Commit ebe7acad authored by Linus Torvalds's avatar Linus Torvalds

Merge branch 'next-integrity' of...

Merge branch 'next-integrity' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity

Pull IMA fixes from Mimi Zohar:
 "Two bug fixes and an associated change for each.

  The one that adds SM3 to the IMA list of supported hash algorithms is
  a simple change, but could be considered a new feature"

* 'next-integrity' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity:
  ima: add sm3 algorithm to hash algorithm configuration list
  crypto: rename sm3-256 to sm3 in hash_algo_name
  efi: Only print errors about failing to get certs if EFI vars are found
  x86/ima: use correct identifier for SetupMode variable
parents ca7e1fd1 5780b9ab
...@@ -10,8 +10,6 @@ extern struct boot_params boot_params; ...@@ -10,8 +10,6 @@ extern struct boot_params boot_params;
static enum efi_secureboot_mode get_sb_mode(void) static enum efi_secureboot_mode get_sb_mode(void)
{ {
efi_char16_t efi_SecureBoot_name[] = L"SecureBoot";
efi_char16_t efi_SetupMode_name[] = L"SecureBoot";
efi_guid_t efi_variable_guid = EFI_GLOBAL_VARIABLE_GUID; efi_guid_t efi_variable_guid = EFI_GLOBAL_VARIABLE_GUID;
efi_status_t status; efi_status_t status;
unsigned long size; unsigned long size;
...@@ -25,7 +23,7 @@ static enum efi_secureboot_mode get_sb_mode(void) ...@@ -25,7 +23,7 @@ static enum efi_secureboot_mode get_sb_mode(void)
} }
/* Get variable contents into buffer */ /* Get variable contents into buffer */
status = efi.get_variable(efi_SecureBoot_name, &efi_variable_guid, status = efi.get_variable(L"SecureBoot", &efi_variable_guid,
NULL, &size, &secboot); NULL, &size, &secboot);
if (status == EFI_NOT_FOUND) { if (status == EFI_NOT_FOUND) {
pr_info("ima: secureboot mode disabled\n"); pr_info("ima: secureboot mode disabled\n");
...@@ -38,7 +36,7 @@ static enum efi_secureboot_mode get_sb_mode(void) ...@@ -38,7 +36,7 @@ static enum efi_secureboot_mode get_sb_mode(void)
} }
size = sizeof(setupmode); size = sizeof(setupmode);
status = efi.get_variable(efi_SetupMode_name, &efi_variable_guid, status = efi.get_variable(L"SetupMode", &efi_variable_guid,
NULL, &size, &setupmode); NULL, &size, &setupmode);
if (status != EFI_SUCCESS) /* ignore unknown SetupMode */ if (status != EFI_SUCCESS) /* ignore unknown SetupMode */
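Review bot: get_sb_mode() never states why SetupMode is consulted in addition to SecureBoot, and the only comment on the subject, `/* ignore unknown SetupMode */` on the last visible line, describes the branch rather than the intent. A SecureBoot value of 1 does not by itself mean signature enforcement is active, so a comment before the `size = sizeof(setupmode);` line, e.g. `/* SecureBoot=1 only enforces signatures when SetupMode=0; a platform still in setup mode must not be reported as secure-boot enabled. */`, would record the reasoning and make a repeat of the variable-name mix-up this commit fixes easier to spot. Neither visible efi.get_variable() call checks that the returned `size` still equals `sizeof(secboot)` or `sizeof(setupmode)`; if the decision logic after this hunk assumes a full read, a shorter variable would leave the tail of the buffer undefined — worth confirming against the rest of the function, which continues outside the hunk.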
...@@ -26,7 +26,7 @@ const char *const hash_algo_name[HASH_ALGO__LAST] = { ...@@ -26,7 +26,7 @@ const char *const hash_algo_name[HASH_ALGO__LAST] = {
[HASH_ALGO_TGR_128] = "tgr128", [HASH_ALGO_TGR_128] = "tgr128",
[HASH_ALGO_TGR_160] = "tgr160", [HASH_ALGO_TGR_160] = "tgr160",
[HASH_ALGO_TGR_192] = "tgr192", [HASH_ALGO_TGR_192] = "tgr192",
[HASH_ALGO_SM3_256] = "sm3-256", [HASH_ALGO_SM3_256] = "sm3",
[HASH_ALGO_STREEBOG_256] = "streebog256", [HASH_ALGO_STREEBOG_256] = "streebog256",
[HASH_ALGO_STREEBOG_512] = "streebog512", [HASH_ALGO_STREEBOG_512] = "streebog512",
}; };
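Review bot: The entry now reads "sm3" while its index is still `HASH_ALGO_SM3_256`, and nothing in the hunk records why the string and the enumerator differ, so a later reader could plausibly "correct" it back to "sm3-256". A comment on the entry would prevent that, e.g. `[HASH_ALGO_SM3_256] = "sm3", /* crypto API name; the enum keeps the historic -256 suffix */`. Because this string is presumably what IMA uses to resolve the hash and what shows up in its output, any configuration written against the old name changes meaning with this one-line edit; that compatibility note belongs in the comment or the commit message rather than being left implicit.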
...@@ -112,6 +112,10 @@ choice ...@@ -112,6 +112,10 @@ choice
config IMA_DEFAULT_HASH_WP512 config IMA_DEFAULT_HASH_WP512
bool "WP512" bool "WP512"
depends on CRYPTO_WP512=y && !IMA_TEMPLATE depends on CRYPTO_WP512=y && !IMA_TEMPLATE
config IMA_DEFAULT_HASH_SM3
bool "SM3"
depends on CRYPTO_SM3=y && !IMA_TEMPLATE
endchoice endchoice
config IMA_DEFAULT_HASH config IMA_DEFAULT_HASH
...@@ -121,6 +125,7 @@ config IMA_DEFAULT_HASH ...@@ -121,6 +125,7 @@ config IMA_DEFAULT_HASH
default "sha256" if IMA_DEFAULT_HASH_SHA256 default "sha256" if IMA_DEFAULT_HASH_SHA256
default "sha512" if IMA_DEFAULT_HASH_SHA512 default "sha512" if IMA_DEFAULT_HASH_SHA512
default "wp512" if IMA_DEFAULT_HASH_WP512 default "wp512" if IMA_DEFAULT_HASH_WP512
default "sm3" if IMA_DEFAULT_HASH_SM3
config IMA_WRITE_POLICY config IMA_WRITE_POLICY
bool "Enable multiple writes to the IMA policy" bool "Enable multiple writes to the IMA policy"
...@@ -35,16 +35,18 @@ static __init bool uefi_check_ignore_db(void) ...@@ -35,16 +35,18 @@ static __init bool uefi_check_ignore_db(void)
* Get a certificate list blob from the named EFI variable. * Get a certificate list blob from the named EFI variable.
*/ */
static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid, static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid,
unsigned long *size) unsigned long *size, efi_status_t *status)
{ {
efi_status_t status;
unsigned long lsize = 4; unsigned long lsize = 4;
unsigned long tmpdb[4]; unsigned long tmpdb[4];
void *db; void *db;
status = efi.get_variable(name, guid, NULL, &lsize, &tmpdb); *status = efi.get_variable(name, guid, NULL, &lsize, &tmpdb);
if (status != EFI_BUFFER_TOO_SMALL) { if (*status == EFI_NOT_FOUND)
pr_err("Couldn't get size: 0x%lx\n", status); return NULL;
if (*status != EFI_BUFFER_TOO_SMALL) {
pr_err("Couldn't get size: 0x%lx\n", *status);
return NULL; return NULL;
} }
...@@ -52,10 +54,10 @@ static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid, ...@@ -52,10 +54,10 @@ static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid,
if (!db) if (!db)
return NULL; return NULL;
status = efi.get_variable(name, guid, NULL, &lsize, db); *status = efi.get_variable(name, guid, NULL, &lsize, db);
if (status != EFI_SUCCESS) { if (*status != EFI_SUCCESS) {
kfree(db); kfree(db);
pr_err("Error reading db var: 0x%lx\n", status); pr_err("Error reading db var: 0x%lx\n", *status);
return NULL; return NULL;
} }
...@@ -74,6 +76,7 @@ static int __init load_uefi_certs(void) ...@@ -74,6 +76,7 @@ static int __init load_uefi_certs(void)
efi_guid_t mok_var = EFI_SHIM_LOCK_GUID; efi_guid_t mok_var = EFI_SHIM_LOCK_GUID;
void *db = NULL, *dbx = NULL, *mok = NULL; void *db = NULL, *dbx = NULL, *mok = NULL;
unsigned long dbsize = 0, dbxsize = 0, moksize = 0; unsigned long dbsize = 0, dbxsize = 0, moksize = 0;
efi_status_t status;
int rc = 0; int rc = 0;
if (!efi.get_variable) if (!efi.get_variable)
...@@ -83,8 +86,11 @@ static int __init load_uefi_certs(void) ...@@ -83,8 +86,11 @@ static int __init load_uefi_certs(void)
* an error if we can't get them. * an error if we can't get them.
*/ */
if (!uefi_check_ignore_db()) { if (!uefi_check_ignore_db()) {
db = get_cert_list(L"db", &secure_var, &dbsize); db = get_cert_list(L"db", &secure_var, &dbsize, &status);
if (!db) { if (!db) {
if (status == EFI_NOT_FOUND)
pr_debug("MODSIGN: db variable wasn't found\n");
else
pr_err("MODSIGN: Couldn't get UEFI db list\n"); pr_err("MODSIGN: Couldn't get UEFI db list\n");
} else { } else {
rc = parse_efi_signature_list("UEFI:db", rc = parse_efi_signature_list("UEFI:db",
...@@ -96,8 +102,11 @@ static int __init load_uefi_certs(void) ...@@ -96,8 +102,11 @@ static int __init load_uefi_certs(void)
} }
} }
mok = get_cert_list(L"MokListRT", &mok_var, &moksize); mok = get_cert_list(L"MokListRT", &mok_var, &moksize, &status);
if (!mok) { if (!mok) {
if (status == EFI_NOT_FOUND)
pr_debug("MokListRT variable wasn't found\n");
else
pr_info("Couldn't get UEFI MokListRT\n"); pr_info("Couldn't get UEFI MokListRT\n");
} else { } else {
rc = parse_efi_signature_list("UEFI:MokListRT", rc = parse_efi_signature_list("UEFI:MokListRT",
...@@ -107,8 +116,11 @@ static int __init load_uefi_certs(void) ...@@ -107,8 +116,11 @@ static int __init load_uefi_certs(void)
kfree(mok); kfree(mok);
} }
dbx = get_cert_list(L"dbx", &secure_var, &dbxsize); dbx = get_cert_list(L"dbx", &secure_var, &dbxsize, &status);
if (!dbx) { if (!dbx) {
if (status == EFI_NOT_FOUND)
pr_debug("dbx variable wasn't found\n");
else
pr_info("Couldn't get UEFI dbx list\n"); pr_info("Couldn't get UEFI dbx list\n");
} else { } else {
rc = parse_efi_signature_list("UEFI:dbx", rc = parse_efi_signature_list("UEFI:dbx",
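Review bot: The header comment on get_cert_list() (`* Get a certificate list blob from the named EFI variable.`) still documents only the return value and says nothing about the new `status` out-parameter, which the three callers in load_uefi_certs() now rely on to tell EFI_NOT_FOUND from a real read failure. Every return path in the hunk writes `*status` before returning — the first efi.get_variable() call precedes both early returns, and the `kfree(db)` path writes it again — which is the only reason the callers' uninitialised `efi_status_t status;` is safe; that ordering should be stated, e.g. `* @status: set on every path to the last efi.get_variable() result, so a NULL return can be classified by the caller.` The `if (!db) return NULL;` branch (presumably an allocation failure) returns with `*status` still holding EFI_BUFFER_TOO_SMALL, so the callers report it as a generic read error rather than an allocation problem — acceptable, but worth a word in the same comment. The body of get_cert_list() between its two hunks, and the remainder of load_uefi_certs(), are outside this view.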