blob: 3233fbf100a610f2990f061ae7cebdfcb4d61c92 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
|
From: "Lee, Chun-Yi" <joeyli.kernel@gmail.com>
Date: Tue, 13 Mar 2018 18:37:59 +0800
Subject: [PATCH 1/5] MODSIGN: do not load mok when secure boot disabled
Origin: https://lore.kernel.org/patchwork/patch/933173/
The mok can not be trusted when the secure boot is disabled. Which
means that the kernel embedded certificate is the only trusted key.
Due to db/dbx are authenticated variables, they needs manufacturer's
KEK for update. So db/dbx are secure when secureboot disabled.
Cc: David Howells <dhowells@redhat.com>
Cc: Josh Boyer <jwboyer@fedoraproject.org>
Cc: James Bottomley <James.Bottomley@HansenPartnership.com>
Signed-off-by: "Lee, Chun-Yi" <jlee@suse.com>
[Rebased by Luca Boccassi]
[bwh: Forward-ported to 5.5.9:
- get_cert_list() takes a pointer to status and returns the cert list
- Adjust filename]
[Salvatore Bonaccorso: Forward-ported to 5.10: Refresh for changes in
38a1f03aa240 ("integrity: Move import of MokListRT certs to a separate
routine")]
---
security/integrity/platform_certs/load_uefi.c | 26 +++++++++++++++-----------
1 file changed, 15 insertions(+), 11 deletions(-)
--- a/security/integrity/platform_certs/load_uefi.c
+++ b/security/integrity/platform_certs/load_uefi.c
@@ -191,6 +191,10 @@
kfree(mokx);
}
+ /* the MOK can not be trusted when secure boot is disabled */
+ if (!efi_enabled(EFI_SECURE_BOOT))
+ return 0;
+
/* Load the MokListRT certs */
rc = load_moklist_certs();
|