TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / hafnium / third_party / linux / 157378f43faad830e4aa3815bde5fa9f9a9f5be6 / . / drivers / firmware / efi / mokvar-table.c
blob: 38722d2009e2060f28523a12918509684f995712 [file] [log] [blame]
Olivier Deprez157378f2022-04-04 15:47:50 +0200[diff] [blame^]1// SPDX-License-Identifier: GPL-2.0
2/*
3 * mokvar-table.c
4 *
5 * Copyright (c) 2020 Red Hat
6 * Author: Lenny Szubowicz <lszubowi@redhat.com>
7 *
8 * This module contains the kernel support for the Linux EFI Machine
9 * Owner Key (MOK) variable configuration table, which is identified by
10 * the LINUX_EFI_MOK_VARIABLE_TABLE_GUID.
11 *
12 * This EFI configuration table provides a more robust alternative to
13 * EFI volatile variables by which an EFI boot loader can pass the
14 * contents of the Machine Owner Key (MOK) certificate stores to the
15 * kernel during boot. If both the EFI MOK config table and corresponding
16 * EFI MOK variables are present, the table should be considered as
17 * more authoritative.
18 *
19 * This module includes code that validates and maps the EFI MOK table,
20 * if it's presence was detected very early in boot.
21 *
22 * Kernel interface routines are provided to walk through all the
23 * entries in the MOK config table or to search for a specific named
24 * entry.
25 *
26 * The contents of the individual named MOK config table entries are
27 * made available to user space via read-only sysfs binary files under:
28 *
29 * /sys/firmware/efi/mok-variables/
30 *
31 */
32#define pr_fmt(fmt) "mokvar: " fmt
33
34#include <linux/capability.h>
35#include <linux/efi.h>
36#include <linux/init.h>
37#include <linux/io.h>
38#include <linux/kernel.h>
39#include <linux/kobject.h>
40#include <linux/list.h>
41#include <linux/slab.h>
42
43#include <asm/early_ioremap.h>
44
45/*
46 * The LINUX_EFI_MOK_VARIABLE_TABLE_GUID config table is a packed
47 * sequence of struct efi_mokvar_table_entry, one for each named
48 * MOK variable. The sequence is terminated by an entry with a
49 * completely NULL name and 0 data size.
50 *
51 * efi_mokvar_table_size is set to the computed size of the
52 * MOK config table by efi_mokvar_table_init(). This will be
53 * non-zero if and only if the table if present and has been
54 * validated by efi_mokvar_table_init().
55 */
56static size_t efi_mokvar_table_size;
57
58/*
59 * efi_mokvar_table_va is the kernel virtual address at which the
60 * EFI MOK config table has been mapped by efi_mokvar_sysfs_init().
61 */
62static struct efi_mokvar_table_entry *efi_mokvar_table_va;
63
64/*
65 * Each /sys/firmware/efi/mok-variables/ sysfs file is represented by
66 * an instance of struct efi_mokvar_sysfs_attr on efi_mokvar_sysfs_list.
67 * bin_attr.private points to the associated EFI MOK config table entry.
68 *
69 * This list is created during boot and then remains unchanged.
70 * So no synchronization is currently required to walk the list.
71 */
72struct efi_mokvar_sysfs_attr {
73 struct bin_attribute bin_attr;
74 struct list_head node;
75};
76
77static LIST_HEAD(efi_mokvar_sysfs_list);
78static struct kobject *mokvar_kobj;
79
80/*
81 * efi_mokvar_table_init() - Early boot validation of EFI MOK config table
82 *
83 * If present, validate and compute the size of the EFI MOK variable
84 * configuration table. This table may be provided by an EFI boot loader
85 * as an alternative to ordinary EFI variables, due to platform-dependent
86 * limitations. The memory occupied by this table is marked as reserved.
87 *
88 * This routine must be called before efi_free_boot_services() in order
89 * to guarantee that it can mark the table as reserved.
90 *
91 * Implicit inputs:
92 * efi.mokvar_table: Physical address of EFI MOK variable config table
93 * or special value that indicates no such table.
94 *
95 * Implicit outputs:
96 * efi_mokvar_table_size: Computed size of EFI MOK variable config table.
97 * The table is considered present and valid if this
98 * is non-zero.
99 */
100void __init efi_mokvar_table_init(void)
101{
102 efi_memory_desc_t md;
103 void *va = NULL;
104 unsigned long cur_offset = 0;
105 unsigned long offset_limit;
106 unsigned long map_size = 0;
107 unsigned long map_size_needed = 0;
108 unsigned long size;
109 struct efi_mokvar_table_entry *mokvar_entry;
110 int err;
111
112 if (!efi_enabled(EFI_MEMMAP))
113 return;
114
115 if (efi.mokvar_table == EFI_INVALID_TABLE_ADDR)
116 return;
117 /*
118 * The EFI MOK config table must fit within a single EFI memory
119 * descriptor range.
