xref: /linux/security/integrity/platform_certs/load_powerpc.c (revision 266679ffd867cb247c36717ea4d7998e9304823b)
1 // SPDX-License-Identifier: GPL-2.0
2 /*
3  * Copyright (C) 2019 IBM Corporation
4  * Author: Nayna Jain
5  *
6  *      - loads keys and hashes stored and controlled by the firmware.
7  */
8 #include <linux/kernel.h>
9 #include <linux/sched.h>
10 #include <linux/cred.h>
11 #include <linux/err.h>
12 #include <linux/slab.h>
13 #include <asm/secure_boot.h>
14 #include <asm/secvar.h>
15 #include "keyring_handler.h"
16 #include "../integrity.h"
17 
18 /*
19  * Get a certificate list blob from the named secure variable.
20  *
21  * Returns:
22  *  - a pointer to a kmalloc'd buffer containing the cert list on success
23  *  - NULL if the key does not exist
24  *  - an ERR_PTR on error
25  */
26 static __init void *get_cert_list(u8 *key, unsigned long keylen, u64 *size)
27 {
28 	int rc;
29 	void *db;
30 
31 	rc = secvar_ops->get(key, keylen, NULL, size);
32 	if (rc) {
33 		if (rc == -ENOENT)
34 			return NULL;
35 		return ERR_PTR(rc);
36 	}
37 
38 	db = kmalloc(*size, GFP_KERNEL);
39 	if (!db)
40 		return ERR_PTR(-ENOMEM);
41 
42 	rc = secvar_ops->get(key, keylen, db, size);
43 	if (rc) {
44 		kfree(db);
45 		return ERR_PTR(rc);
46 	}
47 
48 	return db;
49 }
50 
51 /*
52  * Load the certs contained in the keys databases into the platform trusted
53  * keyring and the blacklisted X.509 cert SHA256 hashes into the blacklist
54  * keyring.
55  */
56 static int __init load_powerpc_certs(void)
57 {
58 	void *db = NULL, *dbx = NULL;
59 	u64 dbsize = 0, dbxsize = 0;
60 	int rc = 0;
61 	ssize_t len;
62 	char buf[32];
63 
64 	if (!secvar_ops)
65 		return -ENODEV;
66 
67 	len = secvar_ops->format(buf, sizeof(buf));
68 	if (len <= 0)
69 		return -ENODEV;
70 
71 	// Check for known secure boot implementations from OPAL or PLPKS
72 	if (strcmp("ibm,edk2-compat-v1", buf) && strcmp("ibm,plpks-sb-v1", buf)) {
73 		pr_err("Unsupported secvar implementation \"%s\", not loading certs\n", buf);
74 		return -ENODEV;
75 	}
76 
77 	/*
78 	 * Get db, and dbx. They might not exist, so it isn't an error if we
79 	 * can't get them.
80 	 */
81 	db = get_cert_list("db", 3, &dbsize);
82 	if (!db) {
83 		pr_info("Couldn't get db list from firmware\n");
84 	} else if (IS_ERR(db)) {
85 		rc = PTR_ERR(db);
86 		pr_err("Error reading db from firmware: %d\n", rc);
87 		return rc;
88 	} else {
89 		rc = parse_efi_signature_list("powerpc:db", db, dbsize,
90 					      get_handler_for_db);
91 		if (rc)
92 			pr_err("Couldn't parse db signatures: %d\n", rc);
93 		kfree(db);
94 	}
95 
96 	dbx = get_cert_list("dbx", 4,  &dbxsize);
97 	if (!dbx) {
98 		pr_info("Couldn't get dbx list from firmware\n");
99 	} else if (IS_ERR(dbx)) {
100 		rc = PTR_ERR(dbx);
101 		pr_err("Error reading dbx from firmware: %d\n", rc);
102 		return rc;
103 	} else {
104 		rc = parse_efi_signature_list("powerpc:dbx", dbx, dbxsize,
105 					      get_handler_for_dbx);
106 		if (rc)
107 			pr_err("Couldn't parse dbx signatures: %d\n", rc);
108 		kfree(dbx);
109 	}
110 
111 	return rc;
112 }
113 late_initcall(load_powerpc_certs);
114