|
 |
18c8249 |
From c279ba86f93cf6a75d078e2d0e3f59d4ba8a2dd0 Mon Sep 17 00:00:00 2001
|
|
|
6a91557 |
From: Dave Howells <dhowells@redhat.com>
|
|
|
6a91557 |
Date: Tue, 23 Oct 2012 09:36:28 -0400
|
|
|
18c8249 |
Subject: [PATCH 16/20] Add an EFI signature blob parser and key loader.
|
|
|
6a91557 |
|
|
|
6a91557 |
X.509 certificates are loaded into the specified keyring as asymmetric type
|
|
|
6a91557 |
keys.
|
|
|
6a91557 |
|
|
|
6a91557 |
Signed-off-by: David Howells <dhowells@redhat.com>
|
|
|
6a91557 |
---
|
|
|
6a91557 |
crypto/asymmetric_keys/Kconfig | 8 +++
|
|
|
6a91557 |
crypto/asymmetric_keys/Makefile | 1 +
|
|
|
6a91557 |
crypto/asymmetric_keys/efi_parser.c | 109 ++++++++++++++++++++++++++++++++++++
|
|
|
6a91557 |
include/linux/efi.h | 4 ++
|
|
|
6a91557 |
4 files changed, 122 insertions(+)
|
|
|
6a91557 |
create mode 100644 crypto/asymmetric_keys/efi_parser.c
|
|
|
6a91557 |
|
|
|
6a91557 |
diff --git a/crypto/asymmetric_keys/Kconfig b/crypto/asymmetric_keys/Kconfig
|
|
|
6a91557 |
index 4870f28403f5..4a1b50d73b80 100644
|
|
|
6a91557 |
--- a/crypto/asymmetric_keys/Kconfig
|
|
|
6a91557 |
+++ b/crypto/asymmetric_keys/Kconfig
|
|
|
6a91557 |
@@ -67,4 +67,12 @@ config SIGNED_PE_FILE_VERIFICATION
|
|
|
6a91557 |
This option provides support for verifying the signature(s) on a
|
|
|
6a91557 |
signed PE binary.
|
|
|
6a91557 |
|
|
|
6a91557 |
+config EFI_SIGNATURE_LIST_PARSER
|
|
|
6a91557 |
+ bool "EFI signature list parser"
|
|
|
6a91557 |
+ depends on EFI
|
|
|
6a91557 |
+ select X509_CERTIFICATE_PARSER
|
|
|
6a91557 |
+ help
|
|
|
6a91557 |
+ This option provides support for parsing EFI signature lists for
|
|
|
6a91557 |
+ X.509 certificates and turning them into keys.
|
|
|
6a91557 |
+
|
|
|
6a91557 |
endif # ASYMMETRIC_KEY_TYPE
|
|
|
6a91557 |
diff --git a/crypto/asymmetric_keys/Makefile b/crypto/asymmetric_keys/Makefile
|
|
|
18c8249 |
index cd1406f9b14a..d9db380bbe53 100644
|
|
|
6a91557 |
--- a/crypto/asymmetric_keys/Makefile
|
|
|
6a91557 |
+++ b/crypto/asymmetric_keys/Makefile
|
|
|
1e6dda8 |
@@ -7,5 +7,6 @@ asymmetric_keys-y := asymmetric_type.o signature.o
|
|
|
6a91557 |
|
|
|
6a91557 |
obj-$(CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE) += public_key.o
|
|
|
6a91557 |
+obj-$(CONFIG_EFI_SIGNATURE_LIST_PARSER) += efi_parser.o
|
|
|
6a91557 |
|
|
|
6a91557 |
#
|
|
|
6a91557 |
# X.509 Certificate handling
|
|
|
6a91557 |
diff --git a/crypto/asymmetric_keys/efi_parser.c b/crypto/asymmetric_keys/efi_parser.c
|
|
|
6a91557 |
new file mode 100644
|
|
|
6a91557 |
index 000000000000..424896a0b169
|
|
|
6a91557 |
--- /dev/null
|
|
|
6a91557 |
+++ b/crypto/asymmetric_keys/efi_parser.c
|
|
|
6a91557 |
@@ -0,0 +1,109 @@
|
|
|
6a91557 |
+/* EFI signature/key/certificate list parser
|
|
|
6a91557 |
+ *
|
|
|
6a91557 |
+ * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.
