diff options
| -rw-r--r-- | certs/system_keyring.c | 30 | ||||
| -rw-r--r-- | include/keys/system_keyring.h | 4 | ||||
| -rw-r--r-- | security/integrity/platform_certs/keyring_handler.c | 8 | ||||
| -rw-r--r-- | security/integrity/platform_certs/keyring_handler.h | 5 | ||||
| -rw-r--r-- | security/integrity/platform_certs/load_powerpc.c | 17 |
5 files changed, 64 insertions, 0 deletions
diff --git a/certs/system_keyring.c b/certs/system_keyring.c index b348e0898d34a..33841c91f12cc 100644 --- a/certs/system_keyring.c +++ b/certs/system_keyring.c @@ -152,6 +152,36 @@ static __init struct key_restriction *get_builtin_and_secondary_restriction(void return restriction; } + +/** + * add_to_secondary_keyring - Add to secondary keyring. + * @source: Source of key + * @data: The blob holding the key + * @len: The length of the data blob + * + * Add a key to the secondary keyring. The key must be vouched for by a key in the builtin, + * machine or secondary keyring itself. + */ +void __init add_to_secondary_keyring(const char *source, const void *data, size_t len) +{ + key_ref_t key; + key_perm_t perm; + + perm = (KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_VIEW; + + key = key_create_or_update(make_key_ref(secondary_trusted_keys, 1), + "asymmetric", + NULL, data, len, perm, + KEY_ALLOC_NOT_IN_QUOTA); + if (IS_ERR(key)) { + pr_err("Problem loading X.509 certificate from %s to secondary keyring %ld\n", + source, PTR_ERR(key)); + return; + } + + pr_notice("Loaded X.509 cert '%s'\n", key_ref_to_ptr(key)->description); + key_ref_put(key); +} #endif #ifdef CONFIG_INTEGRITY_MACHINE_KEYRING void __init set_machine_trusted_keys(struct key *keyring) diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h index 7e25832088201..8365adf842ef7 100644 --- a/include/keys/system_keyring.h +++ b/include/keys/system_keyring.h @@ -50,9 +50,13 @@ int restrict_link_by_digsig_builtin_and_secondary(struct key *keyring, const struct key_type *type, const union key_payload *payload, struct key *restriction_key); +void __init add_to_secondary_keyring(const char *source, const void *data, size_t len); #else #define restrict_link_by_builtin_and_secondary_trusted restrict_link_by_builtin_trusted #define restrict_link_by_digsig_builtin_and_secondary restrict_link_by_digsig_builtin +static inline void __init add_to_secondary_keyring(const char *source, const void *data, size_t len) +{ +} #endif #ifdef CONFIG_INTEGRITY_MACHINE_KEYRING diff --git a/security/integrity/platform_certs/keyring_handler.c b/security/integrity/platform_certs/keyring_handler.c index 586027b9a3f57..13ea172079029 100644 --- a/security/integrity/platform_certs/keyring_handler.c +++ b/security/integrity/platform_certs/keyring_handler.c @@ -78,6 +78,14 @@ __init efi_element_handler_t get_handler_for_ca_keys(const efi_guid_t *sig_type) return NULL; } +__init efi_element_handler_t get_handler_for_code_signing_keys(const efi_guid_t *sig_type) +{ + if (efi_guidcmp(*sig_type, efi_cert_x509_guid) == 0) + return add_to_secondary_keyring; + + return NULL; +} + /* * Return the appropriate handler for particular signature list types found in * the UEFI dbx and MokListXRT tables. diff --git a/security/integrity/platform_certs/keyring_handler.h b/security/integrity/platform_certs/keyring_handler.h index 6f15bb4cc8dcb..f92895cc50f68 100644 --- a/security/integrity/platform_certs/keyring_handler.h +++ b/security/integrity/platform_certs/keyring_handler.h @@ -35,6 +35,11 @@ efi_element_handler_t get_handler_for_mok(const efi_guid_t *sig_type); efi_element_handler_t get_handler_for_ca_keys(const efi_guid_t *sig_type); /* + * Return the handler for particular signature list types for code signing keys. + */ +efi_element_handler_t get_handler_for_code_signing_keys(const efi_guid_t *sig_type); + +/* * Return the handler for particular signature list types found in the dbx. */ efi_element_handler_t get_handler_for_dbx(const efi_guid_t *sig_type); diff --git a/security/integrity/platform_certs/load_powerpc.c b/security/integrity/platform_certs/load_powerpc.c index 339053d9726d3..c85febca3343e 100644 --- a/security/integrity/platform_certs/load_powerpc.c +++ b/security/integrity/platform_certs/load_powerpc.c @@ -60,6 +60,7 @@ static int __init load_powerpc_certs(void) { void *db = NULL, *dbx = NULL, *data = NULL; void *trustedca; + void *moduledb; u64 dsize = 0; u64 offset = 0; int rc = 0; @@ -137,6 +138,22 @@ static int __init load_powerpc_certs(void) kfree(data); } + data = get_cert_list("moduledb", 9, &dsize); + if (!data) { + pr_info("Couldn't get moduledb list from firmware\n"); + } else if (IS_ERR(data)) { + rc = PTR_ERR(data); + pr_err("Error reading moduledb from firmware: %d\n", rc); + } else { + extract_esl(moduledb, data, dsize, offset); + + rc = parse_efi_signature_list("powerpc:moduledb", moduledb, dsize, + get_handler_for_code_signing_keys); + if (rc) + pr_err("Couldn't parse moduledb signatures: %d\n", rc); + kfree(data); + } + return rc; } late_initcall(load_powerpc_certs); |