mokvar-table.c 11 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359
  1. // SPDX-License-Identifier: GPL-2.0
  2. /*
  3. * mokvar-table.c
  4. *
  5. * Copyright (c) 2020 Red Hat
  6. * Author: Lenny Szubowicz <lszubowi@redhat.com>
  7. *
  8. * This module contains the kernel support for the Linux EFI Machine
  9. * Owner Key (MOK) variable configuration table, which is identified by
  10. * the LINUX_EFI_MOK_VARIABLE_TABLE_GUID.
  11. *
  12. * This EFI configuration table provides a more robust alternative to
  13. * EFI volatile variables by which an EFI boot loader can pass the
  14. * contents of the Machine Owner Key (MOK) certificate stores to the
  15. * kernel during boot. If both the EFI MOK config table and corresponding
  16. * EFI MOK variables are present, the table should be considered as
  17. * more authoritative.
  18. *
  19. * This module includes code that validates and maps the EFI MOK table,
  20. * if it's presence was detected very early in boot.
  21. *
  22. * Kernel interface routines are provided to walk through all the
  23. * entries in the MOK config table or to search for a specific named
  24. * entry.
  25. *
  26. * The contents of the individual named MOK config table entries are
  27. * made available to user space via read-only sysfs binary files under:
  28. *
  29. * /sys/firmware/efi/mok-variables/
  30. *
  31. */
  32. #define pr_fmt(fmt) "mokvar: " fmt
  33. #include <linux/capability.h>
  34. #include <linux/efi.h>
  35. #include <linux/init.h>
  36. #include <linux/io.h>
  37. #include <linux/kernel.h>
  38. #include <linux/kobject.h>
  39. #include <linux/list.h>
  40. #include <linux/slab.h>
  41. #include <asm/early_ioremap.h>
  42. /*
  43. * The LINUX_EFI_MOK_VARIABLE_TABLE_GUID config table is a packed
  44. * sequence of struct efi_mokvar_table_entry, one for each named
  45. * MOK variable. The sequence is terminated by an entry with a
  46. * completely NULL name and 0 data size.
  47. *
  48. * efi_mokvar_table_size is set to the computed size of the
  49. * MOK config table by efi_mokvar_table_init(). This will be
  50. * non-zero if and only if the table if present and has been
  51. * validated by efi_mokvar_table_init().
  52. */
  53. static size_t efi_mokvar_table_size;
  54. /*
  55. * efi_mokvar_table_va is the kernel virtual address at which the
  56. * EFI MOK config table has been mapped by efi_mokvar_sysfs_init().
  57. */
  58. static struct efi_mokvar_table_entry *efi_mokvar_table_va;
  59. /*
  60. * Each /sys/firmware/efi/mok-variables/ sysfs file is represented by
  61. * an instance of struct efi_mokvar_sysfs_attr on efi_mokvar_sysfs_list.
  62. * bin_attr.private points to the associated EFI MOK config table entry.
  63. *
  64. * This list is created during boot and then remains unchanged.
  65. * So no synchronization is currently required to walk the list.
  66. */
  67. struct efi_mokvar_sysfs_attr {
  68. struct bin_attribute bin_attr;
  69. struct list_head node;
  70. };
  71. static LIST_HEAD(efi_mokvar_sysfs_list);
  72. static struct kobject *mokvar_kobj;
  73. /*
  74. * efi_mokvar_table_init() - Early boot validation of EFI MOK config table
  75. *
  76. * If present, validate and compute the size of the EFI MOK variable
  77. * configuration table. This table may be provided by an EFI boot loader
  78. * as an alternative to ordinary EFI variables, due to platform-dependent
  79. * limitations. The memory occupied by this table is marked as reserved.
  80. *
  81. * This routine must be called before efi_unmap_boot_services() in order
  82. * to guarantee that it can mark the table as reserved.
  83. *
  84. * Implicit inputs:
  85. * efi.mokvar_table: Physical address of EFI MOK variable config table
  86. * or special value that indicates no such table.
  87. *
  88. * Implicit outputs:
  89. * efi_mokvar_table_size: Computed size of EFI MOK variable config table.
  90. * The table is considered present and valid if this
  91. * is non-zero.
  92. */
  93. void __init efi_mokvar_table_init(void)
  94. {
  95. struct efi_mokvar_table_entry __aligned(1) *mokvar_entry, *next_entry;
  96. efi_memory_desc_t md;
  97. void *va = NULL;
  98. unsigned long cur_offset = 0;
  99. unsigned long offset_limit;
  100. unsigned long map_size_needed = 0;
  101. unsigned long size;
  102. int err;
  103. if (!efi_enabled(EFI_MEMMAP))
  104. return;
  105. if (efi.mokvar_table == EFI_INVALID_TABLE_ADDR)
  106. return;
  107. /*
  108. * The EFI MOK config table must fit within a single EFI memory
  109. * descriptor range.
