release/5.2.41/efi-Only-print-errors-about-failing-to-get-certs-if-.patch - pub/scm/linux/kernel/git/paulg/longterm-queue-5.2 - Git at Google

 From 2ee6bf893733a521cd7b009bacdc24710dbe8700 Mon Sep 17 00:00:00 2001
 From: Javier Martinez Canillas <javierm@redhat.com>
 Date: Mon, 17 Feb 2020 12:39:47 +0100
 Subject: [PATCH] efi: Only print errors about failing to get certs if EFI vars
  are found

 commit 3be54d558c75562e42bc83d665df024bd79d399b upstream.

 If CONFIG_LOAD_UEFI_KEYS is enabled, the kernel attempts to load the certs
 from the db, dbx and MokListRT EFI variables into the appropriate keyrings.

 But it just assumes that the variables will be present and prints an error
 if the certs can't be loaded, even when is possible that the variables may
 not exist. For example the MokListRT variable will only be present if shim
 is used.

 So only print an error message about failing to get the certs list from an
 EFI variable if this is found. Otherwise these printed errors just pollute
 the kernel log ring buffer with confusing messages like the following:

 [    5.427251] Couldn't get size: 0x800000000000000e
 [    5.427261] MODSIGN: Couldn't get UEFI db list
 [    5.428012] Couldn't get size: 0x800000000000000e
 [    5.428023] Couldn't get UEFI MokListRT

 Reported-by: Hans de Goede <hdegoede@redhat.com>
 Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
 Tested-by: Hans de Goede <hdegoede@redhat.com>
 Acked-by: Ard Biesheuvel <ardb@kernel.org>
 Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
 Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>

 diff --git a/security/integrity/platform_certs/load_uefi.c b/security/integrity/platform_certs/load_uefi.c
 index 81b19c52832b..020fc7a11ef0 100644
 --- a/security/integrity/platform_certs/load_uefi.c
 +++ b/security/integrity/platform_certs/load_uefi.c
 @@ -39,16 +39,18 @@ static __init bool uefi_check_ignore_db(void)
   * Get a certificate list blob from the named EFI variable.
   */
  static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid,
 -				  unsigned long *size)
 +				  unsigned long *size, efi_status_t *status)
  {
 -	efi_status_t status;
  	unsigned long lsize = 4;
  	unsigned long tmpdb[4];
  	void *db;

 -	status = efi.get_variable(name, guid, NULL, &lsize, &tmpdb);
 -	if (status != EFI_BUFFER_TOO_SMALL) {
 -		pr_err("Couldn't get size: 0x%lx\n", status);
 +	*status = efi.get_variable(name, guid, NULL, &lsize, &tmpdb);
 +	if (*status == EFI_NOT_FOUND)
 +		return NULL;
 +
 +	if (*status != EFI_BUFFER_TOO_SMALL) {
 +		pr_err("Couldn't get size: 0x%lx\n", *status);
  		return NULL;
  	}

 @@ -56,10 +58,10 @@ static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid,
  	if (!db)
  		return NULL;

 -	status = efi.get_variable(name, guid, NULL, &lsize, db);
 -	if (status != EFI_SUCCESS) {
 +	*status = efi.get_variable(name, guid, NULL, &lsize, db);
 +	if (*status != EFI_SUCCESS) {
  		kfree(db);
 -		pr_err("Error reading db var: 0x%lx\n", status);
 +		pr_err("Error reading db var: 0x%lx\n", *status);
  		return NULL;
  	}

