRT, and dbx. They might not exist, so it isn't > - * an error if we can't get them. > + /* Get db and dbx. They might not exist, so it isn't an error > + * if we can't get them. > */ > if (!uefi_check_ignore_db()) { > db = get_cert_list(L"db", &secure_var, &dbsize, &status); > @@ -102,20 +138,6 @@ static int __init load_uefi_certs(void) > } > } > > - mok = get_cert_list(L"MokListRT", &mok_var, &moksize, &status); > - if (!mok) { > - if (status == EFI_NOT_FOUND) > - pr_debug("MokListRT variable wasn't found\n"); > - else > - pr_info("Couldn't get UEFI MokListRT\n"); > - } else { > - rc = parse_efi_signature_list("UEFI:MokListRT", > - mok, moksize, get_handler_for_db); > - if (rc) > - pr_err("Couldn't parse MokListRT signatures: %d\n", rc); > - kfree(mok); > - } > - > dbx = get_cert_list(L"dbx", &secure_var, &dbxsize, &status); > if (!dbx) { > if (status == EFI_NOT_FOUND) > @@ -131,6 +153,9 @@ static int __init load_uefi_certs(void) > kfree(dbx); > } > > + /* Load the MokListRT certs */ > + rc = load_moklist_certs(); > + > return rc; > } > late_initcall(load_uefi_certs); > -- > 2.27.0 >
On 9/11/20 11:02 AM, Ard Biesheuvel wrote: > On Sat, 5 Sep 2020 at 04:31, Lenny Szubowicz <lszubowi@redhat.com> wrote: >> >> Move the loading of certs from the UEFI MokListRT into a separate >> routine to facilitate additional MokList functionality. >> >> There is no visible functional change as a result of this patch. >> Although the UEFI dbx certs are now loaded before the MokList certs, >> they are loaded onto different key rings. So the order of the keys >> on their respective key rings is the same. >> >> Signed-off-by: Lenny Szubowicz <lszubowi@redhat.com> > > Why did you drop Mimi's reviewed-by from this patch? It was not intentional. I was just not aware that I needed to propagate Mimi Zohar's reviewed-by from V1 of the patch to V2. Reviewed-by: Mimi Zohar <zohar@linux.ibm.com> V2 includes changes in that patch to incorporate suggestions from Andy Shevchenko. My assumption was that the maintainer would gather up the reviewed-by and add any signed-off-by as appropriate, but it sounds like my assumption was incorrect. In retrospect, I could see that having the maintainer dig through prior versions of a patch set for prior reviewed-by tags could be burdensome. Advice on the expected handling of this would be appreciated. -Lenny. > >> --- >> security/integrity/platform_certs/load_uefi.c | 63 +++++++++++++------ >> 1 file changed, 44 insertions(+), 19 deletions(-) >> >> diff --git a/security/integrity/platform_certs/load_uefi.c b/security/integrity/platform_certs/load_uefi.c >> index 253fb9a7fc98..c1c622b4dc78 100644 >> --- a/security/integrity/platform_certs/load_uefi.c >> +++ b/security/integrity/platform_certs/load_uefi.c >> @@ -66,6 +66,43 @@ static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid, >> } >> >> /* >> + * load_moklist_certs() - Load MokList certs >> + * >> + * Load the certs contained in the UEFI MokListRT database into the >> + * platform trusted keyring. >> + * >> + * Return: Status >> + */ >> +static int __init load_moklist_certs(void) >> +{ >> + efi_guid_t mok_var = EFI_SHIM_LOCK_GUID; >> + void *mok; >> + unsigned long moksize; >> + efi_status_t status; >> + int rc; >> + >> + /* Get MokListRT. It might not exist, so it isn't an error >> + * if we can't get it. >> + */ >> + mok = get_cert_list(L"MokListRT", &mok_var, &moksize, &status); >> + if (mok) { >> + rc = parse_efi_signature_list("UEFI:MokListRT", >> + mok, moksize, get_handler_for_db); >> + kfree(mok); >> + if (rc) >> + pr_err("Couldn't parse MokListRT signatures: %d\n", rc); >> + return rc; >> + } >> + if (status == EFI_NOT_FOUND) >> + pr_debug("MokListRT variable wasn't found\n"); >> + else >> + pr_info("Couldn't get UEFI MokListRT\n"); >> + return 0; >> +} >> + >> +/* >> + * load_uefi_certs() - Load certs from UEFI sources >> + * >> * Load the certs contained in the UEFI databases into the platform trusted >> * keyring and the UEFI blacklisted X.509 cert SHA256 hashes into the blacklist >> * keyring. >> @@ -73,17 +110,16 @@ static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid, >> static int __init load_uefi_certs(void) >> { >> efi_guid_t secure_var = EFI_IMAGE_SECURITY_DATABASE_GUID; >> - efi_guid_t mok_var = EFI_SHIM_LOCK_GUID; >> - void *db = NULL, *dbx = NULL, *mok = NULL; >> - unsigned long dbsize = 0, dbxsize = 0, moksize = 0; >> + void *db = NULL, *dbx = NULL; >> + unsigned long dbsize = 0, dbxsize = 0; >> efi_status_t status; >> int rc = 0; >> >> if (!efi_rt_services_supported(EFI_RT_SUPPORTED_GET_VARIABLE)) >> return false; >> >> - /* Get db, MokListRT, and dbx. They might not exist, so it isn't >> - * an error if we can't get them. >> + /* Get db and dbx. They might not exist, so it isn't an error >> + * if we can't get them. >> */ >> if (!uefi_check_ignore_db()) { >> db = get_cert_list(L"db", &secure_var, &dbsize, &status); >> @@ -102,20 +138,6 @@ static int __init load_uefi_certs(void) >> } >> } >> >> - mok = get_cert_list(L"MokListRT", &mok_var, &moksize, &status); >> - if (!mok) { >> - if (status == EFI_NOT_FOUND) >> - pr_debug("MokListRT variable wasn't found\n"); >> - else >> - pr_info("Couldn't get UEFI MokListRT\n"); >> - } else { >> - rc = parse_efi_signature_list("UEFI:MokListRT", >> - mok, moksize, get_handler_for_db); >> - if (rc) >> - pr_err("Couldn't parse MokListRT signatures: %d\n", rc); >> - kfree(mok); >> - } >> - >> dbx = get_cert_list(L"dbx", &secure_var, &dbxsize, &status); >> if (!dbx) { >> if (status == EFI_NOT_FOUND) >> @@ -131,6 +153,9 @@ static int __init load_uefi_certs(void) >> kfree(dbx); >> } >> >> + /* Load the MokListRT certs */ >> + rc = load_moklist_certs(); >> + >> return rc; >> } >> late_initcall(load_uefi_certs); >> -- >> 2.27.0 >> >
On Fri, 2020-09-11 at 11:54 -0400, Lenny Szubowicz wrote: > On 9/11/20 11:02 AM, Ard Biesheuvel wrote: > > On Sat, 5 Sep 2020 at 04:31, Lenny Szubowicz <lszubowi@redhat.com> wrote: > >> > >> Move the loading of certs from the UEFI MokListRT into a separate > >> routine to facilitate additional MokList functionality. > >> > >> There is no visible functional change as a result of this patch. > >> Although the UEFI dbx certs are now loaded before the MokList certs, > >> they are loaded onto different key rings. So the order of the keys > >> on their respective key rings is the same. > >> > >> Signed-off-by: Lenny Szubowicz <lszubowi@redhat.com> > > > > Why did you drop Mimi's reviewed-by from this patch? > > It was not intentional. I was just not aware that I needed to propagate > Mimi Zohar's reviewed-by from V1 of the patch to V2. > > Reviewed-by: Mimi Zohar <zohar@linux.ibm.com> > > V2 includes changes in that patch to incorporate suggestions from > Andy Shevchenko. My assumption was that the maintainer would > gather up the reviewed-by and add any signed-off-by as appropriate, > but it sounds like my assumption was incorrect. In retrospect, I > could see that having the maintainer dig through prior versions > of a patch set for prior reviewed-by tags could be burdensome. As much as possible moving code should be done without making changes, simpler for code review. Then as a separate patch you make changes. That way you could also have retained my Reviewed-by. Mimi > > Advice on the expected handling of this would be appreciated.
