efi: Do not import certificates from UEFI Secure Boot for T2 Macs
authorAditya Garg <gargaditya08@live.com>
Fri, 15 Apr 2022 17:02:46 +0000 (17:02 +0000)
committerMimi Zohar <zohar@linux.ibm.com>
Sun, 15 May 2022 12:22:04 +0000 (08:22 -0400)
On Apple T2 Macs, when Linux attempts to read the db and dbx efi variables
at early boot to load UEFI Secure Boot certificates, a page fault occurs
in Apple firmware code and EFI runtime services are disabled with the
following logs:

[Firmware Bug]: Page fault caused by firmware at PA: 0xffffb1edc0068000
WARNING: CPU: 3 PID: 104 at arch/x86/platform/efi/quirks.c:735 efi_crash_gracefully_on_page_fault+0x50/0xf0
(Removed some logs from here)
Call Trace:
 <TASK>
 page_fault_oops+0x4f/0x2c0
 ? search_bpf_extables+0x6b/0x80
 ? search_module_extables+0x50/0x80
 ? search_exception_tables+0x5b/0x60
 kernelmode_fixup_or_oops+0x9e/0x110
 __bad_area_nosemaphore+0x155/0x190
 bad_area_nosemaphore+0x16/0x20
 do_kern_addr_fault+0x8c/0xa0
 exc_page_fault+0xd8/0x180
 asm_exc_page_fault+0x1e/0x30
(Removed some logs from here)
 ? __efi_call+0x28/0x30
 ? switch_mm+0x20/0x30
 ? efi_call_rts+0x19a/0x8e0
 ? process_one_work+0x222/0x3f0
 ? worker_thread+0x4a/0x3d0
 ? kthread+0x17a/0x1a0
 ? process_one_work+0x3f0/0x3f0
 ? set_kthread_struct+0x40/0x40
 ? ret_from_fork+0x22/0x30
 </TASK>
---[ end trace 1f82023595a5927f ]---
efi: Froze efi_rts_wq and disabled EFI Runtime Services
integrity: Couldn't get size: 0x8000000000000015
integrity: MODSIGN: Couldn't get UEFI db list
efi: EFI Runtime Services are disabled!
integrity: Couldn't get size: 0x8000000000000015
integrity: Couldn't get UEFI dbx list
integrity: Couldn't get size: 0x8000000000000015
integrity: Couldn't get mokx list
integrity: Couldn't get size: 0x80000000

So we avoid reading these UEFI variables and thus prevent the crash.

Cc: stable@vger.kernel.org
Signed-off-by: Aditya Garg <gargaditya08@live.com>
Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
security/integrity/platform_certs/keyring_handler.h
security/integrity/platform_certs/load_uefi.c

index 284558f..212d894 100644 (file)
@@ -35,3 +35,11 @@ efi_element_handler_t get_handler_for_mok(const efi_guid_t *sig_type);
 efi_element_handler_t get_handler_for_dbx(const efi_guid_t *sig_type);
 
 #endif
+
+#ifndef UEFI_QUIRK_SKIP_CERT
+#define UEFI_QUIRK_SKIP_CERT(vendor, product) \
+                .matches = { \
+                       DMI_MATCH(DMI_BOARD_VENDOR, vendor), \
+                       DMI_MATCH(DMI_PRODUCT_NAME, product), \
+               },
+#endif
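Review bot: UEFI_QUIRK_SKIP_CERT is defined after the header's closing `#endif`, so it sits outside the include guard and needs its own `#ifndef`; placing it above that `#endif` would make the extra guard unnecessary. The macro expands to `DMI_MATCH` and the `DMI_*` field names, but no `#include <linux/dmi.h>` is visible in this header (its top is outside the hunk), so it only compiles where the includer has already pulled that in. A one-line comment such as `/* Expands to the .matches initializer of a struct dmi_system_id entry */` would also explain the trailing comma and the bare `.matches =` form.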
index 5f45c3c..093894a 100644 (file)
@@ -3,6 +3,7 @@
 #include <linux/kernel.h>
 #include <linux/sched.h>
 #include <linux/cred.h>
+#include <linux/dmi.h>
 #include <linux/err.h>
 #include <linux/efi.h>
 #include <linux/slab.h>
 #include "keyring_handler.h"
 
 /*
+ * On T2 Macs reading the db and dbx efi variables to load UEFI Secure Boot
+ * certificates causes occurrence of a page fault in Apple's firmware and
+ * a crash disabling EFI runtime services. The following quirk skips reading
+ * these variables.
+ */
+static const struct dmi_system_id uefi_skip_cert[] = {
+       { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacBookPro15,1") },
+       { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacBookPro15,2") },
+       { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacBookPro15,3") },
+       { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacBookPro15,4") },
+       { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacBookPro16,1") },
+       { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacBookPro16,2") },
+       { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacBookPro16,3") },
+       { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacBookPro16,4") },
+       { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacBookAir8,1") },
+       { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacBookAir8,2") },
+       { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacBookAir9,1") },
+       { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacMini8,1") },
+       { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "MacPro7,1") },
+       { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "iMac20,1") },
+       { UEFI_QUIRK_SKIP_CERT("Apple Inc.", "iMac20,2") },
+       { }
+};
+
+/*
  * Look to see if a UEFI variable called MokIgnoreDB exists and return true if
  * it does.
  *
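Review bot: The entries in `uefi_skip_cert` are built with `DMI_MATCH`, which as far as I know compares by substring, so `"MacBookPro15,1"` would also match any longer product name that contains it. Because a match here turns off import of the firmware certificate and revocation lists, the match should be as narrow as possible; using `DMI_EXACT_MATCH(DMI_PRODUCT_NAME, product)` in the macro would do that. The table is only read from an `__init` function in the visible code, so it could probably be marked `__initconst` as well.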
@@ -138,6 +164,13 @@ static int __init load_uefi_certs(void)
        unsigned long dbsize = 0, dbxsize = 0, mokxsize = 0;
        efi_status_t status;
        int rc = 0;
+       const struct dmi_system_id *dmi_id;
+
+       dmi_id = dmi_first_match(uefi_skip_cert);
+       if (dmi_id) {
+               pr_err("Reading UEFI Secure Boot Certs is not supported on T2 Macs.\n");
+               return false;
+       }
 
        if (!efi_rt_services_supported(EFI_RT_SUPPORTED_GET_VARIABLE))
                return false;
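Review bot: The early return added at the top of load_uefi_certs() skips the whole function, not only the db and dbx reads named in the comment on `uefi_skip_cert`. The `mokxsize` local suggests the MOK revocation list is handled further down and would be skipped too, though the rest of the body is outside this hunk. On matched machines no firmware revocation entries reach the kernel, and the log line should say so, for example `pr_err("T2 Mac: UEFI db/dbx/MOK certificates and revocations are not loaded\n");`. Separately, `return false;` in an `int` function yields 0 and reads as success; it matches the existing return just below, but `return 0;` with a short comment that the skip is deliberate would be clearer.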