Re: [PATCH v6 12/13] integrity: Trust MOK keys if MokListTrustedRT found

From: Peter Jones
Date: Fri Sep 17 2021 - 11:03:48 EST


On Thu, Sep 16, 2021 at 08:00:54PM -0600, Eric Snowberg wrote:
>
> > On Sep 16, 2021, at 4:19 PM, Peter Jones <pjones@xxxxxxxxxx> wrote:
> >
> > On Tue, Sep 14, 2021 at 05:14:15PM -0400, Eric Snowberg wrote:
> >> +/*
> >> + * Try to load the MokListTrustedRT UEFI variable to see if we should trust
> >> + * the mok keys within the kernel. It is not an error if this variable
> >> + * does not exist. If it does not exist, mok keys should not be trusted
> >> + * within the machine keyring.
> >> + */
> >> +static __init bool uefi_check_trust_mok_keys(void)
> >> +{
> >> + efi_status_t status;
> >> + unsigned int mtrust = 0;
> >> + unsigned long size = sizeof(mtrust);
> >> + efi_guid_t guid = EFI_SHIM_LOCK_GUID;
> >> + u32 attr;
> >> +
> >> + status = efi.get_variable(L"MokListTrustedRT", &guid, &attr, &size, &mtrust);
> >
> > This should use efi_mokvar_entry_find("MokListTrustedRT") instead,
> > similar to how load_moklist_certs() does. It's a *much* more reliable
> > mechanism. We don't even need to fall back to checking for the
> > variable, as any version of shim that populates this supports the config
> > table method.
>
> I’ll change this in v7, thanks.

We do also need to figure out a path forward for something like Dimitri
Ledkov's MokListX patch[0] from May, though it doesn't necessarily need
to hold up this patch set. It looks like your patches will change the
structure of the keyrings it needs to apply to, but I don't see a reason
it wouldn't be conditional on the same MokListTrustedRT variable. Any
thoughts?

[0] https://lore.kernel.org/lkml/20210512153100.285169-1-dimitri.ledkov@xxxxxxxxxxxxx/

--
Peter