[UNSTABLE][PATCH 1/2] UBUNTU: SAUCE: integrity: Load mokx certs from the EFI MOK config table

Dimitri John Ledkov dimitri.ledkov at canonical.com
Mon May 17 14:58:26 UTC 2021


On Mon, May 17, 2021 at 2:41 PM Krzysztof Kozlowski
<krzysztof.kozlowski at canonical.com> wrote:
>
> On 17/05/2021 09:18, Dimitri John Ledkov wrote:
> > Refactor load_moklist_certs() to load either MokListRT into db, or
> > MokListXRT into dbx. Call load_moklist_certs() twice - first to load
> > mokx certs into dbx, then mok certs into db.
> >
> > This thus now attempts to load mokx certs via the EFI MOKvar config
> > table first, and if that fails, via the EFI variable. Previously mokx
> > certs were only loaded via the EFI variable, which fails when
> > MokListXRT is large. Instead of a large MokListXRT variable, only
> > MokListXRT{1,2,3} are available, which are not loaded. This is the case
> > with Ubuntu's 15.4 based shim. This patch is required to address
> > CVE-2020-26541 when certificates are revoked via MokListXRT.
> >
> > Fixes: ebd9c2ae369a ("integrity: Load mokx variables into the blacklist keyring")
>
> No blank line between tags.
>
> >
> > BugLink: https://bugs.launchpad.net/bugs/1928679
> > Signed-off-by: Dimitri John Ledkov <dimitri.ledkov at canonical.com>
> > ---
> >  security/integrity/platform_certs/load_uefi.c | 74 ++++++++++---------
> >  1 file changed, 40 insertions(+), 34 deletions(-)
>
> LGTM, but I cannot judge the context of this patch, so I would propose
> to wait for upstream comments.
>
> Best regards,
> Krzysztof

We must not sign v5.13 based kernels until this patch is in.
Otherwise, the claim that v5.13 is enough to fix CVE-2020-26541 will
not hold true for Ubuntu. And if one does stable backports of
CVE-2020-26541 which are forthcoming, they will be insufficient on
Ubuntu.

I don't know how to mark this as a blocking issue for unstable-5.13
upload into impish.


-- 
Regards,

Dimitri.
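An added defender-side check, not part of this thread or of the kernel patch: it reports where a running kernel can find MokListXRT, the revocation list the patch loads into dbx, and flags the case the commit message describes (no single MokListXRT variable, only MokListXRT{1,2,3} fragments). It assumes the sysfs layout where the MOKvar config table is exported under firmware/efi/mok-variables/ and EFI variables under firmware/efi/efivars/<Name>-<GUID>; both paths and the fixture it builds are assumptions of this example.

```shell
#!/bin/sh
# Example code, not from the patch or the kernel tree. Paths below are assumed.
SHIM_LOCK_GUID=605dab50-e046-4300-abb6-3dd810dd8b23

# Print which source exposes MokListXRT: "mokvar-table", "efi-variable",
# "split-variables" (only MokListXRT<N> fragments present) or "none".
# $1 is the sysfs root, default /sys.
mokx_source() {
    efi="${1:-/sys}/firmware/efi"
    if [ -f "$efi/mok-variables/MokListXRT" ]; then
        echo mokvar-table
    elif [ -f "$efi/efivars/MokListXRT-$SHIM_LOCK_GUID" ]; then
        echo efi-variable
    elif [ -f "$efi/efivars/MokListXRT1-$SHIM_LOCK_GUID" ]; then
        echo split-variables
    else
        echo none
    fi
}

# Count the MokListXRT<N> fragment variables present.
mokx_fragments() {
    n=0
    for f in "${1:-/sys}"/firmware/efi/efivars/MokListXRT[0-9]*-"$SHIM_LOCK_GUID"; do
        [ -f "$f" ] && n=$((n + 1))
    done
    echo "$n"
}

# Constructed fixture reproducing the shim 15.4 case from the commit message:
# no MOKvar table entry, no single MokListXRT variable, three fragments only.
make_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/firmware/efi/efivars" "$dir/firmware/efi/mok-variables"
    for i in 1 2 3; do
        : > "$dir/firmware/efi/efivars/MokListXRT$i-$SHIM_LOCK_GUID"
    done
    echo "$dir"
}

report() {
    src=$(mokx_source "$1")
    echo "MokListXRT source: $src (fragments: $(mokx_fragments "$1"))"
    [ "$src" = split-variables ] &&
        echo "only fragments: a kernel without the MOKvar table fallback loads no mokx certs into dbx"
}

# ./check.sh            inspects the live system
# ./check.sh --self-test runs against the constructed fixture
if [ "${1:-}" = "--self-test" ]; then fx=$(make_fixture); report "$fx"; rm -rf "$fx"; else report; fi
```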