  110. */
  111. err = efi_mem_desc_lookup(efi.mokvar_table, &md);
  112. if (err) {
  113. pr_warn("EFI MOKvar config table is not within the EFI memory map\n");
  114. return;
  115. }
  116. offset_limit = efi_mem_desc_end(&md) - efi.mokvar_table;
  117. /*
  118. * Validate the MOK config table. Since there is no table header
  119. * from which we could get the total size of the MOK config table,
  120. * we compute the total size as we validate each variably sized
  121. * entry, remapping as necessary.
  122. */
  123. err = -EINVAL;
  124. while (cur_offset + sizeof(*mokvar_entry) <= offset_limit) {
  125. if (va)
  126. early_memunmap(va, sizeof(*mokvar_entry));
  127. va = early_memremap(efi.mokvar_table + cur_offset, sizeof(*mokvar_entry));
  128. if (!va) {
  129. pr_err("Failed to map EFI MOKvar config table pa=0x%lx, size=%zu.\n",
  130. efi.mokvar_table + cur_offset, sizeof(*mokvar_entry));
  131. return;
  132. }
  133. mokvar_entry = va;
  134. next:
  135. /* Check for last sentinel entry */
  136. if (mokvar_entry->name[0] == '\0') {
  137. if (mokvar_entry->data_size != 0)
  138. break;
  139. err = 0;
  140. map_size_needed = cur_offset + sizeof(*mokvar_entry);
  141. break;
  142. }
  143. /* Enforce that the name is NUL terminated */
  144. mokvar_entry->name[sizeof(mokvar_entry->name) - 1] = '\0';
  145. /* Advance to the next entry */
  146. size = sizeof(*mokvar_entry) + mokvar_entry->data_size;
  147. cur_offset += size;
  148. /*
  149. * Don't bother remapping if the current entry header and the
  150. * next one end on the same page.
  151. */
  152. next_entry = (void *)((unsigned long)mokvar_entry + size);
  153. if (((((unsigned long)(mokvar_entry + 1) - 1) ^
  154. ((unsigned long)(next_entry + 1) - 1)) & PAGE_MASK) == 0) {
  155. mokvar_entry = next_entry;
  156. goto next;
  157. }
  158. }
  159. if (va)
  160. early_memunmap(va, sizeof(*mokvar_entry));
  161. if (err) {
  162. pr_err("EFI MOKvar config table is not valid\n");
  163. return;
  164. }
  165. if (md.type == EFI_BOOT_SERVICES_DATA)
  166. efi_mem_reserve(efi.mokvar_table, map_size_needed);
  167. efi_mokvar_table_size = map_size_needed;
  168. }
  169. /*
  170. * efi_mokvar_entry_next() - Get next entry in the EFI MOK config table
  171. *
  172. * mokvar_entry: Pointer to current EFI MOK config table entry
  173. * or null. Null indicates get first entry.
  174. * Passed by reference. This is updated to the
  175. * same value as the return value.
  176. *
  177. * Returns: Pointer to next EFI MOK config table entry
  178. * or null, if there are no more entries.
  179. * Same value is returned in the mokvar_entry
  180. * parameter.
  181. *
  182. * This routine depends on the EFI MOK config table being entirely
  183. * mapped with it's starting virtual address in efi_mokvar_table_va.
  184. */
  185. struct efi_mokvar_table_entry *efi_mokvar_entry_next(
  186. struct efi_mokvar_table_entry **mokvar_entry)
  187. {
  188. struct efi_mokvar_table_entry *mokvar_cur;
  189. struct efi_mokvar_table_entry *mokvar_next;
  190. size_t size_cur;
  191. mokvar_cur = *mokvar_entry;
  192. *mokvar_entry = NULL;
  193. if (efi_mokvar_table_va == NULL)
  194. return NULL;
  195. if (mokvar_cur == NULL) {
  196. mokvar_next = efi_mokvar_table_va;
  197. } else {
  198. if (mokvar_cur->name[0] == '\0')
  199. return NULL;
  200. size_cur = sizeof(*mokvar_cur) + mokvar_cur->data_size;
  201. mokvar_next = (void *)mokvar_cur + size_cur;
  202. }
  203. if (mokvar_next->name[0] == '\0')
  204. return NULL;
  205. *mokvar_entry = mokvar_next;
  206. return mokvar_next;
  207. }
  208. /*
  209. * efi_mokvar_entry_find() - Find EFI MOK config entry by name
  210. *
  211. * name: Name of the entry to look for.
  212. *
  213. * Returns: Pointer to EFI MOK config table entry if found;
  214. * null otherwise.
  215. *
  216. * This routine depends on the EFI MOK config table being entirely
  217. * mapped with it's starting virtual address in efi_mokvar_table_va.
