Commit a3af7188 authored by Nayna Jain's avatar Nayna Jain Committed by Jarkko Sakkinen

integrity: PowerVM support for loading CA keys on machine keyring



Keys that derive their trust from an entity such as a security officer,
administrator, system owner, or machine owner are said to have "imputed
trust". CA keys with imputed trust can be loaded onto the machine keyring.
The mechanism for loading these keys onto the machine keyring is platform
dependent.

Load the keys stored in the secure variable "trustedcadb" onto the .machine
keyring on the PowerVM platform.

Signed-off-by: default avatarNayna Jain <nayna@linux.ibm.com>
Reviewed-and-tested-by: default avatarMimi Zohar <zohar@linux.ibm.com>
Reviewed-by: default avatarJarkko Sakkinen <jarkko@kernel.org>
Tested-by: default avatarNageswara R Sastry <rnsastry@linux.ibm.com>
Signed-off-by: default avatarJarkko Sakkinen <jarkko@kernel.org>
parent 90f6f691
+8 −0
@@ -69,6 +69,14 @@ __init efi_element_handler_t get_handler_for_mok(const efi_guid_t *sig_type)
	return NULL;
}

__init efi_element_handler_t get_handler_for_ca_keys(const efi_guid_t *sig_type)
{
	if (efi_guidcmp(*sig_type, efi_cert_x509_guid) == 0)
		return add_to_machine_keyring;

	return NULL;
}

/*
 * Return the appropriate handler for particular signature list types found in
 * the UEFI dbx and MokListXRT tables.
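Review bot: get_handler_for_ca_keys is the only handler in this file added without a block comment, while its neighbours (the dbx one visible at the end of this hunk) document which table they serve; its header declaration says only "for CA keys". I would add above the definition: `/* Return the handler for signature list types found in CA key tables (e.g. the PowerVM trustedcadb variable). Only X.509 lists are accepted; they are routed to the .machine keyring. */`. Note that this function filters purely by GUID; any CA-vs-leaf restriction must come from add_to_machine_keyring, which is defined outside this hunk, and that is worth stating in the comment since everything accepted here inherits the .machine keyring's trust.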
+5 −0
@@ -29,6 +29,11 @@ efi_element_handler_t get_handler_for_db(const efi_guid_t *sig_type);
 */
efi_element_handler_t get_handler_for_mok(const efi_guid_t *sig_type);

/*
 * Return the handler for particular signature list types for CA keys.
 */
efi_element_handler_t get_handler_for_ca_keys(const efi_guid_t *sig_type);

/*
 * Return the handler for particular signature list types found in the dbx.
 */
+17 −0
@@ -59,6 +59,7 @@ static __init void *get_cert_list(u8 *key, unsigned long keylen, u64 *size)
static int __init load_powerpc_certs(void)
{
	void *db = NULL, *dbx = NULL, *data = NULL;
	void *trustedca;
	u64 dsize = 0;
	u64 offset = 0;
	int rc = 0;
@@ -120,6 +121,22 @@ static int __init load_powerpc_certs(void)
		kfree(data);
	}

	data = get_cert_list("trustedcadb", 12,  &dsize);
	if (!data) {
		pr_info("Couldn't get trustedcadb list from firmware\n");
	} else if (IS_ERR(data)) {
		rc = PTR_ERR(data);
		pr_err("Error reading trustedcadb from firmware: %d\n", rc);
	} else {
		extract_esl(trustedca, data, dsize, offset);

		rc = parse_efi_signature_list("powerpc:trustedca", trustedca, dsize,
					      get_handler_for_ca_keys);
		if (rc)
			pr_err("Couldn't parse trustedcadb signatures: %d\n", rc);
		kfree(data);
	}

	return rc;
}
late_initcall(load_powerpc_certs);
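Review bot: The key length in `get_cert_list("trustedcadb", 12,  &dsize);` is a magic number (and carries a stray double space); "trustedcadb" is 11 characters, so 12 appears to be the NUL-inclusive length, which `sizeof("trustedcadb")` would express without risk of drifting if the name changes. The new `void *trustedca;` is also declared uninitialised and separately from `db`/`dbx`, which are NULL-initialised on the line above; unless extract_esl is a macro that assigns through its first argument (it is defined outside this hunk, so I cannot confirm), the pointer is read uninitialised, and either way `void *db = NULL, *dbx = NULL, *trustedca = NULL, *data = NULL;` keeps the declarations consistent. Finally, nothing in the block says why this variable is trusted; a comment such as `/* trustedcadb holds CA keys whose trust is imputed from the machine owner; load them onto the .machine keyring. */` would carry the commit message's rationale into the code. The body of load_powerpc_certs between the two hunks, including how `offset` is derived, is outside this view.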