From: Lee, Chun-Yi Date: Tue, 13 Mar 2018 10:38:01 +0000 (+0800) Subject: [PATCH 2/4] MODSIGN: load blacklist from MOKx X-Git-Tag: archive/raspbian/5.7.6-1+rpi1^2~20 X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=5a38918087bde4ed739aa2d601a2a9231125ce12;p=linux.git [PATCH 2/4] MODSIGN: load blacklist from MOKx Origin: https://lore.kernel.org/patchwork/patch/933177/ This patch adds the logic to load the blacklisted hash and certificates from MOKx which is maintained by shim bootloader. Cc: David Howells Cc: Josh Boyer Cc: James Bottomley Signed-off-by: "Lee, Chun-Yi" [Rebased by Luca Boccassi] [bwh: Forward-ported to 5.5.9: - get_cert_list() takes a pointer to status and returns the cert list - Adjust filename] Gbp-Pq: Topic features/all/db-mok-keyring Gbp-Pq: Name 0002-MODSIGN-load-blacklist-from-MOKx.patch --- diff --git a/security/integrity/platform_certs/load_uefi.c b/security/integrity/platform_certs/load_uefi.c index 64909c0868f..4ed15ba1011 100644 --- a/security/integrity/platform_certs/load_uefi.c +++ b/security/integrity/platform_certs/load_uefi.c @@ -74,8 +74,8 @@ static int __init load_uefi_certs(void) { efi_guid_t secure_var = EFI_IMAGE_SECURITY_DATABASE_GUID; efi_guid_t mok_var = EFI_SHIM_LOCK_GUID; - void *db = NULL, *dbx = NULL, *mok = NULL; - unsigned long dbsize = 0, dbxsize = 0, moksize = 0; + void *db = NULL, *dbx = NULL, *mok = NULL, *mokx = NULL; + unsigned long dbsize = 0, dbxsize = 0, moksize = 0, mokxsize = 0; efi_status_t status; int rc = 0; @@ -117,7 +117,7 @@ static int __init load_uefi_certs(void) kfree(dbx); } - /* the MOK can not be trusted when secure boot is disabled */ + /* the MOK and MOKx can not be trusted when secure boot is disabled */ if (!efi_enabled(EFI_SECURE_BOOT)) return 0; @@ -135,6 +135,21 @@ static int __init load_uefi_certs(void) kfree(mok); } + mokx = get_cert_list(L"MokListXRT", &mok_var, &mokxsize, &status); + if (!mokx) { + if (status == EFI_NOT_FOUND) + pr_debug("MokListXRT variable wasn't found\n"); + else + pr_info("Couldn't get UEFI MokListXRT\n"); + } else { + rc = parse_efi_signature_list("UEFI:mokx", + mokx, mokxsize, + get_handler_for_dbx); + if (rc) + pr_err("Couldn't parse MokListXRT signatures: %d\n", rc); + kfree(mokx); + } + return rc; } late_initcall(load_uefi_certs);