Tree - rpms/kernel - src.fedoraproject.org

rpms / kernel

Blame MODSIGN-Support-not-importing-certs-from-db.patch

Blob History Raw

		dbc4a9b	`From: Josh Boyer <jwboyer@fedoraproject.org>`
		dbc4a9b	`Date: Thu, 3 Oct 2013 10:14:23 -0400`
		dbc4a9b	`Subject: [PATCH] MODSIGN: Support not importing certs from db`
		dbc4a9b
		dbc4a9b	`If a user tells shim to not use the certs/hashes in the UEFI db variable`
		dbc4a9b	`for verification purposes, shim will set a UEFI variable called MokIgnoreDB.`
		dbc4a9b	`Have the uefi import code look for this and not import things from the db`
		dbc4a9b	`variable.`
		dbc4a9b
		dbc4a9b	`Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>`
		dbc4a9b	`---`
		dbc4a9b	`kernel/modsign_uefi.c \| 40 +++++++++++++++++++++++++++++++---------`
		dbc4a9b	`1 file changed, 31 insertions(+), 9 deletions(-)`
		dbc4a9b
		dbc4a9b	`diff --git a/kernel/modsign_uefi.c b/kernel/modsign_uefi.c`
		dbc4a9b	`index 94b0eb38a284..ae28b974d49a 100644`
		dbc4a9b	`--- a/kernel/modsign_uefi.c`
		dbc4a9b	`+++ b/kernel/modsign_uefi.c`
		dbc4a9b	`@@ -8,6 +8,23 @@`
		dbc4a9b	`#include <keys/system_keyring.h>`
		dbc4a9b	`#include "module-internal.h"`
		dbc4a9b
		dbc4a9b	`+static __init int check_ignore_db(void)`
		dbc4a9b	`+{`
		dbc4a9b	`+ efi_status_t status;`
		dbc4a9b	`+ unsigned int db = 0;`
		dbc4a9b	`+ unsigned long size = sizeof(db);`
		dbc4a9b	`+ efi_guid_t guid = EFI_SHIM_LOCK_GUID;`
		dbc4a9b	`+`
		dbc4a9b	`+ /* Check and see if the MokIgnoreDB variable exists. If that fails`
		dbc4a9b	`+ * then we don't ignore DB. If it succeeds, we do.`
		dbc4a9b	`+ */`
		dbc4a9b	`+ status = efi.get_variable(L"MokIgnoreDB", &guid, NULL, &size, &db);`
		dbc4a9b	`+ if (status != EFI_SUCCESS)`
		dbc4a9b	`+ return 0;`
		dbc4a9b	`+`
		dbc4a9b	`+ return 1;`
		dbc4a9b	`+}`
		dbc4a9b	`+`
		dbc4a9b	`static __init void get_cert_list(efi_char16_t name, efi_guid_t guid, unsigned long size)`
		dbc4a9b	`{`
		dbc4a9b	`efi_status_t status;`
		dbc4a9b	`@@ -47,23 +64,28 @@ static int __init load_uefi_certs(void)`
		dbc4a9b	`efi_guid_t mok_var = EFI_SHIM_LOCK_GUID;`
		dbc4a9b	`void db = NULL, dbx = NULL, *mok = NULL;`
		dbc4a9b	`unsigned long dbsize = 0, dbxsize = 0, moksize = 0;`
		dbc4a9b	`- int rc = 0;`
		dbc4a9b	`+ int ignore_db, rc = 0;`
		dbc4a9b
		dbc4a9b	`/* Check if SB is enabled and just return if not */`
		dbc4a9b	`if (!efi_enabled(EFI_SECURE_BOOT))`
		dbc4a9b	`return 0;`
		dbc4a9b
		dbc4a9b	`+ /* See if the user has setup Ignore DB mode */`
		dbc4a9b	`+ ignore_db = check_ignore_db();`
		dbc4a9b	`+`
		dbc4a9b	`/* Get db, MokListRT, and dbx. They might not exist, so it isn't`
		dbc4a9b	`* an error if we can't get them.`
		dbc4a9b	`*/`
		dbc4a9b	`- db = get_cert_list(L"db", &secure_var, &dbsize);`
		dbc4a9b	`- if (!db) {`
		dbc4a9b	`- pr_err("MODSIGN: Couldn't get UEFI db list\n");`
		dbc4a9b	`- } else {`
		dbc4a9b	`- rc = parse_efi_signature_list(db, dbsize, system_trusted_keyring);`
		dbc4a9b	`- if (rc)`
		dbc4a9b	`- pr_err("Couldn't parse db signatures: %d\n", rc);`
		dbc4a9b	`- kfree(db);`
		dbc4a9b	`+ if (!ignore_db) {`
		dbc4a9b	`+ db = get_cert_list(L"db", &secure_var, &dbsize);`
		dbc4a9b	`+ if (!db) {`
		dbc4a9b	`+ pr_err("MODSIGN: Couldn't get UEFI db list\n");`
		dbc4a9b	`+ } else {`
		dbc4a9b	`+ rc = parse_efi_signature_list(db, dbsize, system_trusted_keyring);`
		dbc4a9b	`+ if (rc)`
		dbc4a9b	`+ pr_err("Couldn't parse db signatures: %d\n", rc);`
		dbc4a9b	`+ kfree(db);`
		dbc4a9b	`+ }`
		dbc4a9b	`}`
		dbc4a9b
		dbc4a9b	`mok = get_cert_list(L"MokListRT", &mok_var, &moksize);`
		dbc4a9b	`--`
		dbc4a9b	`1.9.3`
		dbc4a9b

rpms / kernel

Source Code

Blame MODSIGN-Support-not-importing-certs-from-db.patch