  218. */
  219. struct efi_mokvar_table_entry *efi_mokvar_entry_find(const char *name)
  220. {
  221. struct efi_mokvar_table_entry *mokvar_entry = NULL;
  222. while (efi_mokvar_entry_next(&mokvar_entry)) {
  223. if (!strncmp(name, mokvar_entry->name,
  224. sizeof(mokvar_entry->name)))
  225. return mokvar_entry;
  226. }
  227. return NULL;
  228. }
  229. /*
  230. * efi_mokvar_sysfs_read() - sysfs binary file read routine
  231. *
  232. * Returns: Count of bytes read.
  233. *
  234. * Copy EFI MOK config table entry data for this mokvar sysfs binary file
  235. * to the supplied buffer, starting at the specified offset into mokvar table
  236. * entry data, for the specified count bytes. The copy is limited by the
  237. * amount of data in this mokvar config table entry.
  238. */
  239. static ssize_t efi_mokvar_sysfs_read(struct file *file, struct kobject *kobj,
  240. const struct bin_attribute *bin_attr, char *buf,
  241. loff_t off, size_t count)
  242. {
  243. struct efi_mokvar_table_entry *mokvar_entry = bin_attr->private;
  244. if (!capable(CAP_SYS_ADMIN))
  245. return 0;
  246. if (off >= mokvar_entry->data_size)
  247. return 0;
  248. if (count > mokvar_entry->data_size - off)
  249. count = mokvar_entry->data_size - off;
  250. memcpy(buf, mokvar_entry->data + off, count);
  251. return count;
  252. }
  253. /*
  254. * efi_mokvar_sysfs_init() - Map EFI MOK config table and create sysfs
  255. *
  256. * Map the EFI MOK variable config table for run-time use by the kernel
  257. * and create the sysfs entries in /sys/firmware/efi/mok-variables/
  258. *
  259. * This routine just returns if a valid EFI MOK variable config table
  260. * was not found earlier during boot.
  261. *
  262. * This routine must be called during a "middle" initcall phase, i.e.
  263. * after efi_mokvar_table_init() but before UEFI certs are loaded
  264. * during late init.
  265. *
  266. * Implicit inputs:
  267. * efi.mokvar_table: Physical address of EFI MOK variable config table
  268. * or special value that indicates no such table.
  269. *
  270. * efi_mokvar_table_size: Computed size of EFI MOK variable config table.
  271. * The table is considered present and valid if this
  272. * is non-zero.
  273. *
  274. * Implicit outputs:
  275. * efi_mokvar_table_va: Start virtual address of the EFI MOK config table.
  276. */
  277. static int __init efi_mokvar_sysfs_init(void)
  278. {
  279. void *config_va;
  280. struct efi_mokvar_table_entry *mokvar_entry = NULL;
  281. struct efi_mokvar_sysfs_attr *mokvar_sysfs = NULL;
  282. int err = 0;
  283. if (efi_mokvar_table_size == 0)
  284. return -ENOENT;
  285. config_va = memremap(efi.mokvar_table, efi_mokvar_table_size,
  286. MEMREMAP_WB);
  287. if (!config_va) {
  288. pr_err("Failed to map EFI MOKvar config table\n");
  289. return -ENOMEM;
  290. }
  291. efi_mokvar_table_va = config_va;
  292. mokvar_kobj = kobject_create_and_add("mok-variables", efi_kobj);
  293. if (!mokvar_kobj) {
  294. pr_err("Failed to create EFI mok-variables sysfs entry\n");
  295. return -ENOMEM;
  296. }
  297. while (efi_mokvar_entry_next(&mokvar_entry)) {
  298. mokvar_sysfs = kzalloc_obj(*mokvar_sysfs);
  299. if (!mokvar_sysfs) {
  300. err = -ENOMEM;
  301. break;
  302. }
  303. sysfs_bin_attr_init(&mokvar_sysfs->bin_attr);
  304. mokvar_sysfs->bin_attr.private = mokvar_entry;
  305. mokvar_sysfs->bin_attr.attr.name = mokvar_entry->name;
  306. mokvar_sysfs->bin_attr.attr.mode = 0400;
  307. mokvar_sysfs->bin_attr.size = mokvar_entry->data_size;
  308. mokvar_sysfs->bin_attr.read = efi_mokvar_sysfs_read;
  309. err = sysfs_create_bin_file(mokvar_kobj,
  310. &mokvar_sysfs->bin_attr);
  311. if (err)
  312. break;
  313. list_add_tail(&mokvar_sysfs->node, &efi_mokvar_sysfs_list);
  314. }
  315. if (err) {
  316. pr_err("Failed to create some EFI mok-variables sysfs entries\n");
  317. kfree(mokvar_sysfs);
  318. }
  319. return err;
  320. }
  321. fs_initcall(efi_mokvar_sysfs_init);