~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

TOMOYO Linux Cross Reference
Linux/security/integrity/platform_certs/keyring_handler.c

Version: ~ [ linux-6.11-rc3 ] ~ [ linux-6.10.4 ] ~ [ linux-6.9.12 ] ~ [ linux-6.8.12 ] ~ [ linux-6.7.12 ] ~ [ linux-6.6.45 ] ~ [ linux-6.5.13 ] ~ [ linux-6.4.16 ] ~ [ linux-6.3.13 ] ~ [ linux-6.2.16 ] ~ [ linux-6.1.104 ] ~ [ linux-6.0.19 ] ~ [ linux-5.19.17 ] ~ [ linux-5.18.19 ] ~ [ linux-5.17.15 ] ~ [ linux-5.16.20 ] ~ [ linux-5.15.164 ] ~ [ linux-5.14.21 ] ~ [ linux-5.13.19 ] ~ [ linux-5.12.19 ] ~ [ linux-5.11.22 ] ~ [ linux-5.10.223 ] ~ [ linux-5.9.16 ] ~ [ linux-5.8.18 ] ~ [ linux-5.7.19 ] ~ [ linux-5.6.19 ] ~ [ linux-5.5.19 ] ~ [ linux-5.4.281 ] ~ [ linux-5.3.18 ] ~ [ linux-5.2.21 ] ~ [ linux-5.1.21 ] ~ [ linux-5.0.21 ] ~ [ linux-4.20.17 ] ~ [ linux-4.19.319 ] ~ [ linux-4.18.20 ] ~ [ linux-4.17.19 ] ~ [ linux-4.16.18 ] ~ [ linux-4.15.18 ] ~ [ linux-4.14.336 ] ~ [ linux-4.13.16 ] ~ [ linux-4.12.14 ] ~ [ linux-4.11.12 ] ~ [ linux-4.10.17 ] ~ [ linux-4.9.337 ] ~ [ linux-4.4.302 ] ~ [ linux-3.10.108 ] ~ [ linux-2.6.32.71 ] ~ [ linux-2.6.0 ] ~ [ linux-2.4.37.11 ] ~ [ unix-v6-master ] ~ [ ccs-tools-1.8.9 ] ~ [ policy-sample ] ~
Architecture: ~ [ i386 ] ~ [ alpha ] ~ [ m68k ] ~ [ mips ] ~ [ ppc ] ~ [ sparc ] ~ [ sparc64 ] ~ 
  1 // SPDX-License-Identifier: GPL-2.0
  2 
  3 #include <linux/kernel.h>
  4 #include <linux/sched.h>
  5 #include <linux/cred.h>
  6 #include <linux/err.h>
  7 #include <linux/efi.h>
  8 #include <linux/slab.h>
  9 #include <keys/asymmetric-type.h>
 10 #include <keys/system_keyring.h>
 11 #include "../integrity.h"
 12 #include "keyring_handler.h"
 13 
 14 static efi_guid_t efi_cert_x509_guid __initdata = EFI_CERT_X509_GUID;
 15 static efi_guid_t efi_cert_x509_sha256_guid __initdata =
 16         EFI_CERT_X509_SHA256_GUID;
 17 static efi_guid_t efi_cert_sha256_guid __initdata = EFI_CERT_SHA256_GUID;
 18 
 19 /*
 20  * Blacklist an X509 TBS hash.
 21  */
 22 static __init void uefi_blacklist_x509_tbs(const char *source,
 23                                            const void *data, size_t len)
 24 {
 25         mark_hash_blacklisted(data, len, BLACKLIST_HASH_X509_TBS);
 26 }
 27 
 28 /*
 29  * Blacklist the hash of an executable.
 30  */
 31 static __init void uefi_blacklist_binary(const char *source,
 32                                          const void *data, size_t len)
 33 {
 34         mark_hash_blacklisted(data, len, BLACKLIST_HASH_BINARY);
 35 }
 36 
 37 /*
 38  * Add an X509 cert to the revocation list.
 39  */
 40 static __init void uefi_revocation_list_x509(const char *source,
 41                                              const void *data, size_t len)
 42 {
 43         add_key_to_revocation_list(data, len);
 44 }
 45 
 46 /*
 47  * Return the appropriate handler for particular signature list types found in
 48  * the UEFI db tables.
 49  */
 50 __init efi_element_handler_t get_handler_for_db(const efi_guid_t *sig_type)
 51 {
 52         if (efi_guidcmp(*sig_type, efi_cert_x509_guid) == 0)
 53                 return add_to_platform_keyring;
 54         return NULL;
 55 }
 56 
 57 /*
 58  * Return the appropriate handler for particular signature list types found in
 59  * the MokListRT tables.
 60  */
 61 __init efi_element_handler_t get_handler_for_mok(const efi_guid_t *sig_type)
 62 {
 63         if (efi_guidcmp(*sig_type, efi_cert_x509_guid) == 0) {
 64                 if (IS_ENABLED(CONFIG_INTEGRITY_MACHINE_KEYRING) &&
 65                     imputed_trust_enabled())
 66                         return add_to_machine_keyring;
 67                 else
 68                         return add_to_platform_keyring;
 69         }
 70         return NULL;
 71 }
 72 
 73 __init efi_element_handler_t get_handler_for_ca_keys(const efi_guid_t *sig_type)
 74 {
 75         if (efi_guidcmp(*sig_type, efi_cert_x509_guid) == 0)
 76                 return add_to_machine_keyring;
 77 
 78         return NULL;
 79 }
 80 
 81 __init efi_element_handler_t get_handler_for_code_signing_keys(const efi_guid_t *sig_type)
 82 {
 83         if (efi_guidcmp(*sig_type, efi_cert_x509_guid) == 0)
 84                 return add_to_secondary_keyring;
 85 
 86         return NULL;
 87 }
 88 
 89 /*
 90  * Return the appropriate handler for particular signature list types found in
 91  * the UEFI dbx and MokListXRT tables.
 92  */
 93 __init efi_element_handler_t get_handler_for_dbx(const efi_guid_t *sig_type)
 94 {
 95         if (efi_guidcmp(*sig_type, efi_cert_x509_sha256_guid) == 0)
 96                 return uefi_blacklist_x509_tbs;
 97         if (efi_guidcmp(*sig_type, efi_cert_sha256_guid) == 0)
 98                 return uefi_blacklist_binary;
 99         if (efi_guidcmp(*sig_type, efi_cert_x509_guid) == 0)
100                 return uefi_revocation_list_x509;
101         return NULL;
102 }
103
~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~
kernel.org | git.kernel.org | LWN.net | Project Home | SVN repository | Mail admin

Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.

sflogo.php