Xenial: Load signed external modules using local MOK key (V2)
Tim Gardner
tim.gardner at canonical.com
Wed Apr 20 19:25:45 UTC 2016
After a bit of experimentation I figured out why the previous patch set
wasn't working. I dropped 'akcipher: Move the RSA DER encoding check to
the crypto layer' which was relying on v4.6 functionality that doesn't
exist in v4.4. If you want to experiment with this yourself then here is
a cheat sheet:
https://docs.google.com/document/d/1Z1_jR3MmxuvqolQH4PORkJCgENkb2Tlw4FVA-sHqdMw
rtg
----
The following changes since commit a9ea3f9a4e060986722fd472c982796cfd14bac9:

  UBUNTU: Start new release (2016-04-19 07:14:51 -0600)

are available in the git repository at:

  git://kernel.ubuntu.com/rtg/ubuntu-xenial.git uefi-keyring

for you to fetch changes up to 0da43644b6254dc4644f1f56d59de726bc519e1c:

  UBUNTU: SAUCE: (noup) MODSIGN: Support not importing certs from db (2016-04-20 12:27:02 -0600)
----------------------------------------------------------------
Ard Biesheuvel (4):
      efi: Remove redundant efi_set_variable_nonblocking() prototype
      efi/runtime-wrappers: Add a nonblocking version of QueryVariableInfo()
      efi: Add nonblocking option to efi_query_variable_store()
      efi: stub: implement efi_get_random_bytes() based on EFI_RNG_PROTOCOL

Dave Howells (2):
      UBUNTU: SAUCE: (noup) Add EFI signature data types
      UBUNTU: SAUCE: (noup) Add an EFI signature blob parser and key loader.

David Howells (1):
      KEYS: Add an alloc flag to convey the builtinness of a key

Josh Boyer (2):
      UBUNTU: SAUCE: (noup) KEYS: Add a system blacklist keyring
      UBUNTU: SAUCE: (noup) MODSIGN: Support not importing certs from db

Peter Jones (1):
      efi: Reformat GUID tables to follow the format in UEFI spec

Petko Manolov (1):
      IMA: create machine owner and blacklist keyrings

Robert Elliott (1):
      efi: Add NV memory attribute

Tadeusz Struk (1):
      crypto: KEYS: convert public key and digsig asym to the akcipher api

Tim Gardner (3):
      UBUNTU: [Config] CONFIG_EFI_SIGNATURE_LIST_PARSER=y
      UBUNTU: [Config] CONFIG_IMA_MOK_KEYRING=y
      UBUNTU: [Config] CONFIG_MODULE_SIG_UEFI=y, CONFIG_SYSTEM_BLACKLIST_KEYRING=y
 arch/x86/platform/efi/quirks.c            |  33 +++++++++++++-
 certs/system_keyring.c                    |  31 ++++++++++++-
 crypto/asymmetric_keys/Kconfig            |  10 +++-
 crypto/asymmetric_keys/Makefile           |   8 ++--
 crypto/asymmetric_keys/efi_parser.c       | 109 ++++++++++++++++++++++++++++++++++++++++++++
 crypto/asymmetric_keys/pkcs7_parser.c     |  12 ++---
 crypto/asymmetric_keys/pkcs7_trust.c      |   2 +-
 crypto/asymmetric_keys/pkcs7_verify.c     |   2 +-
 crypto/asymmetric_keys/public_key.c       |  64 +++++++++-----------------
 crypto/asymmetric_keys/public_key.h       |  36 ---------------
 crypto/asymmetric_keys/rsa.c              | 212 ++++++++++++++++++++++++++++++++-----------------------------------------------------
 crypto/asymmetric_keys/x509_cert_parser.c |  37 +++------------
 crypto/asymmetric_keys/x509_public_key.c  |  19 ++++----
 crypto/asymmetric_keys/x509_rsakey.asn1   |   4 --
 debian.master/config/config.common.ubuntu |   9 ++--
 drivers/firmware/efi/efi.c                |   5 +-
 drivers/firmware/efi/libstub/Makefile     |   2 +-
 drivers/firmware/efi/libstub/efistub.h    |   3 ++
 drivers/firmware/efi/libstub/random.c     |  35 ++++++++++++++
 drivers/firmware/efi/runtime-wrappers.c   |  22 +++++++++
 drivers/firmware/efi/vars.c               |  16 ++++++-
 include/crypto/public_key.h               |  34 ++++----------
 include/keys/system_keyring.h             |  28 ++++++++++++
 include/linux/efi.h                       | 115 +++++++++++++++++++++++++++++++++-------------
 include/linux/key.h                       |   1 +
 init/Kconfig                              |   9 ++++
 kernel/modsign_uefi.c                     |  40 ++++++++++++----
 security/integrity/digsig_asymmetric.c    |  14 ++++++
 security/integrity/ima/Kconfig            |  20 ++++++++
 security/integrity/ima/Makefile           |   1 +
 security/integrity/ima/ima_mok.c          |  54 ++++++++++++++++++++++
 security/keys/key.c                       |   2 +
 32 files changed, 644 insertions(+), 345 deletions(-)
 create mode 100644 crypto/asymmetric_keys/efi_parser.c
 delete mode 100644 crypto/asymmetric_keys/public_key.h
 delete mode 100644 crypto/asymmetric_keys/x509_rsakey.asn1
 create mode 100644 drivers/firmware/efi/libstub/random.c
 create mode 100644 security/integrity/ima/ima_mok.c
--
Tim Gardner tim.gardner at canonical.com