ACK/Cmnt: [SRU][F/hwe-5.8][PATCH 00/18] Support builtin revoked certificates and mokvar-table

Stefan Bader stefan.bader at canonical.com
Mon Oct 4 13:19:16 UTC 2021 

On 27.09.21 17:56, Dimitri John Ledkov wrote:
> BugLink: https://bugs.launchpad.net/bugs/1928679
> BugLink: https://bugs.launchpad.net/bugs/1932029
> Link: https://trello.com/c/iPc3IqC9 (private)
> 
> Same story as before, backport support for builtin revoked
> certificates, add support loading revoked certificates from
> mokvar-table. Note that for v5.8 it also means backporting the
> mokvar-table driver as a whole, since it was only introduced upstream
> in v5.9.
> 
> This backport is for hwe-5.8 kernel, which whilst not built/released
> anymore, is used as basis for azure-5.8 kernel. If/when azure-5.8 is
> cranked on top of these changes, it must also adjust the config to
> enable CONFIG_SYSTEM_REVOCATION_KEYS. Without adjusting the config
> boot testing will fail, as it will notice that support is available
> but not turned on.
> 
> Built as hwe-5.8 kernel and tested in VM.
> 
> Most patches are cherry-picks from upstream, apart from UBUNTU: ones
> which are packaging or SAUCE patch cherry-picks from impish:linux.
> 
> Previous backports of this:
> v5.13: https://lists.ubuntu.com/archives/kernel-team/2021-June/121362.html
> v5.11: https://lists.ubuntu.com/archives/kernel-team/2021-August/122996.html
> v5.10: https://lists.ubuntu.com/archives/kernel-team/2021-August/123470.html
> 
> 
> Ard Biesheuvel (2):
>    efi: mokvar-table: fix some issues in new code
>    efi: mokvar: add missing include of asm/early_ioremap.h
> 
> Borislav Petkov (1):
>    efi/mokvar: Reserve the table only if it is in boot services data
> 
> Dimitri John Ledkov (6):
>    Revert "UBUNTU: SAUCE: Dump stack when X.509 certificates cannot be
>      loaded"
>    UBUNTU: SAUCE: integrity: Load mokx certs from the EFI MOK config
>      table
>    UBUNTU: SAUCE: integrity: add informational messages when revoking
>      certs
>    UBUNTU: [Packaging] build canonical-revoked-certs.pem from branch/arch
>      certs
>    UBUNTU: [Packaging] Revoke 2012 UEFI signing certificate as built-in
>    UBUNTU: [Config] Configure CONFIG_SYSTEM_REVOCATION_KEYS with revoked
>      keys
> 
> Eric Snowberg (4):
>    certs: Add EFI_CERT_X509_GUID support for dbx entries
>    certs: Move load_system_certificate_list to a common function
>    certs: Add ability to preload revocation certs
>    integrity: Load mokx variables into the blacklist keyring
> 
> Lenny Szubowicz (3):
>    efi: Support for MOK variable config table
>    integrity: Move import of MokListRT certs to a separate routine
>    integrity: Load certs from the EFI MOK config table
> 
> Linus Torvalds (1):
>    certs: add 'x509_revocation_list' to gitignore
> 
> Tim Gardner (1):
>    UBUNTU: SAUCE: Dump stack when X.509 certificates cannot be loaded
> 
>   arch/x86/kernel/setup.c                       |   1 +
>   arch/x86/platform/efi/efi.c                   |   3 +
>   certs/.gitignore                              |   1 +
>   certs/Kconfig                                 |  17 +
>   certs/Makefile                                |  21 +-
>   certs/blacklist.c                             |  67 ++++
>   certs/blacklist.h                             |   2 +
>   certs/common.c                                |  58 +++
>   certs/common.h                                |   9 +
>   certs/revocation_certificates.S               |  21 +
>   certs/system_keyring.c                        |  56 +--
>   debian.hwe-5.8/config/config.common.ubuntu    |   2 +
>   debian.master/config/annotations              |   1 +
>   debian.master/config/config.common.ubuntu     |   2 +
>   .../revoked-certs/canonical-uefi-2012-all.pem |  86 +++++
>   debian/rules                                  |  14 +-
>   drivers/firmware/efi/Makefile                 |   1 +
>   drivers/firmware/efi/arm-init.c               |   1 +
>   drivers/firmware/efi/efi.c                    |   6 +
>   drivers/firmware/efi/mokvar-table.c           | 362 ++++++++++++++++++
>   include/keys/system_keyring.h                 |  15 +
>   include/linux/efi.h                           |  34 ++
>   scripts/Makefile                              |   1 +
>   .../platform_certs/keyring_handler.c          |  12 +
>   security/integrity/platform_certs/load_uefi.c | 107 +++++-
>   25 files changed, 830 insertions(+), 70 deletions(-)
>   create mode 100644 certs/common.c
>   create mode 100644 certs/common.h
>   create mode 100644 certs/revocation_certificates.S
>   create mode 100644 debian/revoked-certs/canonical-uefi-2012-all.pem
>   create mode 100644 drivers/firmware/efi/mokvar-table.c
> 

Disclaimer, I looked at the pull-request but chose to reply to the thread with 
patches. Generally the content looks roughly ok (concentrated more on the places 
which modify code than on completely new functions). For hwe-5.8 it would not be 
necessary to make any modifications to debian.master but it does not hurt either.
Maybe only notpick is that we commonly change the cherry pick lines into

(cherry picked from <sha1> impish:linux)

There are some patches at the beginning which miss the info and personally I 
found the additional line in other patches easy to be missed when glancing 
through things. That could be done when applying.

Acked-by: Stefan Bader <stefan.bader at canonical.com>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20211004/2c040c90/attachment-0001.sig>

More information about the kernel-team mailing list