[UPSTREAM][RFC PATCH] integrity: Load mokx certs from the EFI MOK config table

Dimitri John Ledkov dimitri.ledkov at canonical.com
Mon May 10 15:28:57 UTC 2021


On Mon, May 10, 2021 at 4:24 PM Krzysztof Kozlowski
<krzysztof.kozlowski at canonical.com> wrote:
>
>
> On 10/05/2021 11:13, Dimitri John Ledkov wrote:
> > On Mon, May 10, 2021 at 4:04 PM Krzysztof Kozlowski
> > <krzysztof.kozlowski at canonical.com> wrote:
> >>
> >> On 10/05/2021 11:00, Guilherme Piccoli wrote:
> >>> Hi Dmitri, very nice idea of using the list as RFC for upstream!
> >>> I have a small suggestion inline below, regarding the commit message.
> >>> Cheers,
> >>>
> >>>
> >>> Guilherme
> >>>
> >>> On Mon, May 10, 2021 at 11:15 AM Dimitri John Ledkov
> >>> <dimitri.ledkov at canonical.com> wrote:
> >>>>
> >>>> Refactor load_moklist_certs() to load either MokListRT into db, or
> >>>> MokListXRT into dbx. Call load_moklist_certs() twice - first to load
> >>>> mokx certs into dbx, then mok certs into db.
> >>>>
> >>>> This thus now attempts to load mokx certs via the EFI MOKvar config
> >>>> table first, and if that fails, via the EFI variable. Previously mokx
> >>>> certs were only loaded via the EFI variable. Which fails when
> >>>> MokListXRT is large and instead of MokListXRT is only available as
> >>>> MokListXRT{1,2,3}. This is the case with Ubuntu's 15.4 based
> >>>> shim. This patch is required to address CVE-2020-26541 when
> >>>> certificates are revoked via MokListXRT.
> >>>>
> >>>> Fixes: ebd9c2ae369a45bdd9f8615484db09be58fc242b
> >>>
> >>> The fixes tag is set usually with a 12-char SHA + commit name. In your
> >>> case, it'd be:
> >>> Fixes: ebd9c2ae369a ("integrity: Load mokx variables into the
> >>> blacklist keyring")
> >>
> >>
> >> Good catch. You just need to run scripts/checkpatch 0001-*
> >>
> >
> > And yet....
> >
> > $ ./scripts/checkpatch.pl
> > 0001-integrity-Load-mokx-certs-from-the-EFI-MOK-config-ta.patch
> > total: 0 errors, 0 warnings, 129 lines checked
> >
> > 0001-integrity-Load-mokx-certs-from-the-EFI-MOK-config-ta.patch has no
> > obvious style problems and is ready for submission.
> >
> > So I don't know how my commit message is not tripping up that check
> > that clearly is there in checkpatch =/
> >
> > Thanks for this, will fix.
>
> I had impression it checks for it, but it turns out it looks only for
> commit IDs mentioned in the message. If it only was not written in
> Perl... :)
>
> https://elixir.bootlin.com/linux/latest/source/Documentation/process/submitting-patches.rst#L127
>

I need to _modify_ my git config?! the tool written by kernel
engineers is not suitable for kernel engineering by default?! Maybe I
should dput git into Ubuntu such that everyone's /etc/gitconfig is
suitable for kernel development ?! =))))) Adding to my todo to do that
in git upstream by default because it is silly to require everyone to
modify their gitconfig for this.

-- 
Regards,

Dimitri.
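The lookup order the commit message describes, as an added example that is not part of this thread, the kernel or shim: try the EFI MOKvar config table first, then the plain EFI variable, then the split MokListXRT1, MokListXRT2, ... variables, and parse whatever was found as a chain of EFI_SIGNATURE_LISTs. The config table, the variable store and the revoked hashes are all constructed in memory; every sim_* name is hypothetical, and "the split chunks concatenate back into the original blob" is an assumption of the example, so the sample splits at a signature-list boundary, where it holds either way.

```c
/* Added example, not kernel or shim code. Simulates the MOK list lookup
 * order from the patch (MOKvar config table, EFI variable, split variables)
 * and parses the result as EFI_SIGNATURE_LISTs. All data is constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ESL_HDR_SIZE 28u   /* SignatureType GUID + 3 x uint32 (UEFI spec) */
#define GUID_SIZE    16u
#define SHA256_SIZE  32u

/* Hypothetical: one named blob, used for config table entries and EFI variables. */
struct sim_blob { const char *name; const uint8_t *data; size_t size; };

enum mok_source { MOK_SRC_NONE = 0, MOK_SRC_TABLE, MOK_SRC_VAR, MOK_SRC_SPLIT };

/* UEFI structures are little-endian regardless of host byte order. */
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Build one EFI_SIGNATURE_LIST of n EFI_SIGNATURE_DATA entries carrying
 * dummy SHA-256 hashes. Returns bytes written, 0 if buf is too small. */
static size_t build_sha256_esl(uint8_t *buf, size_t cap, unsigned n, uint8_t fill)
{
    /* EFI_CERT_SHA256_GUID c1c41626-504c-4092-aca9-41f936934328, stored form */
    static const uint8_t guid[16] = {0x26,0x16,0xc4,0xc1,0x4c,0x50,0x92,0x40,
                                     0xac,0xa9,0x41,0xf9,0x36,0x93,0x43,0x28};
    size_t sig_size = GUID_SIZE + SHA256_SIZE;          /* SignatureOwner + hash */
    size_t list_size = ESL_HDR_SIZE + n * sig_size;
    if (list_size > cap) return 0;
    memset(buf, 0, list_size);
    memcpy(buf, guid, GUID_SIZE);
    wr32(buf + 16, (uint32_t)list_size);               /* SignatureListSize   */
    wr32(buf + 20, 0);                                 /* SignatureHeaderSize */
    wr32(buf + 24, (uint32_t)sig_size);                /* SignatureSize       */
    for (unsigned i = 0; i < n; i++)
        memset(buf + ESL_HDR_SIZE + i * sig_size + GUID_SIZE, fill + i, SHA256_SIZE);
    return list_size;
}

/* Walk concatenated EFI_SIGNATURE_LISTs and count signature entries.
 * Any bounds violation returns -1: a loader must reject the whole blob
 * rather than trust the part it could parse. */
static int count_signatures(const uint8_t *data, size_t size)
{
    size_t off = 0;
    int count = 0;
    while (off < size) {
        if (size - off < ESL_HDR_SIZE) return -1;
        uint32_t lsize = rd32(data + off + 16);
        uint32_t hsize = rd32(data + off + 20);
        uint32_t ssize = rd32(data + off + 24);
        if (lsize < ESL_HDR_SIZE || lsize > size - off) return -1;
        if (hsize > lsize - ESL_HDR_SIZE) return -1;
        size_t body = lsize - ESL_HDR_SIZE - hsize;
        if (ssize <= GUID_SIZE || body % ssize) return -1;
        count += (int)(body / ssize);
        off += lsize;
    }
    return count;
}

/* Hypothetical: copy the named blob into out; 0 if absent or it does not fit. */
static size_t sim_get(const struct sim_blob *set, size_t n, const char *name,
                      uint8_t *out, size_t cap)
{
    for (size_t i = 0; i < n; i++) {
        if (strcmp(set[i].name, name) != 0) continue;
        if (set[i].size > cap) return 0;
        memcpy(out, set[i].data, set[i].size);
        return set[i].size;
    }
    return 0;
}

/* Lookup order from the patch: MOKvar config table, then the EFI variable,
 * then <name>1, <name>2, ... concatenated until one is missing. */
static size_t load_mok_list(const struct sim_blob *tbl, size_t ntbl,
                            const struct sim_blob *store, size_t nstore,
                            const char *name, uint8_t *out, size_t cap,
                            enum mok_source *src)
{
    size_t n = sim_get(tbl, ntbl, name, out, cap);
    if (n) { *src = MOK_SRC_TABLE; return n; }
    n = sim_get(store, nstore, name, out, cap);
    if (n) { *src = MOK_SRC_VAR; return n; }
    size_t total = 0;
    for (unsigned i = 1; ; i++) {
        char vname[64];
        snprintf(vname, sizeof vname, "%s%u", name, i);
        n = sim_get(store, nstore, vname, out + total, cap - total);
        if (!n) break;
        total += n;
    }
    *src = total ? MOK_SRC_SPLIT : MOK_SRC_NONE;
    return total;
}

/* Runs the cases from the thread. Returns the number of revoked hashes
 * recovered in the split-variable case, or -1 if any case misbehaved. */
static int demo(void)
{
    static uint8_t esl_a[256], esl_b[256], blob[512], out[512];
    size_t na = build_sha256_esl(esl_a, sizeof esl_a, 2, 0xa0);
    size_t nb = build_sha256_esl(esl_b, sizeof esl_b, 1, 0xb0);
    memcpy(blob, esl_a, na); memcpy(blob + na, esl_b, nb);
    enum mok_source src;
    if (count_signatures(esl_a, na - 1) != -1) return -1;   /* truncated list */

    /* Case 1: the config table carries the whole list. */
    struct sim_blob tbl[] = { { "MokListXRT", blob, na + nb } };
    size_t got = load_mok_list(tbl, 1, NULL, 0, "MokListXRT", out, sizeof out, &src);
    if (src != MOK_SRC_TABLE || count_signatures(out, got) != 3) return -1;

    /* Case 2: no table, a small list in the single EFI variable. */
    struct sim_blob single[] = { { "MokListXRT", esl_a, na } };
    got = load_mok_list(NULL, 0, single, 1, "MokListXRT", out, sizeof out, &src);
    if (src != MOK_SRC_VAR || count_signatures(out, got) != 2) return -1;

    /* Case 3: large list, only MokListXRT1/2 exist; reading the single
     * variable alone would find nothing and load no revocations. */
    struct sim_blob split[] = { { "MokListXRT1", esl_a, na }, { "MokListXRT2", esl_b, nb } };
    got = load_mok_list(NULL, 0, split, 2, "MokListXRT", out, sizeof out, &src);
    if (src != MOK_SRC_SPLIT) return -1;
    return count_signatures(out, got);
}

int main(void)
{
    printf("split-variable case recovered %d revoked hashes\n", demo());
    return 0;
}
```

The point to take from case 3 is the one the commit message makes: a loader that only reads the single MokListXRT variable sees no revocation data at all on a shim that split the list, so the certificates revoked there are silently still trusted; the config table path, or the split-variable fallback, restores them. The bounds checks in count_signatures() are the part a loader of untrusted-size NVRAM data must not skip.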
