[PATCH 2/2] MODSIGN: load hash blacklist of modules from MOKx
joeyli
jlee at suse.com
Thu Dec 12 04:57:54 UTC 2013
於 三,2013-12-11 於 11:15 -0500,Josh Boyer 提到:
> On Wed, Dec 11, 2013 at 03:26:17PM +0800, Lee, Chun-Yi wrote:
> > This patch add the support to load blacklisted hash or public key from
...
> > +static int __init signature_blacklist_func(efi_guid_t efi_cert_guid,
> > + const efi_signature_data_t *elem)
> > +{
> > + struct module_hash *module_hash = NULL;
> > + int i;
> > +
> > + for (i = 0; efi_hash_types[i].hash < PKEY_HASH__LAST; i++) {
> > + struct efi_hash_type type = efi_hash_types[i];
> > +
> > + if (efi_guidcmp(efi_cert_guid, type.efi_cert_guid) != 0)
> > + continue;
> > +
> > + module_hash = kzalloc(sizeof(*module_hash) + type.size, GFP_KERNEL);
> > + module_hash->hash = type.hash;
> > + module_hash->hash_name = type.hash_name;
> > + module_hash->size = type.size;
> > + memcpy(module_hash->hash_data, elem->signature_data, type.size);
> > + }
> > +
> > + if (!module_hash) {
> > + pr_err("Problem loading hash of blacklisted module: %pUb\n",
> > + &efi_cert_guid);
> > + return -ENOTSUPP;
>
> Shouldn't this check be moved directly under the kzalloc call? Or I
> suppose a similar check should be added there.
>
Next version patch will hook the hash algorithm of blacklist the same
with kernel module signature. I will simplify this checking code.
> > + data += sizeof(list) + hsize;
> > + size -= sizeof(list) + hsize;
> > + offs += sizeof(list) + hsize;
> > +
> > + for (; elsize > 0; elsize -= esize) {
> > + elem = data;
> > +
> > + pr_debug("ELEM[%04x]\n", offs);
> > + func(efi_cert_guid, elem);
>
> The func call here can fail but there is no return code checking.
>
Thank's for your point out, I will add the return code checking here.
> > + data += esize;
> > + size -= esize;
> > + offs += esize;
> > + }
> > + }
> > +
> > + return 0;
> > +}
> > +
> > +static int __init parse_efi_signature_list_hashs(const void *data, size_t size,
> > + int (*func)(efi_guid_t, const efi_signature_data_t *))
>
> Why do we pass around a function pointer here when there is only one
> place we call this and it always passes the same function?
>
Because the code of parse_efi_signature_list_hash() is almost the same
with parse_efi_signature_list(), so I want pass different functions to
handle the different logic of them.
Sorry for I forgot merge this change to parse_efi_signature_list().
Thanks for your remind, I will do it in next version.
> > /*
> > * * Load the certs contained in the UEFI databases
> > * */
> > @@ -62,8 +194,8 @@ static int __init load_uefi_certs(void)
> > {
> > efi_guid_t secure_var = EFI_IMAGE_SECURITY_DATABASE_GUID;
> > efi_guid_t mok_var = EFI_SHIM_LOCK_GUID;
> > - void *db = NULL, *dbx = NULL, *mok = NULL;
> > - unsigned long dbsize = 0, dbxsize = 0, moksize = 0;
> > + void *db = NULL, *dbx = NULL, *mok = NULL, *mokx = NULL;
> > + unsigned long dbsize = 0, dbxsize = 0, moksize = 0, mokxsize = 0;
> > int ignore_db, rc = 0;
> >
> > /* Check if SB is enabled and just return if not */
> > @@ -109,6 +241,20 @@ static int __init load_uefi_certs(void)
> > kfree(dbx);
> > }
> >
> > + mokx = get_cert_list(L"MokListXRT", &mok_var, &mokxsize);
> > + if (!mokx) {
> > + pr_info("MODSIGN: Couldn't get UEFI MokListXRT\n");
>
> Is there a reason we don't call the hash parsing on dbx itself?
>
Yes, we can, I will add the hash parsing on dbx.
> > + } else {
> > + rc = parse_efi_signature_list(mokx, mokxsize,
> > + system_blacklist_keyring);
> > + if (rc)
> > + pr_err("Couldn't parse MokListXRT signatures: %d\n", rc);
> > + else
> > + parse_efi_signature_list_hashs(mokx, mokxsize,
> > + signature_blacklist_func);
> > + kfree(mokx);
>
> Do we want to only check for hashes if signature parsing fails?
> MokListXRT could contain both hashes and certs, couldn't it?
>
Yes, the signature parsing fail should not effect to the hash parsing. I
will fix it in next version.
Thanks a lot!
Joey Lee
More information about the kernel
mailing list