[SRU][FOCAL][PATCH 00/16] Support builtin revoked certificates and mokvar-table
Dimitri John Ledkov
dimitri.ledkov at canonical.com
Mon Oct 4 14:15:17 UTC 2021
On Mon, Oct 4, 2021 at 2:36 PM Stefan Bader <stefan.bader at canonical.com> wrote:
>
> On 01.10.21 17:44, Dimitri John Ledkov wrote:
> > BugLink: https://bugs.launchpad.net/bugs/1928679
> > BugLink: https://bugs.launchpad.net/bugs/1932029
> >
> > Same story as before: backport support for builtin revoked
> > certificates, and add support for loading revoked certificates from
> > the mokvar-table.
> >
> > Note due to old lockdown patches, and cherry-pick of fixes, the first
> > commit partially reverts some changes of the internal function calls
> > to make them closer to what has ended up in vanilla upstream
> > kernels. Whilst the diff in
> > security/integrity/platform_certs/load_uefi.c is large against focal,
> > it is very small when compared with impish.
> >
> > This SRU includes mokvar table driver.
> >
> > Note to crankers - when rebasing derivative kernels one must also
> > adjust the config to enable CONFIG_SYSTEM_REVOCATION_KEYS. Without
> > adjusting the config boot testing will fail, as it will notice that
> > support is available but not turned on.
> >
> > Built with cbd for all arches and tested in VM.
> >
> > Most patches are cherry-picks from upstream, apart from UBUNTU: ones
> > which are packaging or SAUCE patch cherry-picks from impish:linux.
> >
> > Previous backports of this:
> > v5.13: https://lists.ubuntu.com/archives/kernel-team/2021-June/121362.html
> > v5.11: https://lists.ubuntu.com/archives/kernel-team/2021-August/122996.html
> > v5.10: https://lists.ubuntu.com/archives/kernel-team/2021-August/123470.html
> > v5.8: https://lists.ubuntu.com/archives/kernel-team/2021-September/124336.html
> >
> > By popular demand this is also available as a git branch / pull
> > request and launchpad merge request:
> >
> > https://code.launchpad.net/~xnox/ubuntu/+source/linux/+git/focal/+merge/409374
> >
> > The following changes since commit a4a17166114e9aece92a2525226433d3c9c77f72:
> >
> > UBUNTU: upstream stable to v5.4.145 (2021-10-01 11:34:04 +0200)
> >
> > are available in the Git repository at:
> >
> > https://git.launchpad.net/~xnox/ubuntu/+source/linux/+git/focal 5.4-revocation-certs
> >
> > for you to fetch changes up to 1b21f2893dfddb55335bad4bc8d0eae3074a9753:
> >
> > UBUNTU: [Config] Configure CONFIG_SYSTEM_REVOCATION_KEYS with revoked keys (2021-10-01 16:11:49 +0100)
> >
> > Ard Biesheuvel (2):
> >       efi: mokvar-table: fix some issues in new code
> >       efi: mokvar: add missing include of asm/early_ioremap.h
> >
> > Borislav Petkov (1):
> >       efi/mokvar: Reserve the table only if it is in boot services data
> >
> > Dimitri John Ledkov (6):
> >       Revert "UBUNTU: SAUCE: (lockdown) Make get_cert_list() not complain about cert lists that aren't present."
> >       UBUNTU: SAUCE: integrity: Load mokx certs from the EFI MOK config table
> >       UBUNTU: SAUCE: integrity: add informational messages when revoking certs
> >       UBUNTU: [Packaging] build canonical-revoked-certs.pem from branch/arch certs
> >       UBUNTU: [Packaging] Revoke 2012 UEFI signing certificate as built-in
> >       UBUNTU: [Config] Configure CONFIG_SYSTEM_REVOCATION_KEYS with revoked keys
> >
> > Eric Snowberg (2):
> >       certs: Add ability to preload revocation certs
> >       integrity: Load mokx variables into the blacklist keyring
> >
> > Lenny Szubowicz (3):
> >       efi: Support for MOK variable config table
> >       integrity: Move import of MokListRT certs to a separate routine
> >       integrity: Load certs from the EFI MOK config table
> >
> > Linus Torvalds (1):
> >       certs: add 'x509_revocation_list' to gitignore
> >
> > Tim Gardner (1):
> >       UBUNTU: SAUCE: Dump stack when X.509 certificates cannot be loaded
> >
> >  arch/x86/kernel/setup.c                        |   1 +
> >  arch/x86/platform/efi/efi.c                    |   3 +
> >  certs/.gitignore                               |   1 +
> >  certs/Kconfig                                  |   8 +
> >  certs/Makefile                                 |  19 +-
> >  certs/blacklist.c                              |  24 ++
> >  certs/common.c                                 |   1 +
> >  certs/revocation_certificates.S                |  21 +
> >  debian.master/config/annotations               |   1 +
> >  debian.master/config/config.common.ubuntu      |   1 +
> >  .../revoked-certs/canonical-uefi-2012-all.pem  |  86 +++++
> >  debian/rules                                   |  14 +-
> >  drivers/firmware/efi/Makefile                  |   1 +
> >  drivers/firmware/efi/arm-init.c                |   1 +
> >  drivers/firmware/efi/efi.c                     |   6 +
> >  drivers/firmware/efi/mokvar-table.c            | 362 ++++++++++++++++++
> >  include/linux/efi.h                            |  34 ++
> >  scripts/Makefile                               |   1 +
> >  .../platform_certs/keyring_handler.c           |   1 +
> >  security/integrity/platform_certs/load_uefi.c  | 138 +++++--
> >  20 files changed, 684 insertions(+), 40 deletions(-)
> > create mode 100644 certs/revocation_certificates.S
> > create mode 100644 debian/revoked-certs/canonical-uefi-2012-all.pem
> > create mode 100644 drivers/firmware/efi/mokvar-table.c
> >
>
> Just out of curiosity... why is the Focal set only 16 patches while the 5.8
> backport was 18? The latter had a revert and re-apply while the new Focal set
> has one Revert only. I am sure I am missing something...
>
Each kernel series has a different number of patches, based on whether
or not stable series were alive when they got backported upstream, and
on whether the upstream backports included all the things or not, and also
on how the conflicts were resolved when applying stable update
cherry-picks. Hence so far every series backport has been of a different
length.

The mainline patches:

81f2023158 certs: add 'x509_revocation_list' to gitignore
ebd9c2ae36 integrity: Load mokx variables into the blacklist keyring
d1f044103d certs: Add ability to preload revocation certs
2565ca7f5e certs: Move load_system_certificate_list to a common function
56c5812623 certs: Add EFI_CERT_X509_GUID support for dbx entries

are needed to implement builtin & mokvar-table based revocations, and
yet only some of the above got backported via -stable trees to a
subset of series. When any of the above were missing via the stable series,
I had to cherry-pick them.

Plus the mokvar-table driver, which Ubuntu's shim requires (as otherwise
buggy EFI firmwares fail to mirror variables and let the kernel access
things), never made it back via stable trees, hence I also had to
backport the mokvar-table driver when not present:

af963802dd efi/mokvar: Reserve the table only if it is in boot services data
cc383a9e24 efi: mokvar: add missing include of asm/early_ioremap.h
b89114cd01 efi: mokvar-table: fix some issues in new code
58c909022a efi: Support for MOK variable config table

I think we are the only ones who care as much about all of these
backports, because out of all the other distros we are the ones who have
been signing things the longest, and have the largest number of keys to
revoke. Meaning others are not affected by low EFI variable runtime
space / mirroring firmware bugs, hence all of these fixes are in
mainline for their future revocations.
> I think the note to crankers would be best placed into a card (I think there is
> one already which could get extended) which we can link into the individual cranks.
Ack.
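The cover letter's note to crankers (boot testing fails when the revocation support is built but CONFIG_SYSTEM_REVOCATION_KEYS is left unset) and the reply's point that the mokvar-table driver is what lets the kernel see MokListXRT on firmware that does not mirror the variables suggest a small post-boot check. The script below is an added example, not part of this patch set or of Ubuntu's kernel packaging. It assumes the upstream Kconfig names CONFIG_SYSTEM_REVOCATION_LIST and CONFIG_SYSTEM_REVOCATION_KEYS, the "Revoked X.509 cert" wording of the kernel's blacklist log message, and the /sys/firmware/efi/mok-variables/ directory exported by the mokvar-table driver; the config, dmesg and sysfs samples it builds are constructed, not captured from a real machine.

```shell
#!/bin/sh
# Added example (not from the patch set): sanity checks for builtin
# revoked certificates and the mokvar table after a kernel boot.
# Every function works on a path argument, so the same checks can run on
# the constructed samples below or on the live /boot/config-$(uname -r),
# saved dmesg output and /sys/firmware/efi/mok-variables.

# 0 when the config both enables the revocation list and embeds a PEM file
# via CONFIG_SYSTEM_REVOCATION_KEYS (assumed upstream symbol names); 1 when
# the support is compiled in but no revoked keys are built in, which is the
# case the cover letter warns crankers about.
check_revocation_config() {
    cfg="$1"
    grep -qx 'CONFIG_SYSTEM_REVOCATION_LIST=y' "$cfg" || return 1
    keys=$(sed -n 's/^CONFIG_SYSTEM_REVOCATION_KEYS="\(.*\)"$/\1/p' "$cfg")
    [ -n "$keys" ]
}

# Number of certificates the blacklist code reported as revoked at boot
# (assumed log wording "Revoked X.509 cert"); prints 0 rather than failing
# when there are none, so callers can compare the value.
count_revoked_certs() {
    grep -c 'Revoked X.509 cert' "$1" || :
}

# 0 when the mokvar-table driver exposed MokListXRT (the mirrored revocation
# list) under the given directory; on a live system pass
# /sys/firmware/efi/mok-variables (assumed sysfs path).
check_mokvar_table() {
    [ -r "$1/MokListXRT" ]
}

# Constructed samples so the checks run offline.  The certificate subjects
# and hashes are placeholders, not real Canonical signing keys.
make_samples() {
    sdir=$(mktemp -d)
    cat > "$sdir/config.good" <<'EOF'
CONFIG_SYSTEM_BLACKLIST_KEYRING=y
CONFIG_SYSTEM_REVOCATION_LIST=y
CONFIG_SYSTEM_REVOCATION_KEYS="debian/canonical-revoked-certs.pem"
EOF
    cat > "$sdir/config.bad" <<'EOF'
CONFIG_SYSTEM_BLACKLIST_KEYRING=y
CONFIG_SYSTEM_REVOCATION_LIST=y
CONFIG_SYSTEM_REVOCATION_KEYS=""
EOF
    cat > "$sdir/dmesg.sample" <<'EOF'
[    1.100000] integrity: Loading X.509 certificate: UEFI:MokListRT
[    1.100100] blacklist: Revoked X.509 cert 'Example Secure Boot Signing (2012): 0000000000000000000000000000000000000001'
[    1.100200] blacklist: Revoked X.509 cert 'Example Secure Boot Signing (2015): 0000000000000000000000000000000000000002'
[    1.100300] integrity: Loading X.509 certificate: UEFI:db
EOF
    mkdir -p "$sdir/mok-variables"
    : > "$sdir/mok-variables/MokListXRT"
    echo "$sdir"
}

# Run all checks against the constructed samples and report.
run_checks() {
    rdir=$(make_samples)
    check_revocation_config "$rdir/config.good" \
        && echo "config.good: revocation list enabled with built-in keys"
    check_revocation_config "$rdir/config.bad" \
        || echo "config.bad: support compiled in but CONFIG_SYSTEM_REVOCATION_KEYS is empty"
    echo "certs revoked at boot: $(count_revoked_certs "$rdir/dmesg.sample")"
    check_mokvar_table "$rdir/mok-variables" \
        && echo "MokListXRT present via the mokvar table"
    rm -rf "$rdir"
}

run_checks
```

On a real Focal machine the same functions can be pointed at `/boot/config-$(uname -r)`, a file produced by `dmesg > /tmp/dmesg.txt`, and `/sys/firmware/efi/mok-variables`; `keyctl list %:.blacklist` then shows the keys that the counted log lines correspond to.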