x86/efi: move common keyring handler functions to new file
[ Upstream commit ad723674d6 ]
The handlers to add the keys to the .platform keyring and blacklisted
hashes to the .blacklist keyring is common for both the uefi and powerpc
mechanisms of loading the keys/hashes from the firmware.
This patch moves the common code from load_uefi.c to keyring_handler.c
Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
Acked-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Eric Richter <erichte@linux.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/1573441836-3632-4-git-send-email-nayna@linux.ibm.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
This commit is contained in:
Nayna Jain
Sasha Levin
parent
ac7d3f5544
commit
06ab9df09e
|
|
@ -11,7 +11,8 @@ integrity-$(CONFIG_INTEGRITY_SIGNATURE) += digsig.o
|
|||
integrity-$(CONFIG_INTEGRITY_ASYMMETRIC_KEYS) += digsig_asymmetric.o
|
||||
integrity-$(CONFIG_INTEGRITY_PLATFORM_KEYRING) += platform_certs/platform_keyring.o
|
||||
integrity-$(CONFIG_LOAD_UEFI_KEYS) += platform_certs/efi_parser.o \
|
||||
platform_certs/load_uefi.o
|
||||
platform_certs/load_uefi.o \
|
||||
platform_certs/keyring_handler.o
|
||||
integrity-$(CONFIG_LOAD_IPL_KEYS) += platform_certs/load_ipl_s390.o
|
||||
|
||||
obj-$(CONFIG_IMA) += ima/
|
||||
|
|
|
|||
|
|
@ -0,0 +1,80 @@
|
|||
// SPDX-License-Identifier: GPL-2.0
|
||||
|
||||
#include <linux/kernel.h>
|
||||
#include <linux/sched.h>
|
||||
#include <linux/cred.h>
|
||||
#include <linux/err.h>
|
||||
#include <linux/efi.h>
|
||||
#include <linux/slab.h>
|
||||
#include <keys/asymmetric-type.h>
|
||||
#include <keys/system_keyring.h>
|
||||
#include "../integrity.h"
|
||||
|
||||
static efi_guid_t efi_cert_x509_guid __initdata = EFI_CERT_X509_GUID;
|
||||
static efi_guid_t efi_cert_x509_sha256_guid __initdata =
|
||||
EFI_CERT_X509_SHA256_GUID;
|
||||
static efi_guid_t efi_cert_sha256_guid __initdata = EFI_CERT_SHA256_GUID;
|
||||
|
||||
/*
|
||||
* Blacklist a hash.
|
||||
*/
|
||||
static __init void uefi_blacklist_hash(const char *source, const void *data,
|
||||
size_t len, const char *type,
|
||||
size_t type_len)
|
||||
{
|
||||
char *hash, *p;
|
||||
|
||||
hash = kmalloc(type_len + len * 2 + 1, GFP_KERNEL);
|
||||
if (!hash)
|
||||
return;
|
||||
p = memcpy(hash, type, type_len);
|
||||
p += type_len;
|
||||
bin2hex(p, data, len);
|
||||
p += len * 2;
|
||||
*p = 0;
|
||||
|
||||
mark_hash_blacklisted(hash);
|
||||
kfree(hash);
|
||||
}
|
||||
|
||||
/*
|
||||
* Blacklist an X509 TBS hash.
|
||||
*/
|
||||
static __init void uefi_blacklist_x509_tbs(const char *source,
|
||||
const void *data, size_t len)
|
||||
{
|
||||
uefi_blacklist_hash(source, data, len, "tbs:", 4);
|
||||
}
|
||||
|
||||
/*
|
||||
* Blacklist the hash of an executable.
|
||||
*/
|
||||
static __init void uefi_blacklist_binary(const char *source,
|
||||
const void *data, size_t len)
|
||||
{
|
||||
uefi_blacklist_hash(source, data, len, "bin:", 4);
|
||||
}
|
||||
|
||||
/*
|
||||
* Return the appropriate handler for particular signature list types found in
|
||||
* the UEFI db and MokListRT tables.
|
||||
*/
|
||||
__init efi_element_handler_t get_handler_for_db(const efi_guid_t *sig_type)
|
||||
{
|
||||
if (efi_guidcmp(*sig_type, efi_cert_x509_guid) == 0)
|
||||
return add_to_platform_keyring;
|
||||
return 0;
|
||||
}
|
||||
|
||||
/*
|
||||
* Return the appropriate handler for particular signature list types found in
|
||||
* the UEFI dbx and MokListXRT tables.
