1 #include <linux/kernel.h>
2 #include <linux/sched.h>
3 #include <linux/cred.h>
6 #include <linux/slab.h>
7 #include <keys/asymmetric-type.h>
8 #include <keys/system_keyring.h>
/*
 * Signature-type GUIDs recognised by the db/dbx element handlers below.
 * They are __initdata because only the __init loader consults them; the
 * storage is released once boot-time initialisation is complete.
 */
/* Full X.509 certificate entry: accepted from db and MokListRT. */
static __initdata efi_guid_t efi_cert_x509_guid = EFI_CERT_X509_GUID;
/* SHA-256 of a certificate's TBS section: accepted from dbx as a "tbs:" blacklist entry. */
static __initdata efi_guid_t efi_cert_x509_sha256_guid = EFI_CERT_X509_SHA256_GUID;
/* SHA-256 of a whole binary: accepted from dbx as a "bin:" blacklist entry. */
static __initdata efi_guid_t efi_cert_sha256_guid = EFI_CERT_SHA256_GUID;
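/*
 * Look to see if a UEFI variable called MokIgnoreDB exists and return true if
 * it does.
 *
 * This UEFI variable is set by the shim if a user tells the shim to not use
 * the certs/hashes in the UEFI db variable for verification purposes.  If it
 * is set, we should ignore the db variable also and the true return indicates
 * this.
 *
 * Only the variable's presence matters, not its contents.  The probe buffer
 * is a single unsigned int, so a reply of EFI_BUFFER_TOO_SMALL means the
 * variable exists but is larger than the probe; it must count as "present"
 * too, otherwise an oversized MokIgnoreDB would be treated as absent and db
 * would be trusted against the user's choice.
 */
static __init bool uefi_check_ignore_db(void)
{
	efi_status_t status;
	unsigned int db = 0;
	unsigned long size = sizeof(db);
	efi_guid_t guid = EFI_SHIM_LOCK_GUID;

	status = efi.get_variable(L"MokIgnoreDB", &guid, NULL, &size, &db);
	return status == EFI_SUCCESS || status == EFI_BUFFER_TOO_SMALL;
}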
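/*
 * Get a certificate list blob from the named EFI variable.
 *
 * @name: UEFI variable name, e.g. L"db"
 * @guid: vendor GUID the variable is stored under
 * @size: on success, receives the length in bytes of the returned blob
 *
 * Returns a kmalloc'd copy of the variable contents, which the caller must
 * kfree(), or NULL if the variable is absent, unreadable or cannot be
 * allocated.  An absent variable (EFI_NOT_FOUND) is not logged here: every
 * caller already reports that case at the level it considers appropriate,
 * and logging it as an error here produced misleading "Couldn't get size"
 * messages for optional databases.  All other failures are logged.
 */
static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid,
				  unsigned long *size)
{
	efi_status_t status;
	unsigned long lsize = 4;
	unsigned long tmpdb[4];
	void *db;

	/*
	 * Probe with a deliberately small buffer to learn the real size.  A
	 * variable of four bytes or fewer cannot hold a signature list
	 * header, so EFI_SUCCESS here is also rejected.
	 */
	status = efi.get_variable(name, guid, NULL, &lsize, &tmpdb);
	if (status == EFI_NOT_FOUND)
		return NULL;
	if (status != EFI_BUFFER_TOO_SMALL) {
		pr_err("Couldn't get size: 0x%lx\n", status);
		return NULL;
	}

	db = kmalloc(lsize, GFP_KERNEL);
	if (!db) {
		pr_err("Couldn't allocate memory for uefi cert list\n");
		return NULL;
	}

	/*
	 * The variable may have changed size since the probe; anything but
	 * EFI_SUCCESS (including a second EFI_BUFFER_TOO_SMALL) is a failure.
	 */
	status = efi.get_variable(name, guid, NULL, &lsize, db);
	if (status != EFI_SUCCESS) {
		kfree(db);
		pr_err("Error reading db var: 0x%lx\n", status);
		return NULL;
	}

	*size = lsize;
	return db;
}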
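/*
 * Blacklist a hash under the given type prefix.
 *
 * @type: description prefix, "tbs:" or "bin:"
 * @type_len: length of @type, excluding the terminator
 * @data: raw hash bytes
 * @len: number of bytes in @data
 *
 * Builds the "<type><lowercase hex of data>" description that the blacklist
 * keyring expects and hands it to mark_hash_blacklisted().  The hex form of
 * @data is 2 * @len characters, so the buffer is @type_len + 2 * @len + 1.
 *
 * An allocation failure is logged rather than ignored: a blacklist entry
 * that is silently dropped leaves the corresponding revoked certificate or
 * binary trusted.
 */
static __init void uefi_blacklist_hash(const char *type, size_t type_len,
				       const void *data, size_t len)
{
	char *hash, *p;

	hash = kmalloc(type_len + len * 2 + 1, GFP_KERNEL);
	if (!hash) {
		pr_err("Couldn't allocate memory for %s blacklist entry\n", type);
		return;
	}
	p = memcpy(hash, type, type_len);
	p += type_len;
	bin2hex(p, data, len);
	p += len * 2;
	*p = '\0';

	mark_hash_blacklisted(hash);
	kfree(hash);
}

/*
 * Blacklist an X509 TBS hash.
 *
 * Element handler for EFI_CERT_X509_SHA256_GUID entries; @source is unused.
 */
static __init void uefi_blacklist_x509_tbs(const char *source,
					   const void *data, size_t len)
{
	uefi_blacklist_hash("tbs:", 4, data, len);
}

/*
 * Blacklist the hash of an executable.
 *
 * Element handler for EFI_CERT_SHA256_GUID entries; @source is unused.
 */
static __init void uefi_blacklist_binary(const char *source,
					 const void *data, size_t len)
{
	uefi_blacklist_hash("bin:", 4, data, len);
}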
/*
 * Return the appropriate handler for particular signature list types found in
 * the UEFI db and MokListRT tables.
 *
 * Only full X.509 certificate entries are imported from these databases;
 * any other signature type yields NULL and is skipped by the parser.
 */
static __init efi_element_handler_t
get_handler_for_db(const efi_guid_t *sig_type)
{
	bool is_x509 = efi_guidcmp(*sig_type, efi_cert_x509_guid) == 0;

	return is_x509 ? add_trusted_secondary_key : NULL;
}
/*
 * Return the appropriate handler for particular signature list types found in
 * the UEFI dbx and MokListXRT tables.
 *
 * X.509 TBS hashes and plain binary hashes are blacklisted; any other
 * signature type yields NULL and is skipped by the parser.
 */
static __init efi_element_handler_t
get_handler_for_dbx(const efi_guid_t *sig_type)
{
	efi_element_handler_t handler = NULL;

	if (!efi_guidcmp(*sig_type, efi_cert_x509_sha256_guid))
		handler = uefi_blacklist_x509_tbs;
	else if (!efi_guidcmp(*sig_type, efi_cert_sha256_guid))
		handler = uefi_blacklist_binary;

	return handler;
}
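/*
 * Load the certs contained in the UEFI databases into the secondary trusted
 * keyring and the UEFI blacklisted X.509 cert SHA256 hashes into the blacklist
 * keyring.
 *
 * Order matters: dbx is processed before db and MokListRT so that its "tbs:"
 * entries are already in the blacklist keyring when the certificates are
 * parsed.  The X.509 key parser refuses a certificate whose TBS hash is
 * blacklisted, so a certificate listed in both db and dbx is rejected instead
 * of being trusted first and blacklisted afterwards.
 *
 * None of the three variables is required to exist; a missing one is only
 * logged.  Returns 0, or the first parse error encountered (the remaining
 * databases are still processed).
 */
static int __init load_uefi_certs(void)
{
	efi_guid_t secure_var = EFI_IMAGE_SECURITY_DATABASE_GUID;
	efi_guid_t mok_var = EFI_SHIM_LOCK_GUID;
	void *db = NULL, *dbx = NULL, *mok = NULL;
	unsigned long dbsize = 0, dbxsize = 0, moksize = 0;
	int rc = 0, ret = 0;

	/* Check we have everything we need. */
	if (!efi.get_variable)
		return 0;

	/* Get dbx, db and MokListRT.  They might not exist, so it isn't
	 * an error if we can't get them.
	 */
	dbx = get_cert_list(L"dbx", &secure_var, &dbxsize);
	if (!dbx) {
		pr_info("MODSIGN: Couldn't get UEFI dbx list\n");
	} else {
		rc = parse_efi_signature_list("UEFI:dbx",
					      dbx, dbxsize,
					      get_handler_for_dbx);
		if (rc) {
			pr_err("Couldn't parse dbx signatures: %d\n", rc);
			if (!ret)
				ret = rc;
		}
		kfree(dbx);
	}

	/* db is only consulted when the shim has not been told to ignore it. */
	if (!uefi_check_ignore_db()) {
		db = get_cert_list(L"db", &secure_var, &dbsize);
		if (!db) {
			pr_err("MODSIGN: Couldn't get UEFI db list\n");
		} else {
			rc = parse_efi_signature_list("UEFI:db",
						      db, dbsize,
						      get_handler_for_db);
			if (rc) {
				pr_err("Couldn't parse db signatures: %d\n", rc);
				if (!ret)
					ret = rc;
			}
			kfree(db);
		}
	}

	mok = get_cert_list(L"MokListRT", &mok_var, &moksize);
	if (!mok) {
		pr_info("MODSIGN: Couldn't get UEFI MokListRT\n");
	} else {
		rc = parse_efi_signature_list("UEFI:MokListRT",
					      mok, moksize,
					      get_handler_for_db);
		if (rc) {
			pr_err("Couldn't parse MokListRT signatures: %d\n", rc);
			if (!ret)
				ret = rc;
		}
		kfree(mok);
	}

	return ret;
}
late_initcall(load_uefi_certs);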