120 */
121 err = efi_mem_desc_lookup(efi.mokvar_table, &md);
122 if (err) {
123 pr_warn("EFI MOKvar config table is not within the EFI memory map\n");
124 return;
125 }
126
127 offset_limit = efi_mem_desc_end(&md) - efi.mokvar_table;
128
129 /*
130 * Validate the MOK config table. Since there is no table header
131 * from which we could get the total size of the MOK config table,
132 * we compute the total size as we validate each variably sized
133 * entry, remapping as necessary.
134 */
135 err = -EINVAL;
136 while (cur_offset + sizeof(*mokvar_entry) <= offset_limit) {
137 mokvar_entry = va + cur_offset;
138 map_size_needed = cur_offset + sizeof(*mokvar_entry);
139 if (map_size_needed > map_size) {
140 if (va)
141 early_memunmap(va, map_size);
142 /*
143 * Map a little more than the fixed size entry
144 * header, anticipating some data. It's safe to
145 * do so as long as we stay within current memory
146 * descriptor.
147 */
148 map_size = min(map_size_needed + 2*EFI_PAGE_SIZE,
149 offset_limit);
150 va = early_memremap(efi.mokvar_table, map_size);
151 if (!va) {
152 pr_err("Failed to map EFI MOKvar config table pa=0x%lx, size=%lu.\n",
153 efi.mokvar_table, map_size);
154 return;
155 }
156 mokvar_entry = va + cur_offset;
157 }
158
159 /* Check for last sentinel entry */
160 if (mokvar_entry->name[0] == '\0') {
161 if (mokvar_entry->data_size != 0)
162 break;
163 err = 0;
164 break;
165 }
166
167 /* Sanity check that the name is null terminated */
168 size = strnlen(mokvar_entry->name,
169 sizeof(mokvar_entry->name));
170 if (size >= sizeof(mokvar_entry->name))
171 break;
172
173 /* Advance to the next entry */
174 cur_offset = map_size_needed + mokvar_entry->data_size;
175 }
176
177 if (va)
178 early_memunmap(va, map_size);
179 if (err) {
180 pr_err("EFI MOKvar config table is not valid\n");
181 return;
182 }
183
184 if (md.type == EFI_BOOT_SERVICES_DATA)
185 efi_mem_reserve(efi.mokvar_table, map_size_needed);
186
187 efi_mokvar_table_size = map_size_needed;
188}
189
190/*
191 * efi_mokvar_entry_next() - Get next entry in the EFI MOK config table
192 *
193 * mokvar_entry: Pointer to current EFI MOK config table entry
194 * or null. Null indicates get first entry.
195 * Passed by reference. This is updated to the
196 * same value as the return value.
197 *
198 * Returns: Pointer to next EFI MOK config table entry
199 * or null, if there are no more entries.
200 * Same value is returned in the mokvar_entry
201 * parameter.
202 *
203 * This routine depends on the EFI MOK config table being entirely
204 * mapped with it's starting virtual address in efi_mokvar_table_va.
205 */
206struct efi_mokvar_table_entry *efi_mokvar_entry_next(
207 struct efi_mokvar_table_entry **mokvar_entry)
208{
209 struct efi_mokvar_table_entry *mokvar_cur;
210 struct efi_mokvar_table_entry *mokvar_next;
211 size_t size_cur;
212
213 mokvar_cur = *mokvar_entry;
214 *mokvar_entry = NULL;
215
216 if (efi_mokvar_table_va == NULL)
217 return NULL;
218
219 if (mokvar_cur == NULL) {
220 mokvar_next = efi_mokvar_table_va;
221 } else {
222 if (mokvar_cur->name[0] == '\0')
223 return NULL;
224 size_cur = sizeof(*mokvar_cur) + mokvar_cur->data_size;
225 mokvar_next = (void *)mokvar_cur + size_cur;
226 }
227
228 if (mokvar_next->name[0] == '\0')
229 return NULL;
230
231 *mokvar_entry = mokvar_next;
232 return mokvar_next;
233}
234
235/*
236 * efi_mokvar_entry_find() - Find EFI MOK config entry by name
237 *
238 * name: Name of the entry to look for.
239 *
240 * Returns: Pointer to EFI MOK config table entry if found;
241 * null otherwise.
242 *
243 * This routine depends on the EFI MOK config table being entirely
244 * mapped with it's starting virtual address in efi_mokvar_table_va.