On 9/11/20 11:59 AM, Mimi Zohar wrote: > On Fri, 2020-09-11 at 11:54 -0400, Lenny Szubowicz wrote: >> On 9/11/20 11:02 AM, Ard Biesheuvel wrote: >>> On Sat, 5 Sep 2020 at 04:31, Lenny Szubowicz <lszubowi@redhat.com> wrote: >>>> >>>> Move the loading of certs from the UEFI MokListRT into a separate >>>> routine to facilitate additional MokList functionality. >>>> >>>> There is no visible functional change as a result of this patch. >>>> Although the UEFI dbx certs are now loaded before the MokList certs, >>>> they are loaded onto different key rings. So the order of the keys >>>> on their respective key rings is the same. >>>> >>>> Signed-off-by: Lenny Szubowicz <lszubowi@redhat.com> >>> >>> Why did you drop Mimi's reviewed-by from this patch? >> >> It was not intentional. I was just not aware that I needed to propagate >> Mimi Zohar's reviewed-by from V1 of the patch to V2. >> >> Reviewed-by: Mimi Zohar <zohar@linux.ibm.com> >> >> V2 includes changes in that patch to incorporate suggestions from >> Andy Shevchenko. My assumption was that the maintainer would >> gather up the reviewed-by and add any signed-off-by as appropriate, >> but it sounds like my assumption was incorrect. In retrospect, I >> could see that having the maintainer dig through prior versions >> of a patch set for prior reviewed-by tags could be burdensome. > > As much as possible moving code should be done without making changes, > simpler for code review. Then as a separate patch you make changes. > That way you could also have retained my Reviewed-by. > > Mimi If you or Ard think I should, I can do a V3 with: Patch V3 01: Unchanged from V2 Patch V3 02: Goes back to V1 of patch 02 that Mimi reviewed Patch V3 03: New. Has Andy's cleanup suggestions separated from patch 02 Patch V3 04: This would most probably just be the V2 of patch 03 with no changes -Lenny. > >> >> Advice on the expected handling of this would be appreciated. > >
On Fri, 11 Sep 2020 at 20:18, Lenny Szubowicz <lszubowi@redhat.com> wrote: > > On 9/11/20 11:59 AM, Mimi Zohar wrote: > > On Fri, 2020-09-11 at 11:54 -0400, Lenny Szubowicz wrote: > >> On 9/11/20 11:02 AM, Ard Biesheuvel wrote: > >>> On Sat, 5 Sep 2020 at 04:31, Lenny Szubowicz <lszubowi@redhat.com> wrote: > >>>> > >>>> Move the loading of certs from the UEFI MokListRT into a separate > >>>> routine to facilitate additional MokList functionality. > >>>> > >>>> There is no visible functional change as a result of this patch. > >>>> Although the UEFI dbx certs are now loaded before the MokList certs, > >>>> they are loaded onto different key rings. So the order of the keys > >>>> on their respective key rings is the same. > >>>> > >>>> Signed-off-by: Lenny Szubowicz <lszubowi@redhat.com> > >>> > >>> Why did you drop Mimi's reviewed-by from this patch? > >> > >> It was not intentional. I was just not aware that I needed to propagate > >> Mimi Zohar's reviewed-by from V1 of the patch to V2. > >> > >> Reviewed-by: Mimi Zohar <zohar@linux.ibm.com> > >> > >> V2 includes changes in that patch to incorporate suggestions from > >> Andy Shevchenko. My assumption was that the maintainer would > >> gather up the reviewed-by and add any signed-off-by as appropriate, > >> but it sounds like my assumption was incorrect. In retrospect, I > >> could see that having the maintainer dig through prior versions > >> of a patch set for prior reviewed-by tags could be burdensome. > > > > As much as possible moving code should be done without making changes, > > simpler for code review. Then as a separate patch you make changes. > > That way you could also have retained my Reviewed-by. > > > > Mimi > > If you or Ard think I should, I can do a V3 with: > > Patch V3 01: Unchanged from V2 > Patch V3 02: Goes back to V1 of patch 02 that Mimi reviewed > Patch V3 03: New. Has Andy's cleanup suggestions separated from patch 02 > Patch V3 04: This would most probably just be the V2 of patch 03 with no changes > I think we can just merge the patches as they are, with Mimi's R-b carried over.
On Fri, 2020-09-11 at 21:16 +0300, Ard Biesheuvel wrote:
> I think we can just merge the patches as they are, with Mimi's R-b carried over.
