Commit 58c90902 authored by Lenny Szubowicz's avatar Lenny Szubowicz Committed by Ard Biesheuvel
Browse files

efi: Support for MOK variable config table 



Because of system-specific EFI firmware limitations, EFI volatile
variables may not be capable of holding the required contents of
the Machine Owner Key (MOK) certificate store when the certificate
list grows above some size. Therefore, an EFI boot loader may pass
the MOK certs via a EFI configuration table created specifically for
this purpose to avoid this firmware limitation.

An EFI configuration table is a much more primitive mechanism
compared to EFI variables and is well suited for one-way passage
of static information from a pre-OS environment to the kernel.

This patch adds initial kernel support to recognize, parse,
and validate the EFI MOK configuration table, where named
entries contain the same data that would otherwise be provided
in similarly named EFI variables.

Additionally, this patch creates a sysfs binary file for each
EFI MOK configuration table entry found. These files are read-only
to root and are provided for use by user space utilities such as
mokutil.

A subsequent patch will load MOK certs into the trusted platform
key ring using this infrastructure.

Signed-off-by: default avatarLenny Szubowicz <lszubowi@redhat.com>
Link: https://lore.kernel.org/r/20200905013107.10457-2-lszubowi@redhat.com


Signed-off-by: default avatarArd Biesheuvel <ardb@kernel.org>
parent 5c4c30f4

arch/x86/kernel/setup.c

+1 −0
Original line number Diff line number Diff line
@@ -1077,6 +1077,7 @@ void __init setup_arch(char **cmdline_p) 
	efi_fake_memmap();

	efi_find_mirror();

	efi_esrt_init();

	efi_mokvar_table_init();



	/*

	 * The EFI specification says that boot service code won't be

arch/x86/platform/efi/efi.c

+3 −0
Original line number Diff line number Diff line
@@ -91,6 +91,9 @@ static const unsigned long * const efi_tables[] = { 
	&efi.tpm_log,

	&efi.tpm_final_log,

	&efi_rng_seed,

#ifdef CONFIG_LOAD_UEFI_KEYS

	&efi.mokvar_table,

#endif

};



u64 efi_setup;		/* efi setup_data physical address */

drivers/firmware/efi/Makefile

+1 −0
Original line number Diff line number Diff line
@@ -28,6 +28,7 @@ obj-$(CONFIG_EFI_DEV_PATH_PARSER) += dev-path-parser.o 
obj-$(CONFIG_APPLE_PROPERTIES)		+= apple-properties.o

obj-$(CONFIG_EFI_RCI2_TABLE)		+= rci2-table.o

obj-$(CONFIG_EFI_EMBEDDED_FIRMWARE)	+= embedded-firmware.o

obj-$(CONFIG_LOAD_UEFI_KEYS)		+= mokvar-table.o



fake_map-y				+= fake_mem.o

fake_map-$(CONFIG_X86)			+= x86_fake_mem.o

drivers/firmware/efi/efi-init.c

+1 −0
Original line number Diff line number Diff line
@@ -236,6 +236,7 @@ void __init efi_init(void) 


	reserve_regions();

	efi_esrt_init();

	efi_mokvar_table_init();



	memblock_reserve(data.phys_map & PAGE_MASK,

			 PAGE_ALIGN(data.size + (data.phys_map & ~PAGE_MASK)));

drivers/firmware/efi/efi.c

+6 −0
Original line number Diff line number Diff line
@@ -43,6 +43,9 @@ struct efi __read_mostly efi = { 
	.esrt			= EFI_INVALID_TABLE_ADDR,

	.tpm_log		= EFI_INVALID_TABLE_ADDR,

	.tpm_final_log		= EFI_INVALID_TABLE_ADDR,

#ifdef CONFIG_LOAD_UEFI_KEYS

	.mokvar_table		= EFI_INVALID_TABLE_ADDR,

#endif

};

EXPORT_SYMBOL(efi);
@@ -516,6 +519,9 @@ static const efi_config_table_type_t common_tables[] __initconst = { 
	{EFI_RT_PROPERTIES_TABLE_GUID,		&rt_prop,		"RTPROP"	},

#ifdef CONFIG_EFI_RCI2_TABLE

	{DELLEMC_EFI_RCI2_TABLE_GUID,		&rci2_table_phys			},

#endif

#ifdef CONFIG_LOAD_UEFI_KEYS

	{LINUX_EFI_MOK_VARIABLE_TABLE_GUID,	&efi.mokvar_table,	"MOKvar"	},

#endif

	{},

};

CRA Git | Maintained and supported by SUSTech CRA and CCSE