From patchwork Fri Oct 1 15:44:17 2021
X-Patchwork-Submitter: Dimitri John Ledkov
X-Patchwork-Id: 1535381
From: Dimitri John Ledkov
To: kernel-team@lists.ubuntu.com
Subject: [SRU][FOCAL][PATCH 01/16] Revert "UBUNTU: SAUCE: (lockdown) Make get_cert_list() not complain about cert lists that aren't present."
Date: Fri, 1 Oct 2021 16:44:17 +0100
Message-Id: <20211001154432.20287-2-dimitri.ledkov@canonical.com>
In-Reply-To: <20211001154432.20287-1-dimitri.ledkov@canonical.com>
References: <20211001154432.20287-1-dimitri.ledkov@canonical.com>
List-Id: Kernel team discussions

BugLink: https://bugs.launchpad.net/bugs/1932029

This partially reverts commit f32d73b5b9b4d8cb8e64bf51091c971d05116d48.

The reverted commit fixed stray warnings, and changed get_cert_list()
function prototype (return rc, pass cert-list by reference). The stray
warnings fix was incomplete, and was done again in mainline with a
different change of get_cert_list() function prototype (return cert-list
pointer, pass EFI error status by reference), which got also
cherrypicked into Ubuntu kernel ending up with passing both cert-list &
efi error status by reference.

Cherrypicking both get_cert_list() function prototype changes is
redundant, and prevents clean cherrypicks from mainline. Revert the
get_cert_list() function prototype to the one in mainline.

Fixes: d946de8ee5 ("efi: Only print errors about failing to get certs if EFI vars are found")
Fixes: 46357ca172 ("UBUNTU: SAUCE: (lockdown) Make get_cert_list() use efi_status_to_str() to print error messages.")
Fixes: f32d73b5b9 ("UBUNTU: SAUCE: (lockdown) Make get_cert_list() not complain about cert lists that aren't present.")
Signed-off-by: Dimitri John Ledkov --- security/integrity/platform_certs/load_uefi.c | 39 ++++++++----------- 1 file changed, 17 insertions(+), 22 deletions(-) diff --git a/security/integrity/platform_certs/load_uefi.c b/security/integrity/platform_certs/load_uefi.c index 9eaf3a3c0b..4e783f6c6c 100644 --- a/security/integrity/platform_certs/load_uefi.c +++ b/security/integrity/platform_certs/load_uefi.c @@ -34,42 +34,37 @@ static __init bool uefi_check_ignore_db(void) /* * Get a certificate list blob from the named EFI variable. */ -static __init int get_cert_list(efi_char16_t *name, efi_guid_t *guid, - unsigned long *size , void **cert_list, - efi_status_t *status) +static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid, + unsigned long *size, efi_status_t *status) { unsigned long lsize = 4; unsigned long tmpdb[4]; void *db; *status = efi.get_variable(name, guid, NULL, &lsize, &tmpdb); - if (*status == EFI_NOT_FOUND) { - *size = 0; - *cert_list = NULL; - return 0; - } + if (*status == EFI_NOT_FOUND) + return NULL; if (*status != EFI_BUFFER_TOO_SMALL) { pr_err("Couldn't get size: %s (0x%lx)\n", efi_status_to_str(*status), *status); - return efi_status_to_err(*status); + return NULL; } db = kmalloc(lsize, GFP_KERNEL); if (!db) - return -ENOMEM; + return NULL; *status = efi.get_variable(name, guid, NULL, &lsize, db); if (*status != EFI_SUCCESS) { kfree(db); pr_err("Error reading db var: %s (0x%lx)\n", efi_status_to_str(*status), *status); - return efi_status_to_err(*status); + return NULL; } *size = lsize; - *cert_list = db; - return 0; + return db; } /* 
@@ -93,13 +88,13 @@ static int __init load_uefi_certs(void) * an error if we can't get them. */ if (!uefi_check_ignore_db()) { - rc = get_cert_list(L"db", &secure_var, &dbsize, &db, &status); - if (rc < 0) { + db = get_cert_list(L"db", &secure_var, &dbsize, &status); + if (!db) { if (status == EFI_NOT_FOUND) pr_debug("MODSIGN: db variable wasn't found\n"); else pr_err("MODSIGN: Couldn't get UEFI db list\n"); - } else if (dbsize != 0) { + } else { rc = parse_efi_signature_list("UEFI:db", db, dbsize, get_handler_for_db); if (rc) @@ -109,13 +104,13 @@ static int __init load_uefi_certs(void) } } - rc = get_cert_list(L"MokListRT", &mok_var, &moksize, &mok, &status); - if (rc < 0) { + mok = get_cert_list(L"MokListRT", &mok_var, &moksize, &status); + if (!mok) { if (status == EFI_NOT_FOUND) pr_debug("MokListRT variable wasn't found\n"); else pr_info("Couldn't get UEFI MokListRT\n"); - } else if (moksize != 0) { + } else { rc = parse_efi_signature_list("UEFI:MokListRT", mok, moksize, get_handler_for_db); if (rc) @@ -123,13 +118,13 @@ static int __init load_uefi_certs(void) kfree(mok); } - rc = get_cert_list(L"dbx", &secure_var, &dbxsize, &dbx, &status); - if (rc < 0) { + dbx = get_cert_list(L"dbx", &secure_var, &dbxsize, &status); + if (!dbx) { if (status == EFI_NOT_FOUND) pr_debug("dbx variable wasn't found\n"); else pr_info("Couldn't get UEFI dbx list\n"); - } else if (dbxsize != 0) { + } else { rc = parse_efi_signature_list("UEFI:dbx", dbx, dbxsize, get_handler_for_dbx);
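Review bot: in the get_cert_list() hunk (@@ -34,42), the "if (!db) return NULL;" path after kmalloc() leaves *status at EFI_BUFFER_TOO_SMALL from the size probe and logs nothing, so the caller cannot tell an allocation failure from a firmware error and prints only its generic "Couldn't get ..." line. Now that every failure collapses to NULL, the comment above the function ("Get a certificate list blob from the named EFI variable.") should state the contract: NULL on any failure, *status holds the result of the last efi.get_variable() call, and *size is written only on success.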
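Review bot: in the db block of load_uefi_certs() (@@ -93,13; the MokListRT and dbx hunks repeat the pattern), rc is no longer assigned when get_cert_list() fails and is now written only by parse_efi_signature_list(). The declaration of rc is outside these hunks, so please confirm it is initialised to the value load_uefi_certs() should return when none of the three variables can be read. Replacing "else if (dbsize != 0)" with a plain "else" is sound only because get_cert_list() returns non-NULL solely after "*size = lsize" on the EFI_SUCCESS path; a one-line comment at the first call site saying that a non-NULL return implies a valid size would keep a later change to get_cert_list() from silently breaking that assumption.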
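Review bot: in the dbx hunk (@@ -123,13), a read failure other than EFI_NOT_FOUND is still reported with pr_info("Couldn't get UEFI dbx list\n"), while the same failure for db uses pr_err. dbx is the list handed to get_handler_for_dbx, so when this read fails the revocation entries are not loaded and the only trace is an info-level line. That is unchanged context here and matches the stated goal of keeping the file aligned with mainline, so it belongs in a separate follow-up rather than this revert, but it is worth raising to pr_err there.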