APPLIED: [SRU][F/hwe-5.8][PATCH 00/18] Support builtin revoked certificates and mokvar-table
Stefan Bader
stefan.bader at canonical.com
Mon Oct 4 15:01:05 UTC 2021
On 27.09.21 17:56, Dimitri John Ledkov wrote:
> BugLink: https://bugs.launchpad.net/bugs/1928679
> BugLink: https://bugs.launchpad.net/bugs/1932029
> Link: https://trello.com/c/iPc3IqC9 (private)
>
> Same story as before, backport support for builtin revoked
> certificates, add support loading revoked certificates from
> mokvar-table. Note that for v5.8 it also means backporting the
> mokvar-table driver as a whole, since it was only introduced upstream
> in v5.9.
>
> This backport is for hwe-5.8 kernel, which whilst not built/released
> anymore, is used as basis for azure-5.8 kernel. If/when azure-5.8 is
> cranked on top of these changes, it must also adjust the config to
> enable CONFIG_SYSTEM_REVOCATION_KEYS. Without adjusting the config
> boot testing will fail, as it will notice that support is available
> but not turned on.
>
> Built as hwe-5.8 kernel and tested in VM.
>
> Most patches are cherry-picks from upstream, apart from UBUNTU: ones
> which are packaging or SAUCE patch cherry-picks from impish:linux.
>
> Previous backports of this:
> v5.13: https://lists.ubuntu.com/archives/kernel-team/2021-June/121362.html
> v5.11: https://lists.ubuntu.com/archives/kernel-team/2021-August/122996.html
> v5.10: https://lists.ubuntu.com/archives/kernel-team/2021-August/123470.html
>
>
> Ard Biesheuvel (2):
> efi: mokvar-table: fix some issues in new code
> efi: mokvar: add missing include of asm/early_ioremap.h
>
> Borislav Petkov (1):
> efi/mokvar: Reserve the table only if it is in boot services data
>
> Dimitri John Ledkov (6):
> Revert "UBUNTU: SAUCE: Dump stack when X.509 certificates cannot be
> loaded"
> UBUNTU: SAUCE: integrity: Load mokx certs from the EFI MOK config
> table
> UBUNTU: SAUCE: integrity: add informational messages when revoking
> certs
> UBUNTU: [Packaging] build canonical-revoked-certs.pem from branch/arch
> certs
> UBUNTU: [Packaging] Revoke 2012 UEFI signing certificate as built-in
> UBUNTU: [Config] Configure CONFIG_SYSTEM_REVOCATION_KEYS with revoked
> keys
>
> Eric Snowberg (4):
> certs: Add EFI_CERT_X509_GUID support for dbx entries
> certs: Move load_system_certificate_list to a common function
> certs: Add ability to preload revocation certs
> integrity: Load mokx variables into the blacklist keyring
>
> Lenny Szubowicz (3):
> efi: Support for MOK variable config table
> integrity: Move import of MokListRT certs to a separate routine
> integrity: Load certs from the EFI MOK config table
>
> Linus Torvalds (1):
> certs: add 'x509_revocation_list' to gitignore
>
> Tim Gardner (1):
> UBUNTU: SAUCE: Dump stack when X.509 certificates cannot be loaded
>
> arch/x86/kernel/setup.c | 1 +
> arch/x86/platform/efi/efi.c | 3 +
> certs/.gitignore | 1 +
> certs/Kconfig | 17 +
> certs/Makefile | 21 +-
> certs/blacklist.c | 67 ++++
> certs/blacklist.h | 2 +
> certs/common.c | 58 +++
> certs/common.h | 9 +
> certs/revocation_certificates.S | 21 +
> certs/system_keyring.c | 56 +--
> debian.hwe-5.8/config/config.common.ubuntu | 2 +
> debian.master/config/annotations | 1 +
> debian.master/config/config.common.ubuntu | 2 +
> .../revoked-certs/canonical-uefi-2012-all.pem | 86 +++++
> debian/rules | 14 +-
> drivers/firmware/efi/Makefile | 1 +
> drivers/firmware/efi/arm-init.c | 1 +
> drivers/firmware/efi/efi.c | 6 +
> drivers/firmware/efi/mokvar-table.c | 362 ++++++++++++++++++
> include/keys/system_keyring.h | 15 +
> include/linux/efi.h | 34 ++
> scripts/Makefile | 1 +
> .../platform_certs/keyring_handler.c | 12 +
> security/integrity/platform_certs/load_uefi.c | 107 +++++-
> 25 files changed, 830 insertions(+), 70 deletions(-)
> create mode 100644 certs/common.c
> create mode 100644 certs/common.h
> create mode 100644 certs/revocation_certificates.S
> create mode 100644 debian/revoked-certs/canonical-uefi-2012-all.pem
> create mode 100644 drivers/firmware/efi/mokvar-table.c
>
Applied to focal:linux-hwe-5.8/hwe-5.8. Thanks.
-Stefan
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20211004/14d36bec/attachment-0001.sig>
More information about the kernel-team
mailing list