linux-surface/pkg/debian/kernel/0001-Revert-integrity-Only-use-machine-keyring-when-uefi_.patch
2023-05-11 16:10:32 +02:00


From e79c4bebdeeb42325394c95fa13f36042f9a34fa Mon Sep 17 00:00:00 2001
From: Maximilian Luz <luzmaximilian@gmail.com>
Date: Fri, 26 Aug 2022 21:24:36 +0200
Subject: [PATCH] Revert "integrity: Only use machine keyring when
uefi_check_trust_mok_keys is true"
This reverts commit 3d6ae1a5d0c2019d274284859f556dcb64aa98a7.
MokListTrustedRT doesn't seem to be set by the Shim version used by
Ubuntu and Debian. Therefore, these systems don't trust the MOK keys on
newer kernels. While pre-5.19 kernels silently disregard the untrusted
keys and (without signature enforcement enabled) still load external
modules (tainting the kernel), on 5.19 kernels, this breaks module
loading. Therefore, revert this change.
See https://github.com/linux-surface/linux-surface/issues/906.
---
security/integrity/digsig.c | 2 +-
security/integrity/integrity.h | 5 -----
.../integrity/platform_certs/keyring_handler.c | 2 +-
.../integrity/platform_certs/machine_keyring.c | 16 ----------------
4 files changed, 2 insertions(+), 23 deletions(-)
diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c
index f2193c531f4a4..4a1d0bb2ffd42 100644
--- a/security/integrity/digsig.c
+++ b/security/integrity/digsig.c
@@ -113,7 +113,7 @@ static int __init __integrity_init_keyring(const unsigned int id,
} else {
if (id == INTEGRITY_KEYRING_PLATFORM)
set_platform_trusted_keys(keyring[id]);
- if (id == INTEGRITY_KEYRING_MACHINE && trust_moklist())
+ if (id == INTEGRITY_KEYRING_MACHINE)
set_machine_trusted_keys(keyring[id]);
if (id == INTEGRITY_KEYRING_IMA)
load_module_cert(keyring[id]);
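Review bot: Dropping `trust_moklist()` from the `INTEGRITY_KEYRING_MACHINE` branch means the machine keyring is always passed to `set_machine_trusted_keys()`, so trust in MOK certificates no longer depends on the MokListTrustedRT opt-in. The same applies to `get_handler_for_mok()` in keyring_handler.c, which now routes every X.509 MOK entry to `add_to_machine_keyring` whenever `CONFIG_INTEGRITY_MACHINE_KEYRING` is enabled. The commit message states this as the intent, but the call site should record it so the wider trust boundary stays visible across rebases, e.g. `/* linux-surface: MOK keys are trusted unconditionally; Debian/Ubuntu shim does not set MokListTrustedRT (see issue 906) */`. With both callers gone, `uefi_check_trust_mok_keys()` in machine_keyring.c appears to have no remaining user and may produce an unused-function warning; confirm against the full file and drop it or mark it if so. `__integrity_init_keyring` starts and ends outside this hunk.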
diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
index 7167a6e99bdc0..1dbb494c86c07 100644
--- a/security/integrity/integrity.h
+++ b/security/integrity/integrity.h
@@ -320,14 +320,9 @@ static inline void __init add_to_platform_keyring(const char *source,
#ifdef CONFIG_INTEGRITY_MACHINE_KEYRING
void __init add_to_machine_keyring(const char *source, const void *data, size_t len);
-bool __init trust_moklist(void);
#else
static inline void __init add_to_machine_keyring(const char *source,
const void *data, size_t len)
{
}
-static inline bool __init trust_moklist(void)
-{
- return false;
-}
#endif
diff --git a/security/integrity/platform_certs/keyring_handler.c b/security/integrity/platform_certs/keyring_handler.c
index 8a1124e4d7696..b22e0125a4833 100644
--- a/security/integrity/platform_certs/keyring_handler.c
+++ b/security/integrity/platform_certs/keyring_handler.c
@@ -61,7 +61,7 @@ __init efi_element_handler_t get_handler_for_db(const efi_guid_t *sig_type)
__init efi_element_handler_t get_handler_for_mok(const efi_guid_t *sig_type)
{
if (efi_guidcmp(*sig_type, efi_cert_x509_guid) == 0) {
- if (IS_ENABLED(CONFIG_INTEGRITY_MACHINE_KEYRING) && trust_moklist())
+ if (IS_ENABLED(CONFIG_INTEGRITY_MACHINE_KEYRING))
return add_to_machine_keyring;
else
return add_to_platform_keyring;
diff --git a/security/integrity/platform_certs/machine_keyring.c b/security/integrity/platform_certs/machine_keyring.c
index 7aaed7950b6e3..09fd8f20c7560 100644
--- a/security/integrity/platform_certs/machine_keyring.c
+++ b/security/integrity/platform_certs/machine_keyring.c
@@ -8,8 +8,6 @@
#include <linux/efi.h>
#include "../integrity.h"
-static bool trust_mok;
-
static __init int machine_keyring_init(void)
{
int rc;
@@ -61,17 +59,3 @@ static __init bool uefi_check_trust_mok_keys(void)
return false;
}
-
-bool __init trust_moklist(void)
-{
- static bool initialized;
-
- if (!initialized) {
- initialized = true;
-
- if (uefi_check_trust_mok_keys())
- trust_mok = true;
- }
-
- return trust_mok;
-}
--
2.40.1