From patchwork Thu Aug 5 14:59:44 2021
X-Patchwork-Submitter: Dimitri John Ledkov
X-Patchwork-Id: 1513953
From: Dimitri John Ledkov
To: kernel-team@lists.ubuntu.com
Subject: [HIRSUTE][PATCH 0/5] Built-in Revocation certificates
Date: Thu, 5 Aug 2021 15:59:44 +0100
Message-Id: <20210805145949.133895-1-dimitri.ledkov@canonical.com>

In Impish, support was added to load revoked certificates from mokx (submitted upstream, reviewed, not accepted yet) into the blacklist keyring. Also in Impish, from upstream, there is now support to have built-in revoked keys. And we have the 2012 UEFI key revoked by default (as also revoked globally via the UEFI dbx update).

Backport both of the above things to Hirsute, such that our kernels honor mokx revocations, and also have the 2012 key revoked always (when booted with or without a working shim).

This patch series was test built and tested using the revocations list test case that is proposed for the RT ubuntu_boot test. See https://lists.ubuntu.com/archives/kernel-team/2021-August/122986.html

BugLink: https://bugs.launchpad.net/bugs/1928679
BugLink: https://bugs.launchpad.net/bugs/1932029

Dimitri John Ledkov (5):
  UBUNTU: SAUCE: integrity: Load mokx certs from the EFI MOK config table
  UBUNTU: SAUCE: integrity: add informational messages when revoking certs
  UBUNTU: [Packaging] build canonical-revoked-certs.pem from branch/arch certs
  UBUNTU: [Packaging] Revoke 2012 UEFI signing certificate as built-in
  UBUNTU: [Config] Configure CONFIG_SYSTEM_REVOCATION_KEYS with revoked keys

 certs/blacklist.c                                  |  3 +
 debian.master/config/annotations                   |  1 +
 debian.master/config/config.common.ubuntu          |  2 +-
 .../revoked-certs/canonical-uefi-2012-all.pem      | 86 +++++++++++++++++++
 debian/rules                                       | 14 ++-
 .../platform_certs/keyring_handler.c               |  1 +
 security/integrity/platform_certs/load_uefi.c      | 74 ++++++++--------
 7 files changed, 145 insertions(+), 36 deletions(-)
 create mode 100644 debian/revoked-certs/canonical-uefi-2012-all.pem

Acked-by: Stefan Bader
Acked-by: Andy Whitcroft
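The cover letter above says the series makes the kernel honor mokx revocations and always carry the 2012 UEFI key as revoked, which is verified on a running system by looking at the kernel's `.blacklist` keyring. The following is an added example, not code from this patch series or from the Ubuntu kernel tree: it parses the text printed by `keyctl list %:.blacklist` and reports which expected revoked X.509 certificates are absent. It assumes the kernel describes an asymmetric key as `<subject>: <hex key id>` (the key id being the certificate's subjectKeyIdentifier); every serial, subject and key id in the embedded sample is a constructed placeholder, not a real Canonical value.

```python
"""Check that expected revocations are present in the kernel's .blacklist keyring.

Added example, not part of the patch series. It parses the text that
`keyctl list %:.blacklist` prints and reports which expected revoked
X.509 certificates are missing. The kernel describes an asymmetric key
as "<subject>: <hex key id>", where the key id is the certificate's
subjectKeyIdentifier (assumed here); all serials, subjects and ids in
the sample below are constructed placeholders, not real values.
"""
import re
import subprocess
from typing import Dict, List

# Constructed sample of `keyctl list %:.blacklist` output (placeholder values).
SAMPLE_BLACKLIST_LISTING = """\
 123456789: ---lswrv     0     0 asymmetric: Example Ltd. Master Certificate Authority: 00112233445566778899aabbccddeeff00112233
 234567890: ---lswrv     0     0 asymmetric: Example Ltd. Secure Boot Signing (2017): ffeeddccbbaa99887766554433221100ffeeddcc
 345678901: ---lswrv     0     0 blacklist: tbs:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
"""

# keyctl list prints: "<serial>: <perms> <uid> <gid> <type>: <description>"
_ENTRY_RE = re.compile(
    r"^\s*(?P<serial>\d+):\s+(?P<perms>\S+)\s+(?P<uid>\d+)\s+(?P<gid>\d+)\s+"
    r"(?P<type>[a-z_]+):\s+(?P<desc>.+?)\s*$"
)


def parse_keyctl_list(text: str) -> List[Dict[str, str]]:
    """Parse keyctl list output into entries; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = _ENTRY_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def revoked_x509_ids(text: str) -> Dict[str, str]:
    """Map key id -> subject for every asymmetric (X.509) key in the listing.

    The kernel's description is "<subject>: <hex id>", so split on the last
    ": " to keep subjects that themselves contain colons intact.
    """
    ids: Dict[str, str] = {}
    for e in parse_keyctl_list(text):
        if e["type"] != "asymmetric":
            continue
        subject, sep, key_id = e["desc"].rpartition(": ")
        if sep and re.fullmatch(r"[0-9a-f]+", key_id):
            ids[key_id] = subject
    return ids


def missing_revocations(text: str, expected_ids: List[str]) -> List[str]:
    """Return the expected key ids that are NOT present in the blacklist keyring."""
    present = revoked_x509_ids(text)
    return [k for k in expected_ids if k.lower() not in present]


def live_blacklist_listing() -> str:
    """Read the running kernel's .blacklist keyring via keyctl (needs keyutils installed)."""
    out = subprocess.run(["keyctl", "list", "%:.blacklist"],
                         capture_output=True, text=True, check=True)
    return out.stdout


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; the second id is
    # deliberately absent so that one MISSING line is printed.
    expected = ["00112233445566778899aabbccddeeff00112233",
                "deadbeefdeadbeefdeadbeefdeadbeefdeadbeef"]
    for key_id in missing_revocations(SAMPLE_BLACKLIST_LISTING, expected):
        print(f"MISSING revocation for key id {key_id}")
```

On a live system, replace `SAMPLE_BLACKLIST_LISTING` with `live_blacklist_listing()` and pass the subjectKeyIdentifier of each certificate from the revoked-certs PEM (obtainable with `openssl x509 -noout -ext subjectKeyIdentifier`) as the expected ids; an empty result means every expected revocation is loaded, whether it came from mokx or from the built-in `CONFIG_SYSTEM_REVOCATION_KEYS` list.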