|
||||
*/
|
||||
__init efi_element_handler_t get_handler_for_dbx(const efi_guid_t *sig_type)
|
||||
{
|
||||
if (efi_guidcmp(*sig_type, efi_cert_x509_sha256_guid) == 0)
|
||||
return uefi_blacklist_x509_tbs;
|
||||
if (efi_guidcmp(*sig_type, efi_cert_sha256_guid) == 0)
|
||||
return uefi_blacklist_binary;
|
||||
return 0;
|
||||
}
|
||||
|
|
@ -0,0 +1,32 @@
|
|||
/* SPDX-License-Identifier: GPL-2.0 */
|
||||
|
||||
#ifndef PLATFORM_CERTS_INTERNAL_H
|
||||
#define PLATFORM_CERTS_INTERNAL_H
|
||||
|
||||
#include <linux/efi.h>
|
||||
|
||||
void blacklist_hash(const char *source, const void *data,
|
||||
size_t len, const char *type,
|
||||
size_t type_len);
|
||||
|
||||
/*
|
||||
* Blacklist an X509 TBS hash.
|
||||
*/
|
||||
void blacklist_x509_tbs(const char *source, const void *data, size_t len);
|
||||
|
||||
/*
|
||||
* Blacklist the hash of an executable.
|
||||
*/
|
||||
void blacklist_binary(const char *source, const void *data, size_t len);
|
||||
|
||||
/*
|
||||
* Return the handler for particular signature list types found in the db.
|
||||
*/
|
||||
efi_element_handler_t get_handler_for_db(const efi_guid_t *sig_type);
|
||||
|
||||
/*
|
||||
* Return the handler for particular signature list types found in the dbx.
|
||||
*/
|
||||
efi_element_handler_t get_handler_for_dbx(const efi_guid_t *sig_type);
|
||||
|
||||
#endif
|
||||
|
|
@ -9,6 +9,7 @@
|
|||
#include <keys/asymmetric-type.h>
|
||||
#include <keys/system_keyring.h>
|
||||
#include "../integrity.h"
|
||||
#include "keyring_handler.h"
|
||||
|
||||
static efi_guid_t efi_cert_x509_guid __initdata = EFI_CERT_X509_GUID;
|
||||
static efi_guid_t efi_cert_x509_sha256_guid __initdata =
|
||||
|
|
@ -69,72 +70,6 @@ static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid,
|
|||
return db;
|
||||
}
|
||||
|
||||
/*
|
||||
* Blacklist a hash.
|
||||
*/
|
||||
static __init void uefi_blacklist_hash(const char *source, const void *data,
|
||||
size_t len, const char *type,
|
||||
size_t type_len)
|
||||
{
|
||||
char *hash, *p;
|
||||
|
||||
hash = kmalloc(type_len + len * 2 + 1, GFP_KERNEL);
|
||||
if (!hash)
|
||||
return;
|
||||
p = memcpy(hash, type, type_len);
|
||||
p += type_len;
|
||||
bin2hex(p, data, len);
|
||||
p += len * 2;
|
||||
*p = 0;
|
||||
|
||||
mark_hash_blacklisted(hash);
|
||||
kfree(hash);
|
||||
}
|
||||
|
||||
/*
|
||||
* Blacklist an X509 TBS hash.
|
||||
*/
|
||||
static __init void uefi_blacklist_x509_tbs(const char *source,
|
||||
const void *data, size_t len)
|
||||
{
|
||||
uefi_blacklist_hash(source, data, len, "tbs:", 4);
|
||||
}
|
||||
|
||||
/*
|
||||
* Blacklist the hash of an executable.
|
||||
*/
|
||||
static __init void uefi_blacklist_binary(const char *source,
|
||||
const void *data, size_t len)
|
||||
{
|
||||
uefi_blacklist_hash(source, data, len, "bin:", 4);
|
||||
}
|
||||
|
||||
/*
|
||||
* Return the appropriate handler for particular signature list types found in
|
||||
* the UEFI db and MokListRT tables.
|
||||
*/
|
||||
static __init efi_element_handler_t get_handler_for_db(const efi_guid_t *
|
||||
sig_type)
|
||||
{
|
||||
if (efi_guidcmp(*sig_type, efi_cert_x509_guid) == 0)
|
||||
return add_to_platform_keyring;
|
||||
return 0;
|
||||
}
|
||||
|
||||
/*
|
||||
* Return the appropriate handler for particular signature list types found in
|
||||
* the UEFI dbx and MokListXRT tables.
|
||||
*/
|
||||
static __init efi_element_handler_t get_handler_for_dbx(const efi_guid_t *
|
||||
sig_type)
|
||||
{
|
||||
if (efi_guidcmp(*sig_type, efi_cert_x509_sha256_guid) == 0)
|
||||
return uefi_blacklist_x509_tbs;
|
||||
if (efi_guidcmp(*sig_type, efi_cert_sha256_guid) == 0)
|
||||
return uefi_blacklist_binary;
|
||||
return 0;
|
||||
}
|
||||
|
||||
/*
|
||||
* Load the certs contained in the UEFI databases into the platform trusted
|
||||
* keyring and the UEFI blacklisted X.509 cert SHA256 hashes into the blacklist
|
||||
|
|
|
|||
Loading…
Reference in New Issue