From 0c5837031a4e996877930fd023a5877dd1d615ba Mon Sep 17 00:00:00 2001

From: Matthew Garrett <mjg@redhat.com>

Date: Thu, 20 Sep 2012 10:40:56 -0400

Subject: [PATCH 01/19] Secure boot: Add new capability

Secure boot adds certain policy requirements, including that root must not

be able to do anything that could cause the kernel to execute arbitrary code.

The simplest way to handle this would seem to be to add a new capability

and gate various functionality on that. We'll then strip it from the initial

capability set if required.

Signed-off-by: Matthew Garrett <mjg@redhat.com>

---

 include/uapi/linux/capability.h | 6 +++++-

 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/include/uapi/linux/capability.h b/include/uapi/linux/capability.h

index ba478fa..7109e65 100644

--- a/include/uapi/linux/capability.h

+++ b/include/uapi/linux/capability.h

@@ -343,7 +343,11 @@ struct vfs_cap_data {

 #define CAP_BLOCK_SUSPEND    36

-#define CAP_LAST_CAP         CAP_BLOCK_SUSPEND

+/* Allow things that trivially permit root to modify the running kernel */

+

+#define CAP_COMPROMISE_KERNEL  37

+

+#define CAP_LAST_CAP         CAP_COMPROMISE_KERNEL

 #define cap_valid(x) ((x) >= 0 && (x) <= CAP_LAST_CAP)

-- 

1.8.1.2

From 87c8fddbcb3042fc4174b53763adbf66045a12be Mon Sep 17 00:00:00 2001

From: Josh Boyer <jwboyer@redhat.com>

Date: Thu, 20 Sep 2012 10:41:05 -0400

Subject: [PATCH 02/19] SELinux: define mapping for new Secure Boot capability

Add the name of the new Secure Boot capability.  This allows SELinux

policies to properly map CAP_COMPROMISE_KERNEL to the appropriate

capability class.

Signed-off-by: Josh Boyer <jwboyer@redhat.com>

---

 security/selinux/include/classmap.h | 4 ++--

 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h

index 14d04e6..ed99a2d 100644

--- a/security/selinux/include/classmap.h

+++ b/security/selinux/include/classmap.h

@@ -146,8 +146,8 @@ struct security_class_mapping secclass_map[] = {

 	{ "memprotect", { "mmap_zero", NULL } },

 	{ "peer", { "recv", NULL } },

 	{ "capability2",

-	  { "mac_override", "mac_admin", "syslog", "wake_alarm", "block_suspend",

-	    NULL } },

+	  { "mac_override", "mac_admin", "syslog", "wake_alarm",

+	    "block_suspend", "compromise_kernel", NULL } },

 	{ "kernel_service", { "use_as_override", "create_files_as", NULL } },

 	{ "tun_socket",

 	  { COMMON_SOCK_PERMS, "attach_queue", NULL } },

-- 

1.8.1.2

From df14b5319bf3ed2110839e233ac61e6136745be8 Mon Sep 17 00:00:00 2001

From: Josh Boyer <jwboyer@redhat.com>

Date: Thu, 20 Sep 2012 10:41:02 -0400

Subject: [PATCH 03/19] Secure boot: Add a dummy kernel parameter that will

 switch on Secure Boot mode

This forcibly drops CAP_COMPROMISE_KERNEL from both cap_permitted and cap_bset

in the init_cred struct, which everything else inherits from.  This works on

any machine and can be used to develop even if the box doesn't have UEFI.

Signed-off-by: Josh Boyer <jwboyer@redhat.com>

---

 Documentation/kernel-parameters.txt |  7 +++++++

 kernel/cred.c                       | 17 +++++++++++++++++

 2 files changed, 24 insertions(+)

diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt

index 6c72381..7dffdd5 100644

--- a/Documentation/kernel-parameters.txt

+++ b/Documentation/kernel-parameters.txt

@@ -2654,6 +2654,13 @@ bytes respectively. Such letter suffixes can also be entirely omitted.

 			Note: increases power consumption, thus should only be

 			enabled if running jitter sensitive (HPC/RT) workloads.

+	secureboot_enable=

+			[KNL] Enables an emulated UEFI Secure Boot mode.  This

+			locks down various aspects of the kernel guarded by the

+			CAP_COMPROMISE_KERNEL capability.  This includes things

+			like /dev/mem, IO port access, and other areas.  It can

+			be used on non-UEFI machines for testing purposes.

