[PATCH v2] efi: Only print errors about failing to get certs if EFI vars are found

Javier Martinez Canillas javierm at redhat.com
Mon Dec 16 09:44:53 UTC 2019


On 11/19/19 4:40 PM, Hans de Goede wrote:
> Hi,
> 
> On 19-11-2019 12:50, Javier Martinez Canillas wrote:
>> If CONFIG_LOAD_UEFI_KEYS is enabled, the kernel attempts to load the certs
>> from the db, dbx and MokListRT EFI variables into the appropriate keyrings.
>>
>> But it just assumes that the variables will be present and prints an error
>> if the certs can't be loaded, even when is possible that the variables may
>> not exist. For example the MokListRT variable will only be present if shim
>> is used.
>>
>> So only print an error message about failing to get the certs list from an
>> EFI variable if this is found. Otherwise these printed errors just pollute
>> the kernel ring buffer with confusing messages like the following:
>>
>> [    5.427251] Couldn't get size: 0x800000000000000e
>> [    5.427261] MODSIGN: Couldn't get UEFI db list
>> [    5.428012] Couldn't get size: 0x800000000000000e
>> [    5.428023] Couldn't get UEFI MokListRT
>>
>> Reported-by: Hans de Goede <hdegoede at redhat.com>
>> Signed-off-by: Javier Martinez Canillas <javierm at redhat.com>
>>
>> ---
>> Hans,
>>
>> I'll really appreciate if you can test this patch. I just built tested it
>> because I don't have access to a machine to reproduce the issue right now.
> 
> Ok, I've given this a test-run just now, works as advertised for me:
> 
> Tested-by: Hans de Goede <hdegoede at redhat.com>
>

Thanks a lot for testing Hans.

James and Mimi,

Anything else that's needed for this patch to be picked?
 
> Regards,
> 
> Hans
> 
Best regards,
-- 
Javier Martinez Canillas
Software Engineer - Desktop Hardware Enablement
Red Hat



More information about the Linux-security-module-archive mailing list