UBUNTU: SAUCE: (noup) MODSIGN: Support not importing certs from db

BugLink: http://bugs.launchpad.net/bugs/1569924 If a user tells shim to not use the certs/hashes in the UEFI db variable for verification purposes, shim will set a UEFI variable called MokIgnoreDB. Have the uefi import code look for this and not import things from the db variable. Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org> Signed-off-by: Tim Gardner <tim.gardner@canonical.com> Signed-off-by: Andy Whitcroft <andy.whitcroft@canonical.com> Signed-off-by: Stefan Bader <stefan.bader@canonical.com>

UBUNTU: SAUCE: (noup) MODSIGN: Support not importing certs from db
BugLink: http://bugs.launchpad.net/bugs/1569924 If a user tells shim to not use the certs/hashes in the UEFI db variable for verification purposes, shim will set a UEFI variable called MokIgnoreDB. Have the uefi import code look for this and not import things from the db variable. Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org> Signed-off-by: Tim Gardner <tim.gardner@canonical.com> Signed-off-by: Andy Whitcroft <andy.whitcroft@canonical.com> Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
d760d063 · Josh Boyer · Tim Gardner · efc7d880 · d760d063
Commit d760d063 authored Oct 03, 2013 by Josh Boyer Committed by Tim Gardner Apr 20, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 31 additions and 9 deletions

kernel/modsign_uefi.c kernel/modsign_uefi.c +31 -9

No files found.
--- a/kernel/modsign_uefi.c
+++ b/kernel/modsign_uefi.c
@@ -8,6 +8,23 @@
 #include <keys/system_keyring.h>
 #include "module-internal.h"
+static __init int check_ignore_db(void)
+{
+	efi_status_t status;
+	unsigned int db = 0;
+	unsigned long size = sizeof(db);
+	efi_guid_t guid = EFI_SHIM_LOCK_GUID;
+	/* Check and see if the MokIgnoreDB variable exists.  If that fails
+	 * then we don't ignore DB.  If it succeeds, we do.
+	 */
+	status = efi.get_variable(L"MokIgnoreDB", &guid, NULL, &size, &db);
+	if (status != EFI_SUCCESS)
+		return 0;
+	return 1;
+}
 static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid, unsigned long *size)
 {
 	efi_status_t status;
@@ -47,23 +64,28 @@ static int __init load_uefi_certs(void)
 	efi_guid_t mok_var = EFI_SHIM_LOCK_GUID;
 	void *db = NULL, *dbx = NULL, *mok = NULL;
 	unsigned long dbsize = 0, dbxsize = 0, moksize = 0;
-	int rc = 0;
+	int ignore_db, rc = 0;
 	/* Check if SB is enabled and just return if not */
 	if (!efi_enabled(EFI_SECURE_BOOT))
 		return 0;
+	/* See if the user has setup Ignore DB mode */
+	ignore_db = check_ignore_db();
 	/* Get db, MokListRT, and dbx.  They might not exist, so it isn't
 	 * an error if we can't get them.
 	 */
-	db = get_cert_list(L"db", &secure_var, &dbsize);
+	if (!ignore_db) {
-	if (!db) {
+		db = get_cert_list(L"db", &secure_var, &dbsize);
-		pr_err("MODSIGN: Couldn't get UEFI db list\n");
+		if (!db) {
-	} else {
+			pr_err("MODSIGN: Couldn't get UEFI db list\n");
-		rc = parse_efi_signature_list(db, dbsize, system_trusted_keyring);
+		} else {
-		if (rc)
+			rc = parse_efi_signature_list(db, dbsize, system_trusted_keyring);
-			pr_err("Couldn't parse db signatures: %d\n", rc);
+			if (rc)
-		kfree(db);
+				pr_err("Couldn't parse db signatures: %d\n", rc);
+			kfree(db);
+		}
 	}
 	mok = get_cert_list(L"MokListRT", &mok_var, &moksize);