[UPSTREAM][RFC PATCH] integrity: Load mokx certs from the EFI MOK config table

Guilherme Piccoli gpiccoli at canonical.com
Mon May 10 15:00:31 UTC 2021


Hi Dmitri, very nice idea of using the list as RFC for upstream!
I have a small suggestion inline below, regarding the commit message.
Cheers,

Guilherme

On Mon, May 10, 2021 at 11:15 AM Dimitri John Ledkov
<dimitri.ledkov at canonical.com> wrote:
>
> Refactor load_moklist_certs() to load either MokListRT into db, or
> MokListXRT into dbx. Call load_moklist_certs() twice - first to load
> mokx certs into dbx, then mok certs into db.
>
> This thus now attempts to load mokx certs via the EFI MOKvar config
> table first, and if that fails, via the EFI variable. Previously mokx
> certs were only loaded via the EFI variable, which fails when
> MokListXRT is large and is only available as MokListXRT{1,2,3} instead
> of MokListXRT. This is the case with Ubuntu's 15.4-based
> shim. This patch is required to address CVE-2020-26541 when
> certificates are revoked via MokListXRT.
>
> Fixes: ebd9c2ae369a45bdd9f8615484db09be58fc242b

The Fixes tag is usually set with a 12-char SHA + commit subject. In your
case, it'd be:
Fixes: ebd9c2ae369a ("integrity: Load mokx variables into the
blacklist keyring")
