[PATCH v6 12/13] integrity: Trust MOK keys if MokListTrustedRT found
Eric Snowberg
eric.snowberg at oracle.com
Fri Sep 17 16:06:56 UTC 2021
> On Sep 17, 2021, at 9:03 AM, Peter Jones <pjones at redhat.com> wrote:
>
> On Thu, Sep 16, 2021 at 08:00:54PM -0600, Eric Snowberg wrote:
>>
>>> On Sep 16, 2021, at 4:19 PM, Peter Jones <pjones at redhat.com> wrote:
>>>
>>> On Tue, Sep 14, 2021 at 05:14:15PM -0400, Eric Snowberg wrote:
>>>> +/*
>>>> + * Try to load the MokListTrustedRT UEFI variable to see if we should trust
>>>> + * the mok keys within the kernel. It is not an error if this variable
>>>> + * does not exist. If it does not exist, mok keys should not be trusted
>>>> + * within the machine keyring.
>>>> + */
>>>> +static __init bool uefi_check_trust_mok_keys(void)
>>>> +{
>>>> + efi_status_t status;
>>>> + unsigned int mtrust = 0;
>>>> + unsigned long size = sizeof(mtrust);
>>>> + efi_guid_t guid = EFI_SHIM_LOCK_GUID;
>>>> + u32 attr;
>>>> +
>>>> + status = efi.get_variable(L"MokListTrustedRT", &guid, &attr, &size, &mtrust);
>>>
>>> This should use efi_mokvar_entry_find("MokListTrustedRT") instead,
>>> similar to how load_moklist_certs() does. It's a *much* more reliable
>>> mechanism. We don't even need to fall back to checking for the
>>> variable, as any version of shim that populates this supports the config
>>> table method.
>>
>> I’ll change this in v7, thanks.
>
> We do also need to figure out a path forward for something like Dimitri
> Ledkov's MokListX patch[0] from May, though it doesn't necessarily need
> to hold up this patch set. It looks like your patches will change the
> structure of the keyrings it needs to apply to, but I don't see a reason
> it wouldn't be conditional on the same MokListTrustedRT variable. Any
> thoughts?
>
> [0] https://lore.kernel.org/lkml/20210512153100.285169-1-dimitri.ledkov@canonical.com/
>
I had a little different approach I was going to send for this problem, but dropped it
after I saw Dimitri’s patch. Yes, we will need to figure out a way to merge the two.
But I don’t see that being too difficult or them being incompatible with one another.
More information about the Linux-security-module-archive
mailing list