diff mbox series

[4/8] efi_loader: Allow parsing of miscellaneous signature database variables

Message ID 20200430173630.15608-5-sughosh.ganu@linaro.org
State New
Headers show
Series qemu: arm64: Add support for uefi firmware management protocol routines | expand

Commit Message

Sughosh Ganu April 30, 2020, 5:36 p.m. UTC 
The current function to parse the signature database(sigdb) only
allows parsing of secure boot related sigdb variables, namely PK, KEK,
db and dbx. Allow the function to parse any other sigdb
variables. This would be useful for the capsule authenticate feature,
which would be storing it's root certificate in a non secure-boot
sigdb. This is done by passing the vendor guid as a function argument.

Signed-off-by: Sughosh Ganu <sughosh.ganu at linaro.org>
---
 include/efi_loader.h              |  3 ++-
 lib/efi_loader/efi_image_loader.c | 11 +++++++----
 lib/efi_loader/efi_signature.c    | 14 +++-----------
 lib/efi_loader/efi_variable.c     |  9 ++++++---
 4 files changed, 18 insertions(+), 19 deletions(-)
diff mbox series

Patch

diff --git a/include/efi_loader.h b/include/efi_loader.h
index ad99ab660f..b7638d5825 100644
--- a/include/efi_loader.h
+++ b/include/efi_loader.h
@@ -774,7 +774,8 @@  efi_status_t efi_image_region_add(struct efi_image_regions *regs,
 				  int nocheck);
 
 void efi_sigstore_free(struct efi_signature_store *sigstore);
-struct efi_signature_store *efi_sigstore_parse_sigdb(u16 *name);
+struct efi_signature_store *efi_sigstore_parse_sigdb(u16 *name,
+						     const efi_guid_t *vendor);
 
 bool efi_secure_boot_enabled(void);
 
diff --git a/lib/efi_loader/efi_image_loader.c b/lib/efi_loader/efi_image_loader.c
index 6c270ce94f..e07dc290a3 100644
--- a/lib/efi_loader/efi_image_loader.c
+++ b/lib/efi_loader/efi_image_loader.c
@@ -418,13 +418,15 @@  static bool efi_image_unsigned_authenticate(struct efi_image_regions *regs)
 	struct efi_signature_store *db = NULL, *dbx = NULL;
 	bool ret = false;
 
-	dbx = efi_sigstore_parse_sigdb(L"dbx");
+	dbx = efi_sigstore_parse_sigdb(L"dbx",
+				       &efi_guid_image_security_database);
 	if (!dbx) {
 		debug("Getting signature database(dbx) failed\n");
 		goto out;
 	}
 
-	db = efi_sigstore_parse_sigdb(L"db");
+	db = efi_sigstore_parse_sigdb(L"db",
+				      &efi_guid_image_security_database);
 	if (!db) {
 		debug("Getting signature database(db) failed\n");
 		goto out;
@@ -515,13 +517,14 @@  static bool efi_image_authenticate(void *efi, size_t efi_size)
 	/*
 	 * verify signature using db and dbx
 	 */
-	db = efi_sigstore_parse_sigdb(L"db");
+	db = efi_sigstore_parse_sigdb(L"db", &efi_guid_image_security_database);
 	if (!db) {
 		debug("Getting signature database(db) failed\n");
 		goto err;
 	}
 
-	dbx = efi_sigstore_parse_sigdb(L"dbx");
+	dbx = efi_sigstore_parse_sigdb(L"dbx",
+				       &efi_guid_image_security_database);
 	if (!dbx) {
 		debug("Getting signature database(dbx) failed\n");
 		goto err;
diff --git a/lib/efi_loader/efi_signature.c b/lib/efi_loader/efi_signature.c
index 658e3547da..bf6f39aab2 100644
--- a/lib/efi_loader/efi_signature.c
+++ b/lib/efi_loader/efi_signature.c
@@ -714,30 +714,22 @@  err:
 /**
  * efi_sigstore_parse_sigdb - parse a signature database variable
  * @name:	Variable's name
+ * @vendor:	Vendor guid
  *
  * Read in a value of signature database variable pointed to by
  * @name, parse it and instantiate a signature store structure.
  *
  * Return:	Pointer to signature store on success, NULL on error
  */
-struct efi_signature_store *efi_sigstore_parse_sigdb(u16 *name)
+struct efi_signature_store *efi_sigstore_parse_sigdb(
+	u16 *name, const efi_guid_t *vendor)
 {
 	struct efi_signature_store *sigstore = NULL, *siglist;
 	struct efi_signature_list *esl;
-	const efi_guid_t *vendor;
 	void *db;
 	efi_uintn_t db_size;
 	efi_status_t ret;
 
-	if (!u16_strcmp(name, L"PK") || !u16_strcmp(name, L"KEK")) {
-		vendor = &efi_global_variable_guid;
-	} else if (!u16_strcmp(name, L"db") || !u16_strcmp(name, L"dbx")) {
-		vendor = &efi_guid_image_security_database;
-	} else {
-		debug("unknown signature database, %ls\n", name);
-		return NULL;
-	}
-
 	/* retrieve variable data */
 	db_size = 0;
 	ret = EFI_CALL(efi_get_variable(name, vendor, NULL, &db_size, NULL));
diff --git a/lib/efi_loader/efi_variable.c b/lib/efi_loader/efi_variable.c
index 7df881a74b..6c2dd82306 100644
--- a/lib/efi_loader/efi_variable.c
+++ b/lib/efi_loader/efi_variable.c
@@ -604,14 +604,17 @@  static efi_status_t efi_variable_authenticate(u16 *variable,
 	if (u16_strcmp(variable, L"PK") == 0 ||
 	    u16_strcmp(variable, L"KEK") == 0) {
 		/* with PK */
-		truststore = efi_sigstore_parse_sigdb(L"PK");
+		truststore = efi_sigstore_parse_sigdb(L"PK",
+			&efi_global_variable_guid);
 		if (!truststore)
 			goto err;
 	} else if (u16_strcmp(variable, L"db") == 0 ||
 		   u16_strcmp(variable, L"dbx") == 0) {
 		/* with PK and KEK */
-		truststore = efi_sigstore_parse_sigdb(L"KEK");
-		truststore2 = efi_sigstore_parse_sigdb(L"PK");
+		truststore = efi_sigstore_parse_sigdb(L"KEK",
+			&efi_global_variable_guid);
+		truststore2 = efi_sigstore_parse_sigdb(L"PK",
+			&efi_global_variable_guid);
 
 		if (!truststore) {
 			if (!truststore2)