ACK/Cmnt: [SRU][F/hwe-5.8][PATCH 00/18] Support builtin revoked certificates and mokvar-table

Dimitri John Ledkov dimitri.ledkov at canonical.com
Tue Sep 28 14:21:41 UTC 2021


On Tue, Sep 28, 2021 at 2:39 PM Tim Gardner <tim.gardner at canonical.com> wrote:
>
> Acked-by: Tim Gardner <tim.gardner at canonical.com>
>
> I see from LP: #1928679 that these changes have been released in Impish
> 5.13 and (I assume) tested.

Yes, these changes are in oem-5.10, Hirsute v5.11 & Impish v5.13
already. Some have been part of the new upstream release, other bits
have been part of stable updates, and some bits I had to cherry-pick
on top.

> Does Azure support secure boot ? (because
> focal:linux-azure-5.8 is going to inherit from focal:linux-hwe-5.8).
>

Yes it does.
In general, we only sign kernels with production secure boot keys
which have target platform support to verify those signatures. Thus if
there is a linux-*-signed, it means it is a secure-boot-capable target
platform.

And azure-5.8 is the actual target for these changes, since we are not
building hwe-5.8 anymore. But these patches are not azure-specific,
hence targeting the "parent" kernel, just in case we build anything
else off hwe-5.8.

> Given that these patches are somewhat kernel version independent, they
> ought to work on 5.8 as well as 5.13.
>

Indeed, the back-ports to v5.8 didn't need any context changes, and the
major external requirement is for shim to register and provide the config
table. Ubuntu's shim does that on xenial and up.

> Are you getting any upstream traction on the certificate revocation
> patches ?
>

Loading MOKX from the mokvar table hasn't had any progress, apart from
pings and people mentioning that "it should be merged upstream". I'll
resend those patches again.

> rtg
>
> P.S. Although patch bombs of this length are easy enough to review on
> the list (IMHO), pull requests are much easier to apply.
>

I agree. After sending the patch series, I also tried to prepare a
Launchpad merge request & an email pull request:
https://lists.ubuntu.com/archives/kernel-team/2021-September/124370.html
https://code.launchpad.net/~xnox/ubuntu/+source/linux/+git/focal/+merge/409282

I'll try to prepare the merge request at the same time as sending the
patch bomb, so that one can use an email-based review workflow, but also
clone/pull the patches as a branch.

These sets of patches still need backporting to v5.4 and v4.15 at the very least.


> On 9/27/21 9:56 AM, Dimitri John Ledkov wrote:
> > BugLink: https://bugs.launchpad.net/bugs/1928679
> > BugLink: https://bugs.launchpad.net/bugs/1932029
> > Link: https://trello.com/c/iPc3IqC9 (private)
> >
> > Same story as before: backport support for builtin revoked
> > certificates, and add support for loading revoked certificates from
> > the mokvar-table. Note that for v5.8 it also means backporting the
> > mokvar-table driver as a whole, since it was only introduced upstream
> > in v5.9.
> >
> > This backport is for the hwe-5.8 kernel, which, whilst not built/released
> > anymore, is used as the basis for the azure-5.8 kernel. If/when azure-5.8 is
> > cranked on top of these changes, it must also adjust the config to
> > enable CONFIG_SYSTEM_REVOCATION_KEYS. Without adjusting the config,
> > boot testing will fail, as it will notice that support is available
> > but not turned on.
> >
> > Built as hwe-5.8 kernel and tested in VM.
> >
> > Most patches are cherry-picks from upstream, apart from the UBUNTU: ones,
> > which are packaging or SAUCE patch cherry-picks from impish:linux.
> >
> > Previous backports of this:
> > v5.13: https://lists.ubuntu.com/archives/kernel-team/2021-June/121362.html
> > v5.11: https://lists.ubuntu.com/archives/kernel-team/2021-August/122996.html
> > v5.10: https://lists.ubuntu.com/archives/kernel-team/2021-August/123470.html
> >
> >
> > Ard Biesheuvel (2):
> >    efi: mokvar-table: fix some issues in new code
> >    efi: mokvar: add missing include of asm/early_ioremap.h
> >
> > Borislav Petkov (1):
> >    efi/mokvar: Reserve the table only if it is in boot services data
> >
> > Dimitri John Ledkov (6):
> >    Revert "UBUNTU: SAUCE: Dump stack when X.509 certificates cannot be
> >      loaded"
> >    UBUNTU: SAUCE: integrity: Load mokx certs from the EFI MOK config
> >      table
> >    UBUNTU: SAUCE: integrity: add informational messages when revoking
> >      certs
> >    UBUNTU: [Packaging] build canonical-revoked-certs.pem from branch/arch
> >      certs
> >    UBUNTU: [Packaging] Revoke 2012 UEFI signing certificate as built-in
> >    UBUNTU: [Config] Configure CONFIG_SYSTEM_REVOCATION_KEYS with revoked
> >      keys
> >
> > Eric Snowberg (4):
> >    certs: Add EFI_CERT_X509_GUID support for dbx entries
> >    certs: Move load_system_certificate_list to a common function
> >    certs: Add ability to preload revocation certs
> >    integrity: Load mokx variables into the blacklist keyring
> >
> > Lenny Szubowicz (3):
> >    efi: Support for MOK variable config table
> >    integrity: Move import of MokListRT certs to a separate routine
> >    integrity: Load certs from the EFI MOK config table
> >
> > Linus Torvalds (1):
> >    certs: add 'x509_revocation_list' to gitignore
> >
> > Tim Gardner (1):
> >    UBUNTU: SAUCE: Dump stack when X.509 certificates cannot be loaded
> >
> >   arch/x86/kernel/setup.c                       |   1 +
> >   arch/x86/platform/efi/efi.c                   |   3 +
> >   certs/.gitignore                              |   1 +
> >   certs/Kconfig                                 |  17 +
> >   certs/Makefile                                |  21 +-
> >   certs/blacklist.c                             |  67 ++++
> >   certs/blacklist.h                             |   2 +
> >   certs/common.c                                |  58 +++
> >   certs/common.h                                |   9 +
> >   certs/revocation_certificates.S               |  21 +
> >   certs/system_keyring.c                        |  56 +--
> >   debian.hwe-5.8/config/config.common.ubuntu    |   2 +
> >   debian.master/config/annotations              |   1 +
> >   debian.master/config/config.common.ubuntu     |   2 +
> >   .../revoked-certs/canonical-uefi-2012-all.pem |  86 +++++
> >   debian/rules                                  |  14 +-
> >   drivers/firmware/efi/Makefile                 |   1 +
> >   drivers/firmware/efi/arm-init.c               |   1 +
> >   drivers/firmware/efi/efi.c                    |   6 +
> >   drivers/firmware/efi/mokvar-table.c           | 362 ++++++++++++++++++
> >   include/keys/system_keyring.h                 |  15 +
> >   include/linux/efi.h                           |  34 ++
> >   scripts/Makefile                              |   1 +
> >   .../platform_certs/keyring_handler.c          |  12 +
> >   security/integrity/platform_certs/load_uefi.c | 107 +++++-
> >   25 files changed, 830 insertions(+), 70 deletions(-)
> >   create mode 100644 certs/common.c
> >   create mode 100644 certs/common.h
> >   create mode 100644 certs/revocation_certificates.S
> >   create mode 100644 debian/revoked-certs/canonical-uefi-2012-all.pem
> >   create mode 100644 drivers/firmware/efi/mokvar-table.c
> >
>
> --
> -----------
> Tim Gardner
> Canonical, Inc
