[SRU][BIONIC][PATCH 00/16] Support builtin revoked certificates and mokvar-table
Dimitri John Ledkov
dimitri.ledkov at canonical.com
Tue Nov 30 11:04:00 UTC 2021
BugLink: https://bugs.launchpad.net/bugs/1928679
BugLink: https://bugs.launchpad.net/bugs/1932029
Same story as before: backport support for builtin revoked
certificates, and add support for loading revoked certificates from
the mokvar-table.
Some of the patches had to be adjusted during backport. For example,
instead of patching security/integrity/platform_certs/load_uefi.c,
which does not exist in the v4.15 kernel, certs/load_uefi.c is patched.
Some error handling is done differently as well. For example, the EFI
"not found" status is not handled when loading keys from variables.
This series doesn't have any reverts, as the lockdown patchset is
mostly older without any major reorgs that didn't make upstream. It is
slightly larger than focal's one as support for EFI_CERT_X509_GUID did
not land via linux-stable updates.
After this patch is applied, the RT boot testing & kernel built-in
final check will catch any kernels that do not have
CONFIG_SYSTEM_REVOCATION_KEYS set. In bionic, this may trip up the
raspi2, snapdragon and kvm flavours, as they in theory can support
UEFI, but are not signed and may not enable all the lockdown and
keyring features. These flavours may need 70de61082d ("UBUNTU:
[Packaging] Add system trusted and revocation keys final check")
reverted, as was done in Focal, or need all the keyrings and builtin
revocation keys enabled.
Focal patches already reviewed and applied:
https://lists.ubuntu.com/archives/kernel-team/2021-October/124497.html
The following changes since commit 8233475840ca94121170efeaa4f661c7029ac576:
UBUNTU: Ubuntu-4.15.0-164.172 (2021-11-26 17:31:19 -0700)
are available in the Git repository at:
https://git.launchpad.net/~xnox/ubuntu/+source/linux/+git/bionic revocation-keys
for you to fetch changes up to 750558eb34dd84c912dbe004aca41987665535d5:
UBUNTU: [Config] Configure CONFIG_SYSTEM_REVOCATION_KEYS with revoked keys (2021-11-30 10:44:16 +0000)
This pull request can also be reviewed on launchpad at:
https://code.launchpad.net/~xnox/ubuntu/+source/linux/+git/bionic/+merge/412577
Ard Biesheuvel (2):
efi: mokvar-table: fix some issues in new code
efi: mokvar: add missing include of asm/early_ioremap.h
Borislav Petkov (1):
efi/mokvar: Reserve the table only if it is in boot services data
Dimitri John Ledkov (5):
UBUNTU: SAUCE: integrity: Load mokx certs from the EFI MOK config table
UBUNTU: SAUCE: integrity: add informational messages when revoking certs
UBUNTU: [Packaging] build canonical-revoked-certs.pem from branch/arch certs
UBUNTU: [Packaging] Revoke 2012 UEFI signing certificate as built-in
UBUNTU: [Config] Configure CONFIG_SYSTEM_REVOCATION_KEYS with revoked keys
Eric Snowberg (3):
certs: Add EFI_CERT_X509_GUID support for dbx entries
certs: Move load_system_certificate_list to a common function
certs: Add ability to preload revocation certs
Lenny Szubowicz (3):
efi: Support for MOK variable config table
integrity: Move import of MokListRT certs to a separate routine
integrity: Load certs from the EFI MOK config table
Linus Torvalds (1):
certs: add 'x509_revocation_list' to gitignore
Tim Gardner (1):
UBUNTU: SAUCE: Dump stack when X.509 certificates cannot be loaded
arch/x86/kernel/setup.c | 1 +
certs/.gitignore | 1 +
certs/Kconfig | 17 +
certs/Makefile | 21 +-
certs/blacklist.c | 67 ++++
certs/blacklist.h | 2 +
certs/common.c | 58 +++
certs/common.h | 9 +
certs/load_uefi.c | 109 +++++-
certs/revocation_certificates.S | 21 +
certs/system_keyring.c | 57 +--
debian.master/config/annotations | 1 +
debian.master/config/config.common.ubuntu | 2 +
.../revoked-certs/canonical-uefi-2012-all.pem | 86 +++++
debian/rules | 14 +-
drivers/firmware/efi/Makefile | 1 +
drivers/firmware/efi/arm-init.c | 1 +
drivers/firmware/efi/efi.c | 9 +
drivers/firmware/efi/mokvar-table.c | 362 ++++++++++++++++++
include/keys/system_keyring.h | 15 +
include/linux/efi.h | 34 ++
scripts/Makefile | 1 +
22 files changed, 824 insertions(+), 65 deletions(-)
create mode 100644 certs/common.c
create mode 100644 certs/common.h
create mode 100644 certs/revocation_certificates.S
create mode 100644 debian/revoked-certs/canonical-uefi-2012-all.pem
create mode 100644 drivers/firmware/efi/mokvar-table.c
--
2.32.0
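The dbx and mokx data this series teaches the kernel to consume ("certs: Add EFI_CERT_X509_GUID support for dbx entries", "Load mokx certs from the EFI MOK config table") is a chain of EFI_SIGNATURE_LISTs: EFI_CERT_X509_GUID entries carry whole DER certificates to revoke, EFI_CERT_SHA256_GUID entries carry hashes of individual binaries. The following is an added example, not code from this series, from the Ubuntu kernel tree or from upstream: a small C walker that classifies entries by their list's SignatureType GUID and rejects a truncated or mis-sized list before trusting any entry in it, which is the shape of check a loader must do on firmware-supplied data. The sample blob, the placeholder DER bytes, the all-zero SignatureOwner and the function names are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* GUIDs from the UEFI spec, in the mixed-endian byte order used on disk/in variables. */
typedef struct { uint8_t b[16]; } efi_guid_t;
static const efi_guid_t EFI_CERT_X509_GUID   = {{0xa1,0x59,0xc0,0xa5,0xe4,0x94,0xa7,0x4a,0x87,0xb5,0xab,0x15,0x5c,0x2b,0xf0,0x72}};
static const efi_guid_t EFI_CERT_SHA256_GUID = {{0x26,0x16,0xc4,0xc1,0x4c,0x50,0x92,0x40,0xac,0xa9,0x41,0xf9,0x36,0x93,0x43,0x28}};
static const efi_guid_t EFI_CERT_SHA1_GUID   = {{0x12,0xa5,0x6c,0x82,0x10,0xcf,0xc9,0x4a,0xb1,0x87,0xbe,0x01,0x49,0x66,0x31,0xbd}};

#define ESL_HDR 28  /* SignatureType GUID + SignatureListSize + SignatureHeaderSize + SignatureSize */
#define ESD_HDR 16  /* SignatureOwner GUID that precedes each SignatureData */

static uint32_t get_u32(const uint8_t *p) { return p[0] | (p[1] << 8) | (p[2] << 16) | ((uint32_t)p[3] << 24); }
static void put_u32(uint8_t *p, uint32_t v) { p[0] = v; p[1] = v >> 8; p[2] = v >> 16; p[3] = v >> 24; }
static int guid_eq(const uint8_t *p, const efi_guid_t *g) { return memcmp(p, g->b, 16) == 0; }

struct esl_stats {
    unsigned x509;           /* EFI_CERT_X509_GUID entries: whole DER certificates */
    unsigned sha256;         /* EFI_CERT_SHA256_GUID entries: hashes of individual binaries */
    unsigned skipped;        /* entries of any other type, which this walker ignores */
    size_t   first_x509_len; /* length of the first DER blob encountered */
};

/* Walk a chain of EFI_SIGNATURE_LISTs (the layout of dbx, MokListX and MokListXRT).
 * Returns 0 on success, -1 if any list or entry is truncated or mis-sized. */
int parse_esl(const uint8_t *buf, size_t len, struct esl_stats *st)
{
    memset(st, 0, sizeof *st);
    while (len > 0) {
        if (len < ESL_HDR) return -1;
        uint32_t lsize = get_u32(buf + 16);
        uint32_t hsize = get_u32(buf + 20);
        uint32_t esize = get_u32(buf + 24);
        if (lsize < ESL_HDR || lsize > len || lsize - ESL_HDR < hsize) return -1;
        if (esize <= ESD_HDR) return -1;                    /* an entry must carry some SignatureData */
        int type = guid_eq(buf, &EFI_CERT_X509_GUID) ? 1 : guid_eq(buf, &EFI_CERT_SHA256_GUID) ? 2 : 0;
        if (type == 2 && esize != ESD_HDR + 32) return -1;  /* SHA-256 entries are fixed size */
        const uint8_t *end = buf + lsize;
        for (const uint8_t *e = buf + ESL_HDR + hsize; e < end; e += esize) {
            if ((size_t)(end - e) < esize) return -1;       /* entry would run past its list */
            if (type == 1) {
                if (st->x509++ == 0) st->first_x509_len = esize - ESD_HDR;
            } else if (type == 2) {
                st->sha256++;
            } else {
                st->skipped++;
            }
        }
        buf = end;
        len -= lsize;
    }
    return 0;
}

/* Append one list holding n entries of dlen bytes each; returns bytes written, 0 if cap is too small. */
static size_t put_list(uint8_t *out, size_t cap, const efi_guid_t *type,
                       const uint8_t *data, uint32_t dlen, unsigned n)
{
    size_t lsize = ESL_HDR + (size_t)n * (ESD_HDR + dlen);
    if (lsize > cap) return 0;
    memcpy(out, type->b, 16);
    put_u32(out + 16, (uint32_t)lsize);
    put_u32(out + 20, 0);                   /* these types carry no per-list header */
    put_u32(out + 24, ESD_HDR + dlen);
    uint8_t *e = out + ESL_HDR;
    for (unsigned i = 0; i < n; i++, e += ESD_HDR + dlen) {
        memset(e, 0, ESD_HDR);              /* SignatureOwner: constructed, all zero */
        memcpy(e + ESD_HDR, data, dlen);
        e[ESD_HDR] ^= (uint8_t)i;           /* make the entries distinct */
    }
    return lsize;
}

/* Constructed sample, not real firmware data: one X.509 list with a placeholder
 * blob, one SHA-256 list with two hashes, one SHA-1 list the walker skips. */
size_t build_sample_esl(uint8_t *out, size_t cap)
{
    static const uint8_t fake_der[12] = {0x30,0x0a,'f','a','k','e','c','e','r','t','0','1'}; /* not valid DER */
    uint8_t hash[32]; memset(hash, 0x42, sizeof hash);
    uint8_t sha1[20]; memset(sha1, 0x24, sizeof sha1);
    size_t off = 0, w;
    if (!(w = put_list(out + off, cap - off, &EFI_CERT_X509_GUID, fake_der, 12, 1))) return 0; off += w;
    if (!(w = put_list(out + off, cap - off, &EFI_CERT_SHA256_GUID, hash, 32, 2))) return 0; off += w;
    if (!(w = put_list(out + off, cap - off, &EFI_CERT_SHA1_GUID, sha1, 20, 1))) return 0; off += w;
    return off;
}

int main(void)
{
    uint8_t blob[512];
    struct esl_stats st;
    size_t n = build_sample_esl(blob, sizeof blob);
    int rc = parse_esl(blob, n, &st);
    printf("rc=%d x509=%u sha256=%u skipped=%u first_x509_len=%zu\n",
           rc, st.x509, st.sha256, st.skipped, st.first_x509_len);
    /* A variable cut one byte short must be rejected outright, not partially trusted. */
    printf("truncated rc=%d\n", parse_esl(blob, n - 1, &st));
    return 0;
}
```

The two rejection paths worth noting are the per-list check (SignatureListSize must fit in what remains, and the header must fit inside the list) and the per-entry check (SignatureSize must not carry the cursor past the list end); a firmware or MOK variable that fails either is dropped whole rather than having the entries before the bad one loaded into the blacklist keyring.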