245 */
246struct efi_mokvar_table_entry *efi_mokvar_entry_find(const char *name)
247{
248 struct efi_mokvar_table_entry *mokvar_entry = NULL;
249
250 while (efi_mokvar_entry_next(&mokvar_entry)) {
251 if (!strncmp(name, mokvar_entry->name,
252 sizeof(mokvar_entry->name)))
253 return mokvar_entry;
254 }
255 return NULL;
256}
257
258/*
259 * efi_mokvar_sysfs_read() - sysfs binary file read routine
260 *
261 * Returns: Count of bytes read.
262 *
263 * Copy EFI MOK config table entry data for this mokvar sysfs binary file
264 * to the supplied buffer, starting at the specified offset into mokvar table
265 * entry data, for the specified count bytes. The copy is limited by the
266 * amount of data in this mokvar config table entry.
267 */
268static ssize_t efi_mokvar_sysfs_read(struct file *file, struct kobject *kobj,
269 struct bin_attribute *bin_attr, char *buf,
270 loff_t off, size_t count)
271{
272 struct efi_mokvar_table_entry *mokvar_entry = bin_attr->private;
273
274 if (!capable(CAP_SYS_ADMIN))
275 return 0;
276
277 if (off >= mokvar_entry->data_size)
278 return 0;
279 if (count > mokvar_entry->data_size - off)
280 count = mokvar_entry->data_size - off;
281
282 memcpy(buf, mokvar_entry->data + off, count);
283 return count;
284}
285
286/*
287 * efi_mokvar_sysfs_init() - Map EFI MOK config table and create sysfs
288 *
289 * Map the EFI MOK variable config table for run-time use by the kernel
290 * and create the sysfs entries in /sys/firmware/efi/mok-variables/
291 *
292 * This routine just returns if a valid EFI MOK variable config table
293 * was not found earlier during boot.
294 *
295 * This routine must be called during a "middle" initcall phase, i.e.
296 * after efi_mokvar_table_init() but before UEFI certs are loaded
297 * during late init.
298 *
299 * Implicit inputs:
300 * efi.mokvar_table: Physical address of EFI MOK variable config table
301 * or special value that indicates no such table.
302 *
303 * efi_mokvar_table_size: Computed size of EFI MOK variable config table.
304 * The table is considered present and valid if this
305 * is non-zero.
306 *
307 * Implicit outputs:
308 * efi_mokvar_table_va: Start virtual address of the EFI MOK config table.
309 */
310static int __init efi_mokvar_sysfs_init(void)
311{
312 void *config_va;
313 struct efi_mokvar_table_entry *mokvar_entry = NULL;
314 struct efi_mokvar_sysfs_attr *mokvar_sysfs = NULL;
315 int err = 0;
316
317 if (efi_mokvar_table_size == 0)
318 return -ENOENT;
319
320 config_va = memremap(efi.mokvar_table, efi_mokvar_table_size,
321 MEMREMAP_WB);
322 if (!config_va) {
323 pr_err("Failed to map EFI MOKvar config table\n");
324 return -ENOMEM;
325 }
326 efi_mokvar_table_va = config_va;
327
328 mokvar_kobj = kobject_create_and_add("mok-variables", efi_kobj);
329 if (!mokvar_kobj) {
330 pr_err("Failed to create EFI mok-variables sysfs entry\n");
331 return -ENOMEM;
332 }
333
334 while (efi_mokvar_entry_next(&mokvar_entry)) {
335 mokvar_sysfs = kzalloc(sizeof(*mokvar_sysfs), GFP_KERNEL);
336 if (!mokvar_sysfs) {
337 err = -ENOMEM;
338 break;
339 }
340
341 sysfs_bin_attr_init(&mokvar_sysfs->bin_attr);
342 mokvar_sysfs->bin_attr.private = mokvar_entry;
343 mokvar_sysfs->bin_attr.attr.name = mokvar_entry->name;
344 mokvar_sysfs->bin_attr.attr.mode = 0400;
345 mokvar_sysfs->bin_attr.size = mokvar_entry->data_size;
346 mokvar_sysfs->bin_attr.read = efi_mokvar_sysfs_read;
347
348 err = sysfs_create_bin_file(mokvar_kobj,
349 &mokvar_sysfs->bin_attr);
350 if (err)
351 break;
352
353 list_add_tail(&mokvar_sysfs->node, &efi_mokvar_sysfs_list);
354 }
355
356 if (err) {
357 pr_err("Failed to create some EFI mok-variables sysfs entries\n");
358 kfree(mokvar_sysfs);
359 }
360 return err;
361}
362device_initcall(efi_mokvar_sysfs_init);