Tree - rpms/kernel - CentOS Git server

rpms / kernel

Files

Commit: ae3c9b80899f7051076ac5548d3d97ab943b6174

Blob Blame History Raw

 From: Josh Boyer <jwboyer@fedoraproject.org>
Date: Thu, 3 Oct 2013 10:14:23 -0400
Subject: [PATCH] MODSIGN: Support not importing certs from db
 
If a user tells shim to not use the certs/hashes in the UEFI db variable
for verification purposes, shim will set a UEFI variable called MokIgnoreDB.
Have the uefi import code look for this and not import things from the db
variable.
 
Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
---
 kernel/modsign_uefi.c | 40 +++++++++++++++++++++++++++++++---------
 1 file changed, 31 insertions(+), 9 deletions(-)
 
diff --git a/kernel/modsign_uefi.c b/kernel/modsign_uefi.c
index 94b0eb38a284..ae28b974d49a 100644
--- a/kernel/modsign_uefi.c
+++ b/kernel/modsign_uefi.c
@@ -8,6 +8,23 @@
 #include <keys/system_keyring.h>
 #include "module-internal.h"
 
+static __init int check_ignore_db(void)
+{
+	efi_status_t status;
+	unsigned int db = 0;
+	unsigned long size = sizeof(db);
+	efi_guid_t guid = EFI_SHIM_LOCK_GUID;
+
+	/* Check and see if the MokIgnoreDB variable exists.  If that fails
+	 * then we don't ignore DB.  If it succeeds, we do.
+	 */
+	status = efi.get_variable(L"MokIgnoreDB", &guid, NULL, &size, &db);
+	if (status != EFI_SUCCESS)
+		return 0;
+
+	return 1;
+}
+
 static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid, unsigned long *size)
 {
 	efi_status_t status;
@@ -47,23 +64,28 @@ static int __init load_uefi_certs(void)
 	efi_guid_t mok_var = EFI_SHIM_LOCK_GUID;
 	void *db = NULL, *dbx = NULL, *mok = NULL;
 	unsigned long dbsize = 0, dbxsize = 0, moksize = 0;
-	int rc = 0;
+	int ignore_db, rc = 0;
 
 	/* Check if SB is enabled and just return if not */
 	if (!efi_enabled(EFI_SECURE_BOOT))
 		return 0;
 
+	/* See if the user has setup Ignore DB mode */
+	ignore_db = check_ignore_db();
+
 	/* Get db, MokListRT, and dbx.  They might not exist, so it isn't
 	 * an error if we can't get them.
 	 */
-	db = get_cert_list(L"db", &secure_var, &dbsize);
-	if (!db) {
-		pr_err("MODSIGN: Couldn't get UEFI db list\n");
-	} else {
-		rc = parse_efi_signature_list(db, dbsize, system_trusted_keyring);
-		if (rc)
-			pr_err("Couldn't parse db signatures: %d\n", rc);
-		kfree(db);
+	if (!ignore_db) {
+		db = get_cert_list(L"db", &secure_var, &dbsize);
+		if (!db) {
+			pr_err("MODSIGN: Couldn't get UEFI db list\n");
+		} else {
+			rc = parse_efi_signature_list(db, dbsize, system_trusted_keyring);
+			if (rc)
+				pr_err("Couldn't parse db signatures: %d\n", rc);
+			kfree(db);
+		}
 	}
 
 	mok = get_cert_list(L"MokListRT", &mok_var, &moksize);
-- 
2.1.0

	From: Josh Boyer <jwboyer@fedoraproject.org>
	Date: Thu, 3 Oct 2013 10:14:23 -0400
	Subject: [PATCH] MODSIGN: Support not importing certs from db

	If a user tells shim to not use the certs/hashes in the UEFI db variable
	for verification purposes, shim will set a UEFI variable called MokIgnoreDB.
	Have the uefi import code look for this and not import things from the db
	variable.

	Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
	---
	kernel/modsign_uefi.c \| 40 +++++++++++++++++++++++++++++++---------
	1 file changed, 31 insertions(+), 9 deletions(-)

	diff --git a/kernel/modsign_uefi.c b/kernel/modsign_uefi.c
	index 94b0eb38a284..ae28b974d49a 100644
	--- a/kernel/modsign_uefi.c
	+++ b/kernel/modsign_uefi.c
	@@ -8,6 +8,23 @@
	#include <keys/system_keyring.h>
	#include "module-internal.h"

	+static __init int check_ignore_db(void)
	+{
	+ efi_status_t status;
	+ unsigned int db = 0;
	+ unsigned long size = sizeof(db);
	+ efi_guid_t guid = EFI_SHIM_LOCK_GUID;
	+
	+ /* Check and see if the MokIgnoreDB variable exists. If that fails
	+ * then we don't ignore DB. If it succeeds, we do.
	+ */
	+ status = efi.get_variable(L"MokIgnoreDB", &guid, NULL, &size, &db);
	+ if (status != EFI_SUCCESS)
	+ return 0;
	+
	+ return 1;
	+}
	+
	static __init void get_cert_list(efi_char16_t name, efi_guid_t guid, unsigned long size)
	{
	efi_status_t status;
	@@ -47,23 +64,28 @@ static int __init load_uefi_certs(void)
	efi_guid_t mok_var = EFI_SHIM_LOCK_GUID;
	void db = NULL, dbx = NULL, *mok = NULL;
	unsigned long dbsize = 0, dbxsize = 0, moksize = 0;
	- int rc = 0;
	+ int ignore_db, rc = 0;

	/* Check if SB is enabled and just return if not */
	if (!efi_enabled(EFI_SECURE_BOOT))
	return 0;

	+ /* See if the user has setup Ignore DB mode */
	+ ignore_db = check_ignore_db();
	+
	/* Get db, MokListRT, and dbx. They might not exist, so it isn't
	* an error if we can't get them.
	*/
	- db = get_cert_list(L"db", &secure_var, &dbsize);
	- if (!db) {
	- pr_err("MODSIGN: Couldn't get UEFI db list\n");
	- } else {
	- rc = parse_efi_signature_list(db, dbsize, system_trusted_keyring);
	- if (rc)
	- pr_err("Couldn't parse db signatures: %d\n", rc);
	- kfree(db);
	+ if (!ignore_db) {
	+ db = get_cert_list(L"db", &secure_var, &dbsize);
	+ if (!db) {
	+ pr_err("MODSIGN: Couldn't get UEFI db list\n");
	+ } else {
	+ rc = parse_efi_signature_list(db, dbsize, system_trusted_keyring);
	+ if (rc)
	+ pr_err("Couldn't parse db signatures: %d\n", rc);
	+ kfree(db);
	+ }
	}

	mok = get_cert_list(L"MokListRT", &mok_var, &moksize);
	--
	2.1.0

rpms / kernel

Source Code

Files