Xenial: Load signed external modules using local MOK key (V2)

Tim Gardner tim.gardner at canonical.com
Wed Apr 20 19:25:45 UTC 2016


After a bit of experimentation I figured out why the previous patch set 
wasn't working. I dropped 'akcipher: Move the RSA DER encoding check to 
the crypto layer' which was relying on v4.6 functionality that doesn't 
exist in v4.4. If you want to experiment with this yourself then here is 
a cheat sheet: 
https://docs.google.com/document/d/1Z1_jR3MmxuvqolQH4PORkJCgENkb2Tlw4FVA-sHqdMw

rtg
----

The following changes since commit a9ea3f9a4e060986722fd472c982796cfd14bac9:

   UBUNTU: Start new release (2016-04-19 07:14:51 -0600)

are available in the git repository at:

   git://kernel.ubuntu.com/rtg/ubuntu-xenial.git uefi-keyring

for you to fetch changes up to 0da43644b6254dc4644f1f56d59de726bc519e1c:

   UBUNTU: SAUCE: (noup) MODSIGN: Support not importing certs from db (2016-04-20 12:27:02 -0600)

----------------------------------------------------------------
Ard Biesheuvel (4):
       efi: Remove redundant efi_set_variable_nonblocking() prototype
       efi/runtime-wrappers: Add a nonblocking version of QueryVariableInfo()
       efi: Add nonblocking option to efi_query_variable_store()
       efi: stub: implement efi_get_random_bytes() based on EFI_RNG_PROTOCOL

Dave Howells (2):
       UBUNTU: SAUCE: (noup) Add EFI signature data types
       UBUNTU: SAUCE: (noup) Add an EFI signature blob parser and key loader.

David Howells (1):
       KEYS: Add an alloc flag to convey the builtinness of a key

Josh Boyer (2):
       UBUNTU: SAUCE: (noup) KEYS: Add a system blacklist keyring
       UBUNTU: SAUCE: (noup) MODSIGN: Support not importing certs from db

Peter Jones (1):
       efi: Reformat GUID tables to follow the format in UEFI spec

Petko Manolov (1):
       IMA: create machine owner and blacklist keyrings

Robert Elliott (1):
       efi: Add NV memory attribute

Tadeusz Struk (1):
       crypto: KEYS: convert public key and digsig asym to the akcipher api

Tim Gardner (3):
       UBUNTU: [Config] CONFIG_EFI_SIGNATURE_LIST_PARSER=y
       UBUNTU: [Config] CONFIG_IMA_MOK_KEYRING=y
       UBUNTU: [Config] CONFIG_MODULE_SIG_UEFI=y, CONFIG_SYSTEM_BLACKLIST_KEYRING=y

  arch/x86/platform/efi/quirks.c            |  33 +++++++++++++-
  certs/system_keyring.c                    |  31 ++++++++++++-
  crypto/asymmetric_keys/Kconfig            |  10 +++-
  crypto/asymmetric_keys/Makefile           |   8 ++--
  crypto/asymmetric_keys/efi_parser.c       | 109 ++++++++++++++++++++++++++++++++++++++++++++
  crypto/asymmetric_keys/pkcs7_parser.c     |  12 ++---
  crypto/asymmetric_keys/pkcs7_trust.c      |   2 +-
  crypto/asymmetric_keys/pkcs7_verify.c     |   2 +-
  crypto/asymmetric_keys/public_key.c       |  64 +++++++++-----------------
  crypto/asymmetric_keys/public_key.h       |  36 ---------------
  crypto/asymmetric_keys/rsa.c              | 212 ++++++++++++++++++++++++++++++++-----------------------------------------------------
  crypto/asymmetric_keys/x509_cert_parser.c |  37 +++------------
  crypto/asymmetric_keys/x509_public_key.c  |  19 ++++----
  crypto/asymmetric_keys/x509_rsakey.asn1   |   4 --
  debian.master/config/config.common.ubuntu |   9 ++--
  drivers/firmware/efi/efi.c                |   5 +-
  drivers/firmware/efi/libstub/Makefile     |   2 +-
  drivers/firmware/efi/libstub/efistub.h    |   3 ++
  drivers/firmware/efi/libstub/random.c     |  35 ++++++++++++++
  drivers/firmware/efi/runtime-wrappers.c   |  22 +++++++++
  drivers/firmware/efi/vars.c               |  16 ++++++-
  include/crypto/public_key.h               |  34 ++++----------
  include/keys/system_keyring.h             |  28 ++++++++++++
  include/linux/efi.h                       | 115 +++++++++++++++++++++++++++++++++-------------
  include/linux/key.h                       |   1 +
  init/Kconfig                              |   9 ++++
  kernel/modsign_uefi.c                     |  40 ++++++++++++----
  security/integrity/digsig_asymmetric.c    |  14 ++++++
  security/integrity/ima/Kconfig            |  20 ++++++++
  security/integrity/ima/Makefile           |   1 +
  security/integrity/ima/ima_mok.c          |  54 ++++++++++++++++++++++
  security/keys/key.c                       |   2 +
  32 files changed, 644 insertions(+), 345 deletions(-)
  create mode 100644 crypto/asymmetric_keys/efi_parser.c
  delete mode 100644 crypto/asymmetric_keys/public_key.h
  delete mode 100644 crypto/asymmetric_keys/x509_rsakey.asn1
  create mode 100644 drivers/firmware/efi/libstub/random.c
  create mode 100644 security/integrity/ima/ima_mok.c


-- 
Tim Gardner tim.gardner at canonical.com