
Fork of AMDESE/linux with modifications for CachePC side-channel attack
git clone https://git.sinitax.com/sinitax/cachepc-linux



      1// SPDX-License-Identifier: GPL-2.0
      2
      3#include <linux/kernel.h>
      4#include <linux/sched.h>
      5#include <linux/cred.h>
      6#include <linux/err.h>
      7#include <linux/efi.h>
      8#include <linux/slab.h>
      9#include <keys/asymmetric-type.h>
     10#include <keys/system_keyring.h>
     11#include "../integrity.h"
     12#include "keyring_handler.h"
     13
/*
 * Signature-list type GUIDs that the get_handler_for_*() lookups below
 * compare against with efi_guidcmp().  They are __initdata because every
 * function that reads them is __init, so they are only needed at boot.
 */
static efi_guid_t efi_cert_x509_guid __initdata = EFI_CERT_X509_GUID;
static efi_guid_t efi_cert_x509_sha256_guid __initdata =
	EFI_CERT_X509_SHA256_GUID;
static efi_guid_t efi_cert_sha256_guid __initdata = EFI_CERT_SHA256_GUID;
     18
     19/*
     20 * Blacklist an X509 TBS hash.
     21 */
/*
 * Blacklist an X509 TBS hash.
 *
 * efi_element_handler_t callback returned by get_handler_for_dbx() for
 * EFI_CERT_X509_SHA256_GUID entries.  @source (the originating table) is
 * accepted for signature compatibility but not used; @data/@len are handed
 * straight to mark_hash_blacklisted() tagged as BLACKLIST_HASH_X509_TBS.
 */
static __init void uefi_blacklist_x509_tbs(const char *source,
					   const void *data, size_t len)
{
	mark_hash_blacklisted(data, len, BLACKLIST_HASH_X509_TBS);
}
     27
     28/*
     29 * Blacklist the hash of an executable.
     30 */
/*
 * Blacklist the hash of an executable.
 *
 * efi_element_handler_t callback returned by get_handler_for_dbx() for
 * EFI_CERT_SHA256_GUID entries.  @source is unused; @data/@len are passed
 * to mark_hash_blacklisted() tagged as BLACKLIST_HASH_BINARY.
 */
static __init void uefi_blacklist_binary(const char *source,
					 const void *data, size_t len)
{
	mark_hash_blacklisted(data, len, BLACKLIST_HASH_BINARY);
}
     36
     37/*
     38 * Add an X509 cert to the revocation list.
     39 */
/*
 * Add an X509 cert to the revocation list.
 *
 * efi_element_handler_t callback returned by get_handler_for_dbx() for
 * EFI_CERT_X509_GUID entries, i.e. a whole certificate rather than a hash.
 * @source is unused; @data/@len are forwarded to add_key_to_revocation_list().
 */
static __init void uefi_revocation_list_x509(const char *source,
					     const void *data, size_t len)
{
	add_key_to_revocation_list(data, len);
}
     45
     46/*
     47 * Return the appropriate handler for particular signature list types found in
     48 * the UEFI db tables.
     49 */
/*
 * Return the appropriate handler for particular signature list types found in
 * the UEFI db tables.
 *
 * Only X509 certificate entries are accepted from db; they all go to the
 * platform keyring.  Any other signature type yields NULL (entry skipped).
 */
__init efi_element_handler_t get_handler_for_db(const efi_guid_t *sig_type)
{
	if (efi_guidcmp(*sig_type, efi_cert_x509_guid) != 0)
		return NULL;

	return add_to_platform_keyring;
}
     56
     57/*
     58 * Return the appropriate handler for particular signature list types found in
     59 * the MokListRT tables.
     60 */
/*
 * Return the appropriate handler for particular signature list types found in
 * the MokListRT tables.
 *
 * Only X509 certificate entries are accepted.  With
 * CONFIG_INTEGRITY_MACHINE_KEYRING built in, trust_moklist() decides whether
 * the certificate is added to the machine keyring; otherwise (or when the
 * option is off) it goes to the platform keyring.  Other signature types
 * yield NULL.
 */
__init efi_element_handler_t get_handler_for_mok(const efi_guid_t *sig_type)
{
	if (efi_guidcmp(*sig_type, efi_cert_x509_guid) != 0)
		return NULL;

	/* IS_ENABLED() short-circuits, so trust_moklist() is only consulted
	 * when the machine keyring is compiled in. */
	if (IS_ENABLED(CONFIG_INTEGRITY_MACHINE_KEYRING) && trust_moklist())
		return add_to_machine_keyring;

	return add_to_platform_keyring;
}
     71
     72/*
     73 * Return the appropriate handler for particular signature list types found in
     74 * the UEFI dbx and MokListXRT tables.
     75 */
/*
 * Return the appropriate handler for particular signature list types found in
 * the UEFI dbx and MokListXRT tables.
 *
 * Three entry types are understood: a hash of a certificate's TBS portion,
 * a hash of a binary, and a whole X509 certificate.  The first two are
 * blacklisted by hash; the certificate is added to the revocation list.
 * Unknown types yield NULL.
 */
__init efi_element_handler_t get_handler_for_dbx(const efi_guid_t *sig_type)
{
	efi_element_handler_t handler = NULL;

	if (efi_guidcmp(*sig_type, efi_cert_x509_sha256_guid) == 0)
		handler = uefi_blacklist_x509_tbs;	/* TBS hash */
	else if (efi_guidcmp(*sig_type, efi_cert_sha256_guid) == 0)
		handler = uefi_blacklist_binary;	/* binary hash */
	else if (efi_guidcmp(*sig_type, efi_cert_x509_guid) == 0)
		handler = uefi_revocation_list_x509;	/* whole certificate */

	return handler;
}