diff options
| -rw-r--r-- | security/integrity/Kconfig | 9 | ||||
| -rw-r--r-- | security/integrity/Makefile | 4 | ||||
| -rw-r--r-- | security/integrity/platform_certs/load_powerpc.c | 96 |
3 files changed, 108 insertions, 1 deletions
diff --git a/security/integrity/Kconfig b/security/integrity/Kconfig index 0bae6adb63a9..71f0177e8716 100644 --- a/security/integrity/Kconfig +++ b/security/integrity/Kconfig @@ -72,6 +72,15 @@ config LOAD_IPL_KEYS depends on S390 def_bool y +config LOAD_PPC_KEYS + bool "Enable loading of platform and blacklisted keys for POWER" + depends on INTEGRITY_PLATFORM_KEYRING + depends on PPC_SECURE_BOOT + default y + help + Enable loading of keys to the .platform keyring and blacklisted + hashes to the .blacklist keyring for powerpc based platforms. + config INTEGRITY_AUDIT bool "Enables integrity auditing support " depends on AUDIT diff --git a/security/integrity/Makefile b/security/integrity/Makefile index 351c9662994b..7ee39d66cf16 100644 --- a/security/integrity/Makefile +++ b/security/integrity/Makefile @@ -14,6 +14,8 @@ integrity-$(CONFIG_LOAD_UEFI_KEYS) += platform_certs/efi_parser.o \ platform_certs/load_uefi.o \ platform_certs/keyring_handler.o integrity-$(CONFIG_LOAD_IPL_KEYS) += platform_certs/load_ipl_s390.o - +integrity-$(CONFIG_LOAD_PPC_KEYS) += platform_certs/efi_parser.o \ + platform_certs/load_powerpc.o \ + platform_certs/keyring_handler.o obj-$(CONFIG_IMA) += ima/ obj-$(CONFIG_EVM) += evm/ diff --git a/security/integrity/platform_certs/load_powerpc.c b/security/integrity/platform_certs/load_powerpc.c new file mode 100644 index 000000000000..a2900cb85357 --- /dev/null +++ b/security/integrity/platform_certs/load_powerpc.c @@ -0,0 +1,96 @@ +// SPDX-License-Identifier: GPL-2.0 +/* + * Copyright (C) 2019 IBM Corporation + * Author: Nayna Jain + * + * - loads keys and hashes stored and controlled by the firmware. + */ +#include <linux/kernel.h> +#include <linux/sched.h> +#include <linux/cred.h> +#include <linux/err.h> +#include <linux/slab.h> +#include <linux/of.h> +#include <asm/secure_boot.h> +#include <asm/secvar.h> +#include "keyring_handler.h" + +/* + * Get a certificate list blob from the named secure variable. + */ +static __init void *get_cert_list(u8 *key, unsigned long keylen, uint64_t *size) +{ + int rc; + void *db; + + rc = secvar_ops->get(key, keylen, NULL, size); + if (rc) { + pr_err("Couldn't get size: %d\n", rc); + return NULL; + } + + db = kmalloc(*size, GFP_KERNEL); + if (!db) + return NULL; + + rc = secvar_ops->get(key, keylen, db, size); + if (rc) { + kfree(db); + pr_err("Error reading %s var: %d\n", key, rc); + return NULL; + } + + return db; +} + +/* + * Load the certs contained in the keys databases into the platform trusted + * keyring and the blacklisted X.509 cert SHA256 hashes into the blacklist + * keyring. + */ +static int __init load_powerpc_certs(void) +{ + void *db = NULL, *dbx = NULL; + uint64_t dbsize = 0, dbxsize = 0; + int rc = 0; + struct device_node *node; + + if (!secvar_ops) + return -ENODEV; + + /* The following only applies for the edk2-compat backend. */ + node = of_find_compatible_node(NULL, NULL, "ibm,edk2-compat-v1"); + if (!node) + return -ENODEV; + + /* + * Get db, and dbx. They might not exist, so it isn't an error if we + * can't get them. + */ + db = get_cert_list("db", 3, &dbsize); + if (!db) { + pr_err("Couldn't get db list from firmware\n"); + } else { + rc = parse_efi_signature_list("powerpc:db", db, dbsize, + get_handler_for_db); + if (rc) + pr_err("Couldn't parse db signatures: %d\n", rc); + kfree(db); + } + + dbx = get_cert_list("dbx", 4, &dbxsize); + if (!dbx) { + pr_info("Couldn't get dbx list from firmware\n"); + } else { + rc = parse_efi_signature_list("powerpc:dbx", dbx, dbxsize, + get_handler_for_dbx); + if (rc) + pr_err("Couldn't parse dbx signatures: %d\n", rc); + kfree(dbx); + } + + of_node_put(node); + + return rc; +} +late_initcall(load_powerpc_certs); |