+

 	security=	[SECURITY] Choose a security module to enable at boot.

 			If this boot parameter is not specified, only the first

 			security module asking for security registration will be

diff --git a/kernel/cred.c b/kernel/cred.c

index e0573a4..c3f4e3e 100644

--- a/kernel/cred.c

+++ b/kernel/cred.c

@@ -565,6 +565,23 @@ void __init cred_init(void)

 				     0, SLAB_HWCACHE_ALIGN|SLAB_PANIC, NULL);

 }

+void __init secureboot_enable()

+{

+	pr_info("Secure boot enabled\n");

+	cap_lower((&init_cred)->cap_bset, CAP_COMPROMISE_KERNEL);

+	cap_lower((&init_cred)->cap_permitted, CAP_COMPROMISE_KERNEL);

+}

+

+/* Dummy Secure Boot enable option to fake out UEFI SB=1 */

+static int __init secureboot_enable_opt(char *str)

+{

+	int sb_enable = !!simple_strtol(str, NULL, 0);

+	if (sb_enable)

+		secureboot_enable();

+	return 1;

+}

+__setup("secureboot_enable=", secureboot_enable_opt);

+

 /**

  * prepare_kernel_cred - Prepare a set of credentials for a kernel service

  * @daemon: A userspace daemon to be used as a reference

-- 

1.8.1.2

From 49c76a665e8a09da48cbe271ea40266ca1a226c0 Mon Sep 17 00:00:00 2001

From: Matthew Garrett <mjg@redhat.com>

Date: Thu, 20 Sep 2012 10:41:03 -0400

Subject: [PATCH 04/19] efi: Enable secure boot lockdown automatically when

 enabled in firmware

The firmware has a set of flags that indicate whether secure boot is enabled

and enforcing. Use them to indicate whether the kernel should lock itself

down.  We also indicate the machine is in secure boot mode by adding the

EFI_SECURE_BOOT bit for use with efi_enabled.

Signed-off-by: Matthew Garrett <mjg@redhat.com>

Signed-off-by: Josh Boyer <jwboyer@redhat.com>

---

 Documentation/x86/zero-page.txt       |  2 ++

 arch/x86/boot/compressed/eboot.c      | 32 ++++++++++++++++++++++++++++++++

 arch/x86/include/uapi/asm/bootparam.h |  3 ++-

 arch/x86/kernel/setup.c               |  7 +++++++

 include/linux/cred.h                  |  2 ++

 include/linux/efi.h                   |  1 +

 6 files changed, 46 insertions(+), 1 deletion(-)

diff --git a/Documentation/x86/zero-page.txt b/Documentation/x86/zero-page.txt

index 199f453..ff651d3 100644

--- a/Documentation/x86/zero-page.txt

+++ b/Documentation/x86/zero-page.txt

@@ -30,6 +30,8 @@ Offset	Proto	Name		Meaning

 1E9/001	ALL	eddbuf_entries	Number of entries in eddbuf (below)

 1EA/001	ALL	edd_mbr_sig_buf_entries	Number of entries in edd_mbr_sig_buffer

 				(below)

+1EB/001	ALL	kbd_status	Numlock is enabled

+1EC/001	ALL	secure_boot	Kernel should enable secure boot lockdowns

 1EF/001	ALL	sentinel	Used to detect broken bootloaders

 290/040	ALL	edd_mbr_sig_buffer EDD MBR signatures

 2D0/A00	ALL	e820_map	E820 memory map table

diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c

index f8fa411..96bd86b 100644

--- a/arch/x86/boot/compressed/eboot.c

+++ b/arch/x86/boot/compressed/eboot.c

@@ -849,6 +849,36 @@ fail:

 	return status;

 }

+static int get_secure_boot(efi_system_table_t *_table)

+{

+	u8 sb, setup;

+	unsigned long datasize = sizeof(sb);

+	efi_guid_t var_guid = EFI_GLOBAL_VARIABLE_GUID;

+	efi_status_t status;

+

+	status = efi_call_phys5(sys_table->runtime->get_variable,

+				L"SecureBoot", &var_guid, NULL, &datasize, &sb);

+

+	if (status != EFI_SUCCESS)

+		return 0;

+

+	if (sb == 0)

+		return 0;

