// SPDX-License-Identifier: GPL-2.0
/*
 * Copyright (C) 2019 IBM Corporation
 * Author: Nayna Jain
 *
 *      - loads keys and hashes stored and controlled by the firmware.
 */
#include <linux/kernel.h>
#include <linux/sched.h>
#include <linux/cred.h>
#include <linux/err.h>
#include <linux/slab.h>
#include <linux/of.h>
#include <asm/secure_boot.h>
#include <asm/secvar.h>
#include "keyring_handler.h"

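/*
 * Get a certificate list blob from the named secure variable.
 *
 * @key:    name of the secure variable; the callers in this file pass a
 *          NUL-terminated string, and it is printed with %s on error
 * @keylen: length of @key, handed unchanged to the secvar backend
 * @size:   out: data length reported by the backend for the variable
 *
 * The backend is called twice: once with a NULL buffer to learn the length,
 * then again with a buffer of that length to fetch the data. The length is
 * firmware-reported and is used unmodified as the allocation size.
 *
 * Return: a kmalloc()ed buffer that the caller must kfree(), or NULL when the
 * variable cannot be read, is empty, or the allocation fails.
 */
static __init void *get_cert_list(u8 *key, unsigned long keylen, uint64_t *size)
{
	int rc;
	void *db;

	/* A NULL data buffer asks the backend only for the variable's length. */
	rc = secvar_ops->get(key, keylen, NULL, size);
	if (rc) {
		pr_err("Couldn't get size: %d\n", rc);
		return NULL;
	}

	/*
	 * kmalloc(0) returns ZERO_SIZE_PTR, which is non-NULL but must never
	 * be dereferenced. It would pass the !db check below and be handed to
	 * the backend as a data buffer, so treat an empty variable as absent.
	 */
	if (!*size)
		return NULL;

	db = kmalloc(*size, GFP_KERNEL);
	if (!db)
		return NULL;

	rc = secvar_ops->get(key, keylen, db, size);
	if (rc) {
		kfree(db);
		pr_err("Error reading %s var: %d\n", key, rc);
		return NULL;
	}

	return db;
}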
/*
 * Load the certs contained in the keys databases into the platform trusted
 * keyring and the blacklisted X.509 cert SHA256 hashes into the blacklist
 * keyring.
 *
 * Runs once as a late initcall. Only the edk2-compat secvar backend is
 * handled; without a secvar backend or an "ibm,edk2-compat-v1" device tree
 * node the function returns -ENODEV and loads nothing.
 *
 * Return: -ENODEV as described above, otherwise the result of the last
 * parse_efi_signature_list() call that ran (0 if neither list was read).
 *
 * NOTE(review): a parse error on "db" is overwritten by the result for "dbx",
 * so the return value alone does not show that "db" failed.
 *
 * NOTE(review): a "dbx" that cannot be read or parsed is only logged and
 * initialisation continues, so in that case the firmware's revocation hashes
 * are not added to the blacklist keyring. Monitoring should treat the
 * "Couldn't get dbx" / "Couldn't parse dbx" messages as security-relevant.
 */
static int __init load_powerpc_certs(void)
{
	struct device_node *compat_node;
	uint64_t allow_len = 0, deny_len = 0;
	void *allow_blob, *deny_blob;
	int ret = 0;

	if (!secvar_ops)
		return -ENODEV;

	/* The following only applies for the edk2-compat backend. */
	compat_node = of_find_compatible_node(NULL, NULL, "ibm,edk2-compat-v1");
	if (!compat_node)
		return -ENODEV;

	/*
	 * Fetch db first, then dbx. Neither is required to exist, so a
	 * failed fetch is reported but is not treated as an error. The key
	 * lengths (3 and 4) count the terminating NUL of the name.
	 */
	allow_blob = get_cert_list("db", 3, &allow_len);
	if (allow_blob) {
		ret = parse_efi_signature_list("powerpc:db", allow_blob,
					       allow_len, get_handler_for_db);
		if (ret)
			pr_err("Couldn't parse db signatures: %d\n", ret);
		kfree(allow_blob);
	} else {
		pr_err("Couldn't get db list from firmware\n");
	}

	deny_blob = get_cert_list("dbx", 4, &deny_len);
	if (deny_blob) {
		ret = parse_efi_signature_list("powerpc:dbx", deny_blob,
					       deny_len, get_handler_for_dbx);
		if (ret)
			pr_err("Couldn't parse dbx signatures: %d\n", ret);
		kfree(deny_blob);
	} else {
		pr_info("Couldn't get dbx list from firmware\n");
	}

	/* Drop the reference taken by of_find_compatible_node(). */
	of_node_put(compat_node);

	return ret;
}
late_initcall(load_powerpc_certs);