Re: [PATCH] integrity: Do not load MOK and MOKx when secure boot be disabled
From: Mimi Zohar
Date: Tue Dec 21 2021 - 07:56:20 EST
Hi Joey,
On Sat, 2021-12-18 at 10:09 +0800, Lee, Chun-Yi wrote:
> The security of Machine Owner Key (MOK) relies on secure boot. When
> secure boot is disabled, EFI firmware will not verify binary code. Then
> arbitrary efi binary code can modify MOK when rebooting.
>
> This patch prevents MOK/MOKx be loaded when secure boot be disabled.
>
> Signed-off-by: "Lee, Chun-Yi" <jlee@xxxxxxxx>
Sorry for the delay in testing this patch. I got the booster Friday
and am still suffering from fever spikes, chills, and headaches. The
kexec selftest might need to be updated as well.
thanks,
Mimi
> ---
> security/integrity/platform_certs/load_uefi.c | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/security/integrity/platform_certs/load_uefi.c b/security/integrity/platform_certs/load_uefi.c
> index f290f78c3f30..08b6d12f99b4 100644
> --- a/security/integrity/platform_certs/load_uefi.c
> +++ b/security/integrity/platform_certs/load_uefi.c
> @@ -6,6 +6,7 @@
> #include <linux/err.h>
> #include <linux/efi.h>
> #include <linux/slab.h>
> +#include <linux/ima.h>
> #include <keys/asymmetric-type.h>
> #include <keys/system_keyring.h>
> #include "../integrity.h"
> @@ -176,6 +177,10 @@ static int __init load_uefi_certs(void)
> kfree(dbx);
> }
>
> + /* the MOK/MOKx can not be trusted when secure boot is disabled */
> + if (!arch_ima_get_secureboot())
> + return 0;
> +
> mokx = get_cert_list(L"MokListXRT", &mok_var, &mokxsize, &status);
> if (!mokx) {
> if (status == EFI_NOT_FOUND)