[FOCAL][linux-oem-5.10][PATCH 00/10] Backport builtin revocation certs

Dimitri John Ledkov dimitri.ledkov at canonical.com
Mon Aug 23 13:33:43 UTC 2021

This is a backport of the recent mokx, blacklist keyring, built-in
revoked certificates that are already applied in hirsute and impish.

The Eric Snowberg patches are cherry-picks from linux-stable v5.10.47
which has not yet been integrated into linux-oem-5.10. To apply them
cleanly, the UBUNTU SAUCE patch to dump stack when X.509 certificates
cannot be loaded has been reverted, as it also dropped upstream and
hirsute/impish kernels.

Then UBUNTU SAUCE patches to load mokx certs from the config table,
and add extra information debug messages are cherrypicked from
hirsute/impish. They have been submitted upstream, but not yet

And finally packaging changes are cherrypicked to have 2012 UEFI
signing certificate as builtin revoked. Context adjusted slightly, to
apply config change in both debian.master and debian.oem at the same

This brings linux-oem-5.10 on par with hirsute & impish, w.r.t. to
handling revoked UEFI signing certificates via mokx and as built-in.

Submitting this direct to linux-oem-5.10, as it is the last v5.10
based kernel we are currently maintaining.

Hirsute review was done in:

These have been test-built, booted in a UEFI VM, and verified using
the ACT test case that was recently merged.

Dimitri John Ledkov (6):
  Revert "UBUNTU: SAUCE: Dump stack when X.509 certificates cannot be
  UBUNTU: SAUCE: integrity: Load mokx certs from the EFI MOK config
  UBUNTU: SAUCE: integrity: add informational messages when revoking
  UBUNTU: [Packaging] build canonical-revoked-certs.pem from branch/arch
  UBUNTU: [Packaging] Revoke 2012 UEFI signing certificate as built-in
  UBUNTU: [Config] Configure CONFIG_SYSTEM_REVOCATION_KEYS with revoked

Eric Snowberg (4):
  certs: Add EFI_CERT_X509_GUID support for dbx entries
  certs: Move load_system_certificate_list to a common function
  certs: Add ability to preload revocation certs
  integrity: Load mokx variables into the blacklist keyring

 certs/Kconfig                                 | 17 ++++
 certs/Makefile                                | 21 ++++-
 certs/blacklist.c                             | 67 +++++++++++++++
 certs/blacklist.h                             |  2 +
 certs/common.c                                | 57 ++++++++++++
 certs/common.h                                |  9 ++
 certs/revocation_certificates.S               | 21 +++++
 certs/system_keyring.c                        | 56 ++----------
 debian.master/config/annotations              |  1 +
 debian.master/config/config.common.ubuntu     |  2 +
 debian.oem/config/annotations                 |  1 +
 debian.oem/config/config.common.ubuntu        |  2 +
 .../revoked-certs/canonical-uefi-2012-all.pem | 86 +++++++++++++++++++
 debian/rules                                  | 14 ++-
 include/keys/system_keyring.h                 | 15 ++++
 scripts/Makefile                              |  1 +
 .../platform_certs/keyring_handler.c          | 12 +++
 security/integrity/platform_certs/load_uefi.c | 56 ++++++++----
 18 files changed, 372 insertions(+), 68 deletions(-)
 create mode 100644 certs/common.c
 create mode 100644 certs/common.h
 create mode 100644 certs/revocation_certificates.S
 create mode 100644 debian/revoked-certs/canonical-uefi-2012-all.pem


More information about the kernel-team mailing list