Commit 386b49f5 authored by Josh Boyer's avatar Josh Boyer Committed by Mimi Zohar
Browse files

efi: Allow the "db" UEFI variable to be suppressed 



If a user tells shim to not use the certs/hashes in the UEFI db variable
for verification purposes, shim will set a UEFI variable called
MokIgnoreDB. Have the uefi import code look for this and ignore the db
variable if it is found.

[zohar@linux.ibm.com: removed reference to "secondary" keyring comment]
Signed-off-by: default avatarJosh Boyer <jwboyer@fedoraproject.org>
Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
Acked-by: default avatarNayna Jain <nayna@linux.ibm.com>
Acked-by: default avatarSerge Hallyn <serge@hallyn.com>
Reviewed-by: default avatarJames Morris <james.morris@microsoft.com>
Signed-off-by: default avatarMimi Zohar <zohar@linux.ibm.com>
parent 15ea0e1e

security/integrity/platform_certs/load_uefi.c

+35 −10
Original line number Diff line number Diff line
@@ -15,6 +15,26 @@ static efi_guid_t efi_cert_x509_sha256_guid __initdata = 
	EFI_CERT_X509_SHA256_GUID;

static efi_guid_t efi_cert_sha256_guid __initdata = EFI_CERT_SHA256_GUID;



/*

 * Look to see if a UEFI variable called MokIgnoreDB exists and return true if

 * it does.

 *

 * This UEFI variable is set by the shim if a user tells the shim to not use

 * the certs/hashes in the UEFI db variable for verification purposes.  If it

 * is set, we should ignore the db variable also and the true return indicates

 * this.

 */

static __init bool uefi_check_ignore_db(void)

{

	efi_status_t status;

	unsigned int db = 0;

	unsigned long size = sizeof(db);

	efi_guid_t guid = EFI_SHIM_LOCK_GUID;



	status = efi.get_variable(L"MokIgnoreDB", &guid, NULL, &size, &db);

	return status == EFI_SUCCESS;

}



/*

 * Get a certificate list blob from the named EFI variable.

 */
@@ -114,7 +134,9 @@ static __init efi_element_handler_t get_handler_for_dbx(const efi_guid_t * 
}



/*

 * Load the certs contained in the UEFI databases

 * Load the certs contained in the UEFI databases into the platform trusted

 * keyring and the UEFI blacklisted X.509 cert SHA256 hashes into the blacklist

 * keyring.

 */

static int __init load_uefi_certs(void)

{
@@ -130,16 +152,19 @@ static int __init load_uefi_certs(void) 
	/* Get db, MokListRT, and dbx.  They might not exist, so it isn't

	 * an error if we can't get them.

	 */

	if (!uefi_check_ignore_db()) {

		db = get_cert_list(L"db", &secure_var, &dbsize);

		if (!db) {

		pr_err("Couldn't get UEFI db list\n");

			pr_err("MODSIGN: Couldn't get UEFI db list\n");

		} else {

			rc = parse_efi_signature_list("UEFI:db",

					db, dbsize, get_handler_for_db);

			if (rc)

			pr_err("Couldn't parse db signatures: %d\n", rc);

				pr_err("Couldn't parse db signatures: %d\n",

				       rc);

			kfree(db);

		}

	}



	mok = get_cert_list(L"MokListRT", &mok_var, &moksize);

	if (!mok) {

CRA Git | Maintained and supported by SUSTech CRA and CCSE