[UPSTREAM][RFC PATCH] integrity: Load mokx certs from the EFI MOK config table

Krzysztof Kozlowski krzysztof.kozlowski at canonical.com
Mon May 10 15:24:54 UTC 2021


On 10/05/2021 11:13, Dimitri John Ledkov wrote:
> On Mon, May 10, 2021 at 4:04 PM Krzysztof Kozlowski
> <krzysztof.kozlowski at canonical.com> wrote:
>>
>> On 10/05/2021 11:00, Guilherme Piccoli wrote:
>>> Hi Dimitri, very nice idea of using the list as RFC for upstream!
>>> I have a small suggestion inline below, regarding the commit message.
>>> Cheers,
>>>
>>>
>>> Guilherme
>>>
>>> On Mon, May 10, 2021 at 11:15 AM Dimitri John Ledkov
>>> <dimitri.ledkov at canonical.com> wrote:
>>>>
>>>> Refactor load_moklist_certs() to load either MokListRT into db, or
>>>> MokListXRT into dbx. Call load_moklist_certs() twice - first to load
>>>> mokx certs into dbx, then mok certs into db.
>>>>
>>>> This thus now attempts to load mokx certs via the EFI MOKvar config
>>>> table first, and if that fails, via the EFI variable. Previously mokx
>>>> certs were only loaded via the EFI variable. This fails when
>>>> MokListXRT is large and, instead of MokListXRT, only
>>>> MokListXRT{1,2,3} is available. This is the case with Ubuntu's 15.4 based
>>>> shim. This patch is required to address CVE-2020-26541 when
>>>> certificates are revoked via MokListXRT.
>>>>
>>>> Fixes: ebd9c2ae369a45bdd9f8615484db09be58fc242b
>>>
>>> The fixes tag is set usually with a 12-char SHA + commit name. In your
>>> case, it'd be:
>>> Fixes: ebd9c2ae369a ("integrity: Load mokx variables into the
>>> blacklist keyring")
>>
>>
>> Good catch. You just need to run scripts/checkpatch 0001-*
>>
> 
> And yet....
> 
> $ ./scripts/checkpatch.pl
> 0001-integrity-Load-mokx-certs-from-the-EFI-MOK-config-ta.patch
> total: 0 errors, 0 warnings, 129 lines checked
> 
> 0001-integrity-Load-mokx-certs-from-the-EFI-MOK-config-ta.patch has no
> obvious style problems and is ready for submission.
> 
> So I don't know how my commit message is not tripping up that check
> that clearly is there in checkpatch =/
> 
> Thanks for this, will fix.

I had the impression it checks for it, but it turns out it looks only for
commit IDs mentioned in the message. If only it was not written in
Perl... :)

https://elixir.bootlin.com/linux/latest/source/Documentation/process/submitting-patches.rst#L127

Best regards,
Krzysztof
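A small checker for the Fixes: tag format Guilherme points out (which, as noted above, checkpatch does not verify), added here as an example that is not part of this thread or of checkpatch; the sample commit message is constructed, reusing the commit id quoted above.

```python
import re

# Documented form: Fixes: <12+ hex chars> ("<commit subject>")
FIXES_OK = re.compile(r'^Fixes: [0-9a-f]{12,40} \("[^"]+"\)$')
SHA_RE = re.compile(r"[0-9a-f]{12,40}")
SUBJECT_RE = re.compile(r'\("[^"]+"\)')


def check_fixes_tags(commit_message: str) -> list:
    """Return (line_number, line, problem) for each malformed Fixes: line.

    Only lines that start with 'Fixes:' are inspected; checkpatch's own
    commit-id lookup is not replicated here, this is purely a format check.
    """
    problems = []
    for num, raw in enumerate(commit_message.splitlines(), start=1):
        line = raw.strip()
        if not line.startswith("Fixes:"):
            continue
        if FIXES_OK.match(line):
            continue
        sha, _, subject = line[len("Fixes:"):].strip().partition(" ")
        if not SHA_RE.fullmatch(sha):
            problems.append((num, line, "commit id must be at least 12 lowercase hex chars"))
        elif not SUBJECT_RE.fullmatch(subject.strip()):
            problems.append((num, line, 'missing quoted subject: expected Fixes: <12-char sha> ("<subject>")'))
    return problems


def fix_fixes_tag(full_sha: str, subject: str) -> str:
    """Build the canonical tag from a full SHA and the referenced commit's subject."""
    return f'Fixes: {full_sha[:12]} ("{subject}")'


# Constructed sample: one full-SHA tag without subject, one too-short id, one correct tag.
SAMPLE_MSG = """integrity: Load mokx certs from the EFI MOK config table

Refactor load_moklist_certs() to load either MokListRT into db, or
MokListXRT into dbx.

Fixes: ebd9c2ae369a45bdd9f8615484db09be58fc242b
Fixes: ebd9c2 ("integrity: Load mokx variables into the blacklist keyring")
Fixes: ebd9c2ae369a ("integrity: Load mokx variables into the blacklist keyring")
"""

if __name__ == "__main__":
    for num, line, problem in check_fixes_tags(SAMPLE_MSG):
        print(f"line {num}: {problem}\n    {line}")
```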
