[PATCH v3 RESEND] efi: Do not import certificates from UEFI Secure Boot for T2 Macs

Mimi Zohar zohar at linux.ibm.com
Tue Apr 12 15:13:52 UTC 2022


On Tue, 2022-04-12 at 14:13 +0000, Aditya Garg wrote:
> >> @@ -138,6 +181,11 @@ static int __init load_uefi_certs(void)
> >>      unsigned long dbsize = 0, dbxsize = 0, mokxsize = 0;
> >>      efi_status_t status;
> >>      int rc = 0;
> >> +    const struct dmi_system_id *dmi_id;
> >> +
> >> +    dmi_id = dmi_first_match(uefi_skip_cert);
> >> +    if (dmi_id)
> >> +            return 0;
> > 
> > uefi_check_ignore_db(), get_cert_list(), uefi_check_ignore_db(), and
> > /load_moklist_certs() are all defined all static and are gated here by
> > this dmi_first_match(). There's probably no need for any of the other
> > calls to dmi_first_match().
> I couldn’t get you here. Could you elaborate?

dmi_first_match() is called here at the beginning of load_uefi_certs().
Only if it succeeds would uefi_check_ignore_db(), get_cert_list(),
uefi_check_ignore_db(), or
load_moklist_certs() be called.  Is there a need for adding a call to
dmi_first_match() in any of these other functions?

thanks,

Mimi

> > 
> > Like in all the other cases, there should be some sort of message. At
> > minimum, there should be a pr_info().
> > 
> >> 
> >>      if (!efi_rt_services_supported(EFI_RT_SUPPORTED_GET_VARIABLE))
> >>              return false;
> > 




More information about the Linux-security-module-archive mailing list