From 5b4a9bf506709048bdc7e34dfd45d77d12204088 Mon Sep 17 00:00:00 2001
From: Maximilian Luz <luzmaximilian@gmail.com>
Date: Fri, 26 Aug 2022 21:24:36 +0200
Subject: [PATCH] Revert "integrity: Only use machine keyring when
uefi_check_trust_mok_keys is true"
This reverts commit 3d6ae1a5d0c2019d274284859f556dcb64aa98a7.
MokListTrustedRT doesn't seem to be set by the Shim version used by
Ubuntu and Debian. Therefore, these systems don't trust the MOK keys on
newer kernels. While pre-5.19 kernels silently disregard the untrusted
keys and (without signature enforcement enabled) still load external
modules (tainting the kernel), on 5.19 kernels, this breaks module
loading. Therefore, revert this change.
See https://github.com/linux-surface/linux-surface/issues/906.
---
security/integrity/digsig.c | 2 +-
security/integrity/integrity.h | 5 -----
.../integrity/platform_certs/keyring_handler.c | 2 +-
.../integrity/platform_certs/machine_keyring.c | 16 ----------------
4 files changed, 2 insertions(+), 23 deletions(-)
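--- a/security/integrity/digsig.c
+++ b/security/integrity/digsig.c
@@ -113,7 +113,7 @@ static int __init __integrity_init_keyring(const unsigned int id,
 } else {
 if (id == INTEGRITY_KEYRING_PLATFORM)
 set_platform_trusted_keys(keyring[id]);
- if (id == INTEGRITY_KEYRING_MACHINE && trust_moklist())
+ if (id == INTEGRITY_KEYRING_MACHINE)
 set_machine_trusted_keys(keyring[id]);
 if (id == INTEGRITY_KEYRING_IMA)
 load_module_cert(keyring[id]);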
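Review bot: The new `if (id == INTEGRITY_KEYRING_MACHINE)` line makes the machine keyring kernel-trusted without shim having asserted MokListTrustedRT, and the matching hunk in keyring_handler.c routes every MOK x509 entry into that keyring, but neither site records why the gate was dropped, so a reader auditing this tree has to find the patch description to learn that MOK-enrolled keys are now trusted on the same footing as firmware db keys. Since the description ties module loading to these keys being trusted, that is a deliberate widening of the trust boundary that belongs next to the code. I would add above the changed line: `/* Trust MOK keys unconditionally: the shim shipped by Ubuntu/Debian does not set MokListTrustedRT (linux-surface/linux-surface#906). */`. If uefi_check_trust_mok_keys() can tell an absent variable apart from an explicit false value, a narrower fix would keep the gate and relax only the absent case; that function's body is outside this hunk, as is the start and end of __integrity_init_keyring().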
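--- a/security/integrity/integrity.h
+++ b/security/integrity/integrity.h
@@ -320,14 +320,9 @@ static inline void __init add_to_platform_keyring(const char *source,
 
 #ifdef CONFIG_INTEGRITY_MACHINE_KEYRING
 void __init add_to_machine_keyring(const char *source, const void *data, size_t len);
-bool __init trust_moklist(void);
 #else
 static inline void __init add_to_machine_keyring(const char *source,
 const void *data, size_t len)
 {
 }
-static inline bool __init trust_moklist(void)
-{
- return false;
-}
 #endif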
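--- a/security/integrity/platform_certs/keyring_handler.c
+++ b/security/integrity/platform_certs/keyring_handler.c
@@ -61,7 +61,7 @@ __init efi_element_handler_t get_handler_for_db(const efi_guid_t *sig_type)
 __init efi_element_handler_t get_handler_for_mok(const efi_guid_t *sig_type)
 {
 if (efi_guidcmp(*sig_type, efi_cert_x509_guid) == 0) {
- if (IS_ENABLED(CONFIG_INTEGRITY_MACHINE_KEYRING) && trust_moklist())
+ if (IS_ENABLED(CONFIG_INTEGRITY_MACHINE_KEYRING))
 return add_to_machine_keyring;
 else
 return add_to_platform_keyring;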
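--- a/security/integrity/platform_certs/machine_keyring.c
+++ b/security/integrity/platform_certs/machine_keyring.c
@@ -8,8 +8,6 @@
 #include <linux/efi.h>
 #include "../integrity.h"
 
-static bool trust_mok;
-
 static __init int machine_keyring_init(void)
 {
 int rc;
@@ -61,17 +59,3 @@ static __init bool uefi_check_trust_mok_keys(void)
 
 return false;
 }
-
-bool __init trust_moklist(void)
-{
- static bool initialized;
-
- if (!initialized) {
- initialized = true;
-
- if (uefi_check_trust_mok_keys())
- trust_mok = true;
- }
-
- return trust_mok;
-}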
--
2.37.2