mirror of
https://mirrors.bfsu.edu.cn/git/linux.git
synced 2024-11-28 14:44:10 +08:00
44e69ea538
On secure boot enabled PowerVM LPAR, third party code signing keys are needed during early boot to verify signed third party modules. These third party keys are stored in moduledb object in the Platform KeyStore (PKS). Load third party code signing keys onto .secondary_trusted_keys keyring. Signed-off-by: Nayna Jain <nayna@linux.ibm.com> Reviewed-and-tested-by: Mimi Zohar <zohar@linux.ibm.com> Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org> Tested-by: Nageswara R Sastry <rnsastry@linux.ibm.com> Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
103 lines
2.7 KiB
C
103 lines
2.7 KiB
C
// SPDX-License-Identifier: GPL-2.0
|
|
|
|
#include <linux/kernel.h>
|
|
#include <linux/sched.h>
|
|
#include <linux/cred.h>
|
|
#include <linux/err.h>
|
|
#include <linux/efi.h>
|
|
#include <linux/slab.h>
|
|
#include <keys/asymmetric-type.h>
|
|
#include <keys/system_keyring.h>
|
|
#include "../integrity.h"
|
|
#include "keyring_handler.h"
|
|
|
|
static efi_guid_t efi_cert_x509_guid __initdata = EFI_CERT_X509_GUID;
|
|
static efi_guid_t efi_cert_x509_sha256_guid __initdata =
|
|
EFI_CERT_X509_SHA256_GUID;
|
|
static efi_guid_t efi_cert_sha256_guid __initdata = EFI_CERT_SHA256_GUID;
|
|
|
|
/*
|
|
* Blacklist an X509 TBS hash.
|
|
*/
|
|
static __init void uefi_blacklist_x509_tbs(const char *source,
|
|
const void *data, size_t len)
|
|
{
|
|
mark_hash_blacklisted(data, len, BLACKLIST_HASH_X509_TBS);
|
|
}
|
|
|
|
/*
|
|
* Blacklist the hash of an executable.
|
|
*/
|
|
static __init void uefi_blacklist_binary(const char *source,
|
|
const void *data, size_t len)
|
|
{
|
|
mark_hash_blacklisted(data, len, BLACKLIST_HASH_BINARY);
|
|
}
|
|
|
|
/*
|
|
* Add an X509 cert to the revocation list.
|
|
*/
|
|
static __init void uefi_revocation_list_x509(const char *source,
|
|
const void *data, size_t len)
|
|
{
|
|
add_key_to_revocation_list(data, len);
|
|
}
|
|
|
|
/*
|
|
* Return the appropriate handler for particular signature list types found in
|
|
* the UEFI db tables.
|
|
*/
|
|
__init efi_element_handler_t get_handler_for_db(const efi_guid_t *sig_type)
|
|
{
|
|
if (efi_guidcmp(*sig_type, efi_cert_x509_guid) == 0)
|
|
return add_to_platform_keyring;
|
|
return NULL;
|
|
}
|
|
|
|
/*
|
|
* Return the appropriate handler for particular signature list types found in
|
|
* the MokListRT tables.
|
|
*/
|
|
__init efi_element_handler_t get_handler_for_mok(const efi_guid_t *sig_type)
|
|
{
|
|
if (efi_guidcmp(*sig_type, efi_cert_x509_guid) == 0) {
|
|
if (IS_ENABLED(CONFIG_INTEGRITY_MACHINE_KEYRING) &&
|
|
imputed_trust_enabled())
|
|
return add_to_machine_keyring;
|
|
else
|
|
return add_to_platform_keyring;
|
|
}
|
|
return NULL;
|
|
}
|
|
|
|
__init efi_element_handler_t get_handler_for_ca_keys(const efi_guid_t *sig_type)
|
|
{
|
|
if (efi_guidcmp(*sig_type, efi_cert_x509_guid) == 0)
|
|
return add_to_machine_keyring;
|
|
|
|
return NULL;
|
|
}
|
|
|
|
__init efi_element_handler_t get_handler_for_code_signing_keys(const efi_guid_t *sig_type)
|
|
{
|
|
if (efi_guidcmp(*sig_type, efi_cert_x509_guid) == 0)
|
|
return add_to_secondary_keyring;
|
|
|
|
return NULL;
|
|
}
|
|
|
|
/*
|
|
* Return the appropriate handler for particular signature list types found in
|
|
* the UEFI dbx and MokListXRT tables.
|
|
*/
|
|
__init efi_element_handler_t get_handler_for_dbx(const efi_guid_t *sig_type)
|
|
{
|
|
if (efi_guidcmp(*sig_type, efi_cert_x509_sha256_guid) == 0)
|
|
return uefi_blacklist_x509_tbs;
|
|
if (efi_guidcmp(*sig_type, efi_cert_sha256_guid) == 0)
|
|
return uefi_blacklist_binary;
|
|
if (efi_guidcmp(*sig_type, efi_cert_x509_guid) == 0)
|
|
return uefi_revocation_list_x509;
|
|
return NULL;
|
|
}
|