UBUNTU: SAUCE: UEFI: MODSIGN: Support not importing certs from db

If a user tells shim to not use the certs/hashes in the UEFI db variable
for verification purposes, shim will set a UEFI variable called MokIgnoreDB.
Have the uefi import code look for this and not import things from the db
variable.

Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>

diff --git a/kernel/modsign_uefi.c b/kernel/modsign_uefi.c
index fe4a6f2bf10ab55e8a64b5434d8dae02495727cc..a41da14b1ffdf9a48f6799f0dcf93fec127f8883 100644 (file)
--- a/kernel/modsign_uefi.c
+++ b/kernel/modsign_uefi.c
@@ -8,6 +8,23 @@
 #include <keys/system_keyring.h>
 #include "module-internal.h"
 
+static __init int check_ignore_db(void)
+{
+       efi_status_t status;
+       unsigned int db = 0;
+       unsigned long size = sizeof(db);
+       efi_guid_t guid = EFI_SHIM_LOCK_GUID;
+
+       /* Check and see if the MokIgnoreDB variable exists.  If that fails
+        * then we don't ignore DB.  If it succeeds, we do.
+        */
+       status = efi.get_variable(L"MokIgnoreDB", &guid, NULL, &size, &db);
+       if (status != EFI_SUCCESS)
+               return 0;
+
+       return 1;
+}
+
 static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid, unsigned long *size)
 {
        efi_status_t status;
@@ -47,7 +64,7 @@ static int __init load_uefi_certs(void)
        efi_guid_t mok_var = EFI_SHIM_LOCK_GUID;
        void *db = NULL, *dbx = NULL, *mok = NULL;
        unsigned long dbsize = 0, dbxsize = 0, moksize = 0;
-       int rc = 0;
+       int ignore_db, rc = 0;
        struct key *keyring = NULL;
 
        /* Check if SB is enabled and just return if not */
@@ -60,17 +77,22 @@ static int __init load_uefi_certs(void)
                return -EINVAL;
        }
 
+       /* See if the user has setup Ignore DB mode */
+       ignore_db = check_ignore_db();
+
        /* Get db, MokListRT, and dbx.  They might not exist, so it isn't
         * an error if we can't get them.
         */
-       db = get_cert_list(L"db", &secure_var, &dbsize);
-       if (!db) {
-               pr_err("MODSIGN: Couldn't get UEFI db list\n");
-       } else {
-               rc = parse_efi_signature_list(db, dbsize, keyring);
-               if (rc)
-                       pr_err("Couldn't parse db signatures: %d\n", rc);
-               kfree(db);
+       if (!ignore_db) {
+               db = get_cert_list(L"db", &secure_var, &dbsize);
+               if (!db) {
+                       pr_err("MODSIGN: Couldn't get UEFI db list\n");
+               } else {
+                       rc = parse_efi_signature_list(db, dbsize, keyring);
+                       if (rc)
+                               pr_err("Couldn't parse db signatures: %d\n", rc);
+                       kfree(db);
+               }
        }
 
        mok = get_cert_list(L"MokListRT", &mok_var, &moksize);