[PATCH v2] efi: Only print errors about failing to get certs if EFI vars are found
Javier Martinez Canillas
javierm at redhat.com
Mon Dec 16 09:44:53 UTC 2019
On 11/19/19 4:40 PM, Hans de Goede wrote:
> Hi,
>
> On 19-11-2019 12:50, Javier Martinez Canillas wrote:
>> If CONFIG_LOAD_UEFI_KEYS is enabled, the kernel attempts to load the certs
>> from the db, dbx and MokListRT EFI variables into the appropriate keyrings.
>>
>> But it just assumes that the variables will be present and prints an error
>> if the certs can't be loaded, even when is possible that the variables may
>> not exist. For example the MokListRT variable will only be present if shim
>> is used.
>>
>> So only print an error message about failing to get the certs list from an
>> EFI variable if this is found. Otherwise these printed errors just pollute
>> the kernel ring buffer with confusing messages like the following:
>>
>> [ 5.427251] Couldn't get size: 0x800000000000000e
>> [ 5.427261] MODSIGN: Couldn't get UEFI db list
>> [ 5.428012] Couldn't get size: 0x800000000000000e
>> [ 5.428023] Couldn't get UEFI MokListRT
>>
>> Reported-by: Hans de Goede <hdegoede at redhat.com>
>> Signed-off-by: Javier Martinez Canillas <javierm at redhat.com>
>>
>> ---
>> Hans,
>>
>> I'll really appreciate if you can test this patch. I just built tested it
>> because I don't have access to a machine to reproduce the issue right now.
>
> Ok, I've given this a test-run just now, works as advertised for me:
>
> Tested-by: Hans de Goede <hdegoede at redhat.com>
>
Thanks a lot for testing Hans.
James and Mimi,
Anything else that's needed for this patch to be picked?
> Regards,
>
> Hans
>
Best regards,
--
Javier Martinez Canillas
Software Engineer - Desktop Hardware Enablement
Red Hat
More information about the Linux-security-module-archive
mailing list