xref: /OK3568_Linux_fs/kernel/security/integrity/platform_certs/load_uefi.c (revision 4882a59341e53eb6f0b4789bf948001014eff981)
1*4882a593Smuzhiyun // SPDX-License-Identifier: GPL-2.0
2*4882a593Smuzhiyun 
3*4882a593Smuzhiyun #include <linux/kernel.h>
4*4882a593Smuzhiyun #include <linux/sched.h>
5*4882a593Smuzhiyun #include <linux/cred.h>
6*4882a593Smuzhiyun #include <linux/dmi.h>
7*4882a593Smuzhiyun #include <linux/err.h>
8*4882a593Smuzhiyun #include <linux/efi.h>
9*4882a593Smuzhiyun #include <linux/slab.h>
10*4882a593Smuzhiyun #include <keys/asymmetric-type.h>
11*4882a593Smuzhiyun #include <keys/system_keyring.h>
12*4882a593Smuzhiyun #include "../integrity.h"
13*4882a593Smuzhiyun #include "keyring_handler.h"
14*4882a593Smuzhiyun 
/*
 * On T2 Macs, reading the db and dbx EFI variables to load UEFI Secure Boot
 * certificates triggers a page fault in Apple's firmware and a crash that
 * disables EFI runtime services. The following quirk skips reading these
 * variables.
 *
 * load_uefi_certs() matches this table with dmi_first_match() and returns
 * before db, dbx, MokListXRT and MokListRT are processed. On a matching
 * machine, neither UEFI-provided certificates nor UEFI revocation entries
 * reach the kernel keyrings through this file.
 *
 * UEFI_QUIRK_SKIP_CERT() is defined outside this file; presumably it expands
 * to DMI vendor/product-name matches -- confirm against its definition.
 */
static const struct dmi_system_id uefi_skip_cert[] = {
	{ UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacBookPro15,1") },
	{ UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacBookPro15,2") },
	{ UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacBookPro15,3") },
	{ UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacBookPro15,4") },
	{ UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacBookPro16,1") },
	{ UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacBookPro16,2") },
	{ UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacBookPro16,3") },
	{ UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacBookPro16,4") },
	{ UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacBookAir8,1") },
	{ UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacBookAir8,2") },
	{ UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacBookAir9,1") },
	{ UEFI_QUIRK_SKIP_CERT("Apple Inc.", "Macmini8,1") },
	{ UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacPro7,1") },
	{ UEFI_QUIRK_SKIP_CERT("Apple Inc.", "iMac20,1") },
	{ UEFI_QUIRK_SKIP_CERT("Apple Inc.", "iMac20,2") },
	{ }	/* empty terminating entry */
};
39*4882a593Smuzhiyun 
/*
 * Report whether the shim's MokIgnoreDB UEFI variable can be read.
 *
 * The shim sets this variable when the user has told it not to use the
 * certs/hashes in the UEFI db variable for verification. A true return
 * tells the caller to ignore db as well.
 *
 * Only EFI_SUCCESS counts as "set". Every other status, including a read
 * error or a variable that does not fit the sizeof(unsigned int) buffer,
 * yields false, and the caller then goes on to load db. The value read back
 * is not inspected, and the attributes out-parameter is NULL, so the
 * variable's attributes are not examined here.
 *
 * Return: true if the variable was read successfully, false otherwise.
 */
static __init bool uefi_check_ignore_db(void)
{
	efi_guid_t shim_guid = EFI_SHIM_LOCK_GUID;
	unsigned int value = 0;
	unsigned long value_size = sizeof(value);

	return efi.get_variable(L"MokIgnoreDB", &shim_guid, NULL,
				&value_size, &value) == EFI_SUCCESS;
}
59*4882a593Smuzhiyun 
/*
 * Get a certificate list blob from the named EFI variable.
 *
 * @name:   UCS-2 name of the variable
 * @guid:   vendor GUID of the variable
 * @size:   set to the number of bytes read; written only on success
 * @status: set to the EFI status of the last get_variable() call made
 *
 * The variable is read twice: once with a deliberately small length so the
 * firmware reports the real size, then again into a buffer of that size.
 *
 * The reported size is handed to kmalloc() without an upper bound, and the
 * attributes out-parameter is NULL, so the variable's attributes are not
 * examined here.
 *
 * Return: a kmalloc()ed buffer that the caller must kfree(), or NULL on any
 * failure. If the allocation itself fails, *status still holds the
 * EFI_BUFFER_TOO_SMALL result of the size probe.
 */
static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid,
				  unsigned long *size, efi_status_t *status)
{
	unsigned long probe[4];
	unsigned long needed = 4;
	void *blob;

	/* Size probe: EFI_BUFFER_TOO_SMALL is the only result that continues. */
	*status = efi.get_variable(name, guid, NULL, &needed, &probe);
	if (*status == EFI_NOT_FOUND)
		return NULL;

	if (*status != EFI_BUFFER_TOO_SMALL) {
		pr_err("Couldn't get size: 0x%lx\n", *status);
		return NULL;
	}

	blob = kmalloc(needed, GFP_KERNEL);
	if (!blob)
		return NULL;

	/* Real read; the firmware may update the length again. */
	*status = efi.get_variable(name, guid, NULL, &needed, blob);
	if (*status == EFI_SUCCESS) {
		*size = needed;
		return blob;
	}

	kfree(blob);
	pr_err("Error reading db var: 0x%lx\n", *status);
	return NULL;
}
93*4882a593Smuzhiyun 
/*
 * load_moklist_certs() - Load MokList certs
 *
 * Load the certs contained in the UEFI MokListRT database into the
 * platform trusted keyring.
 *
 * The EFI MOKvar config table is consulted first. The ordinary MokListRT
 * UEFI variable is used when the table has no MokListRT entry or when
 * parsing that entry fails.
 *
 * NOTE(review): whether a table entry that fails to parse has already added
 * some keys before the error depends on parse_efi_signature_list(), which
 * is not visible here. The fallback to the variable happens either way.
 *
 * Return: 0 on success or when MokListRT cannot be obtained from the
 * variable; otherwise the error from parsing the variable's contents.
 */
static int __init load_moklist_certs(void)
{
	efi_guid_t shim_guid = EFI_SHIM_LOCK_GUID;
	struct efi_mokvar_table_entry *entry;
	unsigned long list_size;
	efi_status_t status;
	void *list;
	int rc;

	/*
	 * Preferred source: the EFI MOKvar config table. A missing table or
	 * a missing MokListRT entry is not an error.
	 */
	entry = efi_mokvar_entry_find("MokListRT");
	if (entry) {
		rc = parse_efi_signature_list("UEFI:MokListRT (MOKvar table)",
					      entry->data,
					      entry->data_size,
					      get_handler_for_db);
		/* Nothing more to do once the table entry parsed cleanly. */
		if (rc == 0)
			return 0;

		pr_err("Couldn't parse MokListRT signatures from EFI MOKvar config table: %d\n",
		       rc);
	}

	/*
	 * Fallback source: the MokListRT variable. It might not exist, so
	 * failing to get it is not an error.
	 */
	list = get_cert_list(L"MokListRT", &shim_guid, &list_size, &status);
	if (!list) {
		if (status == EFI_NOT_FOUND)
			pr_debug("MokListRT variable wasn't found\n");
		else
			pr_info("Couldn't get UEFI MokListRT\n");
		return 0;
	}

	rc = parse_efi_signature_list("UEFI:MokListRT",
				      list, list_size, get_handler_for_db);
	kfree(list);
	if (rc)
		pr_err("Couldn't parse MokListRT signatures: %d\n", rc);
	return rc;
}
150*4882a593Smuzhiyun 
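/*
 * load_uefi_certs() - Load certs from UEFI sources
 *
 * Load the certs contained in the UEFI databases into the platform trusted
 * keyring and the UEFI blacklisted X.509 cert SHA256 hashes into the blacklist
 * keyring.
 *
 * Order of processing: db (unless MokIgnoreDB is set), dbx, MokListXRT, then
 * MokListRT. MokIgnoreDB only suppresses db; dbx and MokListXRT are still
 * read.
 *
 * Failures while fetching or parsing db, dbx or MokListXRT are logged only.
 * They do not stop the remaining lists from loading and are not reflected in
 * the return value, which is the result of load_moklist_certs(). A dbx or
 * MokListXRT failure therefore leaves revocation entries unloaded while the
 * initcall still reports whatever MokListRT loading returned.
 *
 * Return: 0 when loading is skipped (quirked machine, or GetVariable is
 * not supported), otherwise the status of load_moklist_certs().
 */
static int __init load_uefi_certs(void)
{
	efi_guid_t secure_var = EFI_IMAGE_SECURITY_DATABASE_GUID;
	efi_guid_t mok_var = EFI_SHIM_LOCK_GUID;
	void *db = NULL, *dbx = NULL, *mokx = NULL;
	unsigned long dbsize = 0, dbxsize = 0, mokxsize = 0;
	efi_status_t status;
	int rc = 0;
	const struct dmi_system_id *dmi_id;

	/* Reading these variables crashes the firmware on quirked machines. */
	dmi_id = dmi_first_match(uefi_skip_cert);
	if (dmi_id) {
		pr_err("Reading UEFI Secure Boot Certs is not supported on T2 Macs.\n");
		/* This function returns int, so use 0 rather than false. */
		return 0;
	}

	if (!efi_rt_services_supported(EFI_RT_SUPPORTED_GET_VARIABLE))
		return 0;

	/*
	 * Get db and dbx.  They might not exist, so it isn't an error
	 * if we can't get them.
	 */
	if (!uefi_check_ignore_db()) {
		db = get_cert_list(L"db", &secure_var, &dbsize, &status);
		if (!db) {
			if (status == EFI_NOT_FOUND)
				pr_debug("MODSIGN: db variable wasn't found\n");
			else
				pr_err("MODSIGN: Couldn't get UEFI db list\n");
		} else {
			rc = parse_efi_signature_list("UEFI:db",
					db, dbsize, get_handler_for_db);
			if (rc)
				pr_err("Couldn't parse db signatures: %d\n",
				       rc);
			kfree(db);
		}
	}

	/* dbx entries are dispatched through the dbx handler, not the db one. */
	dbx = get_cert_list(L"dbx", &secure_var, &dbxsize, &status);
	if (!dbx) {
		if (status == EFI_NOT_FOUND)
			pr_debug("dbx variable wasn't found\n");
		else
			pr_info("Couldn't get UEFI dbx list\n");
	} else {
		rc = parse_efi_signature_list("UEFI:dbx",
					      dbx, dbxsize,
					      get_handler_for_dbx);
		if (rc)
			pr_err("Couldn't parse dbx signatures: %d\n", rc);
		kfree(dbx);
	}

	/* MokListXRT lives under the shim GUID and also uses the dbx handler. */
	mokx = get_cert_list(L"MokListXRT", &mok_var, &mokxsize, &status);
	if (!mokx) {
		if (status == EFI_NOT_FOUND)
			pr_debug("mokx variable wasn't found\n");
		else
			pr_info("Couldn't get mokx list\n");
	} else {
		rc = parse_efi_signature_list("UEFI:MokListXRT",
					      mokx, mokxsize,
					      get_handler_for_dbx);
		if (rc)
			pr_err("Couldn't parse mokx signatures %d\n", rc);
		kfree(mokx);
	}

	/*
	 * Load the MokListRT certs. Its status replaces any rc left over from
	 * the db/dbx/MokListXRT steps above.
	 */
	return load_moklist_certs();
}
late_initcall(load_uefi_certs);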