Re: [PATCH v6 12/13] integrity: Trust MOK keys if MokListTrustedRT found

[PATCH v6 00/13] Enroll kernel keys thru MOK · Eric Snowberg <eric.snowberg@oracle.com> · 2021-09-14
[PATCH v6 01/13] integrity: Introduce a Linux keyring called machine · Eric Snowberg <eric.snowberg@oracle.com> · 2021-09-14
[PATCH v6 07/13] KEYS: add a reference to machine keyring · Eric Snowberg <eric.snowberg@oracle.com> · 2021-09-14
[PATCH v6 03/13] KEYS: CA link restriction · Eric Snowberg <eric.snowberg@oracle.com> · 2021-09-14
Re: [PATCH v6 03/13] KEYS: CA link restriction · kernel test robot <hidden> · 2021-09-16
Re: [PATCH v6 03/13] KEYS: CA link restriction · kernel test robot <hidden> · 2021-09-16
Re: [PATCH v6 03/13] KEYS: CA link restriction · Nayna <hidden> · 2021-09-16
[PATCH v6 02/13] integrity: Do not allow machine keyring updates following init · Eric Snowberg <eric.snowberg@oracle.com> · 2021-09-14
[PATCH v6 06/13] KEYS: Rename get_builtin_and_secondary_restriction · Eric Snowberg <eric.snowberg@oracle.com> · 2021-09-14
[PATCH v6 08/13] KEYS: Introduce link restriction for machine keys · Eric Snowberg <eric.snowberg@oracle.com> · 2021-09-14
[PATCH v6 05/13] integrity: add new keyring handler for mok keys · Eric Snowberg <eric.snowberg@oracle.com> · 2021-09-14
Re: [PATCH v6 05/13] integrity: add new keyring handler for mok keys · kernel test robot <hidden> · 2021-09-16
[PATCH v6 04/13] integrity: restrict INTEGRITY_KEYRING_MACHINE to restrict_link_by_ca · Eric Snowberg <eric.snowberg@oracle.com> · 2021-09-14
[PATCH v6 12/13] integrity: Trust MOK keys if MokListTrustedRT found · Eric Snowberg <eric.snowberg@oracle.com> · 2021-09-14
Re: [PATCH v6 12/13] integrity: Trust MOK keys if MokListTrustedRT found · Peter Jones <pjones@redhat.com> · 2021-09-16
Re: [PATCH v6 12/13] integrity: Trust MOK keys if MokListTrustedRT found · Eric Snowberg <eric.snowberg@oracle.com> · 2021-09-17
Re: [PATCH v6 12/13] integrity: Trust MOK keys if MokListTrustedRT found · Peter Jones <pjones@redhat.com> · 2021-09-17
Re: [PATCH v6 12/13] integrity: Trust MOK keys if MokListTrustedRT found · Eric Snowberg <eric.snowberg@oracle.com> · 2021-09-17
[PATCH v6 13/13] integrity: Only use machine keyring when uefi_check_trust_mok_keys is true · Eric Snowberg <eric.snowberg@oracle.com> · 2021-09-14
[PATCH v6 10/13] KEYS: link secondary_trusted_keys to machine trusted keys · Eric Snowberg <eric.snowberg@oracle.com> · 2021-09-14
[PATCH v6 11/13] integrity: store reference to machine keyring · Eric Snowberg <eric.snowberg@oracle.com> · 2021-09-14
[PATCH v6 09/13] KEYS: integrity: change link restriction to trust the machine keyring · Eric Snowberg <eric.snowberg@oracle.com> · 2021-09-14
Re: [PATCH v6 00/13] Enroll kernel keys thru MOK · Jarkko Sakkinen <jarkko@kernel.org> · 2021-09-15
Re: [PATCH v6 00/13] Enroll kernel keys thru MOK · Eric Snowberg <eric.snowberg@oracle.com> · 2021-09-15
Re: [PATCH v6 00/13] Enroll kernel keys thru MOK · Jarkko Sakkinen <jarkko@kernel.org> · 2021-09-16
Re: [PATCH v6 00/13] Enroll kernel keys thru MOK · Peter Jones <pjones@redhat.com> · 2021-09-16
Re: [PATCH v6 00/13] Enroll kernel keys thru MOK · Eric Snowberg <eric.snowberg@oracle.com> · 2021-09-17
Re: [PATCH v6 00/13] Enroll kernel keys thru MOK · Jarkko Sakkinen <jarkko@kernel.org> · 2021-09-21
Re: [PATCH v6 00/13] Enroll kernel keys thru MOK · Nayna <hidden> · 2021-09-16
Re: [PATCH v6 00/13] Enroll kernel keys thru MOK · Eric Snowberg <eric.snowberg@oracle.com> · 2021-09-17
Re: [PATCH v6 00/13] Enroll kernel keys thru MOK · Mimi Zohar <zohar@linux.ibm.com> · 2021-09-17

From: Peter Jones <pjones@redhat.com>
Date: 2021-09-16 22:19:41
Also in: keyrings, linux-crypto, linux-security-module, lkml

On Tue, Sep 14, 2021 at 05:14:15PM -0400, Eric Snowberg wrote:

+/*
+ * Try to load the MokListTrustedRT UEFI variable to see if we should trust
+ * the mok keys within the kernel. It is not an error if this variable
+ * does not exist.  If it does not exist, mok keys should not be trusted
+ * within the machine keyring.
+ */
+static __init bool uefi_check_trust_mok_keys(void)
+{
+	efi_status_t status;
+	unsigned int mtrust = 0;
+	unsigned long size = sizeof(mtrust);
+	efi_guid_t guid = EFI_SHIM_LOCK_GUID;
+	u32 attr;
+
+	status = efi.get_variable(L"MokListTrustedRT", &guid, &attr, &size, &mtrust);

This should use efi_mokvar_entry_find("MokListTrustedRT") instead,
similar to how load_moklist_certs() does.  It's a *much* more reliable
mechanism.  We don't even need to fall back to checking for the
variable, as any version of shim that populates this supports the config
table method.

-- 
        Peter

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help