]> git.proxmox.com Git - mirror_ubuntu-artful-kernel.git/blame - kernel/modsign_uefi.c
projects / mirror_ubuntu-artful-kernel.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
UBUNTU: Ubuntu-snapdragon-4.4.0-1068.73
[mirror_ubuntu-artful-kernel.git] / kernel / modsign_uefi.c
CommitLineData
89052b26
JB		 1#include <linux/kernel.h>
2#include <linux/sched.h>
3#include <linux/cred.h>
4#include <linux/err.h>
5#include <linux/efi.h>
6#include <linux/slab.h>
7#include <keys/asymmetric-type.h>
8#include <keys/system_keyring.h>
9#include "module-internal.h"
10
d760d063
JB		 11static __init int check_ignore_db(void)
12{
13 efi_status_t status;
14 unsigned int db = 0;
15 unsigned long size = sizeof(db);
16 efi_guid_t guid = EFI_SHIM_LOCK_GUID;
17
18 /* Check and see if the MokIgnoreDB variable exists. If that fails
19 * then we don't ignore DB. If it succeeds, we do.
20 */
21 status = efi.get_variable(L"MokIgnoreDB", &guid, NULL, &size, &db);
22 if (status != EFI_SUCCESS)
23 return 0;
24
25 return 1;
26}
27
89052b26
JB		 28static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid, unsigned long *size)
29{
30 efi_status_t status;
31 unsigned long lsize = 4;
32 unsigned long tmpdb[4];
33 void *db = NULL;
34
35 status = efi.get_variable(name, guid, NULL, &lsize, &tmpdb);
36 if (status != EFI_BUFFER_TOO_SMALL) {
37 pr_err("Couldn't get size: 0x%lx\n", status);
38 return NULL;
39 }
40
41 db = kmalloc(lsize, GFP_KERNEL);
42 if (!db) {
43 pr_err("Couldn't allocate memory for uefi cert list\n");
44 goto out;
45 }
46
47 status = efi.get_variable(name, guid, NULL, &lsize, db);
48 if (status != EFI_SUCCESS) {
49 kfree(db);
50 db = NULL;
51 pr_err("Error reading db var: 0x%lx\n", status);
52 }
53out:
54 *size = lsize;
55 return db;
56}
57
58/*
59 * * Load the certs contained in the UEFI databases
60 * */
61static int __init load_uefi_certs(void)
62{
63 efi_guid_t secure_var = EFI_IMAGE_SECURITY_DATABASE_GUID;
64 efi_guid_t mok_var = EFI_SHIM_LOCK_GUID;
65 void *db = NULL, *dbx = NULL, *mok = NULL;
66 unsigned long dbsize = 0, dbxsize = 0, moksize = 0;
d760d063 67 int ignore_db, rc = 0;
89052b26
JB		 68
69 /* Check if SB is enabled and just return if not */
70 if (!efi_enabled(EFI_SECURE_BOOT))
71 return 0;
72
d760d063
JB		 73 /* See if the user has setup Ignore DB mode */
74 ignore_db = check_ignore_db();
75
89052b26
JB		 76 /* Get db, MokListRT, and dbx. They might not exist, so it isn't
77 * an error if we can't get them.
78 */
d760d063
JB		 79 if (!ignore_db) {
80 db = get_cert_list(L"db", &secure_var, &dbsize);
81 if (!db) {
82 pr_err("MODSIGN: Couldn't get UEFI db list\n");
83 } else {
84 rc = parse_efi_signature_list(db, dbsize, system_trusted_keyring);
85 if (rc)
86 pr_err("Couldn't parse db signatures: %d\n", rc);
87 kfree(db);
88 }
89052b26
JB		 89 }
90
91 mok = get_cert_list(L"MokListRT", &mok_var, &moksize);
92 if (!mok) {
93 pr_info("MODSIGN: Couldn't get UEFI MokListRT\n");
94 } else {
95 rc = parse_efi_signature_list(mok, moksize, system_trusted_keyring);
96 if (rc)
97 pr_err("Couldn't parse MokListRT signatures: %d\n", rc);
98 kfree(mok);
99 }
100
101 dbx = get_cert_list(L"dbx", &secure_var, &dbxsize);
102 if (!dbx) {
103 pr_info("MODSIGN: Couldn't get UEFI dbx list\n");
104 } else {
105 rc = parse_efi_signature_list(dbx, dbxsize,
106 system_blacklist_keyring);
107 if (rc)
108 pr_err("Couldn't parse dbx signatures: %d\n", rc);
109 kfree(dbx);
110 }
111
112 return rc;
113}
114late_initcall(load_uefi_certs);
Ubuntu Artful kernel mirror