1 | // SPDX-License-Identifier: GPL-2.0 |
2 | |
3 | #include <linux/kernel.h> |
4 | #include <linux/sched.h> |
5 | #include <linux/cred.h> |
6 | #include <linux/err.h> |
7 | #include <linux/efi.h> |
8 | #include <linux/slab.h> |
9 | #include <keys/asymmetric-type.h> |
10 | #include <keys/system_keyring.h> |
11 | #include "../integrity.h" |
12 | #include "keyring_handler.h" |
13 | |
/*
 * Signature-list type GUIDs that the handler lookups below dispatch on.
 * They are __initdata because every function in this file is __init; the
 * GUIDs must not be referenced once the init sections have been discarded.
 */
static efi_guid_t efi_cert_x509_guid __initdata = EFI_CERT_X509_GUID;
static efi_guid_t efi_cert_x509_sha256_guid __initdata =
	EFI_CERT_X509_SHA256_GUID;
static efi_guid_t efi_cert_sha256_guid __initdata = EFI_CERT_SHA256_GUID;
18 | |
19 | /* |
20 | * Blacklist an X509 TBS hash. |
21 | */ |
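/*
 * Blacklist an X509 TBS hash.
 *
 * @source: origin label of the signature list; carried only to satisfy the
 *          efi_element_handler_t signature and not used here
 * @data:   hash bytes exactly as found in the firmware-supplied list
 * @len:    length of @data in bytes
 *
 * The call-site argument labels ("hash:", "hash_len:", "hash_type:") in the
 * original were IDE inlay hints, not C; the call is written as plain C here.
 *
 * NOTE(review): the return value of mark_hash_blacklisted() is discarded, so
 * an entry that fails to be blacklisted is silently not enforced -- confirm
 * whether the callee logs failures itself, otherwise a pr_err() belongs here.
 */
static __init void uefi_blacklist_x509_tbs(const char *source,
					   const void *data, size_t len)
{
	mark_hash_blacklisted(data, len, BLACKLIST_HASH_X509_TBS);
}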
27 | |
28 | /* |
29 | * Blacklist the hash of an executable. |
30 | */ |
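/*
 * Blacklist the hash of an executable.
 *
 * @source: origin label of the signature list; carried only to satisfy the
 *          efi_element_handler_t signature and not used here
 * @data:   hash bytes exactly as found in the firmware-supplied list
 * @len:    length of @data in bytes
 *
 * The call-site argument labels in the original were IDE inlay hints rather
 * than C; the call is written as plain C here.
 *
 * NOTE(review): as with the X509 TBS variant, the result of
 * mark_hash_blacklisted() is dropped, so a failed insertion leaves the binary
 * hash unblocked without any diagnostic -- confirm the callee reports it.
 */
static __init void uefi_blacklist_binary(const char *source,
					 const void *data, size_t len)
{
	mark_hash_blacklisted(data, len, BLACKLIST_HASH_BINARY);
}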
36 | |
37 | /* |
38 | * Add an X509 cert to the revocation list. |
39 | */ |
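/*
 * Add an X509 cert to the revocation list.
 *
 * @source: origin label of the signature list; carried only to satisfy the
 *          efi_element_handler_t signature and not used here
 * @data:   DER-encoded certificate bytes as found in the firmware-supplied
 *          list (not validated here; the callee is responsible for parsing)
 * @len:    length of @data in bytes
 *
 * The "size:" label at the call site in the original was an IDE inlay hint,
 * not C; the call is written as plain C here.  The callee's return value (if
 * any) is not examined, matching the other void handlers in this file.
 */
static __init void uefi_revocation_list_x509(const char *source,
					     const void *data, size_t len)
{
	add_key_to_revocation_list(data, len);
}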
45 | |
46 | /* |
47 | * Return the appropriate handler for particular signature list types found in |
48 | * the UEFI db tables. |
49 | */ |
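/*
 * Return the appropriate handler for particular signature list types found in
 * the UEFI db tables.
 *
 * @sig_type: the EFI_SIGNATURE_LIST SignatureType GUID of the list being parsed
 *
 * Returns add_to_platform_keyring for X509 entries and NULL for every other
 * list type; a NULL return is expected to make the caller skip that list.
 * Note that this means only certificates from db are loaded -- hash-only
 * entries, should db contain them, are not imported into any keyring here.
 *
 * The "left:"/"right:" labels in the original efi_guidcmp() call were IDE
 * inlay hints rather than C; the call is written as plain C here.
 */
__init efi_element_handler_t get_handler_for_db(const efi_guid_t *sig_type)
{
	if (efi_guidcmp(*sig_type, efi_cert_x509_guid) == 0)
		return add_to_platform_keyring;
	return NULL;
}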
56 | |
57 | /* |
58 | * Return the appropriate handler for particular signature list types found in |
59 | * the MokListRT tables. |
60 | */ |
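/*
 * Return the appropriate handler for particular signature list types found in
 * the MokListRT tables.
 *
 * @sig_type: the EFI_SIGNATURE_LIST SignatureType GUID of the list being parsed
 *
 * Only X509 entries are handled; anything else returns NULL so the caller
 * skips the list.  The destination keyring encodes a trust decision: MOK
 * certificates go to the machine keyring only when the kernel was built with
 * CONFIG_INTEGRITY_MACHINE_KEYRING and imputed_trust_enabled() reports that
 * trust in MOK entries has been explicitly imputed; otherwise they fall back
 * to the platform keyring.  (In mainline the machine keyring is the one that
 * can extend trust for kernel signature verification, whereas the platform
 * keyring is more narrowly scoped -- verify against the current keyring
 * setup before relying on that distinction.)
 *
 * The "left:"/"right:" labels in the original efi_guidcmp() call were IDE
 * inlay hints rather than C; the call is written as plain C here.
 */
__init efi_element_handler_t get_handler_for_mok(const efi_guid_t *sig_type)
{
	if (efi_guidcmp(*sig_type, efi_cert_x509_guid) != 0)
		return NULL;

	/* Imputed trust is the only path that promotes MOK certs beyond the
	 * platform keyring; default to the more restrictive destination. */
	if (IS_ENABLED(CONFIG_INTEGRITY_MACHINE_KEYRING) &&
	    imputed_trust_enabled())
		return add_to_machine_keyring;

	return add_to_platform_keyring;
}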
72 | |
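/*
 * Return the handler for signature list types found in a firmware-provided
 * list of trusted CA keys.
 *
 * @sig_type: the EFI_SIGNATURE_LIST SignatureType GUID of the list being parsed
 *
 * X509 entries are always routed to the machine keyring and everything else
 * returns NULL.  Unlike get_handler_for_mok(), there is no
 * CONFIG_INTEGRITY_MACHINE_KEYRING / imputed_trust_enabled() gate here, so a
 * CA list from this source is trusted unconditionally -- callers must only
 * feed this from a source the platform already guarantees is authentic.
 *
 * The "left:"/"right:" labels in the original efi_guidcmp() call were IDE
 * inlay hints rather than C; the call is written as plain C here.
 */
__init efi_element_handler_t get_handler_for_ca_keys(const efi_guid_t *sig_type)
{
	if (efi_guidcmp(*sig_type, efi_cert_x509_guid) == 0)
		return add_to_machine_keyring;

	return NULL;
}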
80 | |
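/*
 * Return the handler for signature list types found in a firmware-provided
 * list of code-signing keys.
 *
 * @sig_type: the EFI_SIGNATURE_LIST SignatureType GUID of the list being parsed
 *
 * X509 entries go straight to the secondary keyring; any other list type
 * returns NULL.  This is the most permissive destination used in this file
 * (no machine-keyring or imputed-trust gate), so, as with
 * get_handler_for_ca_keys(), the caller is responsible for only passing lists
 * whose authenticity the platform has already established.
 *
 * The "left:"/"right:" labels in the original efi_guidcmp() call were IDE
 * inlay hints rather than C; the call is written as plain C here.
 */
__init efi_element_handler_t get_handler_for_code_signing_keys(const efi_guid_t *sig_type)
{
	if (efi_guidcmp(*sig_type, efi_cert_x509_guid) == 0)
		return add_to_secondary_keyring;

	return NULL;
}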
88 | |
89 | /* |
90 | * Return the appropriate handler for particular signature list types found in |
91 | * the UEFI dbx and MokListXRT tables. |
92 | */ |
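/*
 * Return the appropriate handler for particular signature list types found in
 * the UEFI dbx and MokListXRT tables.
 *
 * @sig_type: the EFI_SIGNATURE_LIST SignatureType GUID of the list being parsed
 *
 * Forbidden-list entries are mapped as follows:
 *   EFI_CERT_X509_SHA256_GUID -> uefi_blacklist_x509_tbs (blacklist a
 *                                certificate by its TBS hash)
 *   EFI_CERT_SHA256_GUID      -> uefi_blacklist_binary (blacklist a binary
 *                                by its hash)
 *   EFI_CERT_X509_GUID        -> uefi_revocation_list_x509 (revoke the
 *                                whole certificate)
 * Any other type returns NULL and is expected to be skipped by the caller,
 * meaning entries of an unrecognised type are *not* enforced.
 *
 * The "left:"/"right:" labels in the original efi_guidcmp() calls were IDE
 * inlay hints rather than C; the calls are written as plain C here.
 */
__init efi_element_handler_t get_handler_for_dbx(const efi_guid_t *sig_type)
{
	if (efi_guidcmp(*sig_type, efi_cert_x509_sha256_guid) == 0)
		return uefi_blacklist_x509_tbs;
	if (efi_guidcmp(*sig_type, efi_cert_sha256_guid) == 0)
		return uefi_blacklist_binary;
	if (efi_guidcmp(*sig_type, efi_cert_x509_guid) == 0)
		return uefi_revocation_list_x509;
	return NULL;
}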
103 | |