[SRU][FOCAL][PATCH 00/16] Support builtin revoked certificates and mokvar-table
Dimitri John Ledkov
dimitri.ledkov at canonical.com
Fri Oct 1 15:44:16 UTC 2021
BugLink: https://bugs.launchpad.net/bugs/1928679
BugLink: https://bugs.launchpad.net/bugs/1932029
Same story as before: backport support for builtin revoked
certificates, and add support for loading revoked certificates from
the mokvar-table.
Note that due to old lockdown patches and cherry-picks of fixes, the first
commit partially reverts some changes of the internal function calls
to make them closer to what has ended up in vanilla upstream
kernels. Whilst the diff in
security/integrity/platform_certs/load_uefi.c is large against focal,
it is very small when compared with impish.
This SRU includes mokvar table driver.
Note to crankers: when rebasing derivative kernels one must also
adjust the config to enable CONFIG_SYSTEM_REVOCATION_KEYS. Without
adjusting the config, boot testing will fail, as it will notice that
support is available but not turned on.
Built with cbd for all arches and tested in VM.
Most patches are cherry-picks from upstream, apart from UBUNTU: ones
which are packaging or SAUCE patch cherry-picks from impish:linux.
Previous backports of this:
v5.13: https://lists.ubuntu.com/archives/kernel-team/2021-June/121362.html
v5.11: https://lists.ubuntu.com/archives/kernel-team/2021-August/122996.html
v5.10: https://lists.ubuntu.com/archives/kernel-team/2021-August/123470.html
v5.8: https://lists.ubuntu.com/archives/kernel-team/2021-September/124336.html
By popular demand this is also available as a git branch / pull
request and launchpad merge request:
https://code.launchpad.net/~xnox/ubuntu/+source/linux/+git/focal/+merge/409374
The following changes since commit a4a17166114e9aece92a2525226433d3c9c77f72:
UBUNTU: upstream stable to v5.4.145 (2021-10-01 11:34:04 +0200)
are available in the Git repository at:
https://git.launchpad.net/~xnox/ubuntu/+source/linux/+git/focal 5.4-revocation-certs
for you to fetch changes up to 1b21f2893dfddb55335bad4bc8d0eae3074a9753:
UBUNTU: [Config] Configure CONFIG_SYSTEM_REVOCATION_KEYS with revoked keys (2021-10-01 16:11:49 +0100)
Ard Biesheuvel (2):
efi: mokvar-table: fix some issues in new code
efi: mokvar: add missing include of asm/early_ioremap.h
Borislav Petkov (1):
efi/mokvar: Reserve the table only if it is in boot services data
Dimitri John Ledkov (6):
Revert "UBUNTU: SAUCE: (lockdown) Make get_cert_list() not complain about cert lists that aren't present."
UBUNTU: SAUCE: integrity: Load mokx certs from the EFI MOK config table
UBUNTU: SAUCE: integrity: add informational messages when revoking certs
UBUNTU: [Packaging] build canonical-revoked-certs.pem from branch/arch certs
UBUNTU: [Packaging] Revoke 2012 UEFI signing certificate as built-in
UBUNTU: [Config] Configure CONFIG_SYSTEM_REVOCATION_KEYS with revoked keys
Eric Snowberg (2):
certs: Add ability to preload revocation certs
integrity: Load mokx variables into the blacklist keyring
Lenny Szubowicz (3):
efi: Support for MOK variable config table
integrity: Move import of MokListRT certs to a separate routine
integrity: Load certs from the EFI MOK config table
Linus Torvalds (1):
certs: add 'x509_revocation_list' to gitignore
Tim Gardner (1):
UBUNTU: SAUCE: Dump stack when X.509 certificates cannot be loaded
arch/x86/kernel/setup.c | 1 +
arch/x86/platform/efi/efi.c | 3 +
certs/.gitignore | 1 +
certs/Kconfig | 8 +
certs/Makefile | 19 +-
certs/blacklist.c | 24 ++
certs/common.c | 1 +
certs/revocation_certificates.S | 21 +
debian.master/config/annotations | 1 +
debian.master/config/config.common.ubuntu | 1 +
.../revoked-certs/canonical-uefi-2012-all.pem | 86 +++++
debian/rules | 14 +-
drivers/firmware/efi/Makefile | 1 +
drivers/firmware/efi/arm-init.c | 1 +
drivers/firmware/efi/efi.c | 6 +
drivers/firmware/efi/mokvar-table.c | 362 ++++++++++++++++++
include/linux/efi.h | 34 ++
scripts/Makefile | 1 +
.../platform_certs/keyring_handler.c | 1 +
security/integrity/platform_certs/load_uefi.c | 138 +++++--
20 files changed, 684 insertions(+), 40 deletions(-)
create mode 100644 certs/revocation_certificates.S
create mode 100644 debian/revoked-certs/canonical-uefi-2012-all.pem
create mode 100644 drivers/firmware/efi/mokvar-table.c
--
2.30.2
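The note to crankers above warns that a rebased config with revocation support built in but CONFIG_SYSTEM_REVOCATION_KEYS left unset fails boot testing. The helper below is an added example (not part of this series or of the Ubuntu kernel packaging) that checks a kernel .config for exactly that state before a build is booted; it assumes the upstream gate symbol CONFIG_SYSTEM_REVOCATION_LIST from the "certs: Add ability to preload revocation certs" change, and that the PEM path in CONFIG_SYSTEM_REVOCATION_KEYS is relative to the kernel build tree.

```shell
# Added example: pre-boot sanity check for the revocation-keys config.
# Prints one of: configured | keys-unset | unsupported
# "keys-unset" is the "support is available but not turned on" case
# that the boot test rejects.
revocation_config_state() {
    cfg="$1"
    list=$(sed -n 's/^CONFIG_SYSTEM_REVOCATION_LIST=//p' "$cfg")
    keys=$(sed -n 's/^CONFIG_SYSTEM_REVOCATION_KEYS="\(.*\)"$/\1/p' "$cfg")
    if [ "$list" != "y" ]; then
        echo unsupported
    elif [ -z "$keys" ]; then
        echo keys-unset
    else
        echo configured
    fi
}

# Print the PEM path named by CONFIG_SYSTEM_REVOCATION_KEYS (empty if unset).
revocation_keys_path() {
    sed -n 's/^CONFIG_SYSTEM_REVOCATION_KEYS="\(.*\)"$/\1/p' "$1"
}

# Count certificates in a PEM bundle, so an empty or truncated revoked-certs
# file is caught before the kernel is booted. Prints 0 for a missing file.
pem_cert_count() {
    if [ -r "$1" ]; then
        grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
    else
        echo 0
    fi
}

# Usage: sh check-revocation-config.sh <.config> [kernel-build-tree]
# (the tree argument is an assumption of this example, used to resolve
# the relative PEM path; defaults to the current directory)
if [ $# -gt 0 ]; then
    state=$(revocation_config_state "$1")
    echo "revocation keys: $state"
    if [ "$state" = configured ]; then
        pem="${2:-.}/$(revocation_keys_path "$1")"
        echo "certificates in $pem: $(pem_cert_count "$pem")"
    fi
fi
```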