1 #include <linux/kernel.h>
2 #include <linux/sched.h>
3 #include <linux/cred.h>
4 #include <linux/err.h>
5 #include <linux/efi.h>
6 #include <linux/slab.h>
7 #include <keys/asymmetric-type.h>
8 #include <keys/system_keyring.h>
9 #include "module-internal.h"
/*
 * check_ignore_db - has the user asked us to skip the UEFI "db" store?
 *
 * Only the *presence* of the MokIgnoreDB variable (under the shim lock
 * GUID) matters: a successful read means "ignore db", any other status
 * (including the variable not existing) means "consult db".  The value
 * read back is never inspected.
 *
 * Returns 1 when db should be ignored, 0 otherwise.
 */
static __init int check_ignore_db(void)
{
	efi_guid_t shim_guid = EFI_SHIM_LOCK_GUID;
	unsigned int flag = 0;
	unsigned long flag_size = sizeof(flag);
	efi_status_t status;

	status = efi.get_variable(L"MokIgnoreDB", &shim_guid, NULL,
				  &flag_size, &flag);

	/* Presence is the whole signal; the contents of `flag` are ignored. */
	return (status == EFI_SUCCESS) ? 1 : 0;
}
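/*
 * get_cert_list - read an entire UEFI variable into a fresh kmalloc() buffer
 * @name: UTF-16 variable name (L"db", L"dbx", L"MokListRT", ...)
 * @guid: vendor GUID the variable lives under
 * @size: out-parameter; number of valid bytes in the returned buffer, or 0
 *        whenever NULL is returned
 *
 * The variable is read in two steps: a deliberately too-small probe read
 * that is expected to fail with EFI_BUFFER_TOO_SMALL and hand back the real
 * size, followed by the full read.  A variable small enough to fit the probe
 * buffer (<= 4 bytes) is therefore treated as an error as well, since the
 * probe would succeed instead of reporting a size.
 *
 * NOTE(review): attr is passed as NULL on both reads, so the variable's
 * attributes (authenticated vs. merely volatile/runtime-writable) are not
 * returned and cannot be checked by callers; confirm that is acceptable for
 * every variable this is used on.
 *
 * Returns a kmalloc()ed buffer the caller must kfree(), or NULL on any
 * failure.  On failure *size is always 0 (previously it could carry the
 * probed size alongside a NULL pointer, depending on which step failed).
 */
static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid, unsigned long *size)
{
	efi_status_t status;
	unsigned long lsize = 4;
	unsigned long tmpdb[4];
	void *db;

	/* Establish the failure contract up front: NULL goes with *size == 0. */
	*size = 0;

	/* Probe read: only here to learn the variable's real size. */
	status = efi.get_variable(name, guid, NULL, &lsize, tmpdb);
	if (status != EFI_BUFFER_TOO_SMALL) {
		pr_err("Couldn't get size: 0x%lx\n", status);
		return NULL;
	}

	db = kmalloc(lsize, GFP_KERNEL);
	if (!db) {
		pr_err("Couldn't allocate memory for uefi cert list\n");
		return NULL;
	}

	/*
	 * Full read.  The variable may have changed between the two calls
	 * (firmware reports the new size in lsize); any non-success status
	 * is treated as a failure rather than trusting partial data.
	 */
	status = efi.get_variable(name, guid, NULL, &lsize, db);
	if (status != EFI_SUCCESS) {
		pr_err("Error reading db var: 0x%lx\n", status);
		kfree(db);
		return NULL;
	}

	*size = lsize;
	return db;
}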
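/*
 * load_uefi_certs - seed the kernel keyrings from the UEFI Secure Boot stores
 *
 * Does nothing unless the firmware booted with Secure Boot enabled.  Then:
 *  - "db" (skipped when MokIgnoreDB is present) and shim's "MokListRT" are
 *    parsed into the system keyring (presumably the keyring consulted for
 *    module signature checks, given this file's MODSIGN role - confirm);
 *  - "dbx" is parsed into system_blacklist_keyring.
 *
 * A store that cannot be read is logged and skipped (pr_err for db, pr_info
 * for MokListRT and dbx) rather than treated as fatal; a store that reads
 * but fails to parse is logged and its error code remembered.
 *
 * NOTE(review): the variables' attributes are not validated anywhere on this
 * path (get_cert_list() reads with attr == NULL), so db, MokListRT and dbx
 * are trusted purely by name and GUID; confirm that matches the guarantees
 * the firmware/shim provide for each of them.
 *
 * Returns 0 on success, -EINVAL if the system keyring is unavailable, or the
 * FIRST parse_efi_signature_list() error encountered.  Previously only the
 * last store's result was returned, so a db or MokListRT parse failure was
 * silently dropped whenever a later store parsed cleanly.
 */
static int __init load_uefi_certs(void)
{
	efi_guid_t secure_var = EFI_IMAGE_SECURITY_DATABASE_GUID;
	efi_guid_t mok_var = EFI_SHIM_LOCK_GUID;
	void *db = NULL, *dbx = NULL, *mok = NULL;
	unsigned long dbsize = 0, dbxsize = 0, moksize = 0;
	int ignore_db, rc;
	int ret = 0;	/* first parse error seen, if any */
	struct key *keyring = NULL;

	/* Check if SB is enabled and just return if not */
	if (!efi_enabled(EFI_SECURE_BOOT))
		return 0;

	keyring = get_system_keyring();
	if (!keyring) {
		pr_err("MODSIGN: Couldn't get system keyring\n");
		return -EINVAL;
	}

	/* See if the user has setup Ignore DB mode */
	ignore_db = check_ignore_db();

	/* Get db, MokListRT, and dbx. They might not exist, so it isn't
	 * an error if we can't get them.
	 */
	if (!ignore_db) {
		db = get_cert_list(L"db", &secure_var, &dbsize);
		if (!db) {
			pr_err("MODSIGN: Couldn't get UEFI db list\n");
		} else {
			rc = parse_efi_signature_list(db, dbsize, keyring);
			if (rc) {
				pr_err("Couldn't parse db signatures: %d\n", rc);
				if (!ret)
					ret = rc;
			}
			kfree(db);
		}
	}

	mok = get_cert_list(L"MokListRT", &mok_var, &moksize);
	if (!mok) {
		pr_info("MODSIGN: Couldn't get UEFI MokListRT\n");
	} else {
		rc = parse_efi_signature_list(mok, moksize, keyring);
		if (rc) {
			pr_err("Couldn't parse MokListRT signatures: %d\n", rc);
			if (!ret)
				ret = rc;
		}
		kfree(mok);
	}

	/* dbx feeds the blacklist keyring, not the trusted system keyring. */
	dbx = get_cert_list(L"dbx", &secure_var, &dbxsize);
	if (!dbx) {
		pr_info("MODSIGN: Couldn't get UEFI dbx list\n");
	} else {
		rc = parse_efi_signature_list(dbx, dbxsize,
					      system_blacklist_keyring);
		if (rc) {
			pr_err("Couldn't parse dbx signatures: %d\n", rc);
			if (!ret)
				ret = rc;
		}
		kfree(dbx);
	}

	return ret;
}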
/*
 * Registered as a late initcall so the EFI runtime services and the
 * keyrings it populates are already set up when it runs.
 * NOTE(review): presumably this still precedes any loadable-module
 * signature check that depends on these certs - confirm against init order.
 */
late_initcall(load_uefi_certs);