Re: [PATCH v3 RESEND] efi: Do not import certificates from UEFI Secure Boot for T2 Macs
From: Mimi Zohar
Date: Tue Apr 12 2022 - 11:14:43 EST
On Tue, 2022-04-12 at 14:13 +0000, Aditya Garg wrote:
> >> @@ -138,6 +181,11 @@ static int __init load_uefi_certs(void)
> >> unsigned long dbsize = 0, dbxsize = 0, mokxsize = 0;
> >> efi_status_t status;
> >> int rc = 0;
> >> + const struct dmi_system_id *dmi_id;
> >> +
> >> + dmi_id = dmi_first_match(uefi_skip_cert);
> >> + if (dmi_id)
> >> + return 0;
> >
> > uefi_check_ignore_db(), get_cert_list(), uefi_check_ignore_db(), and
> > /load_moklist_certs() are all defined all static and are gated here by
> > this dmi_first_match(). There's probably no need for any of the other
> > calls to dmi_first_match().
> I couldn’t get you here. Could you elaborate?
dmi_first_match() is called here at the beginning of load_uefi_certs().
Only if it succeeds would uefi_check_ignore_db(), get_cert_list(),
uefi_check_ignore_db(), or
load_moklist_certs() be called. Is there a need for adding a call to
dmi_first_match() in any of these other functions?
thanks,
Mimi
> >
> > Like in all the other cases, there should be some sort of message. At
> > minimum, there should be a pr_info().
> >
> >>
> >> if (!efi_rt_services_supported(EFI_RT_SUPPORTED_GET_VARIABLE))
> >> return false;
> >