+

+

+	status = efi_call_phys5(sys_table->runtime->get_variable,

+				L"SetupMode", &var_guid, NULL, &datasize,

+				&setup);

+

+	if (status != EFI_SUCCESS)

+		return 0;

+

+	if (setup == 1)

+		return 0;

+

+	return 1;

+}

+

 /*

  * Because the x86 boot code expects to be passed a boot_params we

  * need to create one ourselves (usually the bootloader would create

@@ -1143,6 +1173,8 @@ struct boot_params *efi_main(void *handle, efi_system_table_t *_table,

 	if (sys_table->hdr.signature != EFI_SYSTEM_TABLE_SIGNATURE)

 		goto fail;

+	boot_params->secure_boot = get_secure_boot(sys_table);

+

 	setup_graphics(boot_params);

 	setup_efi_pci(boot_params);

diff --git a/arch/x86/include/uapi/asm/bootparam.h b/arch/x86/include/uapi/asm/bootparam.h

index c15ddaf..85d7685 100644

--- a/arch/x86/include/uapi/asm/bootparam.h

+++ b/arch/x86/include/uapi/asm/bootparam.h

@@ -131,7 +131,8 @@ struct boot_params {

 	__u8  eddbuf_entries;				/* 0x1e9 */

 	__u8  edd_mbr_sig_buf_entries;			/* 0x1ea */

 	__u8  kbd_status;				/* 0x1eb */

-	__u8  _pad5[3];					/* 0x1ec */

+	__u8  secure_boot;				/* 0x1ec */

+	__u8  _pad5[2];					/* 0x1ed */

 	/*

 	 * The sentinel is set to a nonzero value (0xff) in header.S.

 	 *

diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c

index 8b24289..d74b441 100644

--- a/arch/x86/kernel/setup.c

+++ b/arch/x86/kernel/setup.c

@@ -1042,6 +1042,13 @@ void __init setup_arch(char **cmdline_p)

 	io_delay_init();

+	if (boot_params.secure_boot) {

+#ifdef CONFIG_EFI

+		set_bit(EFI_SECURE_BOOT, &x86_efi_facility);

+#endif

+		secureboot_enable();

+	}

+

 	/*

 	 * Parse the ACPI tables for possible boot-time SMP configuration.

 	 */

diff --git a/include/linux/cred.h b/include/linux/cred.h

index 04421e8..9e69542 100644

--- a/include/linux/cred.h

+++ b/include/linux/cred.h

@@ -156,6 +156,8 @@ extern int set_security_override_from_ctx(struct cred *, const char *);

 extern int set_create_files_as(struct cred *, struct inode *);

 extern void __init cred_init(void);

+extern void secureboot_enable(void);

+

 /*

  * check for validity of credentials

  */

diff --git a/include/linux/efi.h b/include/linux/efi.h

index 7a9498a..1ae16b6 100644

--- a/include/linux/efi.h

+++ b/include/linux/efi.h

@@ -627,6 +627,7 @@ extern int __init efi_setup_pcdp_console(char *);

 #define EFI_RUNTIME_SERVICES	3	/* Can we use runtime services? */

 #define EFI_MEMMAP		4	/* Can we use EFI memory map? */

 #define EFI_64BIT		5	/* Is the firmware 64-bit? */

+#define EFI_SECURE_BOOT	6	/* Are we in Secure Boot mode? */

 #ifdef CONFIG_EFI

 # ifdef CONFIG_X86

-- 

1.8.1.2

From d4d1b3ad3e1a553c807b4ecafcbde4bf816e4db2 Mon Sep 17 00:00:00 2001

From: Dave Howells <dhowells@redhat.com>

Date: Tue, 23 Oct 2012 09:30:54 -0400

Subject: [PATCH 05/19] Add EFI signature data types

Add the data types that are used for containing hashes, keys and certificates

for cryptographic verification.

