Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

efi: Allow the "db" UEFI variable to be suppressed

If a user tells shim to not use the certs/hashes in the UEFI db variable
for verification purposes, shim will set a UEFI variable called
MokIgnoreDB. Have the uefi import code look for this and ignore the db
variable if it is found.

[zohar@linux.ibm.com: removed reference to "secondary" keyring comment]
Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Nayna Jain <nayna@linux.ibm.com>
Acked-by: Serge Hallyn <serge@hallyn.com>
Reviewed-by: James Morris <james.morris@microsoft.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
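The commit message above describes a small contract between shim and the kernel: shim records the user's choice in a UEFI variable named MokIgnoreDB under the shim lock GUID, and the kernel's import code checks only for that variable's existence before deciding whether to walk the EFI_SIGNATURE_LIST blobs in db. The following Python script is an added example, not kernel or shim code, that audits the same variables from userspace via efivarfs: it reports whether the marker is present and counts the entries in db, dbx and MokListRT using the EFI_SIGNATURE_LIST layout that parse_efi_signature_list() consumes. The GUIDs are the well-known values from the UEFI specification and shim; the efivarfs path, the 4-byte attribute prefix, the helper names (read_efivar, db_import_suppressed, parse_signature_lists, audit, demo) and the sample variable contents built by demo() are this example's own constructions.

```python
"""Audit the UEFI variables consumed by the kernel's load_uefi_certs().

Added example (not kernel code). Reads efivarfs files, checks whether
shim's MokIgnoreDB marker exists (the patched kernel then skips "db"),
and walks EFI_SIGNATURE_LIST blobs the way parse_efi_signature_list() does.
"""
import os
import shutil
import struct
import tempfile
import uuid

# Well-known GUIDs (UEFI spec / shim). efivarfs names files "<Name>-<GUID>".
EFI_IMAGE_SECURITY_DATABASE_GUID = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"  # db, dbx
EFI_SHIM_LOCK_GUID = "605dab50-e046-4300-abb6-3dd810dd8b23"  # MokListRT, MokIgnoreDB
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")

EFIVARS = "/sys/firmware/efi/efivars"  # assumed mount point of efivarfs


def read_efivar(name, guid, efivars=EFIVARS):
    """Return (attributes, data) or None if the variable does not exist.
    efivarfs prefixes the data with a 4-byte little-endian attribute word."""
    path = os.path.join(efivars, f"{name}-{guid}")
    if not os.path.exists(path):
        return None
    with open(path, "rb") as f:
        raw = f.read()
    return struct.unpack_from("<I", raw, 0)[0], raw[4:]


def db_import_suppressed(efivars=EFIVARS):
    """Same test as uefi_check_ignore_db(): presence only, contents ignored."""
    return read_efivar("MokIgnoreDB", EFI_SHIM_LOCK_GUID, efivars) is not None


def parse_signature_lists(blob):
    """Walk concatenated EFI_SIGNATURE_LIST structures.

    Each list: SignatureType GUID (16), SignatureListSize u32,
    SignatureHeaderSize u32, SignatureSize u32, then the header, then
    entries of SignatureSize bytes (owner GUID + SignatureData).
    Returns [(type_name, entry_count, data_bytes_per_entry), ...].
    """
    out, off = [], 0
    while off < len(blob):
        if len(blob) - off < 28:
            raise ValueError(f"truncated list header at offset {off}")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if sig_size < 16 or list_size < 28 + hdr_size or off + list_size > len(blob):
            raise ValueError(f"malformed list at offset {off}")
        entry_bytes = list_size - 28 - hdr_size
        if entry_bytes % sig_size:
            raise ValueError(f"entry area not a multiple of SignatureSize at {off}")
        kind = {EFI_CERT_X509_GUID: "X509", EFI_CERT_SHA256_GUID: "SHA256"}
        out.append((kind.get(sig_type, str(sig_type)), entry_bytes // sig_size, sig_size - 16))
        off += list_size
    return out


def audit(efivars=EFIVARS):
    """Report what load_uefi_certs() would see on this efivarfs."""
    report = {"db_suppressed": db_import_suppressed(efivars)}
    for name, guid in (("db", EFI_IMAGE_SECURITY_DATABASE_GUID),
                       ("dbx", EFI_IMAGE_SECURITY_DATABASE_GUID),
                       ("MokListRT", EFI_SHIM_LOCK_GUID)):
        var = read_efivar(name, guid, efivars)
        report[name] = None if var is None else parse_signature_lists(var[1])
    return report


def build_signature_list(sig_type, entries):
    """Constructed test data: one list, zero owner GUIDs, equal-sized entries."""
    assert len({len(e) for e in entries}) == 1
    body = b"".join(b"\0" * 16 + e for e in entries)
    return sig_type.bytes_le + struct.pack("<III", 28 + len(body), 0, 16 + len(entries[0])) + body


def demo():
    """Populate a constructed efivarfs tree in a temp dir and audit it."""
    d = tempfile.mkdtemp()
    try:
        attrs = struct.pack("<I", 0x7)  # constructed NV|BS|RT attribute word
        db = (build_signature_list(EFI_CERT_SHA256_GUID, [b"\x11" * 32, b"\x22" * 32])
              + build_signature_list(EFI_CERT_X509_GUID, [b"\x30\x82" + b"\0" * 98]))
        with open(os.path.join(d, f"db-{EFI_IMAGE_SECURITY_DATABASE_GUID}"), "wb") as f:
            f.write(attrs + db)
        with open(os.path.join(d, f"MokIgnoreDB-{EFI_SHIM_LOCK_GUID}"), "wb") as f:
            f.write(attrs + b"\x01")  # shim's marker: only its presence matters
        return audit(d)
    finally:
        shutil.rmtree(d)


if __name__ == "__main__":
    print(audit() if os.path.isdir(EFIVARS) else demo())
```

Run on a live system as root it prints the real picture; elsewhere demo() exercises the parser on constructed data. The interesting defensive observation it makes visible is the one the kernel change implies: with MokIgnoreDB present, nothing in db reaches the platform keyring no matter how many certificates the firmware ships, so an auditor comparing keyring contents against db should check this marker first.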

authored by Josh Boyer and committed by Mimi Zohar
386b49f5 15ea0e1e

+35 -10
security/integrity/platform_certs/load_uefi.c
··· 16 16 static efi_guid_t efi_cert_sha256_guid __initdata = EFI_CERT_SHA256_GUID; 17 17 18 18 /* 19 + * Look to see if a UEFI variable called MokIgnoreDB exists and return true if 20 + * it does. 21 + * 22 + * This UEFI variable is set by the shim if a user tells the shim to not use 23 + * the certs/hashes in the UEFI db variable for verification purposes. If it 24 + * is set, we should ignore the db variable also and the true return indicates 25 + * this. 26 + */ 27 + static __init bool uefi_check_ignore_db(void) 28 + { 29 + efi_status_t status; 30 + unsigned int db = 0; 31 + unsigned long size = sizeof(db); 32 + efi_guid_t guid = EFI_SHIM_LOCK_GUID; 33 + 34 + status = efi.get_variable(L"MokIgnoreDB", &guid, NULL, &size, &db); 35 + return status == EFI_SUCCESS; 36 + } 37 + 38 + /* 19 39 * Get a certificate list blob from the named EFI variable. 20 40 */ 21 41 static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid, ··· 134 114 } 135 115 136 116 /* 137 - * Load the certs contained in the UEFI databases 117 + * Load the certs contained in the UEFI databases into the platform trusted 118 + * keyring and the UEFI blacklisted X.509 cert SHA256 hashes into the blacklist 119 + * keyring. 138 120 */ 139 121 static int __init load_uefi_certs(void) 140 122 { ··· 152 130 /* Get db, MokListRT, and dbx. They might not exist, so it isn't 153 131 * an error if we can't get them. 
154 132 */ 155 - db = get_cert_list(L"db", &secure_var, &dbsize); 156 - if (!db) { 157 - pr_err("Couldn't get UEFI db list\n"); 158 - } else { 159 - rc = parse_efi_signature_list("UEFI:db", 160 - db, dbsize, get_handler_for_db); 161 - if (rc) 162 - pr_err("Couldn't parse db signatures: %d\n", rc); 163 - kfree(db); 133 + if (!uefi_check_ignore_db()) { 134 + db = get_cert_list(L"db", &secure_var, &dbsize); 135 + if (!db) { 136 + pr_err("MODSIGN: Couldn't get UEFI db list\n"); 137 + } else { 138 + rc = parse_efi_signature_list("UEFI:db", 139 + db, dbsize, get_handler_for_db); 140 + if (rc) 141 + pr_err("Couldn't parse db signatures: %d\n", 142 + rc); 143 + kfree(db); 144 + } 164 145 } 165 146 166 147 mok = get_cert_list(L"MokListRT", &mok_var, &moksize);
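Review bot: in the hunk adding uefi_check_ignore_db(), only EFI_SUCCESS counts as "variable exists", yet the call reads into a 4-byte `unsigned int db` with `size = sizeof(db)`; if MokIgnoreDB is ever stored with more than 4 bytes of data, get_variable returns EFI_BUFFER_TOO_SMALL and the function reports the variable as absent, so db would be imported despite the user's choice. Since the comment says presence alone is what matters and the value is never inspected, consider also accepting EFI_BUFFER_TOO_SMALL, or querying with a zero-length buffer and testing for that status. The local named `db` is also easy to confuse with the `db` certificate blob in load_uefi_certs(); `val` or `dummy` would read better.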
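Review bot: the new `if (!uefi_check_ignore_db())` branch does nothing at all when the marker is set, so an administrator asking why db certificates never reached the platform keyring has no log line to go on; an `else` with `pr_info("MODSIGN: MokIgnoreDB set, skipping UEFI db\n");` would record the decision. Within the same hunk the "Couldn't get UEFI db list" message gains a "MODSIGN: " prefix while "Couldn't parse db signatures: %d" does not, and the missing-db case is still logged at pr_err although the comment directly above says it is not an error if the variable is absent; pr_info or pr_debug would match that comment.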