APPLIED: [SRU][FOCAL][PATCH 00/16] Support builtin revoked certificates and mokvar-table

Kelsey Skunberg kelsey.skunberg at canonical.com
Wed Oct 13 23:43:05 UTC 2021


Applied to Focal master-next. Thank you! 

-Kelsey

On 2021-10-01 16:44:16 , Dimitri John Ledkov wrote:
> BugLink: https://bugs.launchpad.net/bugs/1928679
> BugLink: https://bugs.launchpad.net/bugs/1932029
> 
> Same story as before: backport support for builtin revoked
> certificates, and add support for loading revoked certificates from
> mokvar-table.
> 
> Note: due to old lockdown patches, and cherry-picks of fixes, the first
> commit partially reverts some changes of the internal function calls
> to make them closer to what has ended up in vanilla upstream
> kernels. Whilst the diff in
> security/integrity/platform_certs/load_uefi.c is large against focal,
> it is very small when compared with impish.
> 
> This SRU includes mokvar table driver.
> 
> Note to crankers - when rebasing derivative kernels one must also
> adjust the config to enable CONFIG_SYSTEM_REVOCATION_KEYS. Without
> adjusting the config, boot testing will fail, as it will notice that
> support is available but not turned on.
> 
> Built with cbd for all arches and tested in VM.
> 
> Most patches are cherry-picks from upstream, apart from UBUNTU: ones
> which are packaging or SAUCE patch cherry-picks from impish:linux.
> 
> Previous backports of this:
> v5.13: https://lists.ubuntu.com/archives/kernel-team/2021-June/121362.html
> v5.11: https://lists.ubuntu.com/archives/kernel-team/2021-August/122996.html
> v5.10: https://lists.ubuntu.com/archives/kernel-team/2021-August/123470.html
> v5.8: https://lists.ubuntu.com/archives/kernel-team/2021-September/124336.html
> 
> By popular demand this is also available as a git branch / pull
> request and launchpad merge request:
> 
> https://code.launchpad.net/~xnox/ubuntu/+source/linux/+git/focal/+merge/409374
> 
> The following changes since commit a4a17166114e9aece92a2525226433d3c9c77f72:
> 
>   UBUNTU: upstream stable to v5.4.145 (2021-10-01 11:34:04 +0200)
> 
> are available in the Git repository at:
> 
>   https://git.launchpad.net/~xnox/ubuntu/+source/linux/+git/focal 5.4-revocation-certs
> 
> for you to fetch changes up to 1b21f2893dfddb55335bad4bc8d0eae3074a9753:
> 
>   UBUNTU: [Config] Configure CONFIG_SYSTEM_REVOCATION_KEYS with revoked keys (2021-10-01 16:11:49 +0100)
> 
> Ard Biesheuvel (2):
>   efi: mokvar-table: fix some issues in new code
>   efi: mokvar: add missing include of asm/early_ioremap.h
> 
> Borislav Petkov (1):
>   efi/mokvar: Reserve the table only if it is in boot services data
> 
> Dimitri John Ledkov (6):
>   Revert "UBUNTU: SAUCE: (lockdown) Make get_cert_list() not complain
>     about cert lists that aren't present."
>   UBUNTU: SAUCE: integrity: Load mokx certs from the EFI MOK config
>     table
>   UBUNTU: SAUCE: integrity: add informational messages when revoking
>     certs
>   UBUNTU: [Packaging] build canonical-revoked-certs.pem from branch/arch
>     certs
>   UBUNTU: [Packaging] Revoke 2012 UEFI signing certificate as built-in
>   UBUNTU: [Config] Configure CONFIG_SYSTEM_REVOCATION_KEYS with revoked
>     keys
> 
> Eric Snowberg (2):
>   certs: Add ability to preload revocation certs
>   integrity: Load mokx variables into the blacklist keyring
> 
> Lenny Szubowicz (3):
>   efi: Support for MOK variable config table
>   integrity: Move import of MokListRT certs to a separate routine
>   integrity: Load certs from the EFI MOK config table
> 
> Linus Torvalds (1):
>   certs: add 'x509_revocation_list' to gitignore
> 
> Tim Gardner (1):
>   UBUNTU: SAUCE: Dump stack when X.509 certificates cannot be loaded
> 
>  arch/x86/kernel/setup.c                       |   1 +
>  arch/x86/platform/efi/efi.c                   |   3 +
>  certs/.gitignore                              |   1 +
>  certs/Kconfig                                 |   8 +
>  certs/Makefile                                |  19 +-
>  certs/blacklist.c                             |  24 ++
>  certs/common.c                                |   1 +
>  certs/revocation_certificates.S               |  21 +
>  debian.master/config/annotations              |   1 +
>  debian.master/config/config.common.ubuntu     |   1 +
>  .../revoked-certs/canonical-uefi-2012-all.pem |  86 +++++
>  debian/rules                                  |  14 +-
>  drivers/firmware/efi/Makefile                 |   1 +
>  drivers/firmware/efi/arm-init.c               |   1 +
>  drivers/firmware/efi/efi.c                    |   6 +
>  drivers/firmware/efi/mokvar-table.c           | 362 ++++++++++++++++++
>  include/linux/efi.h                           |  34 ++
>  scripts/Makefile                              |   1 +
>  .../platform_certs/keyring_handler.c          |   1 +
>  security/integrity/platform_certs/load_uefi.c | 138 +++++--
>  20 files changed, 684 insertions(+), 40 deletions(-)
>  create mode 100644 certs/revocation_certificates.S
>  create mode 100644 debian/revoked-certs/canonical-uefi-2012-all.pem
>  create mode 100644 drivers/firmware/efi/mokvar-table.c
> 
> -- 
> 2.30.2
> 
> 
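The cover letter's note to crankers says a derivative kernel must carry CONFIG_SYSTEM_REVOCATION_KEYS once this series is rebased, or boot testing fails because the kernel sees revocation support compiled in but no revoked certificates configured. The following shell check is an added example, not part of the patch series or the Ubuntu kernel tree: it inspects a kernel .config for CONFIG_SYSTEM_REVOCATION_LIST (the upstream Kconfig symbol that gates the preload path in "certs: Add ability to preload revocation certs") and for a non-empty CONFIG_SYSTEM_REVOCATION_KEYS. The two sample configs and the PEM path in them are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: check a kernel .config for the revocation settings the
# cover letter says derivative kernels must carry. Not part of the series.

check_revocation_config() {
    cfg="$1"
    # Revocation list support must be built in (upstream Kconfig symbol).
    if ! grep -q '^CONFIG_SYSTEM_REVOCATION_LIST=y$' "$cfg"; then
        echo "$cfg: CONFIG_SYSTEM_REVOCATION_LIST is not enabled" >&2
        return 1
    fi
    # The preload option must name a non-empty PEM file; an empty string
    # means "support available but no revoked certs built in", which is
    # the state the cover letter says boot testing rejects.
    keys=$(sed -n 's/^CONFIG_SYSTEM_REVOCATION_KEYS="\(.*\)"$/\1/p' "$cfg")
    if [ -z "$keys" ]; then
        echo "$cfg: CONFIG_SYSTEM_REVOCATION_KEYS is empty or unset" >&2
        return 1
    fi
    echo "$cfg: revocation certs will be preloaded from $keys"
    return 0
}

# Constructed sample configs (not taken from any real kernel tree).
tmpdir=$(mktemp -d)
cat > "$tmpdir/bad.config" <<'EOF'
CONFIG_SYSTEM_BLACKLIST_KEYRING=y
CONFIG_SYSTEM_REVOCATION_LIST=y
CONFIG_SYSTEM_REVOCATION_KEYS=""
EOF
cat > "$tmpdir/good.config" <<'EOF'
CONFIG_SYSTEM_BLACKLIST_KEYRING=y
CONFIG_SYSTEM_REVOCATION_LIST=y
CONFIG_SYSTEM_REVOCATION_KEYS="placeholder/canonical-revoked-certs.pem"
EOF
BAD_CONFIG="$tmpdir/bad.config"
GOOD_CONFIG="$tmpdir/good.config"

# Run the check over both samples; the first one is expected to fail.
for cfg in "$BAD_CONFIG" "$GOOD_CONFIG"; do
    check_revocation_config "$cfg" || true
done
```

Point the function at a real build's .config (or at the config.common.ubuntu fragment after the annotations have been regenerated) to confirm the rebase picked up the new option before spending a boot-test cycle on it.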
