56 lines
1.6 KiB
Diff
56 lines
1.6 KiB
Diff
Origin: https://lore.kernel.org/patchwork/cover/933178/
|
|
From: "Lee, Chun-Yi" <joeyli.kernel@gmail.com>
|
|
Subject: [PATCH 2/4] MODSIGN: load blacklist from MOKx
|
|
|
|
This patch adds the logic to load the blacklisted hash and
|
|
certificates from MOKx which is maintained by shim bootloader.
|
|
|
|
Signed-off-by: "Lee, Chun-Yi" <jlee@suse.com>
|
|
---
|
|
certs/load_uefi.c | 16 +++++++++++++---
|
|
1 file changed, 13 insertions(+), 3 deletions(-)
|
|
|
|
diff --git a/certs/load_uefi.c b/certs/load_uefi.c
|
|
index f2f372b..dc66a79 100644
|
|
--- a/certs/load_uefi.c
|
|
+++ b/certs/load_uefi.c
|
|
@@ -148,8 +148,8 @@
|
|
{
|
|
efi_guid_t secure_var = EFI_IMAGE_SECURITY_DATABASE_GUID;
|
|
efi_guid_t mok_var = EFI_SHIM_LOCK_GUID;
|
|
- void *db = NULL, *dbx = NULL, *mok = NULL;
|
|
- unsigned long dbsize = 0, dbxsize = 0, moksize = 0;
|
|
+ void *db = NULL, *dbx = NULL, *mok = NULL, *mokx = NULL;
|
|
+ unsigned long dbsize = 0, dbxsize = 0, moksize = 0, mokxsize = 0;
|
|
int rc = 0;
|
|
|
|
if (!efi.get_variable)
|
|
@@ -183,7 +183,7 @@
|
|
kfree(dbx);
|
|
}
|
|
|
|
- /* the MOK can not be trusted when secure boot is disabled */
|
|
+ /* the MOK and MOKx can not be trusted when secure boot is disabled */
|
|
if (!efi_enabled(EFI_SECURE_BOOT))
|
|
return 0;
|
|
|
|
@@ -198,6 +198,18 @@
|
|
kfree(mok);
|
|
}
|
|
|
|
+ rc = get_cert_list(L"MokListXRT", &mok_var, &mokxsize, &mokx);
|
|
+ if (rc < 0) {
|
|
+ pr_info("MODSIGN: Couldn't get UEFI MokListXRT\n");
|
|
+ } else if (mokxsize != 0) {
|
|
+ rc = parse_efi_signature_list("UEFI:mokx",
|
|
+ mokx, mokxsize,
|
|
+ get_handler_for_dbx);
|
|
+ if (rc)
|
|
+ pr_err("Couldn't parse MokListXRT signatures: %d\n", rc);
|
|
+ kfree(mokx);
|
|
+ }
|
|
+
|
|
return rc;
|
|
}
|
|
late_initcall(load_uefi_certs);
|