1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
|
From: "Lee, Chun-Yi" <joeyli.kernel@gmail.com>
Date: Tue, 13 Mar 2018 18:38:01 +0800
Subject: [PATCH 2/4] MODSIGN: load blacklist from MOKx
Origin: https://lore.kernel.org/patchwork/patch/933177/
This patch adds the logic to load the blacklisted hash and
certificates from MOKx which is maintained by shim bootloader.
Cc: David Howells <dhowells@redhat.com>
Cc: Josh Boyer <jwboyer@fedoraproject.org>
Cc: James Bottomley <James.Bottomley@HansenPartnership.com>
Signed-off-by: "Lee, Chun-Yi" <jlee@suse.com>
[Rebased by Luca Boccassi]
---
certs/load_uefi.c | 16 +++++++++++++---
1 file changed, 13 insertions(+), 3 deletions(-)
Index: linux/certs/load_uefi.c
===================================================================
--- linux.orig/certs/load_uefi.c
+++ linux/certs/load_uefi.c
@@ -148,8 +148,8 @@ static int __init load_uefi_certs(void)
{
efi_guid_t secure_var = EFI_IMAGE_SECURITY_DATABASE_GUID;
efi_guid_t mok_var = EFI_SHIM_LOCK_GUID;
- void *db = NULL, *dbx = NULL, *mok = NULL;
- unsigned long dbsize = 0, dbxsize = 0, moksize = 0;
+ void *db = NULL, *dbx = NULL, *mok = NULL, *mokx = NULL;
+ unsigned long dbsize = 0, dbxsize = 0, moksize = 0, mokxsize = 0;
int rc = 0;
if (!efi.get_variable)
@@ -183,7 +183,7 @@ static int __init load_uefi_certs(void)
kfree(dbx);
}
- /* the MOK can not be trusted when secure boot is disabled */
+ /* the MOK and MOKx can not be trusted when secure boot is disabled */
if (!efi_enabled(EFI_SECURE_BOOT))
return 0;
@@ -198,6 +198,18 @@ static int __init load_uefi_certs(void)
kfree(mok);
}
+ rc = get_cert_list(L"MokListXRT", &mok_var, &mokxsize, &mokx);
+ if (rc < 0) {
+ pr_info("MODSIGN: Couldn't get UEFI MokListXRT\n");
+ } else if (mokxsize != 0) {
+ rc = parse_efi_signature_list("UEFI:mokx",
+ mokx, mokxsize,
+ get_handler_for_dbx);
+ if (rc)
+ pr_err("Couldn't parse MokListXRT signatures: %d\n", rc);
+ kfree(mokx);
+ }
+
return rc;
}
late_initcall(load_uefi_certs);
|
