APPLIED/cmnt: [SRU][BIONIC][PATCH 00/16] Support builtin revoked certificates and mokvar-table
Kleber Souza
kleber.souza at canonical.com
Tue Nov 30 16:13:06 UTC 2021
On 30.11.21 12:04, Dimitri John Ledkov wrote:
> BugLink: https://bugs.launchpad.net/bugs/1928679
> BugLink: https://bugs.launchpad.net/bugs/1932029
>
> Same story as before, backport support for builtin revoked
> certificates, add support loading revoked certificates from
> mokvar-table.
>
> Some of the patches had to be adjusted during backport. For example,
> instead of patching security/integrity/platform_certs/load_uefi.c,
> which does not exist in the v4.15 kernel, certs/load_uefi.c is patched.
> Some error handling is done differently as well. For example, EFI
> status "not found" is not handled when loading keys from variables.
>
> This series doesn't have any reverts, as the lockdown patchset is
> mostly older without any major reorgs that didn't make upstream. It is
> slightly larger than focal's one as support for EFI_CERT_X509_GUID did
> not land via linux-stable updates.
>
> After this patch is applied, the RT boot testing & kernel built-in
> final check will catch any kernels that do not have
> CONFIG_SYSTEM_REVOCATION_KEYS set. In bionic, this may trip up raspi2,
> snapdragon, kvm flavours as they in theory can support UEFI, but are
> not signed and may not enable all the lockdown and keyring
> features. These flavours may need reverting 70de61082d ("UBUNTU:
> [Packaging] Add system trusted and revocation keys final check") as
> was done in Focal. Or enable all the keyrings and builtin revocation
> keys.
>
> Focal patches already reviewed and applied:
>
> https://lists.ubuntu.com/archives/kernel-team/2021-October/124497.html
>
> The following changes since commit 8233475840ca94121170efeaa4f661c7029ac576:
>
> UBUNTU: Ubuntu-4.15.0-164.172 (2021-11-26 17:31:19 -0700)
>
> are available in the Git repository at:
>
> https://git.launchpad.net/~xnox/ubuntu/+source/linux/+git/bionic revocation-keys
>
> for you to fetch changes up to 750558eb34dd84c912dbe004aca41987665535d5:
>
> UBUNTU: [Config] Configure CONFIG_SYSTEM_REVOCATION_KEYS with revoked keys (2021-11-30 10:44:16 +0000)
>
> This pull request can also be reviewed on launchpad at:
>
> https://code.launchpad.net/~xnox/ubuntu/+source/linux/+git/bionic/+merge/412577
>
> Ard Biesheuvel (2):
> efi: mokvar-table: fix some issues in new code
> efi: mokvar: add missing include of asm/early_ioremap.h
>
> Borislav Petkov (1):
> efi/mokvar: Reserve the table only if it is in boot services data
>
> Dimitri John Ledkov (5):
> UBUNTU: SAUCE: integrity: Load mokx certs from the EFI MOK config table
> UBUNTU: SAUCE: integrity: add informational messages when revoking certs
> UBUNTU: [Packaging] build canonical-revoked-certs.pem from branch/arch certs
> UBUNTU: [Packaging] Revoke 2012 UEFI signing certificate as built-in
> UBUNTU: [Config] Configure CONFIG_SYSTEM_REVOCATION_KEYS with revoked keys
>
> Eric Snowberg (3):
> certs: Add EFI_CERT_X509_GUID support for dbx entries
> certs: Move load_system_certificate_list to a common function
> certs: Add ability to preload revocation certs
>
> Lenny Szubowicz (3):
> efi: Support for MOK variable config table
> integrity: Move import of MokListRT certs to a separate routine
> integrity: Load certs from the EFI MOK config table
>
> Linus Torvalds (1):
> certs: add 'x509_revocation_list' to gitignore
>
> Tim Gardner (1):
> UBUNTU: SAUCE: Dump stack when X.509 certificates cannot be loaded
>
> arch/x86/kernel/setup.c | 1 +
> certs/.gitignore | 1 +
> certs/Kconfig | 17 +
> certs/Makefile | 21 +-
> certs/blacklist.c | 67 ++++
> certs/blacklist.h | 2 +
> certs/common.c | 58 +++
> certs/common.h | 9 +
> certs/load_uefi.c | 109 +++++-
> certs/revocation_certificates.S | 21 +
> certs/system_keyring.c | 57 +--
> debian.master/config/annotations | 1 +
> debian.master/config/config.common.ubuntu | 2 +
> .../revoked-certs/canonical-uefi-2012-all.pem | 86 +++++
> debian/rules | 14 +-
> drivers/firmware/efi/Makefile | 1 +
> drivers/firmware/efi/arm-init.c | 1 +
> drivers/firmware/efi/efi.c | 9 +
> drivers/firmware/efi/mokvar-table.c | 362 ++++++++++++++++++
> include/keys/system_keyring.h | 15 +
> include/linux/efi.h | 34 ++
> scripts/Makefile | 1 +
> 22 files changed, 824 insertions(+), 65 deletions(-)
> create mode 100644 certs/common.c
> create mode 100644 certs/common.h
> create mode 100644 certs/revocation_certificates.S
> create mode 100644 debian/revoked-certs/canonical-uefi-2012-all.pem
> create mode 100644 drivers/firmware/efi/mokvar-table.c
>
Patches 5 and 6 come from focal:linux, so I have added the "cherry picked from ..."
line and Dimitri's SOB. I have also replaced the BugLink with LP#1932029.
Applied to bionic:linux.
Thanks,
Kleber