[PATCH 9/9] integrity: check properly whether EFI GetVariable() is available
Serge E. Hallyn
serge at hallyn.com
Thu Feb 20 03:19:53 UTC 2020
On Wed, Feb 19, 2020 at 10:00:11PM +0100, Ard Biesheuvel wrote:
> On Wed, 19 Feb 2020 at 21:46, Serge E. Hallyn <serge at hallyn.com> wrote:
> >
> > On Wed, Feb 19, 2020 at 06:19:07PM +0100, Ard Biesheuvel wrote:
> > > Testing the value of the efi.get_variable function pointer is not
> > > the right way to establish whether the platform supports EFI
> > > variables at runtime. Instead, use the newly added granular check
> > > that can test for the presence of each EFI runtime service
> > > individually.
> > >
> > > Cc: James Morris <jmorris at namei.org>
> > > Cc: "Serge E. Hallyn" <serge at hallyn.com>
> > > Cc: linux-security-module at vger.kernel.org
> > > Signed-off-by: Ard Biesheuvel <ardb at kernel.org>
> > > ---
> > > security/integrity/platform_certs/load_uefi.c | 2 +-
> > > 1 file changed, 1 insertion(+), 1 deletion(-)
> > >
> > > diff --git a/security/integrity/platform_certs/load_uefi.c b/security/integrity/platform_certs/load_uefi.c
> > > index 111898aad56e..e2fe1bd3abb9 100644
> > > --- a/security/integrity/platform_certs/load_uefi.c
> > > +++ b/security/integrity/platform_certs/load_uefi.c
> > > @@ -76,7 +76,7 @@ static int __init load_uefi_certs(void)
> > > unsigned long dbsize = 0, dbxsize = 0, moksize = 0;
> > > int rc = 0;
> > >
> > > - if (!efi.get_variable)
> > > + if (!efi_rt_services_supported(EFI_RT_SUPPORTED_GET_VARIABLE))
> >
> > Sorry, where is this defined?
> >
>
> Apologies, I failed to cc everyone on the whole series.
>
> It is defined in the first patch.
>
> https://lore.kernel.org/linux-efi/20200219171907.11894-1-ardb@kernel.org/
Gotcha, thanks, I shoulda get-lore-mbox'ed it :)
Acked-by: Serge Hallyn <serge at hallyn.com>
thanks,
-serge
More information about the Linux-security-module-archive
mailing list