[UNSTABLE][PATCH 1/2] UBUNTU: SAUCE: integrity: Load mokx certs from the EFI MOK config table
Krzysztof Kozlowski
krzysztof.kozlowski at canonical.com
Mon May 17 13:41:03 UTC 2021
On 17/05/2021 09:18, Dimitri John Ledkov wrote:
> Refactor load_moklist_certs() to load either MokListRT into db, or
> MokListXRT into dbx. Call load_moklist_certs() twice - first to load
> mokx certs into dbx, then mok certs into db.
>
> This thus now attempts to load mokx certs via the EFI MOKvar config
> table first, and if that fails, via the EFI variable. Previously mokx
> certs were only loaded via the EFI variable. Which fails when
> MokListXRT is large. Instead of large MokListXRT variable, only
> MokListXRT{1,2,3} are available which are not loaded. This is the case
> with Ubuntu's 15.4 based shim. This patch is required to address
> CVE-2020-26541 when certificates are revoked via MokListXRT.
>
> Fixes: ebd9c2ae369a ("integrity: Load mokx variables into the blacklist keyring")
No blank line between tags.
>
> BugLink: https://bugs.launchpad.net/bugs/1928679
> Signed-off-by: Dimitri John Ledkov <dimitri.ledkov at canonical.com>
> ---
> security/integrity/platform_certs/load_uefi.c | 74 ++++++++++---------
> 1 file changed, 40 insertions(+), 34 deletions(-)
LGTM, but I cannot judge the context of this patch, so I would propose
to wait for upstream comments.
Best regards,
Krzysztof