Signed-off-by: David Howells <dhowells@redhat.com>

---

 include/linux/efi.h | 20 ++++++++++++++++++++

 1 file changed, 20 insertions(+)

diff --git a/include/linux/efi.h b/include/linux/efi.h

index 1ae16b6..de7021d 100644

--- a/include/linux/efi.h

+++ b/include/linux/efi.h

@@ -388,6 +388,12 @@ typedef efi_status_t efi_query_capsule_caps_t(efi_capsule_header_t **capsules,

 #define EFI_FILE_SYSTEM_GUID \

     EFI_GUID(  0x964e5b22, 0x6459, 0x11d2, 0x8e, 0x39, 0x00, 0xa0, 0xc9, 0x69, 0x72, 0x3b )

+#define EFI_CERT_SHA256_GUID \

+    EFI_GUID(  0xc1c41626, 0x504c, 0x4092, 0xac, 0xa9, 0x41, 0xf9, 0x36, 0x93, 0x43, 0x28 )

+

+#define EFI_CERT_X509_GUID \

+    EFI_GUID(  0xa5c059a1, 0x94e4, 0x4aa7, 0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72 )

+

 typedef struct {

 	efi_guid_t guid;

 	u64 table;

@@ -523,6 +529,20 @@ typedef struct {

 #define EFI_INVALID_TABLE_ADDR		(~0UL)

+typedef struct  {

+	efi_guid_t signature_owner;

+	u8 signature_data[];

+} efi_signature_data_t;

+

+typedef struct {

+	efi_guid_t signature_type;

+	u32 signature_list_size;

+	u32 signature_header_size;

+	u32 signature_size;

+	u8 signature_header[];

+	/* efi_signature_data_t signatures[][] */

+} efi_signature_list_t;

+

 /*

  * All runtime access to EFI goes through this structure:

  */

-- 

1.8.1.2

From 3cffca89eadf7e0f0a266c370f8034f33723831a Mon Sep 17 00:00:00 2001

From: Dave Howells <dhowells@redhat.com>

Date: Tue, 23 Oct 2012 09:36:28 -0400

Subject: [PATCH 06/19] Add an EFI signature blob parser and key loader.

X.509 certificates are loaded into the specified keyring as asymmetric type

keys.

Signed-off-by: David Howells <dhowells@redhat.com>

---

 crypto/asymmetric_keys/Kconfig      |   8 +++

 crypto/asymmetric_keys/Makefile     |   1 +

 crypto/asymmetric_keys/efi_parser.c | 108 ++++++++++++++++++++++++++++++++++++

 include/linux/efi.h                 |   4 ++

 4 files changed, 121 insertions(+)

 create mode 100644 crypto/asymmetric_keys/efi_parser.c

diff --git a/crypto/asymmetric_keys/Kconfig b/crypto/asymmetric_keys/Kconfig

index 6d2c2ea..ace9c30 100644

--- a/crypto/asymmetric_keys/Kconfig

+++ b/crypto/asymmetric_keys/Kconfig

@@ -35,4 +35,12 @@ config X509_CERTIFICATE_PARSER

 	  data and provides the ability to instantiate a crypto key from a

 	  public key packet found inside the certificate.

+config EFI_SIGNATURE_LIST_PARSER

+	bool "EFI signature list parser"

+	depends on EFI

+	select X509_CERTIFICATE_PARSER

+	help

+	  This option provides support for parsing EFI signature lists for

+	  X.509 certificates and turning them into keys.

+

 endif # ASYMMETRIC_KEY_TYPE

diff --git a/crypto/asymmetric_keys/Makefile b/crypto/asymmetric_keys/Makefile

index 0727204..cd8388e 100644

--- a/crypto/asymmetric_keys/Makefile

+++ b/crypto/asymmetric_keys/Makefile

@@ -8,6 +8,7 @@ asymmetric_keys-y := asymmetric_type.o signature.o

 obj-$(CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE) += public_key.o

 obj-$(CONFIG_PUBLIC_KEY_ALGO_RSA) += rsa.o

+obj-$(CONFIG_EFI_SIGNATURE_LIST_PARSER) += efi_parser.o

 #

 # X.509 Certificate handling

diff --git a/crypto/asymmetric_keys/efi_parser.c b/crypto/asymmetric_keys/efi_parser.c

new file mode 100644

index 0000000..636feb1

--- /dev/null

+++ b/crypto/asymmetric_keys/efi_parser.c

@@ -0,0 +1,108 @@

+/* EFI signature/key/certificate list parser

+ *

+ * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.

+ * Written by David Howells (dhowells@redhat.com)

+ *

+ * This program is free software; you can redistribute it and/or

+ * modify it under the terms of the GNU General Public Licence

+ * as published by the Free Software Foundation; either version

+ * 2 of the Licence, or (at your option) any later version.

