security/integrity/platform_certs/keyring_handler.c

   1 // SPDX-License-Identifier: GPL-2.0
   2
   3 #include <linux/kernel.h>
   4 #include <linux/sched.h>
   5 #include <linux/cred.h>
   6 #include <linux/err.h>
   7 #include <linux/efi.h>
   8 #include <linux/slab.h>
   9 #include <keys/asymmetric-type.h>
  10 #include <keys/system_keyring.h>
  11 #include "../integrity.h"
  12
  13 static efi_guid_t efi_cert_x509_guid __initdata = EFI_CERT_X509_GUID;
  14 static efi_guid_t efi_cert_x509_sha256_guid __initdata =
  15         EFI_CERT_X509_SHA256_GUID;
  16 static efi_guid_t efi_cert_sha256_guid __initdata = EFI_CERT_SHA256_GUID;
  17
  18 /*
  19  * Blacklist a hash.
  20  */
  21 static __init void uefi_blacklist_hash(const char *source, const void *data,
  22                                        size_t len, const char *type,
  23                                        size_t type_len)
  24 {
  25         char *hash, *p;
  26
  27         hash = kmalloc(type_len + len * 2 + 1, GFP_KERNEL);
  28         if (!hash)
  29                 return;
  30         p = memcpy(hash, type, type_len);
  31         p += type_len;
  32         bin2hex(p, data, len);
  33         p += len * 2;
  34         *p = 0;
  35
  36         mark_hash_blacklisted(hash);
  37         kfree(hash);
  38 }
  39
  40 /*
  41  * Blacklist an X509 TBS hash.
  42  */
  43 static __init void uefi_blacklist_x509_tbs(const char *source,
  44                                            const void *data, size_t len)
  45 {
  46         uefi_blacklist_hash(source, data, len, "tbs:", 4);
  47 }
  48
  49 /*
  50  * Blacklist the hash of an executable.
  51  */
  52 static __init void uefi_blacklist_binary(const char *source,
  53                                          const void *data, size_t len)
  54 {
  55         uefi_blacklist_hash(source, data, len, "bin:", 4);
  56 }
  57
  58 /*
  59  * Return the appropriate handler for particular signature list types found in
  60  * the UEFI db and MokListRT tables.
  61  */
  62 __init efi_element_handler_t get_handler_for_db(const efi_guid_t *sig_type)
  63 {
  64         if (efi_guidcmp(*sig_type, efi_cert_x509_guid) == 0)
  65                 return add_to_platform_keyring;
  66         return 0;
  67 }
  68
  69 /*
  70  * Return the appropriate handler for particular signature list types found in
  71  * the UEFI dbx and MokListXRT tables.
  72  */
  73 __init efi_element_handler_t get_handler_for_dbx(const efi_guid_t *sig_type)
  74 {
  75         if (efi_guidcmp(*sig_type, efi_cert_x509_sha256_guid) == 0)
  76                 return uefi_blacklist_x509_tbs;
  77         if (efi_guidcmp(*sig_type, efi_cert_sha256_guid) == 0)
  78                 return uefi_blacklist_binary;
  79         return 0;
  80 }