Hi Ard,

First, thanks for your review!

On Tue, Mar 13, 2018 at 05:25:30PM +0000, Ard Biesheuvel wrote:
> On 13 March 2018 at 10:37, Lee, Chun-Yi <joeyli.ker...@gmail.com> wrote:
> > The mok can not be trusted when the secure boot is disabled. Which
> > means that the kernel embedded certificate is the only trusted key.
> >
> > Due to db/dbx are authenticated variables, they need manufacturer's
> > KEK for update. So db/dbx are secure when secureboot disabled.
> >
>
> Did you consider the case where secure boot is not implemented? I
> don't think db/dbx are secure in that case, although perhaps it may
> not matter (a bit more information on the purpose of these patches and
> all the shim lingo etc would be appreciated)
>

Patch 5 in this series checks that db/dbx have the EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS attribute. But I agree with you that the kernel should check that the SecureBoot variable exists in the system. I will add a patch to detect it.

> > Cc: David Howells <dhowe...@redhat.com>
> > Cc: Josh Boyer <jwbo...@fedoraproject.org>
> > Cc: James Bottomley <james.bottom...@hansenpartnership.com>
> > Signed-off-by: "Lee, Chun-Yi" <j...@suse.com>
> > --- > > certs/load_uefi.c | 26 +++++++++++++++----------- > > 1 file changed, 15 insertions(+), 11 deletions(-) > > > > diff --git a/certs/load_uefi.c b/certs/load_uefi.c > > index 3d88459..d6de4d0 100644 > > --- a/certs/load_uefi.c > > +++ b/certs/load_uefi.c > > @@ -164,17 +164,6 @@ static int __init load_uefi_certs(void) > > } > > } > > > > - mok = get_cert_list(L"MokListRT", &mok_var, &moksize);
>
> Which tree does this apply to? My tree doesn't have get_cert_list()
>

This patch set is based on the efi-lock-down and keys-uefi branches in David Howells's linux-fs git tree.

https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/log/?h=keys-uefi

Thanks a lot!
Joey Lee
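Review bot: the changelog does not say what now gates the MokListRT load that is dropped at the top of the @@ -164,17 +164,6 @@ hunk in load_uefi_certs(), nor how the kernel decides that secure boot is disabled. Please state the condition in the commit message, and say what happens on firmware that does not implement secure boot at all, since the claim that db/dbx stay secure rests on them being authenticated variables. A short note under the `---` line naming the base tree would also help, because get_cert_list() is not present in every tree this might be applied to.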