 @@ -144,6 +146,7 @@ static int __init load_uefi_certs(void)
  	efi_guid_t mok_var = EFI_SHIM_LOCK_GUID;
  	void *db = NULL, *dbx = NULL, *mok = NULL;
  	unsigned long dbsize = 0, dbxsize = 0, moksize = 0;
 +	efi_status_t status;
  	int rc = 0;

  	if (!efi.get_variable)
 @@ -153,9 +156,12 @@ static int __init load_uefi_certs(void)
  	 * an error if we can't get them.
  	 */
  	if (!uefi_check_ignore_db()) {
 -		db = get_cert_list(L"db", &secure_var, &dbsize);
 +		db = get_cert_list(L"db", &secure_var, &dbsize, &status);
  		if (!db) {
 -			pr_err("MODSIGN: Couldn't get UEFI db list\n");
 +			if (status == EFI_NOT_FOUND)
 +				pr_debug("MODSIGN: db variable wasn't found\n");
 +			else
 +				pr_err("MODSIGN: Couldn't get UEFI db list\n");
  		} else {
  			rc = parse_efi_signature_list("UEFI:db",
  					db, dbsize, get_handler_for_db);
 @@ -166,9 +172,12 @@ static int __init load_uefi_certs(void)
  		}
  	}

 -	mok = get_cert_list(L"MokListRT", &mok_var, &moksize);
 +	mok = get_cert_list(L"MokListRT", &mok_var, &moksize, &status);
  	if (!mok) {
 -		pr_info("Couldn't get UEFI MokListRT\n");
 +		if (status == EFI_NOT_FOUND)
 +			pr_debug("MokListRT variable wasn't found\n");
 +		else
 +			pr_info("Couldn't get UEFI MokListRT\n");
  	} else {
  		rc = parse_efi_signature_list("UEFI:MokListRT",
  					      mok, moksize, get_handler_for_db);
 @@ -177,9 +186,12 @@ static int __init load_uefi_certs(void)
  		kfree(mok);
  	}

 -	dbx = get_cert_list(L"dbx", &secure_var, &dbxsize);
 +	dbx = get_cert_list(L"dbx", &secure_var, &dbxsize, &status);
  	if (!dbx) {
 -		pr_info("Couldn't get UEFI dbx list\n");
 +		if (status == EFI_NOT_FOUND)
 +			pr_debug("dbx variable wasn't found\n");
 +		else
 +			pr_info("Couldn't get UEFI dbx list\n");
  	} else {
  		rc = parse_efi_signature_list("UEFI:dbx",
  					      dbx, dbxsize,
 --
 2.7.4
	From 2ee6bf893733a521cd7b009bacdc24710dbe8700 Mon Sep 17 00:00:00 2001
	From: Javier Martinez Canillas <javierm@redhat.com>
	Date: Mon, 17 Feb 2020 12:39:47 +0100
	Subject: [PATCH] efi: Only print errors about failing to get certs if EFI vars
	are found

	commit 3be54d558c75562e42bc83d665df024bd79d399b upstream.

	If CONFIG_LOAD_UEFI_KEYS is enabled, the kernel attempts to load the certs
	from the db, dbx and MokListRT EFI variables into the appropriate keyrings.

	But it just assumes that the variables will be present and prints an error
	if the certs can't be loaded, even when is possible that the variables may
	not exist. For example the MokListRT variable will only be present if shim
	is used.

	So only print an error message about failing to get the certs list from an
	EFI variable if this is found. Otherwise these printed errors just pollute
	the kernel log ring buffer with confusing messages like the following:

	[ 5.427251] Couldn't get size: 0x800000000000000e
	[ 5.427261] MODSIGN: Couldn't get UEFI db list
	[ 5.428012] Couldn't get size: 0x800000000000000e
	[ 5.428023] Couldn't get UEFI MokListRT

	Reported-by: Hans de Goede <hdegoede@redhat.com>
	Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
	Tested-by: Hans de Goede <hdegoede@redhat.com>
	Acked-by: Ard Biesheuvel <ardb@kernel.org>
	Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
	Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>

	diff --git a/security/integrity/platform_certs/load_uefi.c b/security/integrity/platform_certs/load_uefi.c
	index 81b19c52832b..020fc7a11ef0 100644
	--- a/security/integrity/platform_certs/load_uefi.c
	+++ b/security/integrity/platform_certs/load_uefi.c
	@@ -39,16 +39,18 @@ static __init bool uefi_check_ignore_db(void)
	* Get a certificate list blob from the named EFI variable.
	*/
	static __init void get_cert_list(efi_char16_t name, efi_guid_t *guid,
	- unsigned long *size)
	+ unsigned long size, efi_status_t status)
	{
	- efi_status_t status;
	unsigned long lsize = 4;
	unsigned long tmpdb[4];
	void *db;

	- status = efi.get_variable(name, guid, NULL, &lsize, &tmpdb);
	- if (status != EFI_BUFFER_TOO_SMALL) {
	- pr_err("Couldn't get size: 0x%lx\n", status);
	+ *status = efi.get_variable(name, guid, NULL, &lsize, &tmpdb);
	+ if (*status == EFI_NOT_FOUND)
	+ return NULL;
	+
	+ if (*status != EFI_BUFFER_TOO_SMALL) {
	+ pr_err("Couldn't get size: 0x%lx\n", *status);
	return NULL;
	}

	@@ -56,10 +58,10 @@ static __init void get_cert_list(efi_char16_t name, efi_guid_t *guid,
	if (!db)
	return NULL;

	- status = efi.get_variable(name, guid, NULL, &lsize, db);
	- if (status != EFI_SUCCESS) {
	+ *status = efi.get_variable(name, guid, NULL, &lsize, db);
	+ if (*status != EFI_SUCCESS) {
	kfree(db);
	- pr_err("Error reading db var: 0x%lx\n", status);
	+ pr_err("Error reading db var: 0x%lx\n", *status);
	return NULL;
	}

	@@ -144,6 +146,7 @@ static int __init load_uefi_certs(void)
	efi_guid_t mok_var = EFI_SHIM_LOCK_GUID;
	void db = NULL, dbx = NULL, *mok = NULL;
	unsigned long dbsize = 0, dbxsize = 0, moksize = 0;
	+ efi_status_t status;
	int rc = 0;

	if (!efi.get_variable)
	@@ -153,9 +156,12 @@ static int __init load_uefi_certs(void)
	* an error if we can't get them.
	*/
	if (!uefi_check_ignore_db()) {
	- db = get_cert_list(L"db", &secure_var, &dbsize);
	+ db = get_cert_list(L"db", &secure_var, &dbsize, &status);
	if (!db) {
	- pr_err("MODSIGN: Couldn't get UEFI db list\n");
	+ if (status == EFI_NOT_FOUND)
	+ pr_debug("MODSIGN: db variable wasn't found\n");
	+ else
	+ pr_err("MODSIGN: Couldn't get UEFI db list\n");
	} else {
	rc = parse_efi_signature_list("UEFI:db",
	db, dbsize, get_handler_for_db);
	@@ -166,9 +172,12 @@ static int __init load_uefi_certs(void)
	}
	}

	- mok = get_cert_list(L"MokListRT", &mok_var, &moksize);
	+ mok = get_cert_list(L"MokListRT", &mok_var, &moksize, &status);
	if (!mok) {
	- pr_info("Couldn't get UEFI MokListRT\n");
	+ if (status == EFI_NOT_FOUND)
	+ pr_debug("MokListRT variable wasn't found\n");
	+ else
	+ pr_info("Couldn't get UEFI MokListRT\n");
	} else {
	rc = parse_efi_signature_list("UEFI:MokListRT",
	mok, moksize, get_handler_for_db);
	@@ -177,9 +186,12 @@ static int __init load_uefi_certs(void)
	kfree(mok);
	}

	- dbx = get_cert_list(L"dbx", &secure_var, &dbxsize);
	+ dbx = get_cert_list(L"dbx", &secure_var, &dbxsize, &status);
	if (!dbx) {
	- pr_info("Couldn't get UEFI dbx list\n");
	+ if (status == EFI_NOT_FOUND)
	+ pr_debug("dbx variable wasn't found\n");
	+ else
	+ pr_info("Couldn't get UEFI dbx list\n");
	} else {
	rc = parse_efi_signature_list("UEFI:dbx",
	dbx, dbxsize,
	--
	2.7.4