1 | #include <linux/kernel.h> |
2 | #include <linux/sched.h> | |
3 | #include <linux/cred.h> | |
4 | #include <linux/err.h> | |
5 | #include <linux/efi.h> | |
6 | #include <linux/slab.h> | |
7 | #include <keys/asymmetric-type.h> | |
8 | #include <keys/system_keyring.h> | |
9 | #include "internal.h" | |
10 | ||
/* Signature-list entry types this file knows how to handle: X.509 certs for
 * db/MokListRT, and X.509 TBS / binary SHA-256 hashes for dbx/MokListXRT.
 * __initdata: only consulted by the __init functions below, so the storage
 * can be discarded once boot-time loading is done.
 */
static __initdata efi_guid_t efi_cert_x509_guid = EFI_CERT_X509_GUID;
static __initdata efi_guid_t efi_cert_x509_sha256_guid = EFI_CERT_X509_SHA256_GUID;
static __initdata efi_guid_t efi_cert_sha256_guid = EFI_CERT_SHA256_GUID;
14 | ||
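/*
 * Look to see if a UEFI variable called MokIgnoreDB exists and return true if
 * it does.
 *
 * This UEFI variable is set by the shim if a user tells the shim to not use
 * the certs/hashes in the UEFI db variable for verification purposes. If it
 * is set, we should ignore the db variable also and the true return indicates
 * this.
 *
 * Only the variable's existence matters, not its contents, so a variable that
 * is larger than the probe buffer (EFI_BUFFER_TOO_SMALL) counts as present as
 * well.  Erring towards "ignore db" is the conservative outcome: it only
 * means db is not loaded.
 */
static __init bool uefi_check_ignore_db(void)
{
	efi_status_t status;
	unsigned int db = 0;
	unsigned long size = sizeof(db);
	efi_guid_t guid = EFI_SHIM_LOCK_GUID;

	status = efi.get_variable(L"MokIgnoreDB", &guid, NULL, &size, &db);
	return status == EFI_SUCCESS || status == EFI_BUFFER_TOO_SMALL;
}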
34 | ||
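/*
 * Get a certificate list blob from the named EFI variable.
 *
 * Returns a kmalloc'd copy of the variable's contents and stores its length
 * in *size; the caller owns the buffer and must kfree() it.  Returns NULL if
 * the variable does not exist, cannot be read, or memory allocation fails
 * (*size is left untouched in that case).  A missing variable is not logged
 * here: callers decide how loud absence should be.  The returned bytes are
 * firmware-provided data whose structure still has to be validated by the
 * signature-list parser.
 */
static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid,
				  unsigned long *size)
{
	efi_status_t status;
	unsigned long lsize = 4;
	unsigned long tmpdb[4];
	void *db;

	/* Probe with a small buffer.  A variable larger than it reports its
	 * real size through lsize; a variable that fits is already complete
	 * and must not be treated as a size-query failure.
	 */
	status = efi.get_variable(name, guid, NULL, &lsize, tmpdb);
	if (status == EFI_SUCCESS) {
		db = kmemdup(tmpdb, lsize, GFP_KERNEL);
		if (!db) {
			pr_err("Couldn't allocate memory for uefi cert list\n");
			return NULL;
		}
		*size = lsize;
		return db;
	}
	if (status == EFI_NOT_FOUND)
		return NULL;
	if (status != EFI_BUFFER_TOO_SMALL) {
		pr_err("Couldn't get size: 0x%lx\n", status);
		return NULL;
	}

	db = kmalloc(lsize, GFP_KERNEL);
	if (!db) {
		pr_err("Couldn't allocate memory for uefi cert list\n");
		return NULL;
	}

	/* The variable may have changed between the probe and this read; any
	 * status other than success (including a second BUFFER_TOO_SMALL) is
	 * reported and the partial data discarded.
	 */
	status = efi.get_variable(name, guid, NULL, &lsize, db);
	if (status != EFI_SUCCESS) {
		kfree(db);
		pr_err("Error reading db var: 0x%lx\n", status);
		return NULL;
	}

	*size = lsize;
	return db;
}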
68 | ||
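/*
 * Add one hash to the blacklist keyring, formatted as "<type><hex>" where
 * <type> is the keyring's hash-type prefix (e.g. "tbs:" or "bin:") and
 * <hex> is the lower-case hex encoding of the @len bytes at @data.
 *
 * Handlers return void, so a failure cannot be propagated to the caller;
 * an allocation failure is reported and the entry skipped.  The result of
 * mark_hash_blacklisted() is not checked here, unchanged from the original.
 */
static __init void uefi_blacklist_hash(const char *source, const void *data,
				       size_t len, const char *type,
				       size_t type_len)
{
	char *hash, *p;

	hash = kmalloc(type_len + len * 2 + 1, GFP_KERNEL);
	if (!hash) {
		pr_err("Couldn't allocate memory for %s blacklist hash\n",
		       source);
		return;
	}
	p = memcpy(hash, type, type_len);
	p += type_len;
	bin2hex(p, data, len);
	p += len * 2;
	*p = 0;

	mark_hash_blacklisted(hash);
	kfree(hash);
}

/*
 * Blacklist an X509 TBS hash.
 */
static __init void uefi_blacklist_x509_tbs(const char *source,
					   const void *data, size_t len)
{
	uefi_blacklist_hash(source, data, len, "tbs:", 4);
}

/*
 * Blacklist the hash of an executable.
 */
static __init void uefi_blacklist_binary(const char *source,
					 const void *data, size_t len)
{
	uefi_blacklist_hash(source, data, len, "bin:", 4);
}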
110 | ||
/*
 * Return the appropriate handler for particular signature list types found in
 * the UEFI db and MokListRT tables.
 *
 * Only X.509 certificate entries (EFI_CERT_X509_GUID) are accepted, and they
 * go to add_trusted_secondary_key; every other entry type gets no handler
 * (NULL), leaving it to the parser to skip.
 */
static __init efi_element_handler_t get_handler_for_db(const efi_guid_t *sig_type)
{
	bool is_x509 = efi_guidcmp(*sig_type, efi_cert_x509_guid) == 0;

	return is_x509 ? add_trusted_secondary_key : NULL;
}
121 | ||
/*
 * Return the appropriate handler for particular signature list types found in
 * the UEFI dbx and MokListXRT tables.
 *
 * X.509 TBS SHA-256 entries go to uefi_blacklist_x509_tbs, plain SHA-256
 * entries to uefi_blacklist_binary; any other entry type gets no handler
 * (NULL).
 */
static __init efi_element_handler_t get_handler_for_dbx(const efi_guid_t *sig_type)
{
	efi_element_handler_t handler = NULL;

	if (efi_guidcmp(*sig_type, efi_cert_x509_sha256_guid) == 0)
		handler = uefi_blacklist_x509_tbs;
	else if (efi_guidcmp(*sig_type, efi_cert_sha256_guid) == 0)
		handler = uefi_blacklist_binary;

	return handler;
}
134 | ||
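/*
 * Load the certs contained in the UEFI databases into the secondary trusted
 * keyring and the UEFI blacklisted X.509 cert SHA256 hashes into the blacklist
 * keyring.
 *
 * db and MokListRT are parsed with get_handler_for_db (trust anchors), dbx
 * with get_handler_for_dbx (blacklist).  db is skipped entirely when the shim
 * has set MokIgnoreDB.  None of the variables has to exist, so absence is
 * only informational.
 *
 * Returns 0, or the first parse error encountered; later lists are still
 * processed so that one bad list does not prevent loading the others.
 */
static int __init load_uefi_certs(void)
{
	efi_guid_t secure_var = EFI_IMAGE_SECURITY_DATABASE_GUID;
	efi_guid_t mok_var = EFI_SHIM_LOCK_GUID;
	void *db = NULL, *dbx = NULL, *mok = NULL;
	unsigned long dbsize = 0, dbxsize = 0, moksize = 0;
	int rc = 0, err;

	/* No EFI variable services available: nothing to load, not an error. */
	if (!efi.get_variable)
		return 0;

	/* Get db, MokListRT, and dbx. They might not exist, so it isn't
	 * an error if we can't get them.
	 */
	if (!uefi_check_ignore_db()) {
		db = get_cert_list(L"db", &secure_var, &dbsize);
		if (!db) {
			pr_info("MODSIGN: Couldn't get UEFI db list\n");
		} else {
			err = parse_efi_signature_list("UEFI:db",
						       db, dbsize,
						       get_handler_for_db);
			if (err) {
				pr_err("Couldn't parse db signatures: %d\n",
				       err);
				if (!rc)
					rc = err;
			}
			kfree(db);
		}
	}

	mok = get_cert_list(L"MokListRT", &mok_var, &moksize);
	if (!mok) {
		pr_info("MODSIGN: Couldn't get UEFI MokListRT\n");
	} else {
		err = parse_efi_signature_list("UEFI:MokListRT",
					       mok, moksize,
					       get_handler_for_db);
		if (err) {
			pr_err("Couldn't parse MokListRT signatures: %d\n",
			       err);
			if (!rc)
				rc = err;
		}
		kfree(mok);
	}

	dbx = get_cert_list(L"dbx", &secure_var, &dbxsize);
	if (!dbx) {
		pr_info("MODSIGN: Couldn't get UEFI dbx list\n");
	} else {
		err = parse_efi_signature_list("UEFI:dbx",
					       dbx, dbxsize,
					       get_handler_for_dbx);
		if (err) {
			pr_err("Couldn't parse dbx signatures: %d\n", err);
			if (!rc)
				rc = err;
		}
		kfree(dbx);
	}

	/* First error wins: a db failure is no longer masked by a clean
	 * MokListRT or dbx parse.
	 */
	return rc;
}
late_initcall(load_uefi_certs);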