[PATCH 9/9] integrity: check properly whether EFI GetVariable() is available
Serge E. Hallyn
serge at hallyn.com
Wed Feb 19 20:46:03 UTC 2020
On Wed, Feb 19, 2020 at 06:19:07PM +0100, Ard Biesheuvel wrote:
> Testing the value of the efi.get_variable function pointer is not
> the right way to establish whether the platform supports EFI
> variables at runtime. Instead, use the newly added granular check
> that can test for the presence of each EFI runtime service
> individually.
>
> Cc: James Morris <jmorris at namei.org>
> Cc: "Serge E. Hallyn" <serge at hallyn.com>
> Cc: linux-security-module at vger.kernel.org
> Signed-off-by: Ard Biesheuvel <ardb at kernel.org>
> ---
> security/integrity/platform_certs/load_uefi.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/security/integrity/platform_certs/load_uefi.c b/security/integrity/platform_certs/load_uefi.c
> index 111898aad56e..e2fe1bd3abb9 100644
> --- a/security/integrity/platform_certs/load_uefi.c
> +++ b/security/integrity/platform_certs/load_uefi.c
> @@ -76,7 +76,7 @@ static int __init load_uefi_certs(void)
> unsigned long dbsize = 0, dbxsize = 0, moksize = 0;
> int rc = 0;
>
> - if (!efi.get_variable)
> + if (!efi_rt_services_supported(EFI_RT_SUPPORTED_GET_VARIABLE))
Sorry, where is this defined?
> return false;
>
> /* Get db, MokListRT, and dbx. They might not exist, so it isn't
> --
> 2.17.1
More information about the Linux-security-module-archive
mailing list