From: Josh Boyer Date: Thu, 3 Oct 2013 10:14:23 -0400 Subject: [PATCH] MODSIGN: Support not importing certs from db If a user tells shim to not use the certs/hashes in the UEFI db variable for verification purposes, shim will set a UEFI variable called MokIgnoreDB. Have the uefi import code look for this and not import things from the db variable. Signed-off-by: Josh Boyer --- kernel/modsign_uefi.c | 40 +++++++++++++++++++++++++++++++--------- 1 file changed, 31 insertions(+), 9 deletions(-) diff --git a/kernel/modsign_uefi.c b/kernel/modsign_uefi.c index 94b0eb38a284..ae28b974d49a 100644 --- a/kernel/modsign_uefi.c +++ b/kernel/modsign_uefi.c @@ -8,6 +8,23 @@ #include #include "module-internal.h" +static __init int check_ignore_db(void) +{ + efi_status_t status; + unsigned int db = 0; + unsigned long size = sizeof(db); + efi_guid_t guid = EFI_SHIM_LOCK_GUID; + + /* Check and see if the MokIgnoreDB variable exists. If that fails + * then we don't ignore DB. If it succeeds, we do. + */ + status = efi.get_variable(L"MokIgnoreDB", &guid, NULL, &size, &db); + if (status != EFI_SUCCESS) + return 0; + + return 1; +} + static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid, unsigned long *size) { efi_status_t status; @@ -47,23 +64,28 @@ static int __init load_uefi_certs(void) efi_guid_t mok_var = EFI_SHIM_LOCK_GUID; void *db = NULL, *dbx = NULL, *mok = NULL; unsigned long dbsize = 0, dbxsize = 0, moksize = 0; - int rc = 0; + int ignore_db, rc = 0; /* Check if SB is enabled and just return if not */ if (!efi_enabled(EFI_SECURE_BOOT)) return 0; + /* See if the user has setup Ignore DB mode */ + ignore_db = check_ignore_db(); + /* Get db, MokListRT, and dbx. They might not exist, so it isn't * an error if we can't get them. */ - db = get_cert_list(L"db", &secure_var, &dbsize); - if (!db) { - pr_err("MODSIGN: Couldn't get UEFI db list\n"); - } else { - rc = parse_efi_signature_list(db, dbsize, system_trusted_keyring); - if (rc) - pr_err("Couldn't parse db signatures: %d\n", rc); - kfree(db); + if (!ignore_db) { + db = get_cert_list(L"db", &secure_var, &dbsize); + if (!db) { + pr_err("MODSIGN: Couldn't get UEFI db list\n"); + } else { + rc = parse_efi_signature_list(db, dbsize, system_trusted_keyring); + if (rc) + pr_err("Couldn't parse db signatures: %d\n", rc); + kfree(db); + } } mok = get_cert_list(L"MokListRT", &mok_var, &moksize);