Other than the comments beginning on the "/*" line as opposed to the
subsequent line, the updated 2/2 and 3/3 patches look fine.
thanks,
Mimi
On 9/11/20 3:08 PM, Mimi Zohar wrote: > On Fri, 2020-09-11 at 21:16 +0300, Ard Biesheuvel wrote: >> I think we can just merge the patches as they are, with Mimi's R-b carried over. > > Other than the comments beginning on the "/*" line as opposed to the > subsequent line, the updated 2/2 and 3/3 patches look fine. > > thanks, > > Mimi > I also prefer the block comment style that you are suggesting. However, I kept to the style used by the load_uefi.c source file. If checkpatch.pl considers it acceptable, I deferred to consistency within the source module. -Lenny.
diff --git a/security/integrity/platform_certs/load_uefi.c b/security/integrity/platform_certs/load_uefi.c index 253fb9a7fc98..c1c622b4dc78 100644 --- a/security/integrity/platform_certs/load_uefi.c +++ b/security/integrity/platform_certs/load_uefi.c @@ -66,6 +66,43 @@ static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid, } /* + * load_moklist_certs() - Load MokList certs + * + * Load the certs contained in the UEFI MokListRT database into the + * platform trusted keyring. + * + * Return: Status + */ +static int __init load_moklist_certs(void) +{ + efi_guid_t mok_var = EFI_SHIM_LOCK_GUID; + void *mok; + unsigned long moksize; + efi_status_t status; + int rc; + + /* Get MokListRT. It might not exist, so it isn't an error + * if we can't get it. + */ + mok = get_cert_list(L"MokListRT", &mok_var, &moksize, &status); + if (mok) { + rc = parse_efi_signature_list("UEFI:MokListRT", + mok, moksize, get_handler_for_db); + kfree(mok); + if (rc) + pr_err("Couldn't parse MokListRT signatures: %d\n", rc); + return rc; + } + if (status == EFI_NOT_FOUND) + pr_debug("MokListRT variable wasn't found\n"); + else + pr_info("Couldn't get UEFI MokListRT\n"); + return 0; +} + +/* + * load_uefi_certs() - Load certs from UEFI sources + * * Load the certs contained in the UEFI databases into the platform trusted * keyring and the UEFI blacklisted X.509 cert SHA256 hashes into the blacklist * keyring. @@ -73,17 +110,16 @@ static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid, static int __init load_uefi_certs(void) { efi_guid_t secure_var = EFI_IMAGE_SECURITY_DATABASE_GUID; - efi_guid_t mok_var = EFI_SHIM_LOCK_GUID; - void *db = NULL, *dbx = NULL, *mok = NULL; - unsigned long dbsize = 0, dbxsize = 0, moksize = 0; + void *db = NULL, *dbx = NULL; + unsigned long dbsize = 0, dbxsize = 0; efi_status_t status; int rc = 0; if (!efi_rt_services_supported(EFI_RT_SUPPORTED_GET_VARIABLE)) return false; - /* Get db, MokListRT, and dbx. They might not exist, so it isn't - * an error if we can't get them. + /* Get db and dbx. They might not exist, so it isn't an error + * if we can't get them. */ if (!uefi_check_ignore_db()) { db = get_cert_list(L"db", &secure_var, &dbsize, &status); @@ -102,20 +138,6 @@ static int __init load_uefi_certs(void) } } - mok = get_cert_list(L"MokListRT", &mok_var, &moksize, &status); - if (!mok) { - if (status == EFI_NOT_FOUND) - pr_debug("MokListRT variable wasn't found\n"); - else - pr_info("Couldn't get UEFI MokListRT\n"); - } else { - rc = parse_efi_signature_list("UEFI:MokListRT", - mok, moksize, get_handler_for_db); - if (rc) - pr_err("Couldn't parse MokListRT signatures: %d\n", rc); - kfree(mok); - } - dbx = get_cert_list(L"dbx", &secure_var, &dbxsize, &status); if (!dbx) { if (status == EFI_NOT_FOUND) @@ -131,6 +153,9 @@ static int __init load_uefi_certs(void) kfree(dbx); } + /* Load the MokListRT certs */ + rc = load_moklist_certs(); + return rc; } late_initcall(load_uefi_certs);
Move the loading of certs from the UEFI MokListRT into a separate routine to facilitate additional MokList functionality. There is no visible functional change as a result of this patch. Although the UEFI dbx certs are now loaded before the MokList certs, they are loaded onto different key rings. So the order of the keys on their respective key rings is the same. Signed-off-by: Lenny Szubowicz <lszubowi@redhat.com> --- security/integrity/platform_certs/load_uefi.c | 63 +++++++++++++------ 1 file changed, 44 insertions(+), 19 deletions(-)