Re: [PATCH] efi: libstub: check Shim mode using MokSBStateRT

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Wed, Sep 21, 2022 at 05:52:31PM +0200, Ilias Apalodimas wrote:
> Hi Ard
> 
> On Tue, 20 Sept 2022 at 17:37, Ard Biesheuvel <ardb@xxxxxxxxxx> wrote:
> >
> > We currently check the MokSBState variable to decide whether we should
> > treat UEFI secure boot as being disabled, even if the firmware thinks
> > otherwise. This is used by shim to indicate that it is not checking
> > signatures on boot images. In the kernel, we use this to relax lockdown
> > policies.
> >
> > However, in cases where shim is not even being used, we don't want this
> > variable to interfere with lockdown, given that the variable is
> > non-volatile variable and therefore persists across a reboot. This means
> > setting it once will persistently disable lockdown checks on a given
> > system.
> >
> > So switch to the mirrored version of this variable, called MokSBStateRT,
> > which is supposed to be volatile, and this is something we can check.
> >
> 
> Just out of curiosity was the mirroring implemented at the same time
> in SHIM? IOW does MokSBState guarantee the presence of the -RT?
> Regardless of the answer this fixes an actual problem, so fwiw

Yes, since 2016.

Reviewed-by: Peter Jones <pjones@xxxxxxxxxx>

> Reviewed-by: Ilias Apalodimas <ilias.apalodimas@xxxxxxxxxx>
> 
> > Signed-off-by: Ard Biesheuvel <ardb@xxxxxxxxxx>
> > ---
> >  arch/x86/xen/efi.c                        | 5 +++--
> >  drivers/firmware/efi/libstub/secureboot.c | 8 ++++----
> >  2 files changed, 7 insertions(+), 6 deletions(-)
> >
> > diff --git a/arch/x86/xen/efi.c b/arch/x86/xen/efi.c
> > index 7d7ffb9c826a..8bd65f2900b9 100644
> > --- a/arch/x86/xen/efi.c
> > +++ b/arch/x86/xen/efi.c
> > @@ -100,6 +100,7 @@ static enum efi_secureboot_mode xen_efi_get_secureboot(void)
> >         enum efi_secureboot_mode mode;
> >         efi_status_t status;
> >         u8 moksbstate;
> > +       u32 attr;
> >         unsigned long size;
> >
> >         mode = efi_get_secureboot_mode(efi.get_variable);
> > @@ -113,13 +114,13 @@ static enum efi_secureboot_mode xen_efi_get_secureboot(void)
> >         /* See if a user has put the shim into insecure mode. */
> >         size = sizeof(moksbstate);
> >         status = efi.get_variable(L"MokSBStateRT", &shim_guid,
> > -                                 NULL, &size, &moksbstate);
> > +                                 &attr, &size, &moksbstate);
> >
> >         /* If it fails, we don't care why. Default to secure. */
> >         if (status != EFI_SUCCESS)
> >                 goto secure_boot_enabled;
> >
> > -       if (moksbstate == 1)
> > +       if (!(attr & EFI_VARIABLE_NON_VOLATILE) && moksbstate == 1)
> >                 return efi_secureboot_mode_disabled;
> >
> >   secure_boot_enabled:
> > diff --git a/drivers/firmware/efi/libstub/secureboot.c b/drivers/firmware/efi/libstub/secureboot.c
> > index 8a18930f3eb6..516f4f0069bd 100644
> > --- a/drivers/firmware/efi/libstub/secureboot.c
> > +++ b/drivers/firmware/efi/libstub/secureboot.c
> > @@ -14,7 +14,7 @@
> >
> >  /* SHIM variables */
> >  static const efi_guid_t shim_guid = EFI_SHIM_LOCK_GUID;
> > -static const efi_char16_t shim_MokSBState_name[] = L"MokSBState";
> > +static const efi_char16_t shim_MokSBState_name[] = L"MokSBStateRT";
> >
> >  static efi_status_t get_var(efi_char16_t *name, efi_guid_t *vendor, u32 *attr,
> >                             unsigned long *data_size, void *data)
> > @@ -43,8 +43,8 @@ enum efi_secureboot_mode efi_get_secureboot(void)
> >
> >         /*
> >          * See if a user has put the shim into insecure mode. If so, and if the
> > -        * variable doesn't have the runtime attribute set, we might as well
> > -        * honor that.
> > +        * variable doesn't have the non-volatile attribute set, we might as
> > +        * well honor that.
> >          */
> >         size = sizeof(moksbstate);
> >         status = get_efi_var(shim_MokSBState_name, &shim_guid,
> > @@ -53,7 +53,7 @@ enum efi_secureboot_mode efi_get_secureboot(void)
> >         /* If it fails, we don't care why. Default to secure */
> >         if (status != EFI_SUCCESS)
> >                 goto secure_boot_enabled;
> > -       if (!(attr & EFI_VARIABLE_RUNTIME_ACCESS) && moksbstate == 1)
> > +       if (!(attr & EFI_VARIABLE_NON_VOLATILE) && moksbstate == 1)
> >                 return efi_secureboot_mode_disabled;
> >
> >  secure_boot_enabled:
> > --
> > 2.35.1
> >
> 

-- 
        Peter




[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux