81 lines
2.5 KiB
Diff
81 lines
2.5 KiB
Diff
From: Josh Boyer <jwboyer@fedoraproject.org>
|
|
Date: Thu, 3 Oct 2013 10:14:23 -0400
|
|
Subject: [PATCH] MODSIGN: Support not importing certs from db
|
|
|
|
If a user tells shim to not use the certs/hashes in the UEFI db variable
|
|
for verification purposes, shim will set a UEFI variable called MokIgnoreDB.
|
|
Have the uefi import code look for this and not import things from the db
|
|
variable.
|
|
|
|
Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
|
|
---
|
|
kernel/modsign_uefi.c | 40 +++++++++++++++++++++++++++++++---------
|
|
1 file changed, 31 insertions(+), 9 deletions(-)
|
|
|
|
diff --git a/kernel/modsign_uefi.c b/kernel/modsign_uefi.c
|
|
index 94b0eb38a284..ae28b974d49a 100644
|
|
--- a/kernel/modsign_uefi.c
|
|
+++ b/kernel/modsign_uefi.c
|
|
@@ -8,6 +8,23 @@
|
|
#include <keys/system_keyring.h>
|
|
#include "module-internal.h"
|
|
|
|
+static __init int check_ignore_db(void)
|
|
+{
|
|
+ efi_status_t status;
|
|
+ unsigned int db = 0;
|
|
+ unsigned long size = sizeof(db);
|
|
+ efi_guid_t guid = EFI_SHIM_LOCK_GUID;
|
|
+
|
|
+ /* Check and see if the MokIgnoreDB variable exists. If that fails
|
|
+ * then we don't ignore DB. If it succeeds, we do.
|
|
+ */
|
|
+ status = efi.get_variable(L"MokIgnoreDB", &guid, NULL, &size, &db);
|
|
+ if (status != EFI_SUCCESS)
|
|
+ return 0;
|
|
+
|
|
+ return 1;
|
|
+}
|
|
+
|
|
static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid, unsigned long *size)
|
|
{
|
|
efi_status_t status;
|
|
@@ -47,23 +64,28 @@ static int __init load_uefi_certs(void)
|
|
efi_guid_t mok_var = EFI_SHIM_LOCK_GUID;
|
|
void *db = NULL, *dbx = NULL, *mok = NULL;
|
|
unsigned long dbsize = 0, dbxsize = 0, moksize = 0;
|
|
- int rc = 0;
|
|
+ int ignore_db, rc = 0;
|
|
|
|
/* Check if SB is enabled and just return if not */
|
|
if (!efi_enabled(EFI_SECURE_BOOT))
|
|
return 0;
|
|
|
|
+ /* See if the user has setup Ignore DB mode */
|
|
+ ignore_db = check_ignore_db();
|
|
+
|
|
/* Get db, MokListRT, and dbx. They might not exist, so it isn't
|
|
* an error if we can't get them.
|
|
*/
|
|
- db = get_cert_list(L"db", &secure_var, &dbsize);
|
|
- if (!db) {
|
|
- pr_err("MODSIGN: Couldn't get UEFI db list\n");
|
|
- } else {
|
|
- rc = parse_efi_signature_list(db, dbsize, system_trusted_keyring);
|
|
- if (rc)
|
|
- pr_err("Couldn't parse db signatures: %d\n", rc);
|
|
- kfree(db);
|
|
+ if (!ignore_db) {
|
|
+ db = get_cert_list(L"db", &secure_var, &dbsize);
|
|
+ if (!db) {
|
|
+ pr_err("MODSIGN: Couldn't get UEFI db list\n");
|
|
+ } else {
|
|
+ rc = parse_efi_signature_list(db, dbsize, system_trusted_keyring);
|
|
+ if (rc)
|
|
+ pr_err("Couldn't parse db signatures: %d\n", rc);
|
|
+ kfree(db);
|
|
+ }
|
|
}
|
|
|
|
mok = get_cert_list(L"MokListRT", &mok_var, &moksize);
|