[PATCH V2 0/3] integrity: Load certs from EFI MOK config table
Ard Biesheuvel
ardb at kernel.org
Fri Sep 11 15:17:28 UTC 2020
On Sat, 5 Sep 2020 at 04:31, Lenny Szubowicz <lszubowi at redhat.com> wrote:
>
> Because of system-specific EFI firmware limitations, EFI volatile
> variables may not be capable of holding the required contents of
> the Machine Owner Key (MOK) certificate store when the certificate
> list grows above some size. Therefore, an EFI boot loader may pass
> the MOK certs via a EFI configuration table created specifically for
> this purpose to avoid this firmware limitation.
>
> An EFI configuration table is a simpler and more robust mechanism
> compared to EFI variables and is well suited for one-way passage
> of static information from a pre-OS environment to the kernel.
>
> Entries in the MOK variable configuration table are named key/value
> pairs. Therefore the shim boot loader can create a MokListRT named
> entry in the MOK configuration table that contains exactly the same
> data as the MokListRT UEFI variable does or would otherwise contain.
> As such, the kernel can load certs from the data in the MokListRT
> configuration table entry data in the same way that it loads certs
> from the data returned by the EFI GetVariable() runtime call for the
> MokListRT variable.
>
> This patch set does not remove the support for loading certs from the
> EFI MOK variables into the platform key ring. However, if both the EFI
> MOK configuration table and corresponding EFI MOK variables are present,
> the MOK table is used as the source of MOK certs.
>
> The contents of the individual named MOK config table entries are
> made available to user space as individual sysfs binary files,
> which are read-only to root, under:
>
> /sys/firmware/efi/mok-variables/
>
> This enables an updated mokutil to provide support for:
>
> mokutil --list-enrolled
>
> such that it can provide accurate information regardless of whether
> the MOK configuration table or MOK EFI variables were the source
> for certs. Note that all modifications of MOK related state are still
> initiated by mokutil via EFI variables.
>
> V2: Incorporate feedback from V1
> Patch 01: efi: Support for MOK variable config table
> - Minor update to change log; no code changes
> Patch 02: integrity: Move import of MokListRT certs to a separate routine
> - Clean up code flow in code moved to load_moklist_certs()
> - Remove some unnecessary initialization of variables
> Patch 03: integrity: Load certs from the EFI MOK config table
> - Update required due to changes in patch 02.
> - Remove unnecessary init of mokvar_entry in load_moklist_certs()
>
> V1:
> https://lore.kernel.org/lkml/20200826034455.28707-1-lszubowi@redhat.com/
>
> Lenny Szubowicz (3):
> efi: Support for MOK variable config table
> integrity: Move import of MokListRT certs to a separate routine
> integrity: Load certs from the EFI MOK config table
>
> arch/x86/kernel/setup.c | 1 +
> arch/x86/platform/efi/efi.c | 3 +
> drivers/firmware/efi/Makefile | 1 +
> drivers/firmware/efi/arm-init.c | 1 +
> drivers/firmware/efi/efi.c | 6 +
> drivers/firmware/efi/mokvar-table.c | 360 ++++++++++++++++++
> include/linux/efi.h | 34 ++
> security/integrity/platform_certs/load_uefi.c | 85 ++++-
> 8 files changed, 472 insertions(+), 19 deletions(-)
> create mode 100644 drivers/firmware/efi/mokvar-table.c
>
Thanks. I have tentatively queued these up in efi/next.
Mimi, please let me know if you have any thoughts on 3/3, and whether
your R-b on 2/3 [v1] implies that you are ok with the series going
through the EFI tree.
--
Ard.
More information about the Linux-security-module-archive
mailing list