+ */

+

+#define pr_fmt(fmt) "EFI: "fmt

+#include <linux/module.h>

+#include <linux/printk.h>

+#include <linux/err.h>

+#include <linux/efi.h>

+#include <keys/asymmetric-type.h>

+

+static __initdata efi_guid_t efi_cert_x509_guid = EFI_CERT_X509_GUID;

+

+/**

+ * parse_efi_signature_list - Parse an EFI signature list for certificates

+ * @data: The data blob to parse

+ * @size: The size of the data blob

+ * @keyring: The keyring to add extracted keys to

+ */

+int __init parse_efi_signature_list(const void *data, size_t size, struct key *keyring)

+{

+	unsigned offs = 0;

+	size_t lsize, esize, hsize, elsize;

+

+	pr_devel("-->%s(,%zu)\n", __func__, size);

+

+	while (size > 0) {

+		efi_signature_list_t list;

+		const efi_signature_data_t *elem;

+		key_ref_t key;

+

+		if (size < sizeof(list))

+			return -EBADMSG;

+

+		memcpy(&list, data, sizeof(list));

+		pr_devel("LIST[%04x] guid=%pUl ls=%x hs=%x ss=%x\n",

+			 offs,

+			 list.signature_type.b, list.signature_list_size,

+			 list.signature_header_size, list.signature_size);

+

+		lsize = list.signature_list_size;

+		hsize = list.signature_header_size;

+		esize = list.signature_size;

+		elsize = lsize - sizeof(list) - hsize;

+

+		if (lsize > size) {

+			pr_devel("<--%s() = -EBADMSG [overrun @%x]\n",

+				 __func__, offs);

+			return -EBADMSG;

+		}

+		if (lsize < sizeof(list) ||

+		    lsize - sizeof(list) < hsize ||

+		    esize < sizeof(*elem) ||

+		    elsize < esize ||

+		    elsize % esize != 0) {

+			pr_devel("- bad size combo @%x\n", offs);

+			return -EBADMSG;

+		}

+

+		if (efi_guidcmp(list.signature_type, efi_cert_x509_guid) != 0) {

+			data += lsize;

+			size -= lsize;

+			offs += lsize;

+			continue;

+		}

+

+		data += sizeof(list) + hsize;

+		size -= sizeof(list) + hsize;

+		offs += sizeof(list) + hsize;

+

+		for (; elsize > 0; elsize -= esize) {

+			elem = data;

+

+			pr_devel("ELEM[%04x]\n", offs);

+

+			key = key_create_or_update(

+				make_key_ref(keyring, 1),

+				"asymmetric",

+				NULL,

+				&elem->signature_data,

+				esize - sizeof(*elem),

+				(KEY_POS_ALL & ~KEY_POS_SETATTR) |

+				KEY_USR_VIEW,

+				KEY_ALLOC_NOT_IN_QUOTA);

+

+			if (IS_ERR(key))

+				pr_err("Problem loading in-kernel X.509 certificate (%ld)\n",

+				       PTR_ERR(key));

+			else

+				pr_notice("Loaded cert '%s' linked to '%s'\n",

+					  key_ref_to_ptr(key)->description,

+					  keyring->description);

+

+			data += esize;

+			size -= esize;

+			offs += esize;

+		}

+	}

+

+	return 0;

+}

diff --git a/include/linux/efi.h b/include/linux/efi.h

index de7021d..64b3e55 100644

--- a/include/linux/efi.h

+++ b/include/linux/efi.h

@@ -612,6 +612,10 @@ extern int efi_set_rtc_mmss(unsigned long nowtime);

 extern void efi_reserve_boot_services(void);

 extern struct efi_memory_map memmap;

+struct key;

+extern int __init parse_efi_signature_list(const void *data, size_t size,

+					   struct key *keyring);

+

 /**

  * efi_range_is_wc - check the WC bit on an address range

  * @start: starting kvirt address

-- 

1.8.1.2

From 89ea7424726ae4f7265ab84e703cf2da77acda57 Mon Sep 17 00:00:00 2001

From: Josh Boyer <jwboyer@redhat.com>

Date: Fri, 26 Oct 2012 12:36:24 -0400

Subject: [PATCH 07/19] MODSIGN: Add module certificate blacklist keyring

This adds an additional keyring that is used to store certificates that

are blacklisted.  This keyring is searched first when loading signed modules

and if the module's certificate is found, it will refuse to load.  This is

useful in cases where third party certificates are used for module signing.

