Xenial: Load signed external modules using local MOK key

Tim Gardner tim.gardner at canonical.com
Wed Apr 13 16:16:28 UTC 2016


This mighty blob of code implements the functionality required to 
extract encryption keys and certificates from UEFI and use them to 
verify signed modules. This is important for locally compiled modules 
such as DKMS. A user would create or acquire a key and enter it into the 
MOK while also signing their local module with the same key. Upon reboot 
said key will appear in the kernel UEFI keyring which is then used to 
verify the new module.

This code is pretty much untested, but I wanted some more eyeballs on it 
in order to make sure my interpretation reflects reality.

This is phase 1 of secure boot signed module enforcement. Subsequent 
phases involve backporting this pile to Trusty and all kernels in 
between. Refer to 
https://wiki.ubuntu.com/Spec/InstallingUnsignedSecureBoot in order to 
understand why I am pushing for these changes at such a late date.

rtg
----

The following changes since commit 6b368f5c279310548da1a6de23d8e59567255029:

   pipe: limit the per-user amount of pages allocated in pipes (2016-04-13 09:52:33 -0600)

are available in the git repository at:

   git://kernel.ubuntu.com/rtg/ubuntu-xenial.git uefi-keyring

for you to fetch changes up to a914fecfc873be53d6a1cc486dfd4fb9a481854d:

   UBUNTU: SAUCE: (noup) efi: Disable secure boot if shim is in insecure mode (2016-04-13 10:00:56 -0600)

----------------------------------------------------------------
Ard Biesheuvel (4):
       efi: Remove redundant efi_set_variable_nonblocking() prototype
       efi/runtime-wrappers: Add a nonblocking version of QueryVariableInfo()
       efi: Add nonblocking option to efi_query_variable_store()
       efi: stub: implement efi_get_random_bytes() based on EFI_RNG_PROTOCOL

Dave Howells (2):
       UBUNTU: SAUCE: (noup) Add EFI signature data types
       UBUNTU: SAUCE: (noup) Add an EFI signature blob parser and key loader.

David Howells (2):
       akcipher: Move the RSA DER encoding check to the crypto layer
       KEYS: Add an alloc flag to convey the builtinness of a key

Josh Boyer (4):
       UBUNTU: SAUCE: (noup) KEYS: Add a system blacklist keyring
       UBUNTU: SAUCE: (noup) MODSIGN: Import certificates from UEFI Secure Boot
       UBUNTU: SAUCE: (noup) MODSIGN: Support not importing certs from db
       UBUNTU: SAUCE: (noup) efi: Disable secure boot if shim is in insecure mode

Peter Jones (1):
       efi: Reformat GUID tables to follow the format in UEFI spec

Petko Manolov (1):
       IMA: create machine owner and blacklist keyrings

Robert Elliott (1):
       efi: Add NV memory attribute

Tadeusz Struk (1):
       crypto: KEYS: convert public key and digsig asym to the akcipher api

Tim Gardner (3):
       UBUNTU: [Config] CONFIG_EFI_SIGNATURE_LIST_PARSER=y
       UBUNTU: [Config] CONFIG_IMA_MOK_KEYRING=y
       UBUNTU: [Config] CONFIG_MODULE_SIG_UEFI=y, CONFIG_SYSTEM_BLACKLIST_KEYRING=y

  arch/x86/boot/compressed/eboot.c          |  20 +++++++-
  arch/x86/platform/efi/quirks.c            |  33 +++++++++++-
  certs/system_keyring.c                    |  31 +++++++++++-
  crypto/asymmetric_keys/Kconfig            |  15 +++---
  crypto/asymmetric_keys/Makefile           |   9 ++--
  crypto/asymmetric_keys/efi_parser.c       | 109 ++++++++++++++++++++++++++++++++++++++++
  crypto/asymmetric_keys/pkcs7_parser.c     |  12 ++---
  crypto/asymmetric_keys/pkcs7_trust.c      |   2 +-
  crypto/asymmetric_keys/pkcs7_verify.c     |   2 +-
  crypto/asymmetric_keys/public_key.c       | 146 +++++++++++++++++++++++++++++++++++++----------------
  crypto/asymmetric_keys/public_key.h       |  36 -------------
  crypto/asymmetric_keys/rsa.c              | 278 -----------------------------------------------------------------------------------------------------
  crypto/asymmetric_keys/x509_cert_parser.c |  37 +++-----------
  crypto/asymmetric_keys/x509_public_key.c  |  19 +++----
  crypto/asymmetric_keys/x509_rsakey.asn1   |   4 --
  debian.master/config/config.common.ubuntu |   9 ++--
  drivers/firmware/efi/efi.c                |   5 +-
  drivers/firmware/efi/libstub/Makefile     |   2 +-
  drivers/firmware/efi/libstub/efistub.h    |   3 ++
  drivers/firmware/efi/libstub/random.c     |  35 +++++++++++++
  drivers/firmware/efi/runtime-wrappers.c   |  22 ++++++++
  drivers/firmware/efi/vars.c               |  16 +++++-
  include/crypto/public_key.h               |  32 +++---------
  include/keys/system_keyring.h             |  28 +++++++++++
  include/linux/efi.h                       | 121 ++++++++++++++++++++++++++++++++------------
  include/linux/key.h                       |   1 +
  init/Kconfig                              |  20 +++++++-
  kernel/Makefile                           |   3 ++
  kernel/modsign_uefi.c                     | 114 ++++++++++++++++++++++++++++++++++++++++++
  security/integrity/digsig_asymmetric.c    |  15 ++++++
  security/integrity/ima/Kconfig            |  20 ++++++++
  security/integrity/ima/Makefile           |   1 +
  security/integrity/ima/ima_mok.c          |  54 ++++++++++++++++++++
  security/keys/key.c                       |   2 +
  34 files changed, 766 insertions(+), 490 deletions(-)
  create mode 100644 crypto/asymmetric_keys/efi_parser.c
  delete mode 100644 crypto/asymmetric_keys/public_key.h
  delete mode 100644 crypto/asymmetric_keys/rsa.c
  delete mode 100644 crypto/asymmetric_keys/x509_rsakey.asn1
  create mode 100644 drivers/firmware/efi/libstub/random.c
  create mode 100644 kernel/modsign_uefi.c
  create mode 100644 security/integrity/ima/ima_mok.c
-- 
Tim Gardner tim.gardner at canonical.com
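
The series above adds an EFI signature blob parser. As an added illustration (not code from this pull request), the following stand-alone C program walks the EFI_SIGNATURE_LIST layout from the UEFI specification, the format used for key databases such as db, and bounds-checks every length field before counting X.509 entries. The function name `esl_count_x509` and the sample blob are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* EFI_CERT_X509_GUID (a5c059a1-94e4-4aa7-87b5-ab155c2bf072) in stored byte order */
static const uint8_t X509_GUID[16] = {
    0xa1, 0x59, 0xc0, 0xa5, 0xe4, 0x94, 0xa7, 0x4a,
    0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72 };

/* Constructed sample: one X.509 list, one entry, 4 placeholder payload bytes */
static const uint8_t SAMPLE[48] = {
    0xa1, 0x59, 0xc0, 0xa5, 0xe4, 0x94, 0xa7, 0x4a,
    0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72,   /* SignatureType */
    48, 0, 0, 0,  0, 0, 0, 0,  20, 0, 0, 0,   /* list, header, entry sizes */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,   /* SignatureOwner */
    0x30, 0x82, 0x00, 0x00 };                 /* not a real certificate */

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Returns the number of X.509 entries in buf, or -1 if any size field is
 * inconsistent; *der_bytes gets the total certificate payload length. */
int esl_count_x509(const uint8_t *buf, size_t len, size_t *der_bytes)
{
    int found = 0;
    *der_bytes = 0;
    while (len > 0) {
        if (len < 28) return -1;              /* GUID + three u32 fields */
        uint32_t lsize = le32(buf + 16), hsize = le32(buf + 20);
        uint32_t esize = le32(buf + 24);
        if (lsize < 28 || lsize > len || hsize > lsize - 28) return -1;
        if (esize <= 16 || (lsize - 28 - hsize) % esize) return -1;
        if (memcmp(buf, X509_GUID, 16) == 0) {
            size_t n = (lsize - 28 - hsize) / esize;
            found += (int)n;
            *der_bytes += n * (esize - 16);   /* skip 16-byte owner GUID */
        }
        buf += lsize;
        len -= lsize;
    }
    return found;
}

int main(void)
{
    size_t bytes;
    printf("%d X.509 entries\n", esl_count_x509(SAMPLE, sizeof(SAMPLE), &bytes));
    return 0;
}
```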