|
|
|
6a91557 |
+ * Written by David Howells (dhowells@redhat.com)
|
|
|
6a91557 |
+ *
|
|
|
6a91557 |
+ * This program is free software; you can redistribute it and/or
|
|
|
6a91557 |
+ * modify it under the terms of the GNU General Public Licence
|
|
|
6a91557 |
+ * as published by the Free Software Foundation; either version
|
|
|
6a91557 |
+ * 2 of the Licence, or (at your option) any later version.
|
|
|
6a91557 |
+ */
|
|
|
6a91557 |
+
|
|
|
6a91557 |
+#define pr_fmt(fmt) "EFI: "fmt
|
|
|
6a91557 |
+#include <linux/module.h>
|
|
|
6a91557 |
+#include <linux/printk.h>
|
|
|
6a91557 |
+#include <linux/err.h>
|
|
|
6a91557 |
+#include <linux/efi.h>
|
|
|
6a91557 |
+#include <keys/asymmetric-type.h>
|
|
|
6a91557 |
+
|
|
|
6a91557 |
+static __initdata efi_guid_t efi_cert_x509_guid = EFI_CERT_X509_GUID;
|
|
|
6a91557 |
+
|
|
|
6a91557 |
+/**
|
|
|
6a91557 |
+ * parse_efi_signature_list - Parse an EFI signature list for certificates
|
|
|
6a91557 |
+ * @data: The data blob to parse
|
|
|
6a91557 |
+ * @size: The size of the data blob
|
|
|
6a91557 |
+ * @keyring: The keyring to add extracted keys to
|
|
|
6a91557 |
+ */
|
|
|
6a91557 |
+int __init parse_efi_signature_list(const void *data, size_t size, struct key *keyring)
|
|
|
6a91557 |
+{
|
|
|
6a91557 |
+ unsigned offs = 0;
|
|
|
6a91557 |
+ size_t lsize, esize, hsize, elsize;
|
|
|
6a91557 |
+
|
|
|
6a91557 |
+ pr_devel("-->%s(,%zu)\n", __func__, size);
|
|
|
6a91557 |
+
|
|
|
6a91557 |
+ while (size > 0) {
|
|
|
6a91557 |
+ efi_signature_list_t list;
|
|
|
6a91557 |
+ const efi_signature_data_t *elem;
|
|
|
6a91557 |
+ key_ref_t key;
|
|
|
6a91557 |
+
|
|
|
6a91557 |
+ if (size < sizeof(list))
|
|
|
6a91557 |
+ return -EBADMSG;
|
|
|
6a91557 |
+
|
|
|
6a91557 |
+ memcpy(&list, data, sizeof(list));
|
|
|
6a91557 |
+ pr_devel("LIST[%04x] guid=%pUl ls=%x hs=%x ss=%x\n",
|
|
|
6a91557 |
+ offs,
|
|
|
6a91557 |
+ list.signature_type.b, list.signature_list_size,
|
|
|
6a91557 |
+ list.signature_header_size, list.signature_size);
|
|
|
6a91557 |
+
|
|
|
6a91557 |
+ lsize = list.signature_list_size;
|
|
|
6a91557 |
+ hsize = list.signature_header_size;
|
|
|
6a91557 |
+ esize = list.signature_size;
|
|
|
6a91557 |
+ elsize = lsize - sizeof(list) - hsize;
|
|
|
6a91557 |
+
|
|
|
6a91557 |
+ if (lsize > size) {
|
|
|
6a91557 |
+ pr_devel("<--%s() = -EBADMSG [overrun @%x]\n",
|
|
|
6a91557 |
+ __func__, offs);
|
|
|
6a91557 |
+ return -EBADMSG;
|
|
|
6a91557 |
+ }
|
|
|
6a91557 |
+ if (lsize < sizeof(list) ||
|
|
|
6a91557 |
+ lsize - sizeof(list) < hsize ||
|
|
|
6a91557 |
