[UPSTREAM][RFC PATCH] integrity: Load mokx certs from the EFI MOK config table

Dimitri John Ledkov dimitri.ledkov at canonical.com
Mon May 10 15:13:48 UTC 2021


On Mon, May 10, 2021 at 4:04 PM Krzysztof Kozlowski
<krzysztof.kozlowski at canonical.com> wrote:
>
> On 10/05/2021 11:00, Guilherme Piccoli wrote:
> > Hi Dimitri, very nice idea of using the list as RFC for upstream!
> > I have a small suggestion inline below, regarding the commit message.
> > Cheers,
> >
> >
> > Guilherme
> >
> > On Mon, May 10, 2021 at 11:15 AM Dimitri John Ledkov
> > <dimitri.ledkov at canonical.com> wrote:
> >>
> >> Refactor load_moklist_certs() to load either MokListRT into db, or
> >> MokListXRT into dbx. Call load_moklist_certs() twice - first to load
> >> mokx certs into dbx, then mok certs into db.
> >>
> >> This thus now attempts to load mokx certs via the EFI MOKvar config
> >> table first, and if that fails, via the EFI variable. Previously mokx
> >> certs were only loaded via the EFI variable. Which fails when
> >> MokListXRT is large and, instead of MokListXRT, is only available as
> >> MokListXRT{1,2,3}. This is the case with Ubuntu's 15.4 based
> >> shim. This patch is required to address CVE-2020-26541 when
> >> certificates are revoked via MokListXRT.
> >>
> >> Fixes: ebd9c2ae369a45bdd9f8615484db09be58fc242b
> >
> > The fixes tag is set usually with a 12-char SHA + commit name. In your
> > case, it'd be:
> > Fixes: ebd9c2ae369a ("integrity: Load mokx variables into the
> > blacklist keyring")
>
>
> Good catch. You just need to run scripts/checkpatch 0001-*
>

And yet....

$ ./scripts/checkpatch.pl 0001-integrity-Load-mokx-certs-from-the-EFI-MOK-config-ta.patch
total: 0 errors, 0 warnings, 129 lines checked

0001-integrity-Load-mokx-certs-from-the-EFI-MOK-config-ta.patch has no
obvious style problems and is ready for submission.

So I don't know how my commit message is not tripping up that check
that clearly is there in checkpatch =/

Thanks for this, will fix.

-- 
Regards,

Dimitri.
