Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
torvalds
GitHub Repository: torvalds/linux
 Path: blob/master/security/integrity/platform_certs/load_powerpc.c
26444 views
1
// SPDX-License-Identifier: GPL-2.0

2
/*

3
 * Copyright (C) 2019 IBM Corporation

4
 * Author: Nayna Jain

5
 *

6
 *      - loads keys and hashes stored and controlled by the firmware.

7
 */

8
#include <linux/kernel.h>

9
#include <linux/sched.h>

10
#include <linux/cred.h>

11
#include <linux/err.h>

12
#include <linux/slab.h>

13
#include <asm/secure_boot.h>

14
#include <asm/secvar.h>

15
#include "keyring_handler.h"

16
#include "../integrity.h"

17


18
#define extract_esl(db, data, size, offset)	\

19
	do { db = data + offset; size = size - offset; } while (0)

20


21
/*

22
 * Get a certificate list blob from the named secure variable.

23
 *

24
 * Returns:

25
 *  - a pointer to a kmalloc'd buffer containing the cert list on success

26
 *  - NULL if the key does not exist

27
 *  - an ERR_PTR on error

28
 */

29
static __init void *get_cert_list(u8 *key, unsigned long keylen, u64 *size)

30
{

31
	int rc;

32
	void *db;

33


34
	rc = secvar_ops->get(key, keylen, NULL, size);

35
	if (rc) {

36
		if (rc == -ENOENT)

37
			return NULL;

38
		return ERR_PTR(rc);

39
	}

40


41
	db = kmalloc(*size, GFP_KERNEL);

42
	if (!db)

43
		return ERR_PTR(-ENOMEM);

44


45
	rc = secvar_ops->get(key, keylen, db, size);

46
	if (rc) {

47
		kfree(db);

48
		return ERR_PTR(rc);

49
	}

50


51
	return db;

52
}

53


54
/*

55
 * Load the certs contained in the keys databases into the platform trusted

56
 * keyring and the blacklisted X.509 cert SHA256 hashes into the blacklist

57
 * keyring.

58
 */

59
static int __init load_powerpc_certs(void)

60
{

61
	void *db = NULL, *dbx = NULL, *data = NULL;

62
	void *trustedca;

63
	void *moduledb;

64
	u64 dsize = 0;

65
	u64 offset = 0;

66
	int rc = 0;

67
	ssize_t len;

68
	char buf[32];

69


70
	if (!secvar_ops)

71
		return -ENODEV;

72


73
	len = secvar_ops->format(buf, sizeof(buf));

74
	if (len <= 0)

75
		return -ENODEV;

76


77
	// Check for known secure boot implementations from OPAL or PLPKS

78
	if (strcmp("ibm,edk2-compat-v1", buf) && strcmp("ibm,plpks-sb-v1", buf) &&

79
	    strcmp("ibm,plpks-sb-v0", buf)) {

80
		pr_err("Unsupported secvar implementation \"%s\", not loading certs\n", buf);

81
		return -ENODEV;

82
	}

83


84
	if (strcmp("ibm,plpks-sb-v1", buf) == 0 || strcmp("ibm,plpks-sb-v0", buf) == 0)

85
		/* PLPKS authenticated variables ESL data is prefixed with 8 bytes of timestamp */

86
		offset = 8;

87


88
	/*

89
	 * Get db, and dbx. They might not exist, so it isn't an error if we

90
	 * can't get them.

91
	 */

92
	data = get_cert_list("db", 3, &dsize);

93
	if (!data) {

94
		pr_info("Couldn't get db list from firmware\n");

95
	} else if (IS_ERR(data)) {

96
		rc = PTR_ERR(data);

97
		pr_err("Error reading db from firmware: %d\n", rc);

98
		return rc;

99
	} else {

100
		extract_esl(db, data, dsize, offset);

101


102
		rc = parse_efi_signature_list("powerpc:db", db, dsize,

103
					      get_handler_for_db);

104
		if (rc)

105
			pr_err("Couldn't parse db signatures: %d\n", rc);

106
		kfree(data);

107
	}

108


109
	data = get_cert_list("dbx", 4,  &dsize);

110
	if (!data) {

111
		pr_info("Couldn't get dbx list from firmware\n");

112
	} else if (IS_ERR(data)) {

113
		rc = PTR_ERR(data);

114
		pr_err("Error reading dbx from firmware: %d\n", rc);

115
		return rc;

116
	} else {

117
		extract_esl(dbx, data, dsize, offset);

118


119
		rc = parse_efi_signature_list("powerpc:dbx", dbx, dsize,

120
					      get_handler_for_dbx);

121
		if (rc)

122
			pr_err("Couldn't parse dbx signatures: %d\n", rc);

123
		kfree(data);

124
	}

125


126
	data = get_cert_list("trustedcadb", 12,  &dsize);

127
	if (!data) {

128
		pr_info("Couldn't get trustedcadb list from firmware\n");

129
	} else if (IS_ERR(data)) {

130
		rc = PTR_ERR(data);

131
		pr_err("Error reading trustedcadb from firmware: %d\n", rc);

132
	} else {

133
		extract_esl(trustedca, data, dsize, offset);

134


135
		rc = parse_efi_signature_list("powerpc:trustedca", trustedca, dsize,

136
					      get_handler_for_ca_keys);

137
		if (rc)

138
			pr_err("Couldn't parse trustedcadb signatures: %d\n", rc);

139
		kfree(data);

140
	}

141


142
	data = get_cert_list("moduledb", 9,  &dsize);

143
	if (!data) {

144
		pr_info("Couldn't get moduledb list from firmware\n");

145
	} else if (IS_ERR(data)) {

146
		rc = PTR_ERR(data);

147
		pr_err("Error reading moduledb from firmware: %d\n", rc);

148
	} else {

149
		extract_esl(moduledb, data, dsize, offset);

150


151
		rc = parse_efi_signature_list("powerpc:moduledb", moduledb, dsize,

152
					      get_handler_for_code_signing_keys);

153
		if (rc)

154
			pr_err("Couldn't parse moduledb signatures: %d\n", rc);

155
		kfree(data);

156
	}

157


158
	return rc;

159
}

160
late_initcall(load_powerpc_certs);

161


162