This patch adds the logic to load the blacklisted hash and certificates from MOKx which is maintained by shim bootloader. Cc: David Howells <dhowells@xxxxxxxxxx> Cc: Josh Boyer <jwboyer@xxxxxxxxxxxxxxxxx> Cc: James Bottomley <James.Bottomley@xxxxxxxxxxxxxxxxxxxxx> Signed-off-by: "Lee, Chun-Yi" <jlee@xxxxxxxx> --- certs/load_uefi.c | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/certs/load_uefi.c b/certs/load_uefi.c index f2f372b..dc66a79 100644 --- a/certs/load_uefi.c +++ b/certs/load_uefi.c @@ -164,8 +164,8 @@ static int __init load_uefi_certs(void) { efi_guid_t secure_var = EFI_IMAGE_SECURITY_DATABASE_GUID; efi_guid_t mok_var = EFI_SHIM_LOCK_GUID; - void *db = NULL, *dbx = NULL, *mok = NULL; - unsigned long dbsize = 0, dbxsize = 0, moksize = 0; + void *db = NULL, *dbx = NULL, *mok = NULL, *mokx = NULL; + unsigned long dbsize = 0, dbxsize = 0, moksize = 0, mokxsize = 0; int rc = 0; if (!efi.get_variable) @@ -195,7 +195,7 @@ static int __init load_uefi_certs(void) kfree(dbx); } - /* the MOK can not be trusted when secure boot is disabled */ + /* the MOK and MOKx can not be trusted when secure boot is disabled */ if (!efi_enabled(EFI_SECURE_BOOT)) return 0; @@ -208,6 +208,16 @@ static int __init load_uefi_certs(void) kfree(mok); } + mokx = get_cert_list(L"MokListXRT", &mok_var, &mokxsize); + if (mokx) { + rc = parse_efi_signature_list("UEFI:mokx", + mokx, mokxsize, + get_handler_for_dbx); + if (rc) + pr_err("Couldn't parse MokListXRT signatures: %d\n", rc); + kfree(mokx); + } + return rc; } late_initcall(load_uefi_certs); -- 2.10.2 -- To unsubscribe from this list: send the line "unsubscribe linux-efi" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html