]>
Commit | Line | Data |
---|---|---|
16eb7765 JB |
1 | #include <linux/kernel.h> |
2 | #include <linux/sched.h> | |
3 | #include <linux/cred.h> | |
4 | #include <linux/err.h> | |
5 | #include <linux/efi.h> | |
6 | #include <linux/slab.h> | |
7 | #include <keys/asymmetric-type.h> | |
8 | #include <keys/system_keyring.h> | |
9 | #include "module-internal.h" | |
10 | ||
6179f402 JB |
11 | static __init int check_ignore_db(void) |
12 | { | |
13 | efi_status_t status; | |
14 | unsigned int db = 0; | |
15 | unsigned long size = sizeof(db); | |
16 | efi_guid_t guid = EFI_SHIM_LOCK_GUID; | |
17 | ||
18 | /* Check and see if the MokIgnoreDB variable exists. If that fails | |
19 | * then we don't ignore DB. If it succeeds, we do. | |
20 | */ | |
21 | status = efi.get_variable(L"MokIgnoreDB", &guid, NULL, &size, &db); | |
22 | if (status != EFI_SUCCESS) | |
23 | return 0; | |
24 | ||
25 | return 1; | |
26 | } | |
27 | ||
16eb7765 JB |
28 | static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid, unsigned long *size) |
29 | { | |
30 | efi_status_t status; | |
31 | unsigned long lsize = 4; | |
32 | unsigned long tmpdb[4]; | |
33 | void *db = NULL; | |
34 | ||
35 | status = efi.get_variable(name, guid, NULL, &lsize, &tmpdb); | |
36 | if (status != EFI_BUFFER_TOO_SMALL) { | |
37 | pr_err("Couldn't get size: 0x%lx\n", status); | |
38 | return NULL; | |
39 | } | |
40 | ||
41 | db = kmalloc(lsize, GFP_KERNEL); | |
42 | if (!db) { | |
43 | pr_err("Couldn't allocate memory for uefi cert list\n"); | |
44 | goto out; | |
45 | } | |
46 | ||
47 | status = efi.get_variable(name, guid, NULL, &lsize, db); | |
48 | if (status != EFI_SUCCESS) { | |
49 | kfree(db); | |
50 | db = NULL; | |
51 | pr_err("Error reading db var: 0x%lx\n", status); | |
52 | } | |
53 | out: | |
54 | *size = lsize; | |
55 | return db; | |
56 | } | |
57 | ||
58 | /* | |
59 | * * Load the certs contained in the UEFI databases | |
60 | * */ | |
61 | static int __init load_uefi_certs(void) | |
62 | { | |
63 | efi_guid_t secure_var = EFI_IMAGE_SECURITY_DATABASE_GUID; | |
64 | efi_guid_t mok_var = EFI_SHIM_LOCK_GUID; | |
65 | void *db = NULL, *dbx = NULL, *mok = NULL; | |
66 | unsigned long dbsize = 0, dbxsize = 0, moksize = 0; | |
6179f402 | 67 | int ignore_db, rc = 0; |
16eb7765 JB |
68 | struct key *keyring = NULL; |
69 | ||
70 | /* Check if SB is enabled and just return if not */ | |
71 | if (!efi_enabled(EFI_SECURE_BOOT)) | |
72 | return 0; | |
73 | ||
74 | keyring = get_system_keyring(); | |
75 | if (!keyring) { | |
76 | pr_err("MODSIGN: Couldn't get system keyring\n"); | |
77 | return -EINVAL; | |
78 | } | |
79 | ||
6179f402 JB |
80 | /* See if the user has setup Ignore DB mode */ |
81 | ignore_db = check_ignore_db(); | |
82 | ||
16eb7765 JB |
83 | /* Get db, MokListRT, and dbx. They might not exist, so it isn't |
84 | * an error if we can't get them. | |
85 | */ | |
6179f402 JB |
86 | if (!ignore_db) { |
87 | db = get_cert_list(L"db", &secure_var, &dbsize); | |
88 | if (!db) { | |
89 | pr_err("MODSIGN: Couldn't get UEFI db list\n"); | |
90 | } else { | |
91 | rc = parse_efi_signature_list(db, dbsize, keyring); | |
92 | if (rc) | |
93 | pr_err("Couldn't parse db signatures: %d\n", rc); | |
94 | kfree(db); | |
95 | } | |
16eb7765 JB |
96 | } |
97 | ||
98 | mok = get_cert_list(L"MokListRT", &mok_var, &moksize); | |
99 | if (!mok) { | |
100 | pr_info("MODSIGN: Couldn't get UEFI MokListRT\n"); | |
101 | } else { | |
102 | rc = parse_efi_signature_list(mok, moksize, keyring); | |
103 | if (rc) | |
104 | pr_err("Couldn't parse MokListRT signatures: %d\n", rc); | |
105 | kfree(mok); | |
106 | } | |
107 | ||
108 | dbx = get_cert_list(L"dbx", &secure_var, &dbxsize); | |
109 | if (!dbx) { | |
110 | pr_info("MODSIGN: Couldn't get UEFI dbx list\n"); | |
111 | } else { | |
112 | rc = parse_efi_signature_list(dbx, dbxsize, | |
113 | system_blacklist_keyring); | |
114 | if (rc) | |
115 | pr_err("Couldn't parse dbx signatures: %d\n", rc); | |
116 | kfree(dbx); | |
117 | } | |
118 | ||
119 | return rc; | |
120 | } | |
121 | late_initcall(load_uefi_certs); |