Merge branch 'next-integrity' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity
Pull IMA fixes from Mimi Zohar: "Two bug fixes and an associated change for each. The one that adds SM3 to the IMA list of supported hash algorithms is a simple change, but could be considered a new feature" * 'next-integrity' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity: ima: add sm3 algorithm to hash algorithm configuration list crypto: rename sm3-256 to sm3 in hash_algo_name efi: Only print errors about failing to get certs if EFI vars are found x86/ima: use correct identifier for SetupMode variablealistair/sensors
commit
ebe7acadf5
|
@ -10,8 +10,6 @@ extern struct boot_params boot_params;
|
||||||
|
|
||||||
static enum efi_secureboot_mode get_sb_mode(void)
|
static enum efi_secureboot_mode get_sb_mode(void)
|
||||||
{
|
{
|
||||||
efi_char16_t efi_SecureBoot_name[] = L"SecureBoot";
|
|
||||||
efi_char16_t efi_SetupMode_name[] = L"SecureBoot";
|
|
||||||
efi_guid_t efi_variable_guid = EFI_GLOBAL_VARIABLE_GUID;
|
efi_guid_t efi_variable_guid = EFI_GLOBAL_VARIABLE_GUID;
|
||||||
efi_status_t status;
|
efi_status_t status;
|
||||||
unsigned long size;
|
unsigned long size;
|
||||||
|
@ -25,7 +23,7 @@ static enum efi_secureboot_mode get_sb_mode(void)
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Get variable contents into buffer */
|
/* Get variable contents into buffer */
|
||||||
status = efi.get_variable(efi_SecureBoot_name, &efi_variable_guid,
|
status = efi.get_variable(L"SecureBoot", &efi_variable_guid,
|
||||||
NULL, &size, &secboot);
|
NULL, &size, &secboot);
|
||||||
if (status == EFI_NOT_FOUND) {
|
if (status == EFI_NOT_FOUND) {
|
||||||
pr_info("ima: secureboot mode disabled\n");
|
pr_info("ima: secureboot mode disabled\n");
|
||||||
|
@ -38,7 +36,7 @@ static enum efi_secureboot_mode get_sb_mode(void)
|
||||||
}
|
}
|
||||||
|
|
||||||
size = sizeof(setupmode);
|
size = sizeof(setupmode);
|
||||||
status = efi.get_variable(efi_SetupMode_name, &efi_variable_guid,
|
status = efi.get_variable(L"SetupMode", &efi_variable_guid,
|
||||||
NULL, &size, &setupmode);
|
NULL, &size, &setupmode);
|
||||||
|
|
||||||
if (status != EFI_SUCCESS) /* ignore unknown SetupMode */
|
if (status != EFI_SUCCESS) /* ignore unknown SetupMode */
|
||||||
|
|
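Review bot: After the SetupMode read, `status = efi.get_variable(L"SetupMode", ..., &size, &setupmode)`, only `status` is tested; `size` is an in/out argument, so firmware that returns EFI_SUCCESS with a `size` smaller than `sizeof(setupmode)` leaves part of `setupmode` unwritten, and the SecureBoot read in the previous hunk has the same shape. Tightening the guard to `if (status != EFI_SUCCESS || size != sizeof(setupmode)) /* ignore unknown SetupMode */` keeps the existing fall-through for unknown values while rejecting short reads. The declarations of `secboot` and `setupmode` and the tail of get_sb_mode are outside the hunk, so whether they are initialised before the call cannot be confirmed from here.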
|
@ -26,7 +26,7 @@ const char *const hash_algo_name[HASH_ALGO__LAST] = {
|
||||||
[HASH_ALGO_TGR_128] = "tgr128",
|
[HASH_ALGO_TGR_128] = "tgr128",
|
||||||
[HASH_ALGO_TGR_160] = "tgr160",
|
[HASH_ALGO_TGR_160] = "tgr160",
|
||||||
[HASH_ALGO_TGR_192] = "tgr192",
|
[HASH_ALGO_TGR_192] = "tgr192",
|
||||||
[HASH_ALGO_SM3_256] = "sm3-256",
|
[HASH_ALGO_SM3_256] = "sm3",
|
||||||
[HASH_ALGO_STREEBOG_256] = "streebog256",
|
[HASH_ALGO_STREEBOG_256] = "streebog256",
|
||||||
[HASH_ALGO_STREEBOG_512] = "streebog512",
|
[HASH_ALGO_STREEBOG_512] = "streebog512",
|
||||||
};
|
};
|
||||||
|
|
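Review bot: `hash_algo_name[HASH_ALGO_SM3_256]` is a user-visible string, so changing it from "sm3-256" to "sm3" changes what an `ima_hash=` boot parameter, an IMA policy rule or a measurement-list consumer that used the old spelling will match; if that spelling was ever reachable, the compatibility consequence deserves a sentence in the commit or a comment on the entry. The enum constant keeps its _256 suffix while the name does not, and the Kconfig hunk below selects the same literal with `default "sm3" if IMA_DEFAULT_HASH_SM3`, presumably to match the crypto API's algorithm name, so a comment such as `[HASH_ALGO_SM3_256] = "sm3", /* must match the IMA_DEFAULT_HASH Kconfig default and the crypto API name */` would make the coupling visible to the next person who edits either file.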
|
@ -112,6 +112,10 @@ choice
|
||||||
config IMA_DEFAULT_HASH_WP512
|
config IMA_DEFAULT_HASH_WP512
|
||||||
bool "WP512"
|
bool "WP512"
|
||||||
depends on CRYPTO_WP512=y && !IMA_TEMPLATE
|
depends on CRYPTO_WP512=y && !IMA_TEMPLATE
|
||||||
|
|
||||||
|
config IMA_DEFAULT_HASH_SM3
|
||||||
|
bool "SM3"
|
||||||
|
depends on CRYPTO_SM3=y && !IMA_TEMPLATE
|
||||||
endchoice
|
endchoice
|
||||||
|
|
||||||
config IMA_DEFAULT_HASH
|
config IMA_DEFAULT_HASH
|
||||||
|
@ -121,6 +125,7 @@ config IMA_DEFAULT_HASH
|
||||||
default "sha256" if IMA_DEFAULT_HASH_SHA256
|
default "sha256" if IMA_DEFAULT_HASH_SHA256
|
||||||
default "sha512" if IMA_DEFAULT_HASH_SHA512
|
default "sha512" if IMA_DEFAULT_HASH_SHA512
|
||||||
default "wp512" if IMA_DEFAULT_HASH_WP512
|
default "wp512" if IMA_DEFAULT_HASH_WP512
|
||||||
|
default "sm3" if IMA_DEFAULT_HASH_SM3
|
||||||
|
|
||||||
config IMA_WRITE_POLICY
|
config IMA_WRITE_POLICY
|
||||||
bool "Enable multiple writes to the IMA policy"
|
bool "Enable multiple writes to the IMA policy"
|
||||||
|
|
|
@ -35,16 +35,18 @@ static __init bool uefi_check_ignore_db(void)
|
||||||
* Get a certificate list blob from the named EFI variable.
|
* Get a certificate list blob from the named EFI variable.
|
||||||
*/
|
*/
|
||||||
static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid,
|
static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid,
|
||||||
unsigned long *size)
|
unsigned long *size, efi_status_t *status)
|
||||||
{
|
{
|
||||||
efi_status_t status;
|
|
||||||
unsigned long lsize = 4;
|
unsigned long lsize = 4;
|
||||||
unsigned long tmpdb[4];
|
unsigned long tmpdb[4];
|
||||||
void *db;
|
void *db;
|
||||||
|
|
||||||
status = efi.get_variable(name, guid, NULL, &lsize, &tmpdb);
|
*status = efi.get_variable(name, guid, NULL, &lsize, &tmpdb);
|
||||||
if (status != EFI_BUFFER_TOO_SMALL) {
|
if (*status == EFI_NOT_FOUND)
|
||||||
pr_err("Couldn't get size: 0x%lx\n", status);
|
return NULL;
|
||||||
|
|
||||||
|
if (*status != EFI_BUFFER_TOO_SMALL) {
|
||||||
|
pr_err("Couldn't get size: 0x%lx\n", *status);
|
||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
|
|
||||||
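Review bot: The header comment `* Get a certificate list blob from the named EFI variable.` above get_cert_list is not updated for the new `efi_status_t *status` out-parameter, and callers now branch on it after a NULL return, so its contract should be spelled out in that comment: `*status` is assigned by the first efi.get_variable() call before any return, NULL with `*status == EFI_NOT_FOUND` means the variable is absent, and NULL with any other value is a read error. One path is not covered by that wording: in the next hunk the `if (!db) return NULL;` after the allocation leaves `*status` at EFI_BUFFER_TOO_SMALL, so the caller reports an allocation failure as an EFI read error; adding `*status = EFI_OUT_OF_RESOURCES;` before that return keeps the out-parameter truthful. get_cert_list's tail runs past this hunk.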
|
@ -52,10 +54,10 @@ static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid,
|
||||||
if (!db)
|
if (!db)
|
||||||
return NULL;
|
return NULL;
|
||||||
|
|
||||||
status = efi.get_variable(name, guid, NULL, &lsize, db);
|
*status = efi.get_variable(name, guid, NULL, &lsize, db);
|
||||||
if (status != EFI_SUCCESS) {
|
if (*status != EFI_SUCCESS) {
|
||||||
kfree(db);
|
kfree(db);
|
||||||
pr_err("Error reading db var: 0x%lx\n", status);
|
pr_err("Error reading db var: 0x%lx\n", *status);
|
||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -74,6 +76,7 @@ static int __init load_uefi_certs(void)
|
||||||
efi_guid_t mok_var = EFI_SHIM_LOCK_GUID;
|
efi_guid_t mok_var = EFI_SHIM_LOCK_GUID;
|
||||||
void *db = NULL, *dbx = NULL, *mok = NULL;
|
void *db = NULL, *dbx = NULL, *mok = NULL;
|
||||||
unsigned long dbsize = 0, dbxsize = 0, moksize = 0;
|
unsigned long dbsize = 0, dbxsize = 0, moksize = 0;
|
||||||
|
efi_status_t status;
|
||||||
int rc = 0;
|
int rc = 0;
|
||||||
|
|
||||||
if (!efi.get_variable)
|
if (!efi.get_variable)
|
||||||
|
@ -83,9 +86,12 @@ static int __init load_uefi_certs(void)
|
||||||
* an error if we can't get them.
|
* an error if we can't get them.
|
||||||
*/
|
*/
|
||||||
if (!uefi_check_ignore_db()) {
|
if (!uefi_check_ignore_db()) {
|
||||||
db = get_cert_list(L"db", &secure_var, &dbsize);
|
db = get_cert_list(L"db", &secure_var, &dbsize, &status);
|
||||||
if (!db) {
|
if (!db) {
|
||||||
pr_err("MODSIGN: Couldn't get UEFI db list\n");
|
if (status == EFI_NOT_FOUND)
|
||||||
|
pr_debug("MODSIGN: db variable wasn't found\n");
|
||||||
|
else
|
||||||
|
pr_err("MODSIGN: Couldn't get UEFI db list\n");
|
||||||
} else {
|
} else {
|
||||||
rc = parse_efi_signature_list("UEFI:db",
|
rc = parse_efi_signature_list("UEFI:db",
|
||||||
db, dbsize, get_handler_for_db);
|
db, dbsize, get_handler_for_db);
|
||||||
|
@ -96,9 +102,12 @@ static int __init load_uefi_certs(void)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
mok = get_cert_list(L"MokListRT", &mok_var, &moksize);
|
mok = get_cert_list(L"MokListRT", &mok_var, &moksize, &status);
|
||||||
if (!mok) {
|
if (!mok) {
|
||||||
pr_info("Couldn't get UEFI MokListRT\n");
|
if (status == EFI_NOT_FOUND)
|
||||||
|
pr_debug("MokListRT variable wasn't found\n");
|
||||||
|
else
|
||||||
|
pr_info("Couldn't get UEFI MokListRT\n");
|
||||||
} else {
|
} else {
|
||||||
rc = parse_efi_signature_list("UEFI:MokListRT",
|
rc = parse_efi_signature_list("UEFI:MokListRT",
|
||||||
mok, moksize, get_handler_for_db);
|
mok, moksize, get_handler_for_db);
|
||||||
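Review bot: The new not-found message in this hunk, `pr_debug("MokListRT variable wasn't found\n")`, drops the `MODSIGN: ` prefix that the equivalent db message in the previous hunk carries, and the dbx hunk below (`pr_debug("dbx variable wasn't found\n")`) does the same; one prefix makes the three lines greppable together, e.g. `pr_debug("MODSIGN: MokListRT variable wasn't found\n");` and `pr_debug("MODSIGN: dbx variable wasn't found\n");`. The three `if (!x) { if (status == EFI_NOT_FOUND) ... else ... }` blocks are otherwise identical in shape and could fold into a small static helper, but since their severities and wording differ per variable that is optional. load_uefi_certs continues outside the hunk.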
|
@ -107,9 +116,12 @@ static int __init load_uefi_certs(void)
|
||||||
kfree(mok);
|
kfree(mok);
|
||||||
}
|
}
|
||||||
|
|
||||||
dbx = get_cert_list(L"dbx", &secure_var, &dbxsize);
|
dbx = get_cert_list(L"dbx", &secure_var, &dbxsize, &status);
|
||||||
if (!dbx) {
|
if (!dbx) {
|
||||||
pr_info("Couldn't get UEFI dbx list\n");
|
if (status == EFI_NOT_FOUND)
|
||||||
|
pr_debug("dbx variable wasn't found\n");
|
||||||
|
else
|
||||||
|
pr_info("Couldn't get UEFI dbx list\n");
|
||||||
} else {
|
} else {
|
||||||
rc = parse_efi_signature_list("UEFI:dbx",
|
rc = parse_efi_signature_list("UEFI:dbx",
|
||||||
dbx, dbxsize,
|
dbx, dbxsize,
|
||||||
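Review bot: Demoting the dbx not-found case to `pr_debug("dbx variable wasn't found\n")` means that, if I read the surrounding code correctly, a system without a dbx variable now skips the `parse_efi_signature_list("UEFI:dbx", ...)` branch with no message at the default log level. A short comment above the `dbx = get_cert_list(L"dbx", &secure_var, &dbxsize, &status);` call noting that an absent dbx is expected on firmware that ships no revocation list, but that it also means none of the UEFI-revoked certificates are blacklisted, would tell a reader that the quiet path is deliberate. The rest of load_uefi_certs is outside the hunk.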
|
|