// SPDX-License-Identifier: GPL-2.0
/*
 * Boot-time loader for UEFI Secure Boot trust material: certificates from the
 * UEFI db / MokListRT databases go into the platform trusted keyring, and the
 * UEFI dbx X.509 SHA256 hashes go into the blacklist keyring.
 */
#include <linux/kernel.h>
#include <linux/sched.h>
#include <linux/cred.h>
#include <linux/dmi.h>
#include <linux/err.h>
#include <linux/efi.h>
#include <linux/slab.h>
#include <linux/ima.h>
#include <keys/asymmetric-type.h>
#include <keys/system_keyring.h>
#include "../integrity.h"
#include "keyring_handler.h"

/*
 * On T2 Macs, reading the db and dbx EFI variables to load UEFI Secure Boot
 * certificates triggers a page fault in Apple's firmware and a crash that
 * disables EFI runtime services. This DMI quirk table lists the affected
 * machines; on a match, those variables are not read.
 *
 * NOTE(review): because dbx is skipped along with db, the blacklist keyring
 * presumably receives no UEFI revocation hashes on matching machines — confirm
 * against the load_uefi_certs() body (elided here) and document the reduced
 * revocation coverage if so.
 */
static const struct dmi_system_id uefi_skip_cert[] = …;

/*
 * Look to see if a UEFI variable called MokIgnoreDB exists and return true if
 * it does.
 *
 * This UEFI variable is set by the shim if a user tells the shim to not use
 * the certs/hashes in the UEFI db variable for verification purposes. If it
 * is set, we should ignore the db variable also, and the true return value
 * indicates this.
 *
 * Only the variable's existence matters here, not its contents; the caller
 * uses the result to decide whether db is consulted at all. __init: the
 * function is discarded after boot.
 */
static __init bool uefi_check_ignore_db(void)
{
	…
}

/*
 * Get a certificate list blob from the named EFI variable.
 *
 * @name:   UTF-16 EFI variable name to read.
 * @guid:   vendor GUID that qualifies @name.
 * @size:   out-parameter; receives the size of the returned blob.
 * @status: out-parameter; receives the EFI status of the read, so the caller
 *          can distinguish "variable absent" from a runtime-services error.
 *
 * Return: the blob, or an error/NULL indication on failure.
 * NOTE(review): ownership of the returned buffer (caller presumably frees it
 * with kfree(), given <linux/slab.h>) is not visible here — confirm in the
 * body, which is elided.
 */
static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid,
				  unsigned long *size, efi_status_t *status)
{
	…
}

/*
 * load_moklist_certs() - Load MokList certs
 *
 * Load the certs contained in the UEFI MokListRT database into the
 * platform trusted keyring.
 *
 * This routine checks the EFI MOK config table first. If and only if
 * that fails, this routine uses the MokListRT ordinary UEFI variable.
 * The config table is preferred because MokListRT as a runtime variable
 * is the fallback path; which source was used is worth logging when
 * auditing what the platform keyring trusts.
 *
 * Return: Status
 */
static int __init load_moklist_certs(void)
{
	…
}

/*
 * load_uefi_certs() - Load certs from UEFI sources
 *
 * Load the certs contained in the UEFI databases into the platform trusted
 * keyring and the UEFI blacklisted X.509 cert SHA256 hashes into the blacklist
 * keyring.
 *
 * Entry point registered below as a late_initcall, so it runs after the
 * keyrings it populates exist. Whether db is read depends on the MokIgnoreDB
 * check and the uefi_skip_cert DMI quirk above; on either of those paths the
 * platform keyring holds less (or no) UEFI db trust material.
 */
static int __init load_uefi_certs(void)
{
	…
}

/* Run after core keyring setup; the function body is discarded post-boot. */
late_initcall(load_uefi_certs);