[PATCH v11 16/22] powerpc_ieee1275: Introduce use_static_keys flag

[Sudhakar Kuppusamy via Grub-devel]

Introduce the use_static_keys flag to indicate that static keys are to be used
rather than keys from the PKS storage's db variable. This flag is set if
secure boot is enabled with PKS when the db variable is not present or
empty in the PKS storage.

The appendedsig module would use this flag to extract the static keys from
the GRUB ELF Note and stored in the db list.

Signed-off-by: Sudhakar Kuppusamy <sudha...@linux.ibm.com>
Reviewed-by: Stefan Berger <stef...@linux.ibm.com>
Reviewed-by: Avnish Chouhan <avn...@linux.ibm.com>
Reviewed-by: Daniel Kiper <daniel.ki...@oracle.com>
---
 .../kern/powerpc/ieee1275/platform_keystore.c | 25 +++++++++++++++++--
 .../grub/powerpc/ieee1275/platform_keystore.h |  1 +
 2 files changed, 24 insertions(+), 2 deletions(-)

diff --git a/grub-core/kern/powerpc/ieee1275/platform_keystore.c 
b/grub-core/kern/powerpc/ieee1275/platform_keystore.c
index 7d0ad67e9..d3b8da815 100644
--- a/grub-core/kern/powerpc/ieee1275/platform_keystore.c
+++ b/grub-core/kern/powerpc/ieee1275/platform_keystore.c
@@ -50,9 +50,19 @@
 
 static grub_uint32_t pks_max_object_size = 0;
 
-/* Platform KeyStore db and dbx. */
+/*
+ * Platform KeyStore db and dbx, use_static_keys falg to
+ * indicate use of static keys.
+ *
+ * use_static_keys:
+ * False: Does not enforce the use of  the static key as a default key from
+          the GRUB ELF Note. This is default.
+ * True: Enforce the use of the static key as a default key from the
+ *       GRUB ELF Note if db variable is not available in PKS when use_keystore
+ *       is set to true
+ */
 static grub_pks_t pks_keystore = { .db = NULL, .dbx = NULL, .db_entries = 0,
-                                   .dbx_entries = 0};
+                                   .dbx_entries = 0, .use_static_keys = false};
 /*
  * pks_use_keystore: Key Management Modes
  * False: Static key management (use built-in Keys). This is default.
@@ -332,6 +342,17 @@ grub_pks_keystore_init (void)
 
   /* Read db from PKS. */
   rc = read_sbvar_from_pks (0, PKS_SBVAR_DB, &pks_keystore.db, 
&pks_keystore.db_entries);
+  if (rc == GRUB_ERR_FILE_NOT_FOUND || rc == GRUB_ERR_BAD_NUMBER)
+    {
+      rc = GRUB_ERR_NONE;
+      /*
+       * This flag is set to true because secure boot is enabled with PKS,
+       * and the db variable is not present or empty in the PKS storage.
+       * It enforces the use of static keys from the GRUB ELF Note.
+       */
+      pks_keystore.use_static_keys = true;
+    }
+
   if (rc == GRUB_ERR_NONE)
     {
       /* Read dbx from PKS. */
diff --git a/include/grub/powerpc/ieee1275/platform_keystore.h 
b/include/grub/powerpc/ieee1275/platform_keystore.h
index b18bd4688..24649b2b1 100644
--- a/include/grub/powerpc/ieee1275/platform_keystore.h
+++ b/include/grub/powerpc/ieee1275/platform_keystore.h
@@ -95,6 +95,7 @@ struct grub_pks
   grub_pks_sd_t *dbx;       /* Forbidden signature database. */
   grub_uint32_t db_entries; /* Size of signature database. */
   grub_uint32_t dbx_entries;/* Size of forbidden signature database. */
+  bool use_static_keys;     /* Flag to indicate use of static keys. */
 } GRUB_PACKED;
 typedef struct grub_pks grub_pks_t;
 
-- 
2.39.5 (Apple Git-154)


_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel