git.baikalelectronics.ru Git - kernel.git/commit

author	Lenny Szubowicz <lszubowi@redhat.com>
	Sat, 5 Sep 2020 01:31:07 +0000 (21:31 -0400)
committer	Ard Biesheuvel <ardb@kernel.org>
	Wed, 16 Sep 2020 15:53:42 +0000 (18:53 +0300)
commit	6d67b15a0bbc970ce1c85589c4b07404172623a0
tree	c476fcad781d963d90a6248b083457ff465de9a5	tree \| snapshot
parent	42e56796d29d4214e47709e4be84d28d495c1823	commit \| diff

integrity: Load certs from the EFI MOK config table

Because of system-specific EFI firmware limitations, EFI volatile
variables may not be capable of holding the required contents of
the Machine Owner Key (MOK) certificate store when the certificate
list grows above some size. Therefore, an EFI boot loader may pass
the MOK certs via a EFI configuration table created specifically for
this purpose to avoid this firmware limitation.

An EFI configuration table is a much more primitive mechanism
compared to EFI variables and is well suited for one-way passage
of static information from a pre-OS environment to the kernel.

This patch adds the support to load certs from the MokListRT
entry in the MOK variable configuration table, if it's present.
The pre-existing support to load certs from the MokListRT EFI
variable remains and is used if the EFI MOK configuration table
isn't present or can't be successfully used.

Signed-off-by: Lenny Szubowicz <lszubowi@redhat.com>
Link: https://lore.kernel.org/r/20200905013107.10457-4-lszubowi@redhat.com
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>