Re: [PATCH 8/9] MODSIGN: Import certificates from UEFI Secure Boot

From: James Bottomley
Date: Thu Nov 24 2016 - 14:22:24 EST


On Mon, 2016-11-21 at 11:25 -0500, Josh Boyer wrote:
> On Mon, Nov 21, 2016 at 11:16 AM, Ard Biesheuvel
> <ard.biesheuvel@xxxxxxxxxx> wrote:
> > On 16 November 2016 at 18:11, David Howells <dhowells@xxxxxxxxxx>
> > wrote:
> > > From: Josh Boyer <jwboyer@xxxxxxxxxxxxxxxxx>
> > >
> > > Secure Boot stores a list of allowed certificates in the 'db'
> > > variable. This imports those certificates into the system trusted
> > > keyring. This allows for a third party signing certificate to
> > > be used in conjunction with signed modules. By importing the
> > > public certificate into the 'db' variable, a user can allow a
> > > module signed with that certificate to load. The shim UEFI
> > > bootloader has a similar certificate list stored in the
> > > 'MokListRT' variable. We import those as well.
> > >
> >
> > This sounds like a bad idea to me. For the standard databases like
> > db and dbx, we can rely on the firmware to ensure that they are
> > what you expect. For MokListRt, not so much: anyone with sufficient
> > capabilities can generate such a variable from userland, and not
> > every arch/distro combo will be using shim and/or mokmanager. (The
> > debates are still ongoing, but my position is that there is no need
> > for shim at all on ARM given that the M$ problem only exists on
> > x86)
>
> In order for MokListRT to be modified, the user has to have physical
> access and boot into Mok and complete the enrollment. That is no
> different than simply enrolling in db or dbx. I don't see a
> difference in security under the thread model that Secure Boot is
> attempting to protect against.

Isn't a potential attack to write to MokListRT and then force a kexec?
That means shim doesn't validate the variable yet you treat it as
though it has been validated.

James