Re: [PATCH v2 1/2] efi: add secure boot get helper

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hello Chester,

Thanks for looking into this.

Some comments below.

On Wed, 14 Oct 2020 at 12:41, Chester Lin <clin@xxxxxxxx> wrote:
>
> Separate the get_sb_mode() from arch/x86 and treat it as a common function
> [rename to efi_get_secureboot_mode] so all EFI-based architectures can
> reuse the same logic.
>
> Signed-off-by: Chester Lin <clin@xxxxxxxx>
> ---
>  arch/x86/kernel/ima_arch.c | 47 ++------------------------------------
>  drivers/firmware/efi/efi.c | 43 ++++++++++++++++++++++++++++++++++
>  include/linux/efi.h        |  5 ++++
>  3 files changed, 50 insertions(+), 45 deletions(-)
>
> diff --git a/arch/x86/kernel/ima_arch.c b/arch/x86/kernel/ima_arch.c
> index 7dfb1e808928..ed4623ecda6e 100644
> --- a/arch/x86/kernel/ima_arch.c
> +++ b/arch/x86/kernel/ima_arch.c
> @@ -8,49 +8,6 @@
>
>  extern struct boot_params boot_params;
>
> -static enum efi_secureboot_mode get_sb_mode(void)
> -{
> -       efi_guid_t efi_variable_guid = EFI_GLOBAL_VARIABLE_GUID;
> -       efi_status_t status;
> -       unsigned long size;
> -       u8 secboot, setupmode;
> -
> -       size = sizeof(secboot);
> -
> -       if (!efi_rt_services_supported(EFI_RT_SUPPORTED_GET_VARIABLE)) {
> -               pr_info("ima: secureboot mode unknown, no efi\n");
> -               return efi_secureboot_mode_unknown;
> -       }
> -
> -       /* Get variable contents into buffer */
> -       status = efi.get_variable(L"SecureBoot", &efi_variable_guid,
> -                                 NULL, &size, &secboot);
> -       if (status == EFI_NOT_FOUND) {
> -               pr_info("ima: secureboot mode disabled\n");
> -               return efi_secureboot_mode_disabled;
> -       }
> -
> -       if (status != EFI_SUCCESS) {
> -               pr_info("ima: secureboot mode unknown\n");
> -               return efi_secureboot_mode_unknown;
> -       }
> -
> -       size = sizeof(setupmode);
> -       status = efi.get_variable(L"SetupMode", &efi_variable_guid,
> -                                 NULL, &size, &setupmode);
> -
> -       if (status != EFI_SUCCESS)      /* ignore unknown SetupMode */
> -               setupmode = 0;
> -
> -       if (secboot == 0 || setupmode == 1) {
> -               pr_info("ima: secureboot mode disabled\n");
> -               return efi_secureboot_mode_disabled;
> -       }
> -
> -       pr_info("ima: secureboot mode enabled\n");
> -       return efi_secureboot_mode_enabled;
> -}
> -
>  bool arch_ima_get_secureboot(void)
>  {
>         static enum efi_secureboot_mode sb_mode;
> @@ -60,7 +17,7 @@ bool arch_ima_get_secureboot(void)
>                 sb_mode = boot_params.secure_boot;
>
>                 if (sb_mode == efi_secureboot_mode_unset)
> -                       sb_mode = get_sb_mode();
> +                       sb_mode = efi_get_secureboot_mode();
>                 initialized = true;
>         }
>
> @@ -70,7 +27,7 @@ bool arch_ima_get_secureboot(void)
>                 return false;
>  }
>
> -/* secureboot arch rules */
> +/* secure and trusted boot arch rules */
>  static const char * const sb_arch_rules[] = {
>  #if !IS_ENABLED(CONFIG_KEXEC_SIG)
>         "appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig",
> diff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c
> index 5e5480a0a32d..68ffa6a069c0 100644
> --- a/drivers/firmware/efi/efi.c
> +++ b/drivers/firmware/efi/efi.c
> @@ -1022,3 +1022,46 @@ static int __init register_update_efi_random_seed(void)
>  }
>  late_initcall(register_update_efi_random_seed);
>  #endif
> +
> +enum efi_secureboot_mode efi_get_secureboot_mode(void)
> +{
> +       efi_guid_t efi_variable_guid = EFI_GLOBAL_VARIABLE_GUID;
> +       efi_status_t status;
> +       unsigned long size;
> +       u8 secboot, setupmode;
> +
> +       size = sizeof(secboot);
> +
> +       if (!efi_rt_services_supported(EFI_RT_SUPPORTED_GET_VARIABLE)) {
> +               pr_info("ima: secureboot mode unknown, no efi\n");

