From patchwork Thu Dec 12 09:38:11 2019
X-Patchwork-Submitter: Chun-Yi Lee
X-Patchwork-Id: 11287687
From: "Lee, Chun-Yi"
To: Ard Biesheuvel, James Morris, "Serge E. Hallyn", David Howells, Josh Boyer, Nayna Jain, Mimi Zohar
Cc: linux-efi@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, "Lee, Chun-Yi"
Subject: [PATCH 1/2] efi: add a function for converting status to string
Date: Thu, 12 Dec 2019 17:38:11 +0800
Message-Id: <20191212093812.10518-2-jlee@suse.com>
In-Reply-To: <20191212093812.10518-1-jlee@suse.com>
References: <20191212093812.10518-1-jlee@suse.com>

This function can be used to convert an EFI status code to a string to improve the readability of the debug log.

Signed-off-by: "Lee, Chun-Yi"
---
 include/linux/efi.h | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)

diff --git a/include/linux/efi.h b/include/linux/efi.h
index d87acf62958e..08daf4cdd807 100644
--- a/include/linux/efi.h
+++ b/include/linux/efi.h
@@ -42,6 +42,32 @@ #define EFI_ABORTED (21 | (1UL << (BITS_PER_LONG-1))) #define EFI_SECURITY_VIOLATION (26 | (1UL << (BITS_PER_LONG-1))) +#define EFI_STATUS_STR(_status) \ + case EFI_##_status: \ + return "EFI_" __stringify(_status); + +static inline char * +efi_status_to_str(unsigned long status) +{ + switch (status) { + EFI_STATUS_STR(SUCCESS) + EFI_STATUS_STR(LOAD_ERROR) + EFI_STATUS_STR(INVALID_PARAMETER) + EFI_STATUS_STR(UNSUPPORTED) + EFI_STATUS_STR(BAD_BUFFER_SIZE) + EFI_STATUS_STR(BUFFER_TOO_SMALL) + EFI_STATUS_STR(NOT_READY) + EFI_STATUS_STR(DEVICE_ERROR) + EFI_STATUS_STR(WRITE_PROTECTED) + EFI_STATUS_STR(OUT_OF_RESOURCES) + EFI_STATUS_STR(NOT_FOUND) + EFI_STATUS_STR(ABORTED) + EFI_STATUS_STR(SECURITY_VIOLATION) + } + + return ""; +} + typedef unsigned long efi_status_t; typedef u8 efi_bool_t; typedef u16 efi_char16_t; /* UNICODE character */
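Review bot: efi_status_to_str() returns `char *` although every path returns a string literal, so the return type should be `const char *`; as written a caller can write through the pointer without a compiler diagnostic. In the same hunk, EFI_STATUS_STR is defined in a header included all over the tree and is never #undef'd, so either `#undef EFI_STATUS_STR` after the function or give it a less generic name; the `return "";` fallback means an unlisted status prints nothing next to the hex value, and `return "EFI_UNKNOWN";` would keep the log self-describing. The function also takes `unsigned long status` because it is placed above the trailing context line `typedef unsigned long efi_status_t;`; moving it below the typedef lets it take an `efi_status_t`. Finally, the macro relies on __stringify() and the hunk adds no include, so check that include/linux/efi.h already pulls in linux/stringify.h.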
From patchwork Thu Dec 12 09:38:12 2019
X-Patchwork-Submitter: Chun-Yi Lee
X-Patchwork-Id: 11287689
From: "Lee, Chun-Yi"
To: Ard Biesheuvel, James Morris, "Serge E. Hallyn", David Howells, Josh Boyer, Nayna Jain, Mimi Zohar
Cc: linux-efi@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org, "Lee, Chun-Yi"
Subject: [PATCH 2/2] efi: show error messages only when loading certificates fails
Date: Thu, 12 Dec 2019 17:38:12 +0800
Message-Id: <20191212093812.10518-3-jlee@suse.com>
In-Reply-To: <20191212093812.10518-1-jlee@suse.com>
References: <20191212093812.10518-1-jlee@suse.com>

When loading the certificate list from EFI variables, the error message and EFI status code are always emitted to dmesg. It looks ugly:

[    2.335031] Couldn't get size: 0x800000000000000e
[    2.335032] Couldn't get UEFI MokListRT
[    2.339985] Couldn't get size: 0x800000000000000e
[    2.339987] Couldn't get UEFI dbx list

This cosmetic patch moves the messages to the error handling code path. It also shows the corresponding status string of the status code.

Signed-off-by: "Lee, Chun-Yi"
---
 security/integrity/platform_certs/load_uefi.c | 41 ++++++++++++++-------------
 1 file changed, 22 insertions(+), 19 deletions(-)

diff --git a/security/integrity/platform_certs/load_uefi.c b/security/integrity/platform_certs/load_uefi.c
index 81b19c52832b..3b766831d2c5 100644
--- a/security/integrity/platform_certs/load_uefi.c
+++ b/security/integrity/platform_certs/load_uefi.c
@@ -1,4 +1,5 @@ // SPDX-License-Identifier: GPL-2.0 +#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt #include #include @@ -39,7 +40,7 @@ static __init bool uefi_check_ignore_db(void) * Get a certificate list blob from the named EFI variable. */ static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid, - unsigned long *size) + unsigned long *size, const char *source) { efi_status_t status; unsigned long lsize = 4;
@@ -48,23 +49,31 @@ static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid, status = efi.get_variable(name, guid, NULL, &lsize, &tmpdb); if (status != EFI_BUFFER_TOO_SMALL) { - pr_err("Couldn't get size: 0x%lx\n", status); - return NULL; + if (status == EFI_NOT_FOUND) { + pr_debug("%s list was not found\n", source); + return NULL; + } + goto err; } db = kmalloc(lsize, GFP_KERNEL); - if (!db) - return NULL; + if (!db) { + status = EFI_OUT_OF_RESOURCES; + goto err; + } status = efi.get_variable(name, guid, NULL, &lsize, db); if (status != EFI_SUCCESS) { kfree(db); - pr_err("Error reading db var: 0x%lx\n", status); - return NULL; + goto err; } *size = lsize; return db; +err: + pr_err("Couldn't get %s list: %s (0x%lx)\n", + source, efi_status_to_str(status), status); + return NULL; } /* @@ -153,10 +162,8 @@ static int __init load_uefi_certs(void) * an error if we can't get them. */ if (!uefi_check_ignore_db()) { - db = get_cert_list(L"db", &secure_var, &dbsize); - if (!db) { - pr_err("MODSIGN: Couldn't get UEFI db list\n"); - } else { + db = get_cert_list(L"db", &secure_var, &dbsize, "UEFI:db"); + if (db) { rc = parse_efi_signature_list("UEFI:db", db, dbsize, get_handler_for_db); if (rc) @@ -166,10 +173,8 @@ static int __init load_uefi_certs(void) } } - mok = get_cert_list(L"MokListRT", &mok_var, &moksize); - if (!mok) { - pr_info("Couldn't get UEFI MokListRT\n"); - } else { + mok = get_cert_list(L"MokListRT", &mok_var, &moksize, "UEFI:MokListRT"); + if (mok) { rc = parse_efi_signature_list("UEFI:MokListRT", mok, moksize, get_handler_for_db); if (rc) @@ -177,10 +182,8 @@ static int __init load_uefi_certs(void) kfree(mok); } - dbx = get_cert_list(L"dbx", &secure_var, &dbxsize); - if (!dbx) { - pr_info("Couldn't get UEFI dbx list\n"); - } else { + dbx = get_cert_list(L"dbx", &secure_var, &dbxsize, "UEFI:dbx"); + if (dbx) { rc = parse_efi_signature_list("UEFI:dbx", dbx, dbxsize, get_handler_for_dbx);
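Review bot: the pr_fmt hunk (`+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt`) changes the prefix of every message in load_uefi.c, and the db hunk further down drops the explicit `MODSIGN: ` that one of those messages carried, so anything matching dmesg on "MODSIGN:" will stop seeing these lines; the commit message calls the patch cosmetic and should mention the prefix change.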
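Review bot: in the get_cert_list() hunk, EFI_NOT_FOUND is downgraded to pr_debug for every variable, including db. An absent dbx or MokListRT is normal on many machines, but a missing db on a Secure Boot system means the platform keyring silently ends up without the vendor certificates, which deserves at least pr_info; consider letting the caller pass the level, or only quieting NOT_FOUND for the optional lists. Also, the `kmalloc()` failure branch sets `status = EFI_OUT_OF_RESOURCES` and then reports a kernel allocation failure through the same "Couldn't get %s list" message as if the firmware had returned it; a plain `return NULL` (kmalloc with GFP_KERNEL already warns on failure) or a separate message avoids attributing the error to UEFI.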
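Review bot: the db hunk keeps the context comment line `* an error if we can't get them.` while the code below it no longer logs an error when the variable is absent (that case is now pr_debug inside get_cert_list()), so the comment should be updated to match. In the same hunk, and likewise in the MokListRT and dbx hunks, the source string ("UEFI:db") is passed to get_cert_list() and then repeated verbatim in the parse_efi_signature_list() call two lines later; a single local such as `const char *src = "UEFI:db";` keeps the two from drifting apart.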
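The values quoted in the commit message above ("0x800000000000000e") are EFI status words with the error bit (bit BITS_PER_LONG-1) set, which is why EFI_NOT_FOUND (code 14) prints as 0x800000000000000e on a 64-bit kernel and would print as 0x8000000e on a 32-bit one. The following is an added example written for this page, not code from the patch or from the kernel tree: it decodes such a value from an existing dmesg line into the symbolic name that efi_status_to_str() from patch 1/2 would print, so older logs can be read with the new vocabulary. It assumes a 64-bit kernel unless told otherwise; the code numbers for EFI_ABORTED and EFI_SECURITY_VIOLATION are visible in the efi.h hunk, and the remaining ones are taken from the same header (an assumption, not shown on this page).

```c
/* Added example, not part of the patch: decode raw EFI status words as they
 * appear in dmesg ("Couldn't get size: 0x800000000000000e") into the names
 * used by include/linux/efi.h. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Low-order code numbers of the error statuses in include/linux/efi.h; the
 * kernel ORs each with the top bit of a BITS_PER_LONG-wide word. The two
 * highest entries are visible in the patch hunk, the rest are assumed from
 * the same header. */
static const struct efi_err { unsigned code; const char *name; } efi_errs[] = {
	{  1, "EFI_LOAD_ERROR" },
	{  2, "EFI_INVALID_PARAMETER" },
	{  3, "EFI_UNSUPPORTED" },
	{  4, "EFI_BAD_BUFFER_SIZE" },
	{  5, "EFI_BUFFER_TOO_SMALL" },
	{  6, "EFI_NOT_READY" },
	{  7, "EFI_DEVICE_ERROR" },
	{  8, "EFI_WRITE_PROTECTED" },
	{  9, "EFI_OUT_OF_RESOURCES" },
	{ 14, "EFI_NOT_FOUND" },
	{ 21, "EFI_ABORTED" },
	{ 26, "EFI_SECURITY_VIOLATION" },
};

/* Decode a raw status word. 'bits' is BITS_PER_LONG of the kernel that logged
 * it (64 or 32): the error bit sits at bit bits-1, so the same code number
 * yields a different hex value on the two word sizes. */
const char *efi_status_name(uint64_t raw, int bits)
{
	uint64_t errbit = (uint64_t)1 << (bits - 1);
	uint64_t code = raw & ~errbit;
	size_t i;

	if (raw == 0)
		return "EFI_SUCCESS";
	if (!(raw & errbit))
		return "EFI_WARNING";	/* UEFI warnings leave the top bit clear */
	for (i = 0; i < sizeof(efi_errs) / sizeof(efi_errs[0]); i++)
		if (efi_errs[i].code == code)
			return efi_errs[i].name;
	return "EFI_UNKNOWN_ERROR";	/* error bit set, code not in the table */
}

/* Pull the "0x..." status out of a dmesg line such as
 *   "[    2.335031] Couldn't get size: 0x800000000000000e"
 * Returns 1 and fills *raw on success, 0 if the line carries no hex value. */
int parse_dmesg_status(const char *line, uint64_t *raw)
{
	const char *p = strstr(line, "0x");
	char *end;

	if (!p)
		return 0;
	*raw = strtoull(p, &end, 16);
	return end > p + 2;	/* a bare "0x" with no digits is not a value */
}

/* Render the status the way the patched get_cert_list() would report it:
 * "EFI_NOT_FOUND (0x800000000000000e)". Returns 0 on success, -1 if the
 * line has no status word. */
int explain_dmesg_line(const char *line, int bits, char *out, size_t outlen)
{
	uint64_t raw;

	if (!parse_dmesg_status(line, &raw))
		return -1;
	snprintf(out, outlen, "%s (0x%llx)", efi_status_name(raw, bits),
		 (unsigned long long)raw);
	return 0;
}

int main(void)
{
	/* Constructed input: the lines quoted in the commit message. */
	const char *lines[] = {
		"[    2.335031] Couldn't get size: 0x800000000000000e",
		"[    2.335032] Couldn't get UEFI MokListRT",
	};
	char buf[64];
	size_t i;

	for (i = 0; i < sizeof(lines) / sizeof(lines[0]); i++) {
		if (explain_dmesg_line(lines[i], 64, buf, sizeof(buf)) == 0)
			printf("%s -> %s\n", lines[i], buf);
		else
			printf("%s -> (no status code)\n", lines[i]);
	}
	return 0;
}
```

Pass `bits = 32` when the log came from a 32-bit kernel; decoding a 64-bit value with the wrong width leaves the error bit unrecognised and the word is misreported as a warning, which is exactly the ambiguity a symbolic name in the log avoids.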