linux

iv/linux

Fork 0

Commit Graph

Author	SHA1	Message	Date
Ard Biesheuvel	cc383a9e24	efi: mokvar: add missing include of asm/early_ioremap.h Nathan reports that building the new mokvar table code for 32-bit ARM fails with errors such as error: implicit declaration of function 'early_memunmap' error: implicit declaration of function 'early_memremap' This is caused by the lack of an explicit #include of the appropriate header, and ARM apparently does not inherit that inclusion via another header file. So add the #include. Tested-by: Nathan Chancellor <natechancellor@gmail.com> Signed-off-by: Ard Biesheuvel <ardb@kernel.org>	2020-10-02 10:08:29 +02:00
Ard Biesheuvel	b89114cd01	efi: mokvar-table: fix some issues in new code Fix a couple of issues in the new mokvar-table handling code, as pointed out by Arvind and Boris: - don't bother checking the end of the physical region against the start address of the mokvar table, - ensure that we enter the loop with err = -EINVAL, - replace size_t with unsigned long to appease pedantic type equality checks. Reviewed-by: Arvind Sankar <nivedita@alum.mit.edu> Reviewed-by: Lenny Szubowicz <lszubowi@redhat.com> Tested-by: Borislav Petkov <bp@suse.de> Signed-off-by: Ard Biesheuvel <ardb@kernel.org>	2020-09-29 19:40:57 +02:00
Lenny Szubowicz	58c909022a	efi: Support for MOK variable config table Because of system-specific EFI firmware limitations, EFI volatile variables may not be capable of holding the required contents of the Machine Owner Key (MOK) certificate store when the certificate list grows above some size. Therefore, an EFI boot loader may pass the MOK certs via a EFI configuration table created specifically for this purpose to avoid this firmware limitation. An EFI configuration table is a much more primitive mechanism compared to EFI variables and is well suited for one-way passage of static information from a pre-OS environment to the kernel. This patch adds initial kernel support to recognize, parse, and validate the EFI MOK configuration table, where named entries contain the same data that would otherwise be provided in similarly named EFI variables. Additionally, this patch creates a sysfs binary file for each EFI MOK configuration table entry found. These files are read-only to root and are provided for use by user space utilities such as mokutil. A subsequent patch will load MOK certs into the trusted platform key ring using this infrastructure. Signed-off-by: Lenny Szubowicz <lszubowi@redhat.com> Link: https://lore.kernel.org/r/20200905013107.10457-2-lszubowi@redhat.com Signed-off-by: Ard Biesheuvel <ardb@kernel.org>	2020-09-16 18:53:42 +03:00

Author

SHA1

Message

Date

Ard Biesheuvel

cc383a9e24

efi: mokvar: add missing include of asm/early_ioremap.h

Nathan reports that building the new mokvar table code for 32-bit
ARM fails with errors such as

  error: implicit declaration of function 'early_memunmap'
  error: implicit declaration of function 'early_memremap'

This is caused by the lack of an explicit #include of the appropriate
header, and ARM apparently does not inherit that inclusion via another
header file. So add the #include.

Tested-by: Nathan Chancellor <natechancellor@gmail.com>
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>

2020-10-02 10:08:29 +02:00

Ard Biesheuvel

b89114cd01

efi: mokvar-table: fix some issues in new code

Fix a couple of issues in the new mokvar-table handling code, as
pointed out by Arvind and Boris:
- don't bother checking the end of the physical region against the start
  address of the mokvar table,
- ensure that we enter the loop with err = -EINVAL,
- replace size_t with unsigned long to appease pedantic type equality
  checks.

Reviewed-by: Arvind Sankar <nivedita@alum.mit.edu>
Reviewed-by: Lenny Szubowicz <lszubowi@redhat.com>
Tested-by: Borislav Petkov <bp@suse.de>
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>

2020-09-29 19:40:57 +02:00

Lenny Szubowicz

58c909022a

efi: Support for MOK variable config table

Because of system-specific EFI firmware limitations, EFI volatile
variables may not be capable of holding the required contents of
the Machine Owner Key (MOK) certificate store when the certificate
list grows above some size. Therefore, an EFI boot loader may pass
the MOK certs via a EFI configuration table created specifically for
this purpose to avoid this firmware limitation.

An EFI configuration table is a much more primitive mechanism
compared to EFI variables and is well suited for one-way passage
of static information from a pre-OS environment to the kernel.

This patch adds initial kernel support to recognize, parse,
and validate the EFI MOK configuration table, where named
entries contain the same data that would otherwise be provided
in similarly named EFI variables.

Additionally, this patch creates a sysfs binary file for each
EFI MOK configuration table entry found. These files are read-only
to root and are provided for use by user space utilities such as
mokutil.

A subsequent patch will load MOK certs into the trusted platform
key ring using this infrastructure.

Signed-off-by: Lenny Szubowicz <lszubowi@redhat.com>
Link: https://lore.kernel.org/r/20200905013107.10457-2-lszubowi@redhat.com
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>

2020-09-16 18:53:42 +03:00

3 Commits