1 // SPDX-License-Identifier: GPL-2.0
3 * Copyright (C) 2019 IBM Corporation
6 * - loads keys and hashes stored and controlled by the firmware.
8 #include <linux/kernel.h>
9 #include <linux/sched.h>
10 #include <linux/cred.h>
11 #include <linux/err.h>
12 #include <linux/slab.h>
14 #include <asm/secure_boot.h>
15 #include <asm/secvar.h>
16 #include "keyring_handler.h"
19 * Get a certificate list blob from the named secure variable.
21 static __init void *get_cert_list(u8 *key, unsigned long keylen, uint64_t *size)
26 rc = secvar_ops->get(key, keylen, NULL, size);
28 pr_err("Couldn't get size: %d\n", rc);
32 db = kmalloc(*size, GFP_KERNEL);
36 rc = secvar_ops->get(key, keylen, db, size);
39 pr_err("Error reading %s var: %d\n", key, rc);
47 * Load the certs contained in the keys databases into the platform trusted
48 * keyring and the blacklisted X.509 cert SHA256 hashes into the blacklist
51 static int __init load_powerpc_certs(void)
53 void *db = NULL, *dbx = NULL;
54 uint64_t dbsize = 0, dbxsize = 0;
56 struct device_node *node;
61 /* The following only applies for the edk2-compat backend. */
62 node = of_find_compatible_node(NULL, NULL, "ibm,edk2-compat-v1");
67 * Get db, and dbx. They might not exist, so it isn't an error if we
70 db = get_cert_list("db", 3, &dbsize);
72 pr_err("Couldn't get db list from firmware\n");
74 rc = parse_efi_signature_list("powerpc:db", db, dbsize,
77 pr_err("Couldn't parse db signatures: %d\n", rc);
81 dbx = get_cert_list("dbx", 4, &dbxsize);
83 pr_info("Couldn't get dbx list from firmware\n");
85 rc = parse_efi_signature_list("powerpc:dbx", dbx, dbxsize,
88 pr_err("Couldn't parse dbx signatures: %d\n", rc);
96 late_initcall(load_powerpc_certs);