1 #include <linux/kernel.h>
2 #include <linux/sched.h>
3 #include <linux/cred.h>
6 #include <linux/slab.h>
7 #include <keys/asymmetric-type.h>
8 #include <keys/system_keyring.h>
9 #include "module-internal.h"
/*
 * check_ignore_db - report whether the firmware exposes a "MokIgnoreDB"
 * variable under EFI_SHIM_LOCK_GUID.
 *
 * Only the EFI status of the read is inspected here; the variable's payload
 * is read into a sizeof(db)-byte buffer but never interpreted.  The
 * declarations of `status` and `db` (original lines 13-14) and the return
 * statements (original lines 23-26) are not part of this listing; from the
 * comment below, a non-zero result presumably means "ignore db" - confirm
 * against the full source.
 *
 * NOTE(review): the attributes out-parameter of get_variable is passed as
 * NULL, so nothing in this function can tell whether the variable is
 * boot-services-only or writable at runtime from the OS.  Since a successful
 * read changes trust policy, a reviewer would want the variable's attributes
 * checked before it is honoured - verify how shim publishes this variable.
 */
11 static __init
int check_ignore_db(void)
15 unsigned long size
= sizeof(db
);
16 efi_guid_t guid
= EFI_SHIM_LOCK_GUID
;
18 /* Check and see if the MokIgnoreDB variable exists. If that fails
19 * then we don't ignore DB. If it succeeds, we do.
 */
21 status
= efi
.get_variable(L
"MokIgnoreDB", &guid
, NULL
, &size
, &db
);
/* Any status other than EFI_SUCCESS - a missing variable included - takes
 * the "do not ignore db" path; the body of that branch is not in the listing. */
22 if (status
!= EFI_SUCCESS
)
/*
 * get_cert_list - read a UEFI variable into a freshly allocated buffer.
 * @name: UTF-16 variable name
 * @guid: vendor GUID the variable lives under
 * @size: out-parameter for the number of bytes read; the store into *size
 *        (original line 55) is not visible in this listing, so confirm it
 *        is set on every path, including the error paths
 *
 * Uses the usual two-call pattern: a first GetVariable into a small scratch
 * buffer is expected to fail with EFI_BUFFER_TOO_SMALL, which is how the
 * required size is learned (the firmware updates lsize); a second call then
 * fills a kmalloc()'d buffer of that size.  The buffer is returned to the
 * caller, who presumably owns and frees it - the return statements and the
 * kfree() on the read-failure path (original lines 38-40, 44-46, 49-57) are
 * not in this listing.
 *
 * NOTE(review): the attributes out-parameter is passed as NULL in both
 * calls, so callers cannot distinguish a volatile, boot-services-written
 * variable from one an OS-level writer could have set; see the caller for
 * which variables are trusted on this basis.
 */
28 static __init
void *get_cert_list(efi_char16_t
*name
, efi_guid_t
*guid
, unsigned long *size
)
/* Sizes are in bytes (UEFI GetVariable), so a 4-byte request cannot overrun
 * the four-element unsigned long scratch array. */
31 unsigned long lsize
= 4;
32 unsigned long tmpdb
[4];
/* Size probe: success is *not* expected here.  A variable of 4 bytes or
 * fewer would return EFI_SUCCESS and be reported as "Couldn't get size"
 * below; harmless for signature databases, but worth knowing. */
35 status
= efi
.get_variable(name
, guid
, NULL
, &lsize
, &tmpdb
);
36 if (status
!= EFI_BUFFER_TOO_SMALL
) {
37 pr_err("Couldn't get size: 0x%lx\n", status
);
/* lsize now holds the size the firmware reported for the variable. */
41 db
= kmalloc(lsize
, GFP_KERNEL
);
43 pr_err("Couldn't allocate memory for uefi cert list\n");
/* Second read, this time into the sized buffer.  If the variable grew
 * between the two calls the firmware returns EFI_BUFFER_TOO_SMALL again,
 * which lands in the error branch below rather than overrunning db. */
47 status
= efi
.get_variable(name
, guid
, NULL
, &lsize
, db
);
48 if (status
!= EFI_SUCCESS
) {
51 pr_err("Error reading db var: 0x%lx\n", status
);
59 * Load the certs contained in the UEFI databases
/*
 * load_uefi_certs - import UEFI Secure Boot certificate lists into the
 * kernel keyrings at init time.
