kernel/MODSIGN-Import-certificates-from-UEFI-Secure-Boot.patch

247 lines
7.3 KiB
Diff
Raw Normal View History

From 8a4535bcfe24d317be675e53cdc8c61d22fdc7f3 Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@fedoraproject.org>
Date: Fri, 26 Oct 2012 12:42:16 -0400
Subject: [PATCH 18/20] MODSIGN: Import certificates from UEFI Secure Boot
Secure Boot stores a list of allowed certificates in the 'db' variable.
This imports those certificates into the system trusted keyring. This
allows for a third party signing certificate to be used in conjunction
with signed modules. By importing the public certificate into the 'db'
variable, a user can allow a module signed with that certificate to
load. The shim UEFI bootloader has a similar certificate list stored
in the 'MokListRT' variable. We import those as well.
In the opposite case, Secure Boot maintains a list of disallowed
certificates in the 'dbx' variable. We load those certificates into
the newly introduced system blacklist keyring and forbid any module
signed with those from loading.
Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
---
certs/system_keyring.c | 13 ++++++
include/keys/system_keyring.h | 1 +
init/Kconfig | 9 ++++
kernel/Makefile | 3 ++
kernel/modsign_uefi.c | 99 +++++++++++++++++++++++++++++++++++++++++++
5 files changed, 125 insertions(+)
create mode 100644 kernel/modsign_uefi.c
diff --git a/certs/system_keyring.c b/certs/system_keyring.c
index 787eeead2f57..4d9123ed5c07 100644
--- a/certs/system_keyring.c
+++ b/certs/system_keyring.c
@@ -30,6 +30,19 @@ extern __initconst const u8 system_certificate_list[];
extern __initconst const unsigned long system_certificate_list_size;
/**
+ * get_system_keyring - Return a pointer to the system keyring
+ *
+ */
+struct key *get_system_keyring(void)
+{
+ struct key *system_keyring = NULL;
+
+ system_keyring = builtin_trusted_keys;
+ return system_keyring;
+}
+EXPORT_SYMBOL_GPL(get_system_keyring);
+
+/**
* restrict_link_to_builtin_trusted - Restrict keyring addition by built in CA
*
* Restrict the addition of keys into a keyring based on the key-to-be-added
diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h
index 359c2f9..e7160a6 100644
--- a/include/keys/system_keyring.h
+++ b/include/keys/system_keyring.h
@@ -39,14 +39,26 @@ extern int restrict_link_by_builtin_and_secondary_trusted(
extern int mark_hash_blacklisted(const char *hash);
extern int is_hash_blacklisted(const u8 *hash, size_t hash_len,
const char *type);
+extern struct key *blacklist_keyring;
+
+static inline struct key *get_blacklist_keyring(void)
+{
+ return blacklist_keyring;
+}
#else
static inline int is_hash_blacklisted(const u8 *hash, size_t hash_len,
const char *type)
{
2017-05-04 17:24:40 +00:00
return 0;
}
+static inline struct key *get_blacklist_keyring(void)
+{
+ return NULL;
+}
#endif
+extern struct key *get_system_keyring(void);
+
#ifdef CONFIG_IMA_BLACKLIST_KEYRING
extern struct key *ima_blacklist_keyring;
diff --git a/init/Kconfig b/init/Kconfig
index 461ad575a608..93646fd7b1c8 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -2009,6 +2009,15 @@ config MODULE_SIG_ALL
comment "Do not forget to sign required modules with scripts/sign-file"
depends on MODULE_SIG_FORCE && !MODULE_SIG_ALL
+config MODULE_SIG_UEFI
+ bool "Allow modules signed with certs stored in UEFI"
+ depends on MODULE_SIG && SYSTEM_BLACKLIST_KEYRING && EFI
+ select EFI_SIGNATURE_LIST_PARSER
+ help
+ This will import certificates stored in UEFI and allow modules
+ signed with those to be loaded. It will also disallow loading
+ of modules stored in the UEFI dbx variable.
+
choice
prompt "Which hash algorithm should modules be signed with?"
