1// SPDX-License-Identifier: GPL-2.0 2 3#include <linux/kernel.h> 4#include <linux/sched.h> 5#include <linux/cred.h> 6#include <linux/err.h> 7#include <linux/efi.h> 8#include <linux/slab.h> 9#include <keys/asymmetric-type.h> 10#include <keys/system_keyring.h> 11#include "../integrity.h" 12#include "keyring_handler.h" 13 14static efi_guid_t efi_cert_x509_guid __initdata = EFI_CERT_X509_GUID; 15static efi_guid_t efi_cert_x509_sha256_guid __initdata = 16 EFI_CERT_X509_SHA256_GUID; 17static efi_guid_t efi_cert_sha256_guid __initdata = EFI_CERT_SHA256_GUID; 18 19/* 20 * Blacklist an X509 TBS hash. 21 */ 22static __init void uefi_blacklist_x509_tbs(const char *source, 23 const void *data, size_t len) 24{ 25 mark_hash_blacklisted(data, len, BLACKLIST_HASH_X509_TBS); 26} 27 28/* 29 * Blacklist the hash of an executable. 30 */ 31static __init void uefi_blacklist_binary(const char *source, 32 const void *data, size_t len) 33{ 34 mark_hash_blacklisted(data, len, BLACKLIST_HASH_BINARY); 35} 36 37/* 38 * Add an X509 cert to the revocation list. 39 */ 40static __init void uefi_revocation_list_x509(const char *source, 41 const void *data, size_t len) 42{ 43 add_key_to_revocation_list(data, len); 44} 45 46/* 47 * Return the appropriate handler for particular signature list types found in 48 * the UEFI db tables. 49 */ 50__init efi_element_handler_t get_handler_for_db(const efi_guid_t *sig_type) 51{ 52 if (efi_guidcmp(*sig_type, efi_cert_x509_guid) == 0) 53 return add_to_platform_keyring; 54 return NULL; 55} 56 57/* 58 * Return the appropriate handler for particular signature list types found in 59 * the MokListRT tables. 60 */ 61__init efi_element_handler_t get_handler_for_mok(const efi_guid_t *sig_type) 62{ 63 if (efi_guidcmp(*sig_type, efi_cert_x509_guid) == 0) { 64 if (IS_ENABLED(CONFIG_INTEGRITY_MACHINE_KEYRING) && 65 imputed_trust_enabled()) 66 return add_to_machine_keyring; 67 else 68 return add_to_platform_keyring; 69 } 70 return NULL; 71} 72 73__init efi_element_handler_t get_handler_for_ca_keys(const efi_guid_t *sig_type) 74{ 75 if (efi_guidcmp(*sig_type, efi_cert_x509_guid) == 0) 76 return add_to_machine_keyring; 77 78 return NULL; 79} 80 81__init efi_element_handler_t get_handler_for_code_signing_keys(const efi_guid_t *sig_type) 82{ 83 if (efi_guidcmp(*sig_type, efi_cert_x509_guid) == 0) 84 return add_to_secondary_keyring; 85 86 return NULL; 87} 88 89/* 90 * Return the appropriate handler for particular signature list types found in 91 * the UEFI dbx and MokListXRT tables. 92 */ 93__init efi_element_handler_t get_handler_for_dbx(const efi_guid_t *sig_type) 94{ 95 if (efi_guidcmp(*sig_type, efi_cert_x509_sha256_guid) == 0) 96 return uefi_blacklist_x509_tbs; 97 if (efi_guidcmp(*sig_type, efi_cert_sha256_guid) == 0) 98 return uefi_blacklist_binary; 99 if (efi_guidcmp(*sig_type, efi_cert_x509_guid) == 0) 100 return uefi_revocation_list_x509; 101 return NULL; 102} 103