[PATCH 19/20] MODSIGN: Support not importing certs from db

Josh Boyer <jwboyer@xxxxxxxxxxxxxxxxx> · Tue, 25 Oct 2016 13:24:20 -0400

If a user tells shim to not use the certs/hashes in the UEFI db variable
for verification purposes, shim will set a UEFI variable called MokIgnoreDB.
Have the uefi import code look for this and not import things from the db
variable.

Signed-off-by: Josh Boyer <jwboyer@xxxxxxxxxxxxxxxxx>
---
 kernel/modsign_uefi.c | 40 +++++++++++++++++++++++++++++++---------
 1 file changed, 31 insertions(+), 9 deletions(-)

diff --git a/kernel/modsign_uefi.c b/kernel/modsign_uefi.c
index fe4a6f2bf10a..a41da14b1ffd 100644
--- a/kernel/modsign_uefi.c
+++ b/kernel/modsign_uefi.c
@@ -8,6 +8,23 @@
 #include <keys/system_keyring.h>
 #include "module-internal.h"
 
+static __init int check_ignore_db(void)
+{
+	efi_status_t status;
+	unsigned int db = 0;
+	unsigned long size = sizeof(db);
+	efi_guid_t guid = EFI_SHIM_LOCK_GUID;
+
+	/* Check and see if the MokIgnoreDB variable exists.  If that fails
+	 * then we don't ignore DB.  If it succeeds, we do.
+	 */
+	status = efi.get_variable(L"MokIgnoreDB", &guid, NULL, &size, &db);
+	if (status != EFI_SUCCESS)
+		return 0;
+
+	return 1;
+}
+
 static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid, unsigned long *size)
 {
 	efi_status_t status;
@@ -47,7 +64,7 @@ static int __init load_uefi_certs(void)
 	efi_guid_t mok_var = EFI_SHIM_LOCK_GUID;
 	void *db = NULL, *dbx = NULL, *mok = NULL;
 	unsigned long dbsize = 0, dbxsize = 0, moksize = 0;
-	int rc = 0;
+	int ignore_db, rc = 0;
 	struct key *keyring = NULL;
 
 	/* Check if SB is enabled and just return if not */
@@ -60,17 +77,22 @@ static int __init load_uefi_certs(void)
 		return -EINVAL;
 	}
 
+	/* See if the user has setup Ignore DB mode */
+	ignore_db = check_ignore_db();
+
 	/* Get db, MokListRT, and dbx.  They might not exist, so it isn't
 	 * an error if we can't get them.
 	 */
-	db = get_cert_list(L"db", &secure_var, &dbsize);
-	if (!db) {
-		pr_err("MODSIGN: Couldn't get UEFI db list\n");
-	} else {
-		rc = parse_efi_signature_list(db, dbsize, keyring);
-		if (rc)
-			pr_err("Couldn't parse db signatures: %d\n", rc);
-		kfree(db);
+	if (!ignore_db) {
+		db = get_cert_list(L"db", &secure_var, &dbsize);
+		if (!db) {
+			pr_err("MODSIGN: Couldn't get UEFI db list\n");
+		} else {
+			rc = parse_efi_signature_list(db, dbsize, keyring);
+			if (rc)
+				pr_err("Couldn't parse db signatures: %d\n", rc);
+			kfree(db);
+		}
 	}
 
 	mok = get_cert_list(L"MokListRT", &mok_var, &moksize);
-- 
2.9.3
_______________________________________________
kernel mailing list -- kernel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to kernel-leave@xxxxxxxxxxxxxxxxxxxxxxx







