Revert "UBUNTU: SAUCE: (lockdown) Make get_cert_list() not complain about cert lists...
authorDimitri John Ledkov <dimitri.ledkov@canonical.com>
Wed, 29 Sep 2021 10:37:34 +0000 (11:37 +0100)
committerStefan Bader <stefan.bader@canonical.com>
Wed, 24 Nov 2021 14:28:33 +0000 (15:28 +0100)
BugLink: https://bugs.launchpad.net/bugs/1932029
This partially reverts commit f32d73b5b9b4d8cb8e64bf51091c971d05116d48.

The reverted commit fixed stray warnings and changed the get_cert_list()
function prototype (return rc, pass cert-list by reference). The stray
warnings fix was incomplete, and was done again in mainline with a
different change to the get_cert_list() function prototype (return
cert-list pointer, pass EFI error status by reference), which was also
cherry-picked into the Ubuntu kernel, ending up with both the cert-list
and the EFI error status passed by reference.

Cherrypicking both get_cert_list() function prototype changes is
redundant, and prevents clean cherrypicks from mainline. Revert the
get_cert_list() function prototype to the one in mainline.

Fixes: d946de8ee5 ("efi: Only print errors about failing to get certs if EFI vars are found")
Fixes: 46357ca172 ("UBUNTU: SAUCE: (lockdown) Make get_cert_list() use efi_status_to_str() to print error messages.")
Fixes: f32d73b5b9 ("UBUNTU: SAUCE: (lockdown) Make get_cert_list() not complain about cert lists that aren't present.")
Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
Acked-by: Tim Gardner <tim.gardner@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
security/integrity/platform_certs/load_uefi.c

index 9eaf3a3c0b84b9a79de392a0ba6a8c0d63bcf1a8..4e783f6c6cfb2b45c78bf44d9c831db3b124c80f 100644 (file)
@@ -34,42 +34,37 @@ static __init bool uefi_check_ignore_db(void)
 /*
  * Get a certificate list blob from the named EFI variable.
  */
-static __init int get_cert_list(efi_char16_t *name, efi_guid_t *guid,
-                                 unsigned long *size , void **cert_list,
-                                 efi_status_t *status)
+static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid,
+                                 unsigned long *size, efi_status_t *status)
 {
        unsigned long lsize = 4;
        unsigned long tmpdb[4];
        void *db;
 
        *status = efi.get_variable(name, guid, NULL, &lsize, &tmpdb);
-       if (*status == EFI_NOT_FOUND) {
-               *size = 0;
-               *cert_list = NULL;
-               return 0;
-       }
+       if (*status == EFI_NOT_FOUND)
+               return NULL;
 
        if (*status != EFI_BUFFER_TOO_SMALL) {
                pr_err("Couldn't get size: %s (0x%lx)\n",
                       efi_status_to_str(*status), *status);
-               return efi_status_to_err(*status);
+               return NULL;
        }
 
        db = kmalloc(lsize, GFP_KERNEL);
        if (!db)
-               return -ENOMEM;
+               return NULL;
 
        *status = efi.get_variable(name, guid, NULL, &lsize, db);
        if (*status != EFI_SUCCESS) {
                kfree(db);
                pr_err("Error reading db var: %s (0x%lx)\n",
                       efi_status_to_str(*status), *status);
-               return efi_status_to_err(*status);
+               return NULL;
        }
 
        *size = lsize;
-       *cert_list = db;
-       return 0;
+       return db;
 }
 
 /*
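Review bot: The pointer-returning get_cert_list() has no documented failure contract, and its kmalloc failure path returns NULL with `*status` still holding EFI_BUFFER_TOO_SMALL from the size probe, so a caller cannot tell an allocation failure from a firmware error. The visible callers only compare `status` with EFI_NOT_FOUND, so behaviour is correct as written, but the one-line header comment should be extended to say that the function returns a kmalloc'd buffer the caller must kfree or NULL on any failure, that `*size` is written only on success, and that `*status` carries the last EFI status. If diverging from mainline is acceptable, `*status = EFI_OUT_OF_RESOURCES;` before the `return NULL;` after kmalloc would make the out-parameter truthful on that path.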
@@ -93,13 +88,13 @@ static int __init load_uefi_certs(void)
         * an error if we can't get them.
         */
        if (!uefi_check_ignore_db()) {
-               rc = get_cert_list(L"db", &secure_var, &dbsize, &db, &status);
-               if (rc < 0) {
+               db = get_cert_list(L"db", &secure_var, &dbsize, &status);
+               if (!db) {
                        if (status == EFI_NOT_FOUND)
                                pr_debug("MODSIGN: db variable wasn't found\n");
                        else
                                pr_err("MODSIGN: Couldn't get UEFI db list\n");
-               } else if (dbsize != 0) {
+               } else {
                        rc = parse_efi_signature_list("UEFI:db",
                                        db, dbsize, get_handler_for_db);
                        if (rc)
@@ -109,13 +104,13 @@ static int __init load_uefi_certs(void)
                }
        }
 
-       rc = get_cert_list(L"MokListRT", &mok_var, &moksize, &mok, &status);
-       if (rc < 0) {
+       mok = get_cert_list(L"MokListRT", &mok_var, &moksize, &status);
+       if (!mok) {
                if (status == EFI_NOT_FOUND)
                        pr_debug("MokListRT variable wasn't found\n");
                else
                        pr_info("Couldn't get UEFI MokListRT\n");
-       } else if (moksize != 0) {
+       } else {
                rc = parse_efi_signature_list("UEFI:MokListRT",
                                              mok, moksize, get_handler_for_db);
                if (rc)
@@ -123,13 +118,13 @@ static int __init load_uefi_certs(void)
                kfree(mok);
        }
 
-       rc = get_cert_list(L"dbx", &secure_var, &dbxsize, &dbx, &status);
-       if (rc < 0) {
+       dbx = get_cert_list(L"dbx", &secure_var, &dbxsize, &status);
+       if (!dbx) {
                if (status == EFI_NOT_FOUND)
                        pr_debug("dbx variable wasn't found\n");
                else
                        pr_info("Couldn't get UEFI dbx list\n");
-       } else if (dbxsize != 0) {
+       } else {
                rc = parse_efi_signature_list("UEFI:dbx",
                                              dbx, dbxsize,
                                              get_handler_for_dbx);
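Review bot: With the return code gone, every non-EFI_NOT_FOUND failure to read dbx (firmware error or allocation failure inside get_cert_list()) lands in the `pr_info("Couldn't get UEFI dbx list\n")` branch and boot continues without the revocation entries being parsed. The db branch reports the same condition with `pr_err`, so a missed blocklist load is logged at a lower level than a missed allow-list load. I would at least add a comment at this branch such as `/* dbx could not be read: revocations from firmware are NOT applied for this boot */`. Raising the message to `pr_err` would make it visible to log monitoring, but it would diverge from mainline, which this commit is trying to avoid. load_uefi_certs() starts and ends outside this hunk, so any later handling of `rc` is not visible here.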