These prints don't belong here anymore.

Also, it would be useful if we could reuse this logic in the EFI stub
as well, which is built as a separate executable, and does not provide
efi.get_variable().

So, you could you please break this up into

static inline
enum efi_secureboot_mode efi_get_secureboot_mode(efi_get_variable_t *get_var)
{
}

placed into include/linux/efi.h, which encapsulates the core logic,
but using get_var(), and without the prints.

Then, we could put something like

bool efi_ima_get_secureboot(void)
{
}

in drivers/firmware/efi/efi.c (guarded by #ifdef CONFIG_IMA_xxx),
which performs the
efi_rt_services_supported(EFI_RT_SUPPORTED_GET_VARIABLE)) check, calls
efi_get_secureboot_mode(efi.get_variable), and implements the logic.

And actually, if the logic is identical between x86 and arm64, I
wonder if it wouldn't be better to put the whole thing into

drivers/firmware/efi/efi-ima.c

or

security/integrity/ima/ima-efi.c

with the only difference being the boot_params->secure_boot access for
x86, which we can factor out to a static inline helper.

Mimi, any thoughts here?



> +               return efi_secureboot_mode_unknown;
> +       }
> +
> +       /* Get variable contents into buffer */
> +       status = efi.get_variable(L"SecureBoot", &efi_variable_guid,
> +                                 NULL, &size, &secboot);
> +       if (status == EFI_NOT_FOUND) {
> +               pr_info("ima: secureboot mode disabled\n");
> +               return efi_secureboot_mode_disabled;
> +       }
> +
> +       if (status != EFI_SUCCESS) {
> +               pr_info("ima: secureboot mode unknown\n");
> +               return efi_secureboot_mode_unknown;
> +       }
> +
> +       size = sizeof(setupmode);
> +       status = efi.get_variable(L"SetupMode", &efi_variable_guid,
> +                                 NULL, &size, &setupmode);
> +
> +       if (status != EFI_SUCCESS)      /* ignore unknown SetupMode */
> +               setupmode = 0;
> +
> +       if (secboot == 0 || setupmode == 1) {
> +               pr_info("ima: secureboot mode disabled\n");
> +               return efi_secureboot_mode_disabled;
> +       }
> +
> +       pr_info("ima: secureboot mode enabled\n");
> +       return efi_secureboot_mode_enabled;
> +}
> diff --git a/include/linux/efi.h b/include/linux/efi.h
> index d7c0e73af2b9..a73e5ae04672 100644
> --- a/include/linux/efi.h
> +++ b/include/linux/efi.h
> @@ -1076,8 +1076,13 @@ static inline int efi_runtime_map_copy(void *buf, size_t bufsz)
>
>  #ifdef CONFIG_EFI
>  extern bool efi_runtime_disabled(void);
> +extern enum efi_secureboot_mode efi_get_secureboot_mode(void);
>  #else
>  static inline bool efi_runtime_disabled(void) { return true; }
> +static inline enum efi_secureboot_mode efi_get_secureboot_mode(void)
> +{
> +       return efi_secureboot_mode_disabled;
> +}
>  #endif
>
>  extern void efi_call_virt_check_flags(unsigned long flags, const char *call);
> --
> 2.26.1
>



[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux Kernel]     [Linux Kernel Hardening]     [Linux NFS]     [Linux NILFS]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux SCSI]

  Powered by Linux