6a91557e4c
Do a couple things here: - Split the mega-patches into individual patches. Should help with rebasing. - Make all patches 'git am' acceptable. There should be no functional or actual code differences from before
85 lines
2.6 KiB
Diff
85 lines
2.6 KiB
Diff
From 97810ad51fb090a759a7c56cd860e0a886675945 Mon Sep 17 00:00:00 2001
|
|
From: Josh Boyer <jwboyer@fedoraproject.org>
|
|
Date: Thu, 3 Oct 2013 10:14:23 -0400
|
|
Subject: [PATCH] MODSIGN: Support not importing certs from db
|
|
|
|
If a user tells shim to not use the certs/hashes in the UEFI db variable
|
|
for verification purposes, shim will set a UEFI variable called MokIgnoreDB.
|
|
Have the uefi import code look for this and not import things from the db
|
|
variable.
|
|
|
|
Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
|
|
---
|
|
kernel/modsign_uefi.c | 40 +++++++++++++++++++++++++++++++---------
|
|
1 file changed, 31 insertions(+), 9 deletions(-)
|
|
|
|
diff --git a/kernel/modsign_uefi.c b/kernel/modsign_uefi.c
|
|
index 94b0eb38a284..ae28b974d49a 100644
|
|
--- a/kernel/modsign_uefi.c
|
|
+++ b/kernel/modsign_uefi.c
|
|
@@ -8,6 +8,23 @@
|
|
#include <keys/system_keyring.h>
|
|
#include "module-internal.h"
|
|
|
|
+static __init int check_ignore_db(void)
|
|
+{
|
|
+ efi_status_t status;
|
|
+ unsigned int db = 0;
|
|
+ unsigned long size = sizeof(db);
|
|
+ efi_guid_t guid = EFI_SHIM_LOCK_GUID;
|
|
+
|
|
+ /* Check and see if the MokIgnoreDB variable exists. If that fails
|
|
+ * then we don't ignore DB. If it succeeds, we do.
|
|
+ */
|
|
+ status = efi.get_variable(L"MokIgnoreDB", &guid, NULL, &size, &db);
|
|
+ if (status != EFI_SUCCESS)
|
|
+ return 0;
|
|
+
|
|
+ return 1;
|
|
+}
|
|
+
|
|
static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid, unsigned long *size)
|
|
{
|
|
efi_status_t status;
|
|
@@ -47,23 +64,28 @@ static int __init load_uefi_certs(void)
|
|
efi_guid_t mok_var = EFI_SHIM_LOCK_GUID;
|
|
void *db = NULL, *dbx = NULL, *mok = NULL;
|
|
unsigned long dbsize = 0, dbxsize = 0, moksize = 0;
|
|
- int rc = 0;
|
|
+ int ignore_db, rc = 0;
|
|
|
|
/* Check if SB is enabled and just return if not */
|
|
if (!efi_enabled(EFI_SECURE_BOOT))
|
|
return 0;
|
|
|
|
+ /* See if the user has setup Ignore DB mode */
|
|
+ ignore_db = check_ignore_db();
|
|
+
|
|
/* Get db, MokListRT, and dbx. They might not exist, so it isn't
|
|
* an error if we can't get them.
|
|
*/
|
|
- db = get_cert_list(L"db", &secure_var, &dbsize);
|
|
- if (!db) {
|
|
- pr_err("MODSIGN: Couldn't get UEFI db list\n");
|
|
- } else {
|
|
- rc = parse_efi_signature_list(db, dbsize, system_trusted_keyring);
|
|
- if (rc)
|
|
- pr_err("Couldn't parse db signatures: %d\n", rc);
|
|
- kfree(db);
|
|
+ if (!ignore_db) {
|
|
+ db = get_cert_list(L"db", &secure_var, &dbsize);
|
|
+ if (!db) {
|
|
+ pr_err("MODSIGN: Couldn't get UEFI db list\n");
|
|
+ } else {
|
|
+ rc = parse_efi_signature_list(db, dbsize, system_trusted_keyring);
|
|
+ if (rc)
|
|
+ pr_err("Couldn't parse db signatures: %d\n", rc);
|
|
+ kfree(db);
|
|
+ }
|
|
}
|
|
|
|
mok = get_cert_list(L"MokListRT", &mok_var, &moksize);
|
|
--
|
|
1.9.3
|
|
|