Commit 38a1f03a authored by Lenny Szubowicz's avatar Lenny Szubowicz Committed by Ard Biesheuvel

integrity: Move import of MokListRT certs to a separate routine

Move the loading of certs from the UEFI MokListRT into a separate
routine to facilitate additional MokList functionality.

There is no visible functional change as a result of this patch.
Although the UEFI dbx certs are now loaded before the MokList certs,
they are loaded onto different key rings. So the order of the keys
on their respective key rings is the same.
Signed-off-by: default avatarLenny Szubowicz <lszubowi@redhat.com>
Reviewed-by: default avatarMimi Zohar <zohar@linux.ibm.com>
Link: https://lore.kernel.org/r/20200905013107.10457-3-lszubowi@redhat.comSigned-off-by: default avatarArd Biesheuvel <ardb@kernel.org>
parent 58c90902
...@@ -66,6 +66,43 @@ static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid, ...@@ -66,6 +66,43 @@ static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid,
} }
/* /*
* load_moklist_certs() - Load MokList certs
*
* Load the certs contained in the UEFI MokListRT database into the
* platform trusted keyring.
*
* Return: Status
*/
static int __init load_moklist_certs(void)
{
efi_guid_t mok_var = EFI_SHIM_LOCK_GUID;
void *mok;
unsigned long moksize;
efi_status_t status;
int rc;
/* Get MokListRT. It might not exist, so it isn't an error
* if we can't get it.
*/
mok = get_cert_list(L"MokListRT", &mok_var, &moksize, &status);
if (mok) {
rc = parse_efi_signature_list("UEFI:MokListRT",
mok, moksize, get_handler_for_db);
kfree(mok);
if (rc)
pr_err("Couldn't parse MokListRT signatures: %d\n", rc);
return rc;
}
if (status == EFI_NOT_FOUND)
pr_debug("MokListRT variable wasn't found\n");
else
pr_info("Couldn't get UEFI MokListRT\n");
return 0;
}
/*
* load_uefi_certs() - Load certs from UEFI sources
*
* Load the certs contained in the UEFI databases into the platform trusted * Load the certs contained in the UEFI databases into the platform trusted
* keyring and the UEFI blacklisted X.509 cert SHA256 hashes into the blacklist * keyring and the UEFI blacklisted X.509 cert SHA256 hashes into the blacklist
* keyring. * keyring.
...@@ -73,17 +110,16 @@ static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid, ...@@ -73,17 +110,16 @@ static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid,
static int __init load_uefi_certs(void) static int __init load_uefi_certs(void)
{ {
efi_guid_t secure_var = EFI_IMAGE_SECURITY_DATABASE_GUID; efi_guid_t secure_var = EFI_IMAGE_SECURITY_DATABASE_GUID;
efi_guid_t mok_var = EFI_SHIM_LOCK_GUID; void *db = NULL, *dbx = NULL;
void *db = NULL, *dbx = NULL, *mok = NULL; unsigned long dbsize = 0, dbxsize = 0;
unsigned long dbsize = 0, dbxsize = 0, moksize = 0;
efi_status_t status; efi_status_t status;
int rc = 0; int rc = 0;
if (!efi_rt_services_supported(EFI_RT_SUPPORTED_GET_VARIABLE)) if (!efi_rt_services_supported(EFI_RT_SUPPORTED_GET_VARIABLE))
return false; return false;
/* Get db, MokListRT, and dbx. They might not exist, so it isn't /* Get db and dbx. They might not exist, so it isn't an error
* an error if we can't get them. * if we can't get them.
*/ */
if (!uefi_check_ignore_db()) { if (!uefi_check_ignore_db()) {
db = get_cert_list(L"db", &secure_var, &dbsize, &status); db = get_cert_list(L"db", &secure_var, &dbsize, &status);
...@@ -102,20 +138,6 @@ static int __init load_uefi_certs(void) ...@@ -102,20 +138,6 @@ static int __init load_uefi_certs(void)
} }
} }
mok = get_cert_list(L"MokListRT", &mok_var, &moksize, &status);
if (!mok) {
if (status == EFI_NOT_FOUND)
pr_debug("MokListRT variable wasn't found\n");
else
pr_info("Couldn't get UEFI MokListRT\n");
} else {
rc = parse_efi_signature_list("UEFI:MokListRT",
mok, moksize, get_handler_for_db);
if (rc)
pr_err("Couldn't parse MokListRT signatures: %d\n", rc);
kfree(mok);
}
dbx = get_cert_list(L"dbx", &secure_var, &dbxsize, &status); dbx = get_cert_list(L"dbx", &secure_var, &dbxsize, &status);
if (!dbx) { if (!dbx) {
if (status == EFI_NOT_FOUND) if (status == EFI_NOT_FOUND)
...@@ -131,6 +153,9 @@ static int __init load_uefi_certs(void) ...@@ -131,6 +153,9 @@ static int __init load_uefi_certs(void)
kfree(dbx); kfree(dbx);
} }
/* Load the MokListRT certs */
rc = load_moklist_certs();
return rc; return rc;
} }
late_initcall(load_uefi_certs); late_initcall(load_uefi_certs);
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment