author | Alexandre Oliva <lxoliva@fsfla.org> | 2014-10-09 05:10:14 +0000 |
---|---|---|
committer | Alexandre Oliva <lxoliva@fsfla.org> | 2014-10-09 05:10:14 +0000 |
commit | d85c6a16d4404de97f030cc749642f1ca4032279 (patch) | |
tree | 207c24aeafde1360c6da5f0629a34d9239331384 /freed-ora/current/f21/MODSIGN-Support-not-importing-certs-from-db.patch | |
parent | b2678230af186e8b8b8713f55097696dc8913b53 (diff) | |
3.17.0-300.fc21.gnu
Diffstat (limited to 'freed-ora/current/f21/MODSIGN-Support-not-importing-certs-from-db.patch')
-rw-r--r-- | freed-ora/current/f21/MODSIGN-Support-not-importing-certs-from-db.patch | 83 |
1 files changed, 83 insertions, 0 deletions
diff --git a/freed-ora/current/f21/MODSIGN-Support-not-importing-certs-from-db.patch b/freed-ora/current/f21/MODSIGN-Support-not-importing-certs-from-db.patch
new file mode 100644
index 000000000..6ed99e627
--- /dev/null
+++ b/freed-ora/current/f21/MODSIGN-Support-not-importing-certs-from-db.patch
@@ -0,0 +1,83 @@
+From: Josh Boyer <jwboyer@fedoraproject.org>
+Date: Thu, 3 Oct 2013 10:14:23 -0400
+Subject: [PATCH] MODSIGN: Support not importing certs from db
+
+If a user tells shim to not use the certs/hashes in the UEFI db variable
+for verification purposes, shim will set a UEFI variable called MokIgnoreDB.
+Have the uefi import code look for this and not import things from the db
+variable.
+
+Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
+---
+ kernel/modsign_uefi.c | 40 +++++++++++++++++++++++++++++++---------
+ 1 file changed, 31 insertions(+), 9 deletions(-)
+
+diff --git a/kernel/modsign_uefi.c b/kernel/modsign_uefi.c
+index 94b0eb38a284..ae28b974d49a 100644
+--- a/kernel/modsign_uefi.c
++++ b/kernel/modsign_uefi.c
+@@ -8,6 +8,23 @@
+ #include <keys/system_keyring.h>
+ #include "module-internal.h"
+
++static __init int check_ignore_db(void)
++{
++ efi_status_t status;
++ unsigned int db = 0;
++ unsigned long size = sizeof(db);
++ efi_guid_t guid = EFI_SHIM_LOCK_GUID;
++
++ /* Check and see if the MokIgnoreDB variable exists. If that fails
++ * then we don't ignore DB. If it succeeds, we do.
++ */
++ status = efi.get_variable(L"MokIgnoreDB", &guid, NULL, &size, &db);
++ if (status != EFI_SUCCESS)
++ return 0;
++
++ return 1;
++}
++
+ static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid, unsigned long *size)
+ {
+ efi_status_t status;
+@@ -47,23 +64,28 @@ static int __init load_uefi_certs(void)
+ efi_guid_t mok_var = EFI_SHIM_LOCK_GUID;
+ void *db = NULL, *dbx = NULL, *mok = NULL;
+ unsigned long dbsize = 0, dbxsize = 0, moksize = 0;
+- int rc = 0;
++ int ignore_db, rc = 0;
+
+ /* Check if SB is enabled and just return if not */
+ if (!efi_enabled(EFI_SECURE_BOOT))
+ return 0;
+
++ /* See if the user has setup Ignore DB mode */
++ ignore_db = check_ignore_db();
++
+ /* Get db, MokListRT, and dbx. They might not exist, so it isn't
+ * an error if we can't get them.
+ */
+- db = get_cert_list(L"db", &secure_var, &dbsize);
+- if (!db) {
+- pr_err("MODSIGN: Couldn't get UEFI db list\n");
+- } else {
+- rc = parse_efi_signature_list(db, dbsize, system_trusted_keyring);
+- if (rc)
+- pr_err("Couldn't parse db signatures: %d\n", rc);
+- kfree(db);
++ if (!ignore_db) {
++ db = get_cert_list(L"db", &secure_var, &dbsize);
++ if (!db) {
++ pr_err("MODSIGN: Couldn't get UEFI db list\n");
++ } else {
++ rc = parse_efi_signature_list(db, dbsize, system_trusted_keyring);
++ if (rc)
++ pr_err("Couldn't parse db signatures: %d\n", rc);
++ kfree(db);
++ }
+ }
+
+ mok = get_cert_list(L"MokListRT", &mok_var, &moksize);
+--
+1.9.3
+ |
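Review bot: check_ignore_db() in the embedded kernel patch maps every status other than EFI_SUCCESS to "MokIgnoreDB not set". A variable that exists but does not fit the 4-byte `db` buffer (EFI_BUFFER_TOO_SMALL), or a firmware read error, therefore falls back silently to importing db, which widens the trusted keyring against the user's request. Presence should be the signal, e.g. `if (status == EFI_SUCCESS || status == EFI_BUFFER_TOO_SMALL) return 1;`, with only EFI_NOT_FOUND treated as a quiet 0 and any other status logged. The attributes argument is passed as NULL, so the check cannot tell how the variable was created; that looks low-risk here because a spurious MokIgnoreDB only narrows trust, but it deserves a comment. In load_uefi_certs() the skipped import leaves no trace in the boot log, so a line such as `pr_info("MODSIGN: MokIgnoreDB set, not importing UEFI db certs\n");` in an else branch of `if (!ignore_db)` would help anyone auditing which keys were trusted.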