+ esize < sizeof(*elem) ||
|
|
|
6a91557 |
+ elsize < esize ||
|
|
|
6a91557 |
+ elsize % esize != 0) {
|
|
|
6a91557 |
+ pr_devel("- bad size combo @%x\n", offs);
|
|
|
6a91557 |
+ return -EBADMSG;
|
|
|
6a91557 |
+ }
|
|
|
6a91557 |
+
|
|
|
6a91557 |
+ if (efi_guidcmp(list.signature_type, efi_cert_x509_guid) != 0) {
|
|
|
6a91557 |
+ data += lsize;
|
|
|
6a91557 |
+ size -= lsize;
|
|
|
6a91557 |
+ offs += lsize;
|
|
|
6a91557 |
+ continue;
|
|
|
6a91557 |
+ }
|
|
|
6a91557 |
+
|
|
|
6a91557 |
+ data += sizeof(list) + hsize;
|
|
|
6a91557 |
+ size -= sizeof(list) + hsize;
|
|
|
6a91557 |
+ offs += sizeof(list) + hsize;
|
|
|
6a91557 |
+
|
|
|
6a91557 |
+ for (; elsize > 0; elsize -= esize) {
|
|
|
6a91557 |
+ elem = data;
|
|
|
6a91557 |
+
|
|
|
6a91557 |
+ pr_devel("ELEM[%04x]\n", offs);
|
|
|
6a91557 |
+
|
|
|
6a91557 |
+ key = key_create_or_update(
|
|
|
6a91557 |
+ make_key_ref(keyring, 1),
|
|
|
6a91557 |
+ "asymmetric",
|
|
|
6a91557 |
+ NULL,
|
|
|
6a91557 |
+ &elem->signature_data,
|
|
|
6a91557 |
+ esize - sizeof(*elem),
|
|
|
6a91557 |
+ (KEY_POS_ALL & ~KEY_POS_SETATTR) |
|
|
|
6a91557 |
+ KEY_USR_VIEW,
|
|
|
6a91557 |
+ KEY_ALLOC_NOT_IN_QUOTA |
|
|
|
6a91557 |
+ KEY_ALLOC_TRUSTED);
|
|
|
6a91557 |
+
|
|
|
6a91557 |
+ if (IS_ERR(key))
|
|
|
6a91557 |
+ pr_err("Problem loading in-kernel X.509 certificate (%ld)\n",
|
|
|
6a91557 |
+ PTR_ERR(key));
|
|
|
6a91557 |
+ else
|
|
|
6a91557 |
+ pr_notice("Loaded cert '%s' linked to '%s'\n",
|
|
|
6a91557 |
+ key_ref_to_ptr(key)->description,
|
|
|
6a91557 |
+ keyring->description);
|
|
|
6a91557 |
+
|
|
|
6a91557 |
+ data += esize;
|
|
|
6a91557 |
+ size -= esize;
|
|
|
6a91557 |
+ offs += esize;
|
|
|
6a91557 |
+ }
|
|
|
6a91557 |
+ }
|
|
|
6a91557 |
+
|
|
|
6a91557 |
+ return 0;
|
|
|
6a91557 |
+}
|
|
|
6a91557 |
diff --git a/include/linux/efi.h b/include/linux/efi.h
|
|
|
6a50f36 |
index fac43c611614..414c3c3d988d 100644
|
|
|
6a91557 |
--- a/include/linux/efi.h
|
|
|
6a91557 |
+++ b/include/linux/efi.h
|
|
|
6a50f36 |
@@ -941,6 +941,10 @@ extern bool efi_poweroff_required(void);
|
|
|
3fbe156 |
char * __init efi_md_typeattr_format(char *buf, size_t size,
|
|
|
3fbe156 |
const efi_memory_desc_t *md);
|
|
|
6a91557 |
|
|
|
6a91557 |
+struct key;
|
|
|
6a91557 |
+extern int __init parse_efi_signature_list(const void *data, size_t size,
|
|
|
6a91557 |
+ struct key *keyring);
|
|
|
6a91557 |
+
|
|
|
6a91557 |
/**
|
|
|
6a91557 |
* efi_range_is_wc - check the WC bit on an address range
|
|
|
6a91557 |
* @start: starting kvirt address
|
|
|
18c8249 |
--
|
|
|
18c8249 |
2.4.3
|
|
|
18c8249 |
|