 *
 * Visible flow: bail out unless EFI_SECURE_BOOT is enabled; obtain the
 * system keyring; compute ignore_db; then read "db" and "MokListRT" and
 * parse each into that keyring, and read "dbx" and parse it into
 * system_blacklist_keyring.  The early returns, the kfree() of each list,
 * the use of ignore_db (original lines 85-86) and the final return value
 * are not in this listing - presumably ignore_db gates the db import, but
 * confirm against the full source.
 *
 * NOTE(review): db and MokListRT end up in the same keyring as the built-in
 * keys, so anything that can populate those variables extends module trust.
 * get_cert_list() discards the variable attributes, so nothing here checks
 * that MokListRT is the volatile copy published by shim rather than a
 * non-volatile variable written from the OS; verify that is enforced
 * elsewhere.
 */
61 static int __init
load_uefi_certs(void)
63 efi_guid_t secure_var
= EFI_IMAGE_SECURITY_DATABASE_GUID
;
64 efi_guid_t mok_var
= EFI_SHIM_LOCK_GUID
;
65 void *db
= NULL
, *dbx
= NULL
, *mok
= NULL
;
66 unsigned long dbsize
= 0, dbxsize
= 0, moksize
= 0;
67 int ignore_db
, rc
= 0;
68 struct key
*keyring
= NULL
;
70 /* Check if SB is enabled and just return if not */
71 if (!efi_enabled(EFI_SECURE_BOOT
))
74 keyring
= get_system_keyring();
76 pr_err("MODSIGN: Couldn't get system keyring\n");
80 /* See if the user has setup Ignore DB mode */
81 ignore_db
= check_ignore_db();
83 /* Get db, MokListRT, and dbx. They might not exist, so it isn't
84 * an error if we can't get them.
 */
/* "db" (EFI_IMAGE_SECURITY_DATABASE_GUID): trusted signers.  A missing db
 * is logged at error level, unlike the two lists below. */
87 db
= get_cert_list(L
"db", &secure_var
, &dbsize
);
89 pr_err("MODSIGN: Couldn't get UEFI db list\n");
91 rc
= parse_efi_signature_list(db
, dbsize
, keyring
);
93 pr_err("Couldn't parse db signatures: %d\n", rc
);
/* "MokListRT" (EFI_SHIM_LOCK_GUID): shim's machine-owner keys, imported into
 * the same system keyring as db. */
98 mok
= get_cert_list(L
"MokListRT", &mok_var
, &moksize
);
100 pr_info("MODSIGN: Couldn't get UEFI MokListRT\n");
102 rc
= parse_efi_signature_list(mok
, moksize
, keyring
);
104 pr_err("Couldn't parse MokListRT signatures: %d\n", rc
);
/* "dbx" (EFI_IMAGE_SECURITY_DATABASE_GUID): revoked signers, parsed into the
 * blacklist keyring rather than the trust keyring. */
108 dbx
= get_cert_list(L
"dbx", &secure_var
, &dbxsize
);
110 pr_info("MODSIGN: Couldn't get UEFI dbx list\n");
112 rc
= parse_efi_signature_list(dbx
, dbxsize
,
113 system_blacklist_keyring
);
115 pr_err("Couldn't parse dbx signatures: %d\n", rc
);
/* Registered as a late initcall - presumably so that the system keyring and
 * EFI runtime services it depends on are already up; confirm against the
 * initcall ordering of the tree this file lives in. */
121 late_initcall(load_uefi_certs
);