depends on MODULE_SIG
diff --git a/kernel/Makefile b/kernel/Makefile
index eb26e12c6c2a..e0c2268cb97e 100644
--- a/kernel/Makefile
+++ b/kernel/Makefile
@@ -57,6 +57,7 @@ endif
obj-$(CONFIG_UID16) += uid16.o
obj-$(CONFIG_MODULES) += module.o
obj-$(CONFIG_MODULE_SIG) += module_signing.o
+obj-$(CONFIG_MODULE_SIG_UEFI) += modsign_uefi.o
obj-$(CONFIG_KALLSYMS) += kallsyms.o
obj-$(CONFIG_BSD_PROCESS_ACCT) += acct.o
2015-09-11 14:10:27 +00:00
obj-$(CONFIG_KEXEC_CORE) += kexec_core.o
@@ -113,6 +114,8 @@ obj-$(CONFIG_MEMBARRIER) += membarrier.o
obj-$(CONFIG_HAS_IOMEM) += memremap.o
+$(obj)/modsign_uefi.o: KBUILD_CFLAGS += -fshort-wchar
+
$(obj)/configs.o: $(obj)/config_data.h
2016-12-15 19:27:26 +00:00
targets += config_data.gz
diff --git a/kernel/modsign_uefi.c b/kernel/modsign_uefi.c
new file mode 100644
index 000000000000..fe4a6f2bf10a
--- /dev/null
+++ b/kernel/modsign_uefi.c
@@ -0,0 +1,101 @@
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/cred.h>
+#include <linux/err.h>
+#include <linux/efi.h>
+#include <linux/slab.h>
+#include <keys/asymmetric-type.h>
+#include <keys/system_keyring.h>
+#include "module-internal.h"
+
+static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid, unsigned long *size)
+{
+ efi_status_t status;
+ unsigned long lsize = 4;
+ unsigned long tmpdb[4];
+ void *db = NULL;
+
+ status = efi.get_variable(name, guid, NULL, &lsize, &tmpdb);
+ if (status != EFI_BUFFER_TOO_SMALL) {
+ pr_err("Couldn't get size: 0x%lx\n", status);
+ return NULL;
+ }
+
+ db = kmalloc(lsize, GFP_KERNEL);
+ if (!db) {
+ pr_err("Couldn't allocate memory for uefi cert list\n");
+ goto out;
+ }
+
+ status = efi.get_variable(name, guid, NULL, &lsize, db);
+ if (status != EFI_SUCCESS) {
+ kfree(db);
+ db = NULL;
+ pr_err("Error reading db var: 0x%lx\n", status);
+ }
+out:
+ *size = lsize;
+ return db;
+}
+
+/*
+ * * Load the certs contained in the UEFI databases
+ * */
+static int __init load_uefi_certs(void)
+{
+ efi_guid_t secure_var = EFI_IMAGE_SECURITY_DATABASE_GUID;
+ efi_guid_t mok_var = EFI_SHIM_LOCK_GUID;
+ void *db = NULL, *dbx = NULL, *mok = NULL;
+ unsigned long dbsize = 0, dbxsize = 0, moksize = 0;
+ int rc = 0;
+ struct key *keyring = NULL;
+ struct key *blacklist = NULL;
+
+ /* Check if SB is enabled and just return if not */
+ if (!efi_enabled(EFI_SECURE_BOOT))
+ return 0;
+
+ keyring = get_system_keyring();
+ if (!keyring) {
+ pr_err("MODSIGN: Couldn't get system keyring\n");
+ return -EINVAL;
+ }
+
+ /* Get db, MokListRT, and dbx. They might not exist, so it isn't
+ * an error if we can't get them.
+ */
+ db = get_cert_list(L"db", &secure_var, &dbsize);
+ if (!db) {
+ pr_err("MODSIGN: Couldn't get UEFI db list\n");
+ } else {
+ rc = parse_efi_signature_list(db, dbsize, keyring);
+ if (rc)
+ pr_err("Couldn't parse db signatures: %d\n", rc);
+ kfree(db);
+ }
+
+ mok = get_cert_list(L"MokListRT", &mok_var, &moksize);
+ if (!mok) {
+ pr_info("MODSIGN: Couldn't get UEFI MokListRT\n");
+ } else {
+ rc = parse_efi_signature_list(mok, moksize, keyring);
+ if (rc)
+ pr_err("Couldn't parse MokListRT signatures: %d\n", rc);
+ kfree(mok);
+ }
+
+ blacklist = get_blacklist_keyring();
+ dbx = get_cert_list(L"dbx", &secure_var, &dbxsize);
+ if (!dbx) {
+ pr_info("MODSIGN: Couldn't get UEFI dbx list\n");
+ } else {
+ rc = parse_efi_signature_list(dbx, dbxsize,
+ blacklist);
+ if (rc)
+ pr_err("Couldn't parse dbx signatures: %d\n", rc);
+ kfree(dbx);
+ }
+
+ return rc;
+}
+late_initcall(load_uefi_certs);
--
2.9.3
diff --git a/certs/blacklist.c b/certs/blacklist.c
index 3eddce0..bd9324c 100644
--- a/certs/blacklist.c
+++ b/certs/blacklist.c
@@ -21,7 +21,7 @@
#include <keys/system_keyring.h>
#include "blacklist.h"
-static struct key *blacklist_keyring;
+struct key *blacklist_keyring;
/*
* The description must be a type prefix, a colon and then an even number of