[SRU][FOCAL][PATCH 01/16] Revert "UBUNTU: SAUCE: (lockdown) Make get_cert_list() not complain about cert lists that aren't present."

Dimitri John Ledkov dimitri.ledkov at canonical.com
Fri Oct 1 15:44:17 UTC 2021


BugLink: https://bugs.launchpad.net/bugs/1932029

This partially reverts commit f32d73b5b9b4d8cb8e64bf51091c971d05116d48.

The reverted commit fixed stray warnings and changed the get_cert_list()
function prototype (return rc, pass the cert list by reference). The stray
warnings fix was incomplete and was done again in mainline with a
different change to the get_cert_list() function prototype (return the
cert-list pointer, pass the EFI error status by reference), which was also
cherry-picked into the Ubuntu kernel, ending up with both the cert list
and the EFI error status passed by reference.

Cherrypicking both get_cert_list() function prototype changes is
redundant, and prevents clean cherrypicks from mainline. Revert the
get_cert_list() function prototype to the one in mainline.

Fixes: d946de8ee5 ("efi: Only print errors about failing to get certs if EFI vars are found")
Fixes: 46357ca172 ("UBUNTU: SAUCE: (lockdown) Make get_cert_list() use efi_status_to_str() to print error messages.")
Fixes: f32d73b5b9 ("UBUNTU: SAUCE: (lockdown) Make get_cert_list() not complain about cert lists that aren't present.")
Signed-off-by: Dimitri John Ledkov <dimitri.ledkov at canonical.com>
---
 security/integrity/platform_certs/load_uefi.c | 39 ++++++++-----------
 1 file changed, 17 insertions(+), 22 deletions(-)

diff --git a/security/integrity/platform_certs/load_uefi.c b/security/integrity/platform_certs/load_uefi.c
index 9eaf3a3c0b..4e783f6c6c 100644
--- a/security/integrity/platform_certs/load_uefi.c
+++ b/security/integrity/platform_certs/load_uefi.c
@@ -34,42 +34,37 @@ static __init bool uefi_check_ignore_db(void)
 /*
  * Get a certificate list blob from the named EFI variable.
  */
-static __init int get_cert_list(efi_char16_t *name, efi_guid_t *guid,
-				  unsigned long *size , void **cert_list,
-				  efi_status_t *status)
+static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid,
+				  unsigned long *size, efi_status_t *status)
 {
 	unsigned long lsize = 4;
 	unsigned long tmpdb[4];
 	void *db;
 
 	*status = efi.get_variable(name, guid, NULL, &lsize, &tmpdb);
-	if (*status == EFI_NOT_FOUND) {
-		*size = 0;
-		*cert_list = NULL;
-		return 0;
-	}
+	if (*status == EFI_NOT_FOUND)
+		return NULL;
 
 	if (*status != EFI_BUFFER_TOO_SMALL) {
 		pr_err("Couldn't get size: %s (0x%lx)\n",
 		       efi_status_to_str(*status), *status);
-		return efi_status_to_err(*status);
+		return NULL;
 	}
 
 	db = kmalloc(lsize, GFP_KERNEL);
 	if (!db)
-		return -ENOMEM;
+		return NULL;
 
 	*status = efi.get_variable(name, guid, NULL, &lsize, db);
 	if (*status != EFI_SUCCESS) {
 		kfree(db);
 		pr_err("Error reading db var: %s (0x%lx)\n",
 		       efi_status_to_str(*status), *status);
-		return efi_status_to_err(*status);
+		return NULL;
 	}
 
 	*size = lsize;
-	*cert_list = db;
-	return 0;
+	return db;
 }
 
 /*
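Review bot: On the kmalloc failure path (the `return NULL` that replaces `return -ENOMEM`) `*status` is not updated, so it still holds EFI_BUFFER_TOO_SMALL from the size probe, and the callers in the load_uefi_certs hunks report the failure as "Couldn't get UEFI db list" (likewise for MokListRT and dbx) with no hint that memory rather than firmware was the problem. Since the new signature deliberately follows mainline I would not change the contract, but the header comment above the function should spell it out: `Returns the allocated blob (caller frees) and sets *size on success; returns NULL on EFI_NOT_FOUND, on other EFI errors (logged, *status set) and on allocation failure, where *status is left as the probe result.` It is also worth stating that `*size` is only written on success, since that is what makes it safe for the callers to drop their `dbsize != 0` style checks.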
@@ -93,13 +88,13 @@ static int __init load_uefi_certs(void)
 	 * an error if we can't get them.
 	 */
 	if (!uefi_check_ignore_db()) {
-		rc = get_cert_list(L"db", &secure_var, &dbsize, &db, &status);
-		if (rc < 0) {
+		db = get_cert_list(L"db", &secure_var, &dbsize, &status);
+		if (!db) {
 			if (status == EFI_NOT_FOUND)
 				pr_debug("MODSIGN: db variable wasn't found\n");
 			else
 				pr_err("MODSIGN: Couldn't get UEFI db list\n");
-		} else if (dbsize != 0) {
+		} else {
 			rc = parse_efi_signature_list("UEFI:db",
 					db, dbsize, get_handler_for_db);
 			if (rc)
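Review bot: With `rc = get_cert_list(...)` replaced by `db = get_cert_list(...)`, `rc` is no longer assigned on the failure path, so what load_uefi_certs returns after a missing or unreadable db now depends on rc's initialiser, which is outside this hunk (the function's declarations and its return are not shown); confirm it is initialised at its declaration, as I believe mainline does with `int rc = 0;`, otherwise the `!db` path returns an indeterminate value. The same applies to the MokListRT and dbx hunks below. Dropping the `dbsize != 0` guard is safe as far as this hunk shows, because get_cert_list only writes `*size` when it returns a non-NULL blob.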
@@ -109,13 +104,13 @@ static int __init load_uefi_certs(void)
 		}
 	}
 
-	rc = get_cert_list(L"MokListRT", &mok_var, &moksize, &mok, &status);
-	if (rc < 0) {
+	mok = get_cert_list(L"MokListRT", &mok_var, &moksize, &status);
+	if (!mok) {
 		if (status == EFI_NOT_FOUND)
 			pr_debug("MokListRT variable wasn't found\n");
 		else
 			pr_info("Couldn't get UEFI MokListRT\n");
-	} else if (moksize != 0) {
+	} else {
 		rc = parse_efi_signature_list("UEFI:MokListRT",
 					      mok, moksize, get_handler_for_db);
 		if (rc)
@@ -123,13 +118,13 @@ static int __init load_uefi_certs(void)
 		kfree(mok);
 	}
 
-	rc = get_cert_list(L"dbx", &secure_var, &dbxsize, &dbx, &status);
-	if (rc < 0) {
+	dbx = get_cert_list(L"dbx", &secure_var, &dbxsize, &status);
+	if (!dbx) {
 		if (status == EFI_NOT_FOUND)
 			pr_debug("dbx variable wasn't found\n");
 		else
 			pr_info("Couldn't get UEFI dbx list\n");
-	} else if (dbxsize != 0) {
+	} else {
 		rc = parse_efi_signature_list("UEFI:dbx",
 					      dbx, dbxsize,
 					      get_handler_for_dbx);
-- 
2.30.2



