@@ -34,42 +34,37 @@ static __init bool uefi_check_ignore_db(void)
/*
* Get a certificate list blob from the named EFI variable.
*/
-static __init int get_cert_list(efi_char16_t *name, efi_guid_t *guid,
- unsigned long *size , void **cert_list,
- efi_status_t *status)
+static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid,
+ unsigned long *size, efi_status_t *status)
{
unsigned long lsize = 4;
unsigned long tmpdb[4];
void *db;
*status = efi.get_variable(name, guid, NULL, &lsize, &tmpdb);
- if (*status == EFI_NOT_FOUND) {
- *size = 0;
- *cert_list = NULL;
- return 0;
- }
+ if (*status == EFI_NOT_FOUND)
+ return NULL;
if (*status != EFI_BUFFER_TOO_SMALL) {
pr_err("Couldn't get size: %s (0x%lx)\n",
efi_status_to_str(*status), *status);
- return efi_status_to_err(*status);
+ return NULL;
}
db = kmalloc(lsize, GFP_KERNEL);
if (!db)
- return -ENOMEM;
+ return NULL;
*status = efi.get_variable(name, guid, NULL, &lsize, db);
if (*status != EFI_SUCCESS) {
kfree(db);
pr_err("Error reading db var: %s (0x%lx)\n",
efi_status_to_str(*status), *status);
- return efi_status_to_err(*status);
+ return NULL;
}
*size = lsize;
- *cert_list = db;
- return 0;
+ return db;
}
/*
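Review bot: On allocation failure (`if (!db) return NULL;`) the function returns with `*status` still holding EFI_BUFFER_TOO_SMALL from the size probe. Now that the errno return is gone, a caller cannot tell out-of-memory from a firmware error. Setting `*status = EFI_OUT_OF_RESOURCES;` before that return would keep the two apart. The header comment should also state the new contract: the returned buffer is kmalloc'd and owned by the caller (kfree), NULL means failure with the cause in `*status`, and `*size` is written only on success, so callers must not read it after a NULL return.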
@@ -93,13 +88,13 @@ static int __init load_uefi_certs(void)
* an error if we can't get them.
*/
if (!uefi_check_ignore_db()) {
- rc = get_cert_list(L"db", &secure_var, &dbsize, &db, &status);
- if (rc < 0) {
+ db = get_cert_list(L"db", &secure_var, &dbsize, &status);
+ if (!db) {
if (status == EFI_NOT_FOUND)
pr_debug("MODSIGN: db variable wasn't found\n");
else
pr_err("MODSIGN: Couldn't get UEFI db list\n");
- } else if (dbsize != 0) {
+ } else {
rc = parse_efi_signature_list("UEFI:db",
db, dbsize, get_handler_for_db);
if (rc)
@@ -109,13 +104,13 @@ static int __init load_uefi_certs(void)
}
}
- rc = get_cert_list(L"MokListRT", &mok_var, &moksize, &mok, &status);
- if (rc < 0) {
+ mok = get_cert_list(L"MokListRT", &mok_var, &moksize, &status);
+ if (!mok) {
if (status == EFI_NOT_FOUND)
pr_debug("MokListRT variable wasn't found\n");
else
pr_info("Couldn't get UEFI MokListRT\n");
- } else if (moksize != 0) {
+ } else {
rc = parse_efi_signature_list("UEFI:MokListRT",
mok, moksize, get_handler_for_db);
if (rc)
@@ -123,13 +118,13 @@ static int __init load_uefi_certs(void)
kfree(mok);
}
- rc = get_cert_list(L"dbx", &secure_var, &dbxsize, &dbx, &status);
- if (rc < 0) {
+ dbx = get_cert_list(L"dbx", &secure_var, &dbxsize, &status);
+ if (!dbx) {
if (status == EFI_NOT_FOUND)
pr_debug("dbx variable wasn't found\n");
else
pr_info("Couldn't get UEFI dbx list\n");
- } else if (dbxsize != 0) {
+ } else {
rc = parse_efi_signature_list("UEFI:dbx",
dbx, dbxsize,
get_handler_for_dbx);
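Review bot: A dbx read that fails for a reason other than EFI_NOT_FOUND is reported only through `pr_info("Couldn't get UEFI dbx list\n")`, and as far as this hunk shows, loading then carries on without the revocation entries. Unlike db or MokListRT, a missing dbx widens what is trusted, so this branch fails open and the log line is easy to miss. Consider raising it to the level and prefix the db branch already uses, `pr_err("MODSIGN: Couldn't get UEFI dbx list\n");`, so log monitoring can alert on it. load_uefi_certs() continues past the end of this hunk, so the handling of `rc` and the kfree of `dbx` are not visible here.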
BugLink: https://bugs.launchpad.net/bugs/1932029 This partially reverts commit f32d73b5b9b4d8cb8e64bf51091c971d05116d48. The reverted commit fixed stray warnings, and changed get_cert_list() function prototype (return rc, pass cert-list by reference). The stray warnings fix was incomplete, and was done again in mainline with a different change of get_cert_list() function prototype (return cert-list pointer, pass EFI error status by reference), which got also cherrypicked into Ubuntu kernel ending up with passing both cert-list & efi error status by reference. Cherrypicking both get_cert_list() function prototype changes is redundant, and prevents clean cherrypicks from mainline. Revert the get_cert_list() function prototype to the one in mainline. Fixes: d946de8ee5 ("efi: Only print errors about failing to get certs if EFI vars are found") Fixes: 46357ca172 ("UBUNTU: SAUCE: (lockdown) Make get_cert_list() use efi_status_to_str() to print error messages.") Fixes: f32d73b5b9 ("UBUNTU: SAUCE: (lockdown) Make get_cert_list() not complain about cert lists that aren't present.") Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@canonical.com> --- security/integrity/platform_certs/load_uefi.c | 39 ++++++++----------- 1 file changed, 17 insertions(+), 22 deletions(-)