diff options
Diffstat (limited to 'security/integrity/platform_certs/load_powerpc.c')
-rw-r--r-- | security/integrity/platform_certs/load_powerpc.c | 159 |
1 files changed, 159 insertions, 0 deletions
diff --git a/security/integrity/platform_certs/load_powerpc.c b/security/integrity/platform_certs/load_powerpc.c new file mode 100644 index 000000000..c85febca3 --- /dev/null +++ b/security/integrity/platform_certs/load_powerpc.c @@ -0,0 +1,159 @@ +// SPDX-License-Identifier: GPL-2.0 +/* + * Copyright (C) 2019 IBM Corporation + * Author: Nayna Jain + * + * - loads keys and hashes stored and controlled by the firmware. + */ +#include <linux/kernel.h> +#include <linux/sched.h> +#include <linux/cred.h> +#include <linux/err.h> +#include <linux/slab.h> +#include <asm/secure_boot.h> +#include <asm/secvar.h> +#include "keyring_handler.h" +#include "../integrity.h" + +#define extract_esl(db, data, size, offset) \ + do { db = data + offset; size = size - offset; } while (0) + +/* + * Get a certificate list blob from the named secure variable. + * + * Returns: + * - a pointer to a kmalloc'd buffer containing the cert list on success + * - NULL if the key does not exist + * - an ERR_PTR on error + */ +static __init void *get_cert_list(u8 *key, unsigned long keylen, u64 *size) +{ + int rc; + void *db; + + rc = secvar_ops->get(key, keylen, NULL, size); + if (rc) { + if (rc == -ENOENT) + return NULL; + return ERR_PTR(rc); + } + + db = kmalloc(*size, GFP_KERNEL); + if (!db) + return ERR_PTR(-ENOMEM); + + rc = secvar_ops->get(key, keylen, db, size); + if (rc) { + kfree(db); + return ERR_PTR(rc); + } + + return db; +} + +/* + * Load the certs contained in the keys databases into the platform trusted + * keyring and the blacklisted X.509 cert SHA256 hashes into the blacklist + * keyring. + */ +static int __init load_powerpc_certs(void) +{ + void *db = NULL, *dbx = NULL, *data = NULL; + void *trustedca; + void *moduledb; + u64 dsize = 0; + u64 offset = 0; + int rc = 0; + ssize_t len; + char buf[32]; + + if (!secvar_ops) + return -ENODEV; + + len = secvar_ops->format(buf, sizeof(buf)); + if (len <= 0) + return -ENODEV; + + // Check for known secure boot implementations from OPAL or PLPKS + if (strcmp("ibm,edk2-compat-v1", buf) && strcmp("ibm,plpks-sb-v1", buf)) { + pr_err("Unsupported secvar implementation \"%s\", not loading certs\n", buf); + return -ENODEV; + } + + if (strcmp("ibm,plpks-sb-v1", buf) == 0) + /* PLPKS authenticated variables ESL data is prefixed with 8 bytes of timestamp */ + offset = 8; + + /* + * Get db, and dbx. They might not exist, so it isn't an error if we + * can't get them. + */ + data = get_cert_list("db", 3, &dsize); + if (!data) { + pr_info("Couldn't get db list from firmware\n"); + } else if (IS_ERR(data)) { + rc = PTR_ERR(data); + pr_err("Error reading db from firmware: %d\n", rc); + return rc; + } else { + extract_esl(db, data, dsize, offset); + + rc = parse_efi_signature_list("powerpc:db", db, dsize, + get_handler_for_db); + if (rc) + pr_err("Couldn't parse db signatures: %d\n", rc); + kfree(data); + } + + data = get_cert_list("dbx", 4, &dsize); + if (!data) { + pr_info("Couldn't get dbx list from firmware\n"); + } else if (IS_ERR(data)) { + rc = PTR_ERR(data); + pr_err("Error reading dbx from firmware: %d\n", rc); + return rc; + } else { + extract_esl(dbx, data, dsize, offset); + + rc = parse_efi_signature_list("powerpc:dbx", dbx, dsize, + get_handler_for_dbx); + if (rc) + pr_err("Couldn't parse dbx signatures: %d\n", rc); + kfree(data); + } + + data = get_cert_list("trustedcadb", 12, &dsize); + if (!data) { + pr_info("Couldn't get trustedcadb list from firmware\n"); + } else if (IS_ERR(data)) { + rc = PTR_ERR(data); + pr_err("Error reading trustedcadb from firmware: %d\n", rc); + } else { + extract_esl(trustedca, data, dsize, offset); + + rc = parse_efi_signature_list("powerpc:trustedca", trustedca, dsize, + get_handler_for_ca_keys); + if (rc) + pr_err("Couldn't parse trustedcadb signatures: %d\n", rc); + kfree(data); + } + + data = get_cert_list("moduledb", 9, &dsize); + if (!data) { + pr_info("Couldn't get moduledb list from firmware\n"); + } else if (IS_ERR(data)) { + rc = PTR_ERR(data); + pr_err("Error reading moduledb from firmware: %d\n", rc); + } else { + extract_esl(moduledb, data, dsize, offset); + + rc = parse_efi_signature_list("powerpc:moduledb", moduledb, dsize, + get_handler_for_code_signing_keys); + if (rc) + pr_err("Couldn't parse moduledb signatures: %d\n", rc); + kfree(data); + } + + return rc; +} +late_initcall(load_powerpc_certs); |