mirror of
https://mirrors.bfsu.edu.cn/git/linux.git
synced 2024-11-11 21:38:32 +08:00
56c5812623
This fixes CVE-2020-26541. The Secure Boot Forbidden Signature Database, dbx, contains a list of now revoked signatures and keys previously approved to boot with UEFI Secure Boot enabled. The dbx is capable of containing any number of EFI_CERT_X509_SHA256_GUID, EFI_CERT_SHA256_GUID, and EFI_CERT_X509_GUID entries. Currently when EFI_CERT_X509_GUID are contained in the dbx, the entries are skipped. Add support for EFI_CERT_X509_GUID dbx entries. When a EFI_CERT_X509_GUID is found, it is added as an asymmetrical key to the .blacklist keyring. Anytime the .platform keyring is used, the keys in the .blacklist keyring are referenced, if a matching key is found, the key will be rejected. [DH: Made the following changes: - Added to have a config option to enable the facility. This allows a Kconfig solution to make sure that pkcs7_validate_trust() is enabled.[1][2] - Moved the functions out from the middle of the blacklist functions. - Added kerneldoc comments.] Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com> Signed-off-by: David Howells <dhowells@redhat.com> Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org> cc: Randy Dunlap <rdunlap@infradead.org> cc: Mickaël Salaün <mic@digikod.net> cc: Arnd Bergmann <arnd@kernel.org> cc: keyrings@vger.kernel.org Link: https://lore.kernel.org/r/20200901165143.10295-1-eric.snowberg@oracle.com/ # rfc Link: https://lore.kernel.org/r/20200909172736.73003-1-eric.snowberg@oracle.com/ # v2 Link: https://lore.kernel.org/r/20200911182230.62266-1-eric.snowberg@oracle.com/ # v3 Link: https://lore.kernel.org/r/20200916004927.64276-1-eric.snowberg@oracle.com/ # v4 Link: https://lore.kernel.org/r/20210122181054.32635-2-eric.snowberg@oracle.com/ # v5 Link: https://lore.kernel.org/r/161428672051.677100.11064981943343605138.stgit@warthog.procyon.org.uk/ Link: https://lore.kernel.org/r/161433310942.902181.4901864302675874242.stgit@warthog.procyon.org.uk/ # v2 Link: https://lore.kernel.org/r/161529605075.163428.14625520893961300757.stgit@warthog.procyon.org.uk/ # v3 Link: https://lore.kernel.org/r/bc2c24e3-ed68-2521-0bf4-a1f6be4a895d@infradead.org/ [1] Link: https://lore.kernel.org/r/20210225125638.1841436-1-arnd@kernel.org/ [2]
91 lines
2.3 KiB
C
91 lines
2.3 KiB
C
/* SPDX-License-Identifier: GPL-2.0-or-later */
|
|
/* System keyring containing trusted public keys.
|
|
*
|
|
* Copyright (C) 2013 Red Hat, Inc. All Rights Reserved.
|
|
* Written by David Howells (dhowells@redhat.com)
|
|
*/
|
|
|
|
#ifndef _KEYS_SYSTEM_KEYRING_H
|
|
#define _KEYS_SYSTEM_KEYRING_H
|
|
|
|
#include <linux/key.h>
|
|
|
|
#ifdef CONFIG_SYSTEM_TRUSTED_KEYRING
|
|
|
|
extern int restrict_link_by_builtin_trusted(struct key *keyring,
|
|
const struct key_type *type,
|
|
const union key_payload *payload,
|
|
struct key *restriction_key);
|
|
|
|
#else
|
|
#define restrict_link_by_builtin_trusted restrict_link_reject
|
|
#endif
|
|
|
|
#ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
|
|
extern int restrict_link_by_builtin_and_secondary_trusted(
|
|
struct key *keyring,
|
|
const struct key_type *type,
|
|
const union key_payload *payload,
|
|
struct key *restriction_key);
|
|
#else
|
|
#define restrict_link_by_builtin_and_secondary_trusted restrict_link_by_builtin_trusted
|
|
#endif
|
|
|
|
extern struct pkcs7_message *pkcs7;
|
|
#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING
|
|
extern int mark_hash_blacklisted(const char *hash);
|
|
extern int is_hash_blacklisted(const u8 *hash, size_t hash_len,
|
|
const char *type);
|
|
extern int is_binary_blacklisted(const u8 *hash, size_t hash_len);
|
|
#else
|
|
static inline int is_hash_blacklisted(const u8 *hash, size_t hash_len,
|
|
const char *type)
|
|
{
|
|
return 0;
|
|
}
|
|
|
|
static inline int is_binary_blacklisted(const u8 *hash, size_t hash_len)
|
|
{
|
|
return 0;
|
|
}
|
|
#endif
|
|
|
|
#ifdef CONFIG_SYSTEM_REVOCATION_LIST
|
|
extern int add_key_to_revocation_list(const char *data, size_t size);
|
|
extern int is_key_on_revocation_list(struct pkcs7_message *pkcs7);
|
|
#else
|
|
static inline int add_key_to_revocation_list(const char *data, size_t size)
|
|
{
|
|
return 0;
|
|
}
|
|
static inline int is_key_on_revocation_list(struct pkcs7_message *pkcs7)
|
|
{
|
|
return -ENOKEY;
|
|
}
|
|
#endif
|
|
|
|
#ifdef CONFIG_IMA_BLACKLIST_KEYRING
|
|
extern struct key *ima_blacklist_keyring;
|
|
|
|
static inline struct key *get_ima_blacklist_keyring(void)
|
|
{
|
|
return ima_blacklist_keyring;
|
|
}
|
|
#else
|
|
static inline struct key *get_ima_blacklist_keyring(void)
|
|
{
|
|
return NULL;
|
|
}
|
|
#endif /* CONFIG_IMA_BLACKLIST_KEYRING */
|
|
|
|
#if defined(CONFIG_INTEGRITY_PLATFORM_KEYRING) && \
|
|
defined(CONFIG_SYSTEM_TRUSTED_KEYRING)
|
|
extern void __init set_platform_trusted_keys(struct key *keyring);
|
|
#else
|
|
static inline void set_platform_trusted_keys(struct key *keyring)
|
|
{
|
|
}
|
|
#endif
|
|
|
|
#endif /* _KEYS_SYSTEM_KEYRING_H */
|