[SRU][F/hwe-5.8][PATCH 00/18] Support builtin revoked certificates and mokvar-table
Dimitri John Ledkov
dimitri.ledkov at canonical.com
Mon Sep 27 15:56:54 UTC 2021
BugLink: https://bugs.launchpad.net/bugs/1928679
BugLink: https://bugs.launchpad.net/bugs/1932029
Link: https://trello.com/c/iPc3IqC9 (private)
Same story as before: backport support for builtin revoked
certificates, and add support for loading revoked certificates from
the mokvar-table. Note that for v5.8 it also means backporting the
mokvar-table driver as a whole, since it was only introduced upstream
in v5.9.
This backport is for the hwe-5.8 kernel, which, whilst not built/released
anymore, is used as the basis for the azure-5.8 kernel. If/when azure-5.8 is
cranked on top of these changes, it must also adjust the config to
enable CONFIG_SYSTEM_REVOCATION_KEYS. Without adjusting the config,
boot testing will fail, as it will notice that support is available
but not turned on.
Built as hwe-5.8 kernel and tested in VM.
Most patches are cherry-picks from upstream, apart from the UBUNTU: ones,
which are packaging or SAUCE patch cherry-picks from impish:linux.
Previous backports of this:
v5.13: https://lists.ubuntu.com/archives/kernel-team/2021-June/121362.html
v5.11: https://lists.ubuntu.com/archives/kernel-team/2021-August/122996.html
v5.10: https://lists.ubuntu.com/archives/kernel-team/2021-August/123470.html
Ard Biesheuvel (2):
efi: mokvar-table: fix some issues in new code
efi: mokvar: add missing include of asm/early_ioremap.h
Borislav Petkov (1):
efi/mokvar: Reserve the table only if it is in boot services data
Dimitri John Ledkov (6):
Revert "UBUNTU: SAUCE: Dump stack when X.509 certificates cannot be loaded"
UBUNTU: SAUCE: integrity: Load mokx certs from the EFI MOK config table
UBUNTU: SAUCE: integrity: add informational messages when revoking certs
UBUNTU: [Packaging] build canonical-revoked-certs.pem from branch/arch certs
UBUNTU: [Packaging] Revoke 2012 UEFI signing certificate as built-in
UBUNTU: [Config] Configure CONFIG_SYSTEM_REVOCATION_KEYS with revoked keys
Eric Snowberg (4):
certs: Add EFI_CERT_X509_GUID support for dbx entries
certs: Move load_system_certificate_list to a common function
certs: Add ability to preload revocation certs
integrity: Load mokx variables into the blacklist keyring
Lenny Szubowicz (3):
efi: Support for MOK variable config table
integrity: Move import of MokListRT certs to a separate routine
integrity: Load certs from the EFI MOK config table
Linus Torvalds (1):
certs: add 'x509_revocation_list' to gitignore
Tim Gardner (1):
UBUNTU: SAUCE: Dump stack when X.509 certificates cannot be loaded
arch/x86/kernel/setup.c | 1 +
arch/x86/platform/efi/efi.c | 3 +
certs/.gitignore | 1 +
certs/Kconfig | 17 +
certs/Makefile | 21 +-
certs/blacklist.c | 67 ++++
certs/blacklist.h | 2 +
certs/common.c | 58 +++
certs/common.h | 9 +
certs/revocation_certificates.S | 21 +
certs/system_keyring.c | 56 +--
debian.hwe-5.8/config/config.common.ubuntu | 2 +
debian.master/config/annotations | 1 +
debian.master/config/config.common.ubuntu | 2 +
.../revoked-certs/canonical-uefi-2012-all.pem | 86 +++++
debian/rules | 14 +-
drivers/firmware/efi/Makefile | 1 +
drivers/firmware/efi/arm-init.c | 1 +
drivers/firmware/efi/efi.c | 6 +
drivers/firmware/efi/mokvar-table.c | 362 ++++++++++++++++++
include/keys/system_keyring.h | 15 +
include/linux/efi.h | 34 ++
scripts/Makefile | 1 +
.../platform_certs/keyring_handler.c | 12 +
security/integrity/platform_certs/load_uefi.c | 107 +++++-
25 files changed, 830 insertions(+), 70 deletions(-)
create mode 100644 certs/common.c
create mode 100644 certs/common.h
create mode 100644 certs/revocation_certificates.S
create mode 100644 debian/revoked-certs/canonical-uefi-2012-all.pem
create mode 100644 drivers/firmware/efi/mokvar-table.c
--
2.30.2
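The cover letter's warning that boot testing fails when revocation support is built but CONFIG_SYSTEM_REVOCATION_KEYS is left unset is the kind of thing worth catching before a kernel is cranked. The script below is an added example, not part of this patch series or of the Ubuntu kernel packaging: it checks a kernel .config for CONFIG_SYSTEM_REVOCATION_LIST=y, extracts the PEM path from CONFIG_SYSTEM_REVOCATION_KEYS, and confirms the bundle exists and carries at least one certificate. The sample .config files and the placeholder PEM it creates under a temporary directory are constructed for illustration; the path debian/canonical-revoked-certs.pem mirrors the file name mentioned in the series but is an assumption here.

```shell
#!/bin/sh
# Added example (not from the patch series): sanity-check that a kernel
# .config really turns on the built-in revocation list and names a
# non-empty PEM bundle of revoked certificates.

# Return 0 when the config enables CONFIG_SYSTEM_REVOCATION_LIST and
# CONFIG_SYSTEM_REVOCATION_KEYS names a readable bundle with at least one
# certificate; return 1 and print the reason otherwise.
# Usage: check_revocation_config <.config> [<source-tree-dir>]
check_revocation_config() {
    config="$1"
    srcdir="${2:-.}"

    if ! grep -q '^CONFIG_SYSTEM_REVOCATION_LIST=y$' "$config"; then
        echo "CONFIG_SYSTEM_REVOCATION_LIST is not enabled"
        return 1
    fi

    # Pull the quoted string value out of CONFIG_SYSTEM_REVOCATION_KEYS.
    pem=$(sed -n 's/^CONFIG_SYSTEM_REVOCATION_KEYS="\(.*\)"$/\1/p' "$config")
    if [ -z "$pem" ]; then
        echo "CONFIG_SYSTEM_REVOCATION_KEYS is empty: support is built but no revoked certs are preloaded"
        return 1
    fi

    # Relative paths in the config are taken relative to the source tree.
    case "$pem" in
        /*) pem_path="$pem" ;;
        *)  pem_path="$srcdir/$pem" ;;
    esac
    if [ ! -r "$pem_path" ]; then
        echo "revoked-certs bundle $pem_path is missing or unreadable"
        return 1
    fi

    # Count PEM certificate blocks; grep -c prints 0 (and exits 1) on none.
    n=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$pem_path" || true)
    if [ "$n" -eq 0 ]; then
        echo "revoked-certs bundle $pem_path contains no certificates"
        return 1
    fi

    echo "ok: $n revoked certificate(s) will be built into the blacklist keyring"
    return 0
}

# Constructed sample tree: one good config, one with the keyring enabled
# but no keys (the failure mode the cover letter warns about), and one
# with the revocation list disabled entirely.
tmp=$(mktemp -d)
mkdir -p "$tmp/debian"
# Placeholder PEM body; the check only counts BEGIN CERTIFICATE markers.
printf -- '-----BEGIN CERTIFICATE-----\nPLACEHOLDER-BASE64-BODY\n-----END CERTIFICATE-----\n' \
    > "$tmp/debian/canonical-revoked-certs.pem"

cat > "$tmp/good.config" <<'EOF'
CONFIG_SYSTEM_REVOCATION_LIST=y
CONFIG_SYSTEM_REVOCATION_KEYS="debian/canonical-revoked-certs.pem"
EOF

cat > "$tmp/nokeys.config" <<'EOF'
CONFIG_SYSTEM_REVOCATION_LIST=y
CONFIG_SYSTEM_REVOCATION_KEYS=""
EOF

cat > "$tmp/nolist.config" <<'EOF'
# CONFIG_SYSTEM_REVOCATION_LIST is not set
EOF

check_revocation_config "$tmp/good.config" "$tmp"
check_revocation_config "$tmp/nokeys.config" "$tmp" || true
check_revocation_config "$tmp/nolist.config" "$tmp" || true
```

Running the block as-is prints one "ok" line for the good config and a one-line reason for each of the two bad ones; in a packaging pipeline the non-zero return value of the function is the signal to stop before building.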