Re: [PATCH 8/9] MODSIGN: Import certificates from UEFI Secure Boot

[James Bottomley]

On Mon, 2016-11-21 at 11:25 -0500, Josh Boyer wrote:
> On Mon, Nov 21, 2016 at 11:16 AM, Ard Biesheuvel
> <ard.biesheuvel@xxxxxxxxxx> wrote:
> > On 16 November 2016 at 18:11, David Howells <dhowells@xxxxxxxxxx>
> > wrote:
> > > From: Josh Boyer <jwboyer@xxxxxxxxxxxxxxxxx>
> > > 
> > > Secure Boot stores a list of allowed certificates in the 'db' 
> > > variable. This imports those certificates into the system trusted 
> > > keyring.   This allows for a third party signing certificate to 
> > > be used in conjunction with signed modules.  By importing the 
> > > public certificate into the 'db' variable, a user can allow a 
> > > module signed with that certificate to load.  The shim UEFI 
> > > bootloader has a similar certificate list stored in the
> > > 'MokListRT' variable.  We import those as well.
> > > 
> > 
> > This sounds like a bad idea to me. For the standard databases like 
> > db and dbx, we can rely on the firmware to ensure that they are 
> > what you expect. For MokListRt, not so much: anyone with sufficient
> > capabilities can generate such a variable from userland, and not 
> > every arch/distro combo will be using shim and/or mokmanager. (The
> > debates are still ongoing, but my position is that there is no need 
> > for shim at all on ARM given that the M$ problem only exists on
> > x86)
> 
> In order for MokListRT to be modified, the user has to have physical
> access and boot into Mok and complete the enrollment.  That is no
> different than simply enrolling in db or dbx.  I don't see a
> difference in security under the thread model that Secure Boot is
> attempting to protect against.

Isn't a potential attack to write to MokListRT and then force a kexec? 
 That means shim doesn't validate the variable yet you treat it as
though it has been validated.

James