Signed-off-by: Josh Boyer <jwboyer@redhat.com>

---

 init/Kconfig             |  8 ++++++++

 kernel/modsign_pubkey.c  | 14 ++++++++++++++

 kernel/module-internal.h |  3 +++

 kernel/module_signing.c  | 12 ++++++++++++

 4 files changed, 37 insertions(+)

diff --git a/init/Kconfig b/init/Kconfig

index be8b7f5..d972b77 100644

--- a/init/Kconfig

+++ b/init/Kconfig

@@ -1665,6 +1665,14 @@ config MODULE_SIG_FORCE

 	  Reject unsigned modules or signed modules for which we don't have a

 	  key.  Without this, such modules will simply taint the kernel.

+config MODULE_SIG_BLACKLIST

+	bool "Support for blacklisting module signature certificates"

+	depends on MODULE_SIG

+	help

+	  This adds support for keeping a blacklist of certificates that

+	  should not pass module signature verification.  If a module is

+	  signed with something in this keyring, the load will be rejected.

+

 choice

 	prompt "Which hash algorithm should modules be signed with?"

 	depends on MODULE_SIG

diff --git a/kernel/modsign_pubkey.c b/kernel/modsign_pubkey.c

index 2b6e699..4cd408d 100644

--- a/kernel/modsign_pubkey.c

+++ b/kernel/modsign_pubkey.c

@@ -17,6 +17,9 @@

 #include "module-internal.h"

 struct key *modsign_keyring;

+#ifdef CONFIG_MODULE_SIG_BLACKLIST

+struct key *modsign_blacklist;

+#endif

 extern __initdata const u8 modsign_certificate_list[];

 extern __initdata const u8 modsign_certificate_list_end[];

@@ -43,6 +46,17 @@ static __init int module_verify_init(void)

 	if (IS_ERR(modsign_keyring))

 		panic("Can't allocate module signing keyring\n");

+#ifdef CONFIG_MODULE_SIG_BLACKLIST

+	modsign_blacklist = keyring_alloc(".modsign_blacklist",

+				    KUIDT_INIT(0), KGIDT_INIT(0),

+				    current_cred(),

+				    (KEY_POS_ALL & ~KEY_POS_SETATTR) |

+				    KEY_USR_VIEW | KEY_USR_READ,

+				    KEY_ALLOC_NOT_IN_QUOTA, NULL);

+	if (IS_ERR(modsign_blacklist))

+		panic("Can't allocate module signing blacklist keyring\n");

+#endif

+

 	return 0;

 }

diff --git a/kernel/module-internal.h b/kernel/module-internal.h

index 24f9247..51a8380 100644

--- a/kernel/module-internal.h

+++ b/kernel/module-internal.h

@@ -10,5 +10,8 @@

  */

 extern struct key *modsign_keyring;

+#ifdef CONFIG_MODULE_SIG_BLACKLIST

+extern struct key *modsign_blacklist;

+#endif

 extern int mod_verify_sig(const void *mod, unsigned long *_modlen);

diff --git a/kernel/module_signing.c b/kernel/module_signing.c

index f2970bd..5423195 100644

--- a/kernel/module_signing.c

+++ b/kernel/module_signing.c

@@ -157,6 +157,18 @@ static struct key *request_asymmetric_key(const char *signer, size_t signer_len,

 	pr_debug("Look up: \"%s\"\n", id);

+#ifdef CONFIG_MODULE_SIG_BLACKLIST

+	key = keyring_search(make_key_ref(modsign_blacklist, 1),

+				   &key_type_asymmetric, id);

+	if (!IS_ERR(key)) {

+		/* module is signed with a cert in the blacklist.  reject */

+		pr_err("Module key '%s' is in blacklist\n", id);

+		key_ref_put(key);

+		kfree(id);

+		return ERR_PTR(-EKEYREJECTED);

+	}

+#endif

+

 	key = keyring_search(make_key_ref(modsign_keyring, 1),

 			     &key_type_asymmetric, id);

 	if (IS_ERR(key))

-- 

1.8.1.2

From 733a5c25b896d8d5fa0051825a671911b50cb47d Mon Sep 17 00:00:00 2001

From: Josh Boyer <jwboyer@redhat.com>

Date: Fri, 26 Oct 2012 12:42:16 -0400

Subject: [PATCH 08/19] MODSIGN: Import certificates from UEFI Secure Boot

Secure Boot stores a list of allowed certificates in the 'db' variable.

