security/integrity/platform_certs/keyring_handler.c

   1 // SPDX-License-Identifier: GPL-2.0
   2
   3 #include <linux/kernel.h>
   4 #include <linux/sched.h>
   5 #include <linux/cred.h>
   6 #include <linux/err.h>
   7 #include <linux/efi.h>
   8 #include <linux/slab.h>
   9 #include <keys/asymmetric-type.h>
  10 #include <keys/system_keyring.h>
  11 #include "../integrity.h"
  12 #include "keyring_handler.h"
  13
  14 static efi_guid_t efi_cert_x509_guid __initdata = EFI_CERT_X509_GUID;
  15 static efi_guid_t efi_cert_x509_sha256_guid __initdata =
  16         EFI_CERT_X509_SHA256_GUID;
  17 static efi_guid_t efi_cert_sha256_guid __initdata = EFI_CERT_SHA256_GUID;
  18
  19 /*
  20  * Blacklist an X509 TBS hash.
  21  */
  22 static __init void uefi_blacklist_x509_tbs(const char *source,
  23                                            const void *data, size_t len)
  24 {
  25         mark_hash_blacklisted(data, len, BLACKLIST_HASH_X509_TBS);
  26 }
  27
  28 /*
  29  * Blacklist the hash of an executable.
  30  */
  31 static __init void uefi_blacklist_binary(const char *source,
  32                                          const void *data, size_t len)
  33 {
  34         mark_hash_blacklisted(data, len, BLACKLIST_HASH_BINARY);
  35 }
  36
  37 /*
  38  * Add an X509 cert to the revocation list.
  39  */
  40 static __init void uefi_revocation_list_x509(const char *source,
  41                                              const void *data, size_t len)
  42 {
  43         add_key_to_revocation_list(data, len);
  44 }
  45
  46 /*
  47  * Return the appropriate handler for particular signature list types found in
  48  * the UEFI db tables.
  49  */
  50 __init efi_element_handler_t get_handler_for_db(const efi_guid_t *sig_type)
  51 {
  52         if (efi_guidcmp(*sig_type, efi_cert_x509_guid) == 0)
  53                 return add_to_platform_keyring;
  54         return NULL;
  55 }
  56
  57 /*
  58  * Return the appropriate handler for particular signature list types found in
  59  * the MokListRT tables.
  60  */
  61 __init efi_element_handler_t get_handler_for_mok(const efi_guid_t *sig_type)
  62 {
  63         if (efi_guidcmp(*sig_type, efi_cert_x509_guid) == 0) {
  64                 if (IS_ENABLED(CONFIG_INTEGRITY_MACHINE_KEYRING) &&
  65                     imputed_trust_enabled())
  66                         return add_to_machine_keyring;
  67                 else
  68                         return add_to_platform_keyring;
  69         }
  70         return NULL;
  71 }
  72
  73 __init efi_element_handler_t get_handler_for_ca_keys(const efi_guid_t *sig_type)
  74 {
  75         if (efi_guidcmp(*sig_type, efi_cert_x509_guid) == 0)
  76                 return add_to_machine_keyring;
  77
  78         return NULL;
  79 }
  80
  81 __init efi_element_handler_t get_handler_for_code_signing_keys(const efi_guid_t *sig_type)
  82 {
  83         if (efi_guidcmp(*sig_type, efi_cert_x509_guid) == 0)
  84                 return add_to_secondary_keyring;
  85
  86         return NULL;
  87 }
  88
  89 /*
  90  * Return the appropriate handler for particular signature list types found in
  91  * the UEFI dbx and MokListXRT tables.
  92  */
  93 __init efi_element_handler_t get_handler_for_dbx(const efi_guid_t *sig_type)
  94 {
  95         if (efi_guidcmp(*sig_type, efi_cert_x509_sha256_guid) == 0)
  96                 return uefi_blacklist_x509_tbs;
  97         if (efi_guidcmp(*sig_type, efi_cert_sha256_guid) == 0)
  98                 return uefi_blacklist_binary;
  99         if (efi_guidcmp(*sig_type, efi_cert_x509_guid) == 0)
 100                 return uefi_revocation_list_x509;
 101         return NULL;
 102 }