[PATCH v6 12/13] integrity: Trust MOK keys if MokListTrustedRT found

Eric Snowberg eric.snowberg at oracle.com
Fri Sep 17 16:06:56 UTC 2021


> On Sep 17, 2021, at 9:03 AM, Peter Jones <pjones at redhat.com> wrote:
> 
> On Thu, Sep 16, 2021 at 08:00:54PM -0600, Eric Snowberg wrote:
>> 
>>> On Sep 16, 2021, at 4:19 PM, Peter Jones <pjones at redhat.com> wrote:
>>> 
>>> On Tue, Sep 14, 2021 at 05:14:15PM -0400, Eric Snowberg wrote:
>>>> +/*
>>>> + * Try to load the MokListTrustedRT UEFI variable to see if we should trust
>>>> + * the mok keys within the kernel. It is not an error if this variable
>>>> + * does not exist.  If it does not exist, mok keys should not be trusted
>>>> + * within the machine keyring.
>>>> + */
>>>> +static __init bool uefi_check_trust_mok_keys(void)
>>>> +{
>>>> +	efi_status_t status;
>>>> +	unsigned int mtrust = 0;
>>>> +	unsigned long size = sizeof(mtrust);
>>>> +	efi_guid_t guid = EFI_SHIM_LOCK_GUID;
>>>> +	u32 attr;
>>>> +
>>>> +	status = efi.get_variable(L"MokListTrustedRT", &guid, &attr, &size, &mtrust);
>>> 
>>> This should use efi_mokvar_entry_find("MokListTrustedRT") instead,
>>> similar to how load_moklist_certs() does.  It's a *much* more reliable
>>> mechanism.  We don't even need to fall back to checking for the
>>> variable, as any version of shim that populates this supports the config
>>> table method.
>> 
>> I’ll change this in v7, thanks.
> 
> We do also need to figure out a path forward for something like Dimitri
> Ledkov's MokListX patch[0] from May, though it doesn't necessarily need
> to hold up this patch set.  It looks like your patches will change the
> structure of the keyrings it needs to apply to, but I don't see a reason
> it wouldn't be conditional on the same MokListTrustedRT variable.  Any
> thoughts?
> 
> [0] https://lore.kernel.org/lkml/20210512153100.285169-1-dimitri.ledkov@canonical.com/
> 

I had a little different approach I was going to send for this problem, but dropped it 
after I saw Dimitri’s patch.  Yes, we will need to figure out a way to merge the two.  
But I don’t see that being too difficult or them being incompatible with one another.



More information about the Linux-security-module-archive mailing list