[UPSTREAM][RFC PATCH] integrity: Load mokx certs from the EFI MOK config table
Krzysztof Kozlowski
krzysztof.kozlowski at canonical.com
Mon May 10 15:04:07 UTC 2021
On 10/05/2021 11:00, Guilherme Piccoli wrote:
> Hi Dmitri, very nice idea of using the list as RFC for upstream!
> I have a small suggestion inline below, regarding the commit message.
> Cheers,
>
>
> Guilherme
>
> On Mon, May 10, 2021 at 11:15 AM Dimitri John Ledkov
> <dimitri.ledkov at canonical.com> wrote:
>>
>> Refactor load_moklist_certs() to load either MokListRT into db, or
>> MokListXRT into dbx. Call load_moklist_certs() twice - first to load
>> mokx certs into dbx, then mok certs into db.
>>
>> This thus now attempts to load mokx certs via the EFI MOKvar config
>> table first, and if that fails, via the EFI variable. Previously mokx
>> certs were only loaded via the EFI variable, which fails when
>> MokListXRT is large and is only available as MokListXRT{1,2,3}
>> instead of as MokListXRT. This is the case with Ubuntu's 15.4 based
>> shim. This patch is required to address CVE-2020-26541 when
>> certificates are revoked via MokListXRT.
>>
>> Fixes: ebd9c2ae369a45bdd9f8615484db09be58fc242b
>
> The Fixes tag is usually set with a 12-char SHA + commit name. In your
> case, it'd be:
> Fixes: ebd9c2ae369a ("integrity: Load mokx variables into the
> blacklist keyring")
Good catch. You just need to run scripts/checkpatch 0001-*
Best regards,
Krzysztof
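The quoted commit message has load_moklist_certs() read MokListRT and MokListXRT from the EFI MOK variable config table before falling back to the (size-limited, possibly split) EFI variables. The user-space C program below is an added illustration of what that table walk involves and is not the kernel's code. It assumes the entry layout of struct efi_mokvar_table_entry from the kernel's include/linux/efi.h (a fixed 256-byte NUL-terminated name, a little-endian 64-bit data_size, then the payload, with an empty-name entry terminating the table); the sample table, the hypothetical helper names and the payload bytes are constructed here for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout (struct efi_mokvar_table_entry): 256-byte name field,
 * 64-bit little-endian data_size, then data_size payload bytes, packed.
 * The table ends with an entry whose name is the empty string. */
#define MOKVAR_NAME_LEN 256
#define MOKVAR_HDR_LEN  (MOKVAR_NAME_LEN + 8)

static uint64_t rd_le64(const uint8_t *p)
{
	uint64_t v = 0;
	for (int i = 7; i >= 0; i--)
		v = (v << 8) | p[i];
	return v;
}

static void wr_le64(uint8_t *p, uint64_t v)
{
	for (int i = 0; i < 8; i++)
		p[i] = (uint8_t)(v >> (8 * i));
}

/* Locate @name in a MOK config table. Returns a pointer to its payload and
 * stores the payload length in *out_len, or NULL if the entry is absent or
 * the table is malformed (name not NUL-terminated, data_size running past
 * the buffer, or no terminator). Sizes come from firmware-provided memory,
 * so every one is checked before it is trusted. */
const uint8_t *mokvar_find(const uint8_t *table, size_t table_len,
			   const char *name, size_t *out_len)
{
	size_t off = 0;

	while (off + MOKVAR_HDR_LEN <= table_len) {
		const uint8_t *entry = table + off;

		if (!memchr(entry, '\0', MOKVAR_NAME_LEN))
			return NULL;            /* unterminated name */
		if (entry[0] == '\0')
			return NULL;            /* terminator: not found */

		uint64_t data_size = rd_le64(entry + MOKVAR_NAME_LEN);
		if (data_size > table_len - off - MOKVAR_HDR_LEN)
			return NULL;            /* payload runs past buffer */

		if (strcmp((const char *)entry, name) == 0) {
			*out_len = (size_t)data_size;
			return entry + MOKVAR_HDR_LEN;
		}
		off += MOKVAR_HDR_LEN + (size_t)data_size;
	}
	return NULL;                            /* ran off the end */
}

/* Hypothetical builder for the constructed sample: appends one entry and
 * returns the new table length, or 0 if it would not fit. */
size_t mokvar_append(uint8_t *buf, size_t cap, size_t len, const char *name,
		     const uint8_t *data, size_t data_len)
{
	if (len > cap || strlen(name) >= MOKVAR_NAME_LEN ||
	    cap - len < MOKVAR_HDR_LEN + data_len)
		return 0;
	memset(buf + len, 0, MOKVAR_NAME_LEN);
	memcpy(buf + len, name, strlen(name));
	wr_le64(buf + len + MOKVAR_NAME_LEN, data_len);
	memcpy(buf + len + MOKVAR_HDR_LEN, data, data_len);
	return len + MOKVAR_HDR_LEN + data_len;
}

/* Constructed sample table: a 4-byte MokListRT payload, an 8-byte
 * MokListXRT payload and the empty-name terminator (804 bytes total). */
size_t build_sample_table(uint8_t *buf, size_t cap)
{
	static const uint8_t db[4]  = { 0xde, 0xad, 0xbe, 0xef };
	static const uint8_t dbx[8] = { 1, 2, 3, 4, 5, 6, 7, 8 };
	size_t len = mokvar_append(buf, cap, 0, "MokListRT", db, sizeof db);
	len = mokvar_append(buf, cap, len, "MokListXRT", dbx, sizeof dbx);
	return mokvar_append(buf, cap, len, "", NULL, 0);
}

/* Payload length of @name in the sample table, optionally truncated to
 * @truncate_to bytes to model a short buffer; -1 if absent or malformed. */
long lookup_in_sample(const char *name, size_t truncate_to)
{
	uint8_t buf[1024];
	size_t len = build_sample_table(buf, sizeof buf), out = 0;
	if (truncate_to && truncate_to < len)
		len = truncate_to;
	return mokvar_find(buf, len, name, &out) ? (long)out : -1;
}

int main(void)
{
	printf("MokListXRT payload: %ld bytes\n", lookup_in_sample("MokListXRT", 0));
	printf("MokListRT payload: %ld bytes\n", lookup_in_sample("MokListRT", 0));
	return 0;
}
```

The table lookup happens first because, unlike a UEFI variable, the config table carries the full list in one contiguous blob, which is why the split MokListXRT{1,2,3} variables mentioned in the commit message do not arise on that path; the fall-back to the variable remains for firmware or shim versions that publish no table.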