This imports those certificates into the module signing keyring.  This

allows for a third party signing certificate to be used in conjunction

with signed modules.  By importing the public certificate into the 'db'

variable, a user can allow a module signed with that certificate to

load.  The shim UEFI bootloader has a similar certificate list stored

in the 'MokListRT' variable.  We import those as well.

In the opposite case, Secure Boot maintains a list of disallowed

certificates in the 'dbx' variable.  We load those certificates into

the newly introduced module blacklist keyring and forbid any module

signed with those from loading.

Signed-off-by: Josh Boyer <jwboyer@redhat.com>

---

 include/linux/efi.h   |  6 ++++

 init/Kconfig          |  9 ++++++

 kernel/Makefile       |  3 ++

 kernel/modsign_uefi.c | 90 +++++++++++++++++++++++++++++++++++++++++++++++++++

 4 files changed, 108 insertions(+)

 create mode 100644 kernel/modsign_uefi.c

diff --git a/include/linux/efi.h b/include/linux/efi.h

index 64b3e55..76fe526 100644

--- a/include/linux/efi.h

+++ b/include/linux/efi.h

@@ -394,6 +394,12 @@ typedef efi_status_t efi_query_capsule_caps_t(efi_capsule_header_t **capsules,

 #define EFI_CERT_X509_GUID \

     EFI_GUID(  0xa5c059a1, 0x94e4, 0x4aa7, 0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72 )

+#define EFI_IMAGE_SECURITY_DATABASE_GUID \

+    EFI_GUID(  0xd719b2cb, 0x3d3a, 0x4596, 0xa3, 0xbc, 0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f )

+

+#define EFI_SHIM_LOCK_GUID \

+    EFI_GUID(  0x605dab50, 0xe046, 0x4300, 0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23 )

+

 typedef struct {

 	efi_guid_t guid;

 	u64 table;

diff --git a/init/Kconfig b/init/Kconfig

index d972b77..27e3a82 100644

--- a/init/Kconfig

+++ b/init/Kconfig

@@ -1673,6 +1673,15 @@ config MODULE_SIG_BLACKLIST

 	  should not pass module signature verification.  If a module is

 	  signed with something in this keyring, the load will be rejected.

+config MODULE_SIG_UEFI

+	bool "Allow modules signed with certs stored in UEFI"

+	depends on MODULE_SIG && MODULE_SIG_BLACKLIST && EFI

+	select EFI_SIGNATURE_LIST_PARSER

+	help

+	  This will import certificates stored in UEFI and allow modules

+	  signed with those to be loaded.  It will also disallow loading

+	  of modules stored in the UEFI dbx variable.

+

 choice

 	prompt "Which hash algorithm should modules be signed with?"

 	depends on MODULE_SIG

diff --git a/kernel/Makefile b/kernel/Makefile

index 6c072b6..8848829 100644

--- a/kernel/Makefile

+++ b/kernel/Makefile

@@ -55,6 +55,7 @@ obj-$(CONFIG_PROVE_LOCKING) += spinlock.o

 obj-$(CONFIG_UID16) += uid16.o

 obj-$(CONFIG_MODULES) += module.o

 obj-$(CONFIG_MODULE_SIG) += module_signing.o modsign_pubkey.o modsign_certificate.o

+obj-$(CONFIG_MODULE_SIG_UEFI) += modsign_uefi.o

 obj-$(CONFIG_KALLSYMS) += kallsyms.o

 obj-$(CONFIG_BSD_PROCESS_ACCT) += acct.o

 obj-$(CONFIG_KEXEC) += kexec.o

@@ -114,6 +115,8 @@ obj-$(CONFIG_CONTEXT_TRACKING) += context_tracking.o

 $(obj)/configs.o: $(obj)/config_data.h

+$(obj)/modsign_uefi.o: KBUILD_CFLAGS += -fshort-wchar

+

 # config_data.h contains the same information as ikconfig.h but gzipped.

 # Info from config_data can be extracted from /proc/config*

 targets += config_data.gz

diff --git a/kernel/modsign_uefi.c b/kernel/modsign_uefi.c

new file mode 100644

index 0000000..b9237d7

--- /dev/null

+++ b/kernel/modsign_uefi.c