[PATCH 2/2] efi: print appropriate status message when loading certificates

jlee at suse.com jlee at suse.com
Sat Mar 23 02:56:13 UTC 2019


Hi Ard,

On Fri, Mar 22, 2019 at 03:27:46PM +0100, Ard Biesheuvel wrote:
> On Fri, 22 Mar 2019 at 11:34, Lee, Chun-Yi <joeyli.kernel at gmail.com> wrote:
> >
> > When loading certificates list from UEFI variable, the original error
> > message direct shows the efi status code from UEFI firmware. It looks
> > ugly:
> >
> > [    2.335031] Couldn't get size: 0x800000000000000e
> > [    2.335032] Couldn't get UEFI MokListRT
> > [    2.339985] Couldn't get size: 0x800000000000000e
> > [    2.339987] Couldn't get UEFI dbx list
> >
> 
> Why is it an error in the first place if these EFI variables do not exist?
> 

As you said, the error message should only be exposed when
these EFI variables exist. I will change it in next version of
my patch.

Thanks a lot!
Joey Lee

> 
> > So, this patch shows the status string instead of status code.
> >
> > On the other hand, the error message of EFI_NOT_FOUND
> > (0x800000000000000e) doesn't need to be exposed because kernel
> > already prints "Couldn't get UEFI..." message. This patch also
> > filtered out it.
> >
> > Link: https://forums.opensuse.org/showthread.php/535324-MODSIGN-Couldn-t-get-UEFI-db-list?p=2897516#post2897516
> > Cc: James Morris <jmorris at namei.org>
> > Cc: Serge E. Hallyn" <serge at hallyn.com>
> > Cc: David Howells <dhowells at redhat.com>
> > Cc: Nayna Jain <nayna at linux.ibm.com>
> > Cc: Josh Boyer <jwboyer at fedoraproject.org>
> > Cc: Mimi Zohar <zohar at linux.ibm.com>
> > Signed-off-by: "Lee, Chun-Yi" <jlee at suse.com>
> > ---
> >  security/integrity/platform_certs/load_uefi.c | 7 +++++--
> >  1 file changed, 5 insertions(+), 2 deletions(-)
> >
> > diff --git a/security/integrity/platform_certs/load_uefi.c b/security/integrity/platform_certs/load_uefi.c
> > index 81b19c52832b..fe261166621f 100644
> > --- a/security/integrity/platform_certs/load_uefi.c
> > +++ b/security/integrity/platform_certs/load_uefi.c
> > @@ -48,7 +48,9 @@ static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid,
> >
> >         status = efi.get_variable(name, guid, NULL, &lsize, &tmpdb);
> >         if (status != EFI_BUFFER_TOO_SMALL) {
> > -               pr_err("Couldn't get size: 0x%lx\n", status);
> > +               if (status != EFI_NOT_FOUND)
> > +                       pr_err("Couldn't get size: %s\n",
> > +                               efi_status_to_str(status));
> >                 return NULL;
> >         }
> >
> > @@ -59,7 +61,8 @@ static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid,
> >         status = efi.get_variable(name, guid, NULL, &lsize, db);
> >         if (status != EFI_SUCCESS) {
> >                 kfree(db);
> > -               pr_err("Error reading db var: 0x%lx\n", status);
> > +               pr_err("Error reading db var: %s\n",
> > +                       efi_status_to_str(status));
> >                 return NULL;
> >         }
> >
> > --
> > 2.16.4
> >



More information about the Linux-security-module-archive mailing list