0001 // SPDX-License-Identifier: GPL-2.0
0002 
0003 #include <linux/kernel.h>
0004 #include <linux/sched.h>
0005 #include <linux/cred.h>
0006 #include <linux/err.h>
0007 #include <linux/efi.h>
0008 #include <linux/slab.h>
0009 #include <keys/asymmetric-type.h>
0010 #include <keys/system_keyring.h>
0011 #include "../integrity.h"
0012 #include "keyring_handler.h"
0013 
/*
 * Signature-type GUIDs that the handler selectors below compare each
 * signature-list entry against.  They are __initdata because only the
 * __init handlers in this file consult them.
 */
/* EFI_CERT_X509: entry carries a whole X.509 certificate */
static efi_guid_t efi_cert_x509_guid __initdata = EFI_CERT_X509_GUID;
/* EFI_CERT_X509_SHA256: entry carries a hash of a certificate's TBS data */
static efi_guid_t efi_cert_x509_sha256_guid __initdata =
    EFI_CERT_X509_SHA256_GUID;
/* EFI_CERT_SHA256: entry carries a plain SHA-256 (of a binary, see dbx) */
static efi_guid_t efi_cert_sha256_guid __initdata = EFI_CERT_SHA256_GUID;
0018 
/*
 * dbx/MokListXRT handler for EFI_CERT_X509_SHA256 entries: record the
 * entry's hash on the blacklist as a BLACKLIST_HASH_X509_TBS item.
 *
 * @source is part of the efi_element_handler_t signature and is not used
 * by this handler; @data/@len describe the entry payload.
 */
static void __init uefi_blacklist_x509_tbs(const char *source, const void *data,
					   size_t len)
{
	mark_hash_blacklisted(data, len, BLACKLIST_HASH_X509_TBS);
}
0027 
/*
 * dbx/MokListXRT handler for EFI_CERT_SHA256 entries: record the entry's
 * hash on the blacklist as a BLACKLIST_HASH_BINARY item.
 *
 * @source is part of the efi_element_handler_t signature and is not used
 * by this handler; @data/@len describe the entry payload.
 */
static void __init uefi_blacklist_binary(const char *source, const void *data,
					 size_t len)
{
	mark_hash_blacklisted(data, len, BLACKLIST_HASH_BINARY);
}
0036 
/*
 * dbx/MokListXRT handler for EFI_CERT_X509 entries: the entry is a whole
 * certificate, so hand it to add_key_to_revocation_list().
 *
 * @source is part of the efi_element_handler_t signature and is not used
 * by this handler; @data/@len describe the entry payload.
 */
static void __init uefi_revocation_list_x509(const char *source,
					     const void *data, size_t len)
{
	add_key_to_revocation_list(data, len);
}
0045 
/*
 * Select the handler for one signature-list entry from the UEFI db.
 *
 * Only X.509 certificate entries (EFI_CERT_X509) are consumed, and they go
 * to the platform keyring.  Every other signature type is ignored: NULL is
 * returned and the caller skips the entry.
 */
__init efi_element_handler_t get_handler_for_db(const efi_guid_t *sig_type)
{
	if (efi_guidcmp(*sig_type, efi_cert_x509_guid) != 0)
		return NULL;

	return add_to_platform_keyring;
}
0056 
/*
 * Select the handler for one signature-list entry from MokListRT.
 *
 * Only X.509 certificate entries (EFI_CERT_X509) are consumed.  They are
 * routed to the machine keyring when CONFIG_INTEGRITY_MACHINE_KEYRING is
 * built in and trust_moklist() reports the MOK list may be trusted;
 * otherwise they fall back to the platform keyring.  Every other signature
 * type is ignored (NULL).
 */
__init efi_element_handler_t get_handler_for_mok(const efi_guid_t *sig_type)
{
	if (efi_guidcmp(*sig_type, efi_cert_x509_guid) != 0)
		return NULL;

	/*
	 * IS_ENABLED() is tested first so that trust_moklist() is only
	 * consulted when the machine keyring is configured at all.
	 */
	if (IS_ENABLED(CONFIG_INTEGRITY_MACHINE_KEYRING) && trust_moklist())
		return add_to_machine_keyring;

	return add_to_platform_keyring;
}
0071 
/*
 * Select the handler for one signature-list entry from the UEFI dbx or
 * MokListXRT, i.e. the revocation lists.
 *
 * Three entry types are understood:
 *   - EFI_CERT_X509_SHA256: hash of a certificate's TBS data, blacklisted
 *     as BLACKLIST_HASH_X509_TBS;
 *   - EFI_CERT_SHA256:      hash of a binary, blacklisted as
 *     BLACKLIST_HASH_BINARY;
 *   - EFI_CERT_X509:        a whole certificate, passed to
 *     add_key_to_revocation_list().
 * Anything else is ignored (NULL) and the caller skips the entry.
 */
__init efi_element_handler_t get_handler_for_dbx(const efi_guid_t *sig_type)
{
	efi_element_handler_t handler = NULL;

	if (!efi_guidcmp(*sig_type, efi_cert_x509_sha256_guid))
		handler = uefi_blacklist_x509_tbs;
	else if (!efi_guidcmp(*sig_type, efi_cert_sha256_guid))
		handler = uefi_blacklist_binary;
	else if (!efi_guidcmp(*sig_type, efi_cert_x509_guid))
		handler = uefi_revocation_list_x509;

	return handler;
}