[SRU,F/hwe-5.8,00/18] Support builtin revoked certificates and mokvar-table

Message ID 20210927155712.164337-1-dimitri.ledkov@canonical.com
Series: Support builtin revoked certificates and mokvar-table

Message

Dimitri John Ledkov Sept. 27, 2021, 3:56 p.m. UTC
BugLink: https://bugs.launchpad.net/bugs/1928679
BugLink: https://bugs.launchpad.net/bugs/1932029
Link: https://trello.com/c/iPc3IqC9 (private)

Same story as before: backport support for builtin revoked
certificates, and add support for loading revoked certificates from
the mokvar-table. Note that for v5.8 this also means backporting the
mokvar-table driver as a whole, since it was only introduced upstream
in v5.9.

This backport is for the hwe-5.8 kernel, which, whilst not built/released
anymore, is used as the basis for the azure-5.8 kernel. If/when azure-5.8 is
cranked on top of these changes, it must also adjust the config to
enable CONFIG_SYSTEM_REVOCATION_KEYS. Without adjusting the config,
boot testing will fail, as it will notice that support is available
but not turned on.

Built as hwe-5.8 kernel and tested in VM.

Most patches are cherry-picks from upstream, apart from the UBUNTU: ones,
which are packaging or SAUCE patch cherry-picks from impish:linux.

Previous backports of this:
v5.13: https://lists.ubuntu.com/archives/kernel-team/2021-June/121362.html
v5.11: https://lists.ubuntu.com/archives/kernel-team/2021-August/122996.html
v5.10: https://lists.ubuntu.com/archives/kernel-team/2021-August/123470.html


Ard Biesheuvel (2):
  efi: mokvar-table: fix some issues in new code
  efi: mokvar: add missing include of asm/early_ioremap.h

Borislav Petkov (1):
  efi/mokvar: Reserve the table only if it is in boot services data

Dimitri John Ledkov (6):
  Revert "UBUNTU: SAUCE: Dump stack when X.509 certificates cannot be
    loaded"
  UBUNTU: SAUCE: integrity: Load mokx certs from the EFI MOK config
    table
  UBUNTU: SAUCE: integrity: add informational messages when revoking
    certs
  UBUNTU: [Packaging] build canonical-revoked-certs.pem from branch/arch
    certs
  UBUNTU: [Packaging] Revoke 2012 UEFI signing certificate as built-in
  UBUNTU: [Config] Configure CONFIG_SYSTEM_REVOCATION_KEYS with revoked
    keys

Eric Snowberg (4):
  certs: Add EFI_CERT_X509_GUID support for dbx entries
  certs: Move load_system_certificate_list to a common function
  certs: Add ability to preload revocation certs
  integrity: Load mokx variables into the blacklist keyring

Lenny Szubowicz (3):
  efi: Support for MOK variable config table
  integrity: Move import of MokListRT certs to a separate routine
  integrity: Load certs from the EFI MOK config table

Linus Torvalds (1):
  certs: add 'x509_revocation_list' to gitignore

Tim Gardner (1):
  UBUNTU: SAUCE: Dump stack when X.509 certificates cannot be loaded

 arch/x86/kernel/setup.c                       |   1 +
 arch/x86/platform/efi/efi.c                   |   3 +
 certs/.gitignore                              |   1 +
 certs/Kconfig                                 |  17 +
 certs/Makefile                                |  21 +-
 certs/blacklist.c                             |  67 ++++
 certs/blacklist.h                             |   2 +
 certs/common.c                                |  58 +++
 certs/common.h                                |   9 +
 certs/revocation_certificates.S               |  21 +
 certs/system_keyring.c                        |  56 +--
 debian.hwe-5.8/config/config.common.ubuntu    |   2 +
 debian.master/config/annotations              |   1 +
 debian.master/config/config.common.ubuntu     |   2 +
 .../revoked-certs/canonical-uefi-2012-all.pem |  86 +++++
 debian/rules                                  |  14 +-
 drivers/firmware/efi/Makefile                 |   1 +
 drivers/firmware/efi/arm-init.c               |   1 +
 drivers/firmware/efi/efi.c                    |   6 +
 drivers/firmware/efi/mokvar-table.c           | 362 ++++++++++++++++++
 include/keys/system_keyring.h                 |  15 +
 include/linux/efi.h                           |  34 ++
 scripts/Makefile                              |   1 +
 .../platform_certs/keyring_handler.c          |  12 +
 security/integrity/platform_certs/load_uefi.c | 107 +++++-
 25 files changed, 830 insertions(+), 70 deletions(-)
 create mode 100644 certs/common.c
 create mode 100644 certs/common.h
 create mode 100644 certs/revocation_certificates.S
 create mode 100644 debian/revoked-certs/canonical-uefi-2012-all.pem
 create mode 100644 drivers/firmware/efi/mokvar-table.c
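The `certs: Add EFI_CERT_X509_GUID support for dbx entries` and `integrity: Load mokx variables into the blacklist keyring` patches in this series operate on the UEFI EFI_SIGNATURE_LIST format that dbx and MokListXRT carry: a 28-byte header (SignatureType GUID, SignatureListSize, SignatureHeaderSize, SignatureSize) followed by fixed-size entries, each a SignatureOwner GUID plus payload. The block below is an added example, not code from this series or from the kernel: a user-space walker over that format that classifies entries by type GUID and applies size checks equivalent to the kernel's parse_efi_signature_list(), run over a constructed blob (two made-up SHA-256 digests and a 40-byte placeholder standing in for a DER certificate, all with an all-zero SignatureOwner; none of it is real signature-database content). The GUID byte arrays are EFI_CERT_SHA256_GUID and EFI_CERT_X509_GUID in on-disk order; the function and type names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Added example (not kernel or series code): walk an EFI_SIGNATURE_LIST blob as
 * found in dbx / MokListXRT, classify entries by type GUID, reject malformed lists. */
#define EFI_GUID_LEN 16
#define ESL_HDR_LEN  28   /* SignatureType GUID + 3 x UINT32 */
#define SHA256_LEN   32
/* GUIDs in on-disk byte order (Data1/2/3 little-endian). */
static const uint8_t EFI_CERT_SHA256_GUID[EFI_GUID_LEN] = {
    0x26,0x16,0xc4,0xc1,0x4c,0x50,0x92,0x40,0xac,0xa9,0x41,0xf9,0x36,0x93,0x43,0x28 };
static const uint8_t EFI_CERT_X509_GUID[EFI_GUID_LEN] = {
    0xa1,0x59,0xc0,0xa5,0xe4,0x94,0xa7,0x4a,0x87,0xb5,0xab,0x15,0x5c,0x2b,0xf0,0x72 };
enum sig_type { SIG_UNKNOWN, SIG_SHA256, SIG_X509 };
typedef void (*esl_cb)(enum sig_type type, const uint8_t *data, size_t len, void *ctx);

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v) { p[0] = v; p[1] = v >> 8; p[2] = v >> 16; p[3] = v >> 24; }

/* 0 when every list parsed; -1 on the first malformed list (entries of earlier
 * lists were already handed to cb). The kernel returns -EBADMSG at the same points. */
int parse_esl(const uint8_t *data, size_t size, esl_cb cb, void *ctx)
{
    while (size > 0) {
        if (size < ESL_HDR_LEN) return -1;
        uint32_t lsize = rd32(data + 16);   /* SignatureListSize   */
        uint32_t hsize = rd32(data + 20);   /* SignatureHeaderSize */
        uint32_t esize = rd32(data + 24);   /* SignatureSize       */
        if (lsize < ESL_HDR_LEN || lsize > size) return -1;          /* overruns blob */
        if (hsize > lsize - ESL_HDR_LEN || esize <= EFI_GUID_LEN) return -1;
        size_t body = lsize - ESL_HDR_LEN - hsize;
        if (body % esize != 0) return -1;                             /* partial entry */
        enum sig_type type = SIG_UNKNOWN;
        if (memcmp(data, EFI_CERT_SHA256_GUID, EFI_GUID_LEN) == 0) type = SIG_SHA256;
        else if (memcmp(data, EFI_CERT_X509_GUID, EFI_GUID_LEN) == 0) type = SIG_X509;
        /* A SHA-256 entry is exactly SignatureOwner + 32-byte digest. */
        if (type == SIG_SHA256 && esize != EFI_GUID_LEN + SHA256_LEN) return -1;
        const uint8_t *p = data + ESL_HDR_LEN + hsize;
        for (size_t off = 0; off < body; off += esize)   /* hand over payload only */
            cb(type, p + off + EFI_GUID_LEN, esize - EFI_GUID_LEN, ctx);
        data += lsize; size -= lsize;
    }
    return 0;
}

/* Append one list of n entries carrying entry_len payload bytes each; the
 * SignatureOwner GUID is left all-zero (a placeholder, not a real owner). */
static size_t put_list(uint8_t *out, size_t cap, const uint8_t *type, size_t n,
                       size_t entry_len, const uint8_t *payloads)
{
    size_t esize = EFI_GUID_LEN + entry_len, lsize = ESL_HDR_LEN + n * esize;
    if (lsize > cap) return 0;
    memcpy(out, type, EFI_GUID_LEN);
    wr32(out + 16, (uint32_t)lsize);
    wr32(out + 20, 0);
    wr32(out + 24, (uint32_t)esize);
    uint8_t *p = out + ESL_HDR_LEN;
    for (size_t i = 0; i < n; i++, p += esize) {
        memset(p, 0, EFI_GUID_LEN);
        memcpy(p + EFI_GUID_LEN, payloads + i * entry_len, entry_len);
    }
    return lsize;
}

struct counts { int sha256, x509, unknown; size_t x509_len; };
static void count_cb(enum sig_type t, const uint8_t *d, size_t len, void *ctx)
{
    struct counts *c = ctx;
    (void)d;                                /* payload bytes not inspected here */
    if (t == SIG_SHA256) c->sha256++;
    else if (t == SIG_X509) { c->x509++; c->x509_len = len; }
    else c->unknown++;
}

/* Constructed sample: two made-up digests in a SHA-256 list, then one 40-byte
 * placeholder X.509 payload (not a real certificate). With trunc != 0 the last
 * byte is dropped, so the X.509 list claims more than remains and is rejected. */
int sample_counts(struct counts *c, int trunc)
{
    uint8_t buf[512], digests[2 * SHA256_LEN], fake_der[40];
    memset(digests, 0x11, SHA256_LEN);
    memset(digests + SHA256_LEN, 0x22, SHA256_LEN);
    memset(fake_der, 0xaa, sizeof fake_der);
    size_t n = put_list(buf, sizeof buf, EFI_CERT_SHA256_GUID, 2, SHA256_LEN, digests);
    size_t m = put_list(buf + n, sizeof buf - n, EFI_CERT_X509_GUID, 1, 40, fake_der);
    memset(c, 0, sizeof *c);
    return parse_esl(buf, n + m - (trunc ? 1 : 0), count_cb, c);
}

int main(void)
{
    struct counts c;
    int rc = sample_counts(&c, 0);
    printf("rc=%d sha256=%d x509=%d x509_len=%zu unknown=%d\n", rc, c.sha256, c.x509, c.x509_len, c.unknown);
    return rc;
}
```

On a live system the same bytes are what efivarfs exposes for dbx (the file `dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f` under /sys/firmware/efi/efivars, after its 4-byte attribute header) and, once the mokvar-table driver from this series is in place and shim has registered the config table, what /sys/firmware/efi/mok-variables/MokListXRT holds; an X509-typed entry in either is what the new handler now turns into a blacklist keyring entry rather than skipping.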

Comments

Tim Gardner Sept. 28, 2021, 1:39 p.m. UTC | #1
Acked-by: Tim Gardner <tim.gardner@canonical.com>

I see from LP: #1928679 that these changes have been released in Impish 
5.13 and (I assume) tested. Does Azure support secure boot? (Because 
focal:linux-azure-5.8 is going to inherit from focal:linux-hwe-5.8.)

Given that these patches are somewhat kernel version independent, they 
ought to work on 5.8 as well as 5.13.

Are you getting any upstream traction on the certificate revocation 
patches?

rtg

P.S. Although patch bombs of this length are easy enough to review on 
the list (IMHO), pull requests are much easier to apply.

On 9/27/21 9:56 AM, Dimitri John Ledkov wrote:
> [...]
Dimitri John Ledkov Sept. 28, 2021, 2:21 p.m. UTC | #2
On Tue, Sep 28, 2021 at 2:39 PM Tim Gardner <tim.gardner@canonical.com> wrote:
>
> Acked-by: Tim Gardner <tim.gardner@canonical.com>
>
> I see from LP: #1928679 that these changes have been released in Impish
> 5.13 and (I assume) tested.

Yes, these changes are in oem-5.10, Hirsute v5.11 & Impish v5.13
already. Some have been part of the new upstream release, other bits
have been part of stable updates, and some bits I had to cherry-pick
on top.

> Does Azure support secure boot ? (because
> focal:linux-azure-5.8 is going to inherit from focal:linux-hwe-5.8).
>

Yes it does.
In general, we only sign kernels with production secure boot keys
which have target platform support to verify those signatures. Thus if
there is a linux-*-signed, it means it is a secure-boot-capable target
platform.

And azure-5.8 is the actual target for these changes, since we are not
building hwe-5.8 anymore. But these patches are not azure-specific,
hence targeting the "parent" kernel, just in case we built anything
else off hwe-5.8.

> Given that these patches are somewhat kernel version independent, they
> ought to work on 5.8 as well as 5.13.
>

Indeed, back-ports to v5.8 didn't need any context changes, and the
major external requirement is for shim to register and provide the config
table. Ubuntu's shim does that on xenial and up.

> Are you getting any upstream traction on the certificate revocation
> patches ?
>

Loading MOKX from mokvar table didn't have any progress. Apart from
pings and people mentioning that "it should be merged upstream". I'll
resend those patches again.

> rtg
>
> P.S. Although patch bombs of this length are easy enough to review on
> the list (IMHO), pull requests are much easier to apply.
>

I agree, after sending the patch series, I also tried to prepare
launchpad merge request & email pull-request.
https://lists.ubuntu.com/archives/kernel-team/2021-September/124370.html
https://code.launchpad.net/~xnox/ubuntu/+source/linux/+git/focal/+merge/409282

I'll try to prepare the merge request at the same time as sending the
patch bomb. Such that one can do email based review workflow; but also
clone/pull the patches as a branch as well.

These sets of patches still need backport to v5.4 and v4.15 at the very least.


> On 9/27/21 9:56 AM, Dimitri John Ledkov wrote:
> > [...]
>
> --
> -----------
> Tim Gardner
> Canonical, Inc
Stefan Bader Oct. 4, 2021, 1:19 p.m. UTC | #3
On 27.09.21 17:56, Dimitri John Ledkov wrote:
> [...]

Disclaimer: I looked at the pull-request but chose to reply to the thread with 
patches. Generally the content looks roughly ok (I concentrated more on the places 
which modify code than on completely new functions). For hwe-5.8 it would not be 
necessary to make any modifications to debian.master, but it does not hurt either.
Maybe the only nitpick is that we commonly change the cherry-pick lines into

(cherry picked from <sha1> impish:linux)

There are some patches at the beginning which miss the info, and personally I 
found the additional line in other patches easy to miss when glancing 
through things. That could be done when applying.

Acked-by: Stefan Bader <stefan.bader@canonical.com>
Dimitri John Ledkov Oct. 4, 2021, 2:17 p.m. UTC | #4
On Mon, Oct 4, 2021 at 2:19 PM Stefan Bader <stefan.bader@canonical.com> wrote:
>
> On 27.09.21 17:56, Dimitri John Ledkov wrote:
> > [...]
>
> Disclaimer: I looked at the pull-request but chose to reply to the thread with
> patches. Generally the content looks roughly ok (I concentrated more on the places
> which modify code than on completely new functions). For hwe-5.8 it would not be
> necessary to make any modifications to debian.master, but it does not hurt either.
> Maybe the only nitpick is that we commonly change the cherry-pick lines into
>
> (cherry picked from <sha1> impish:linux)
>

noted.

> There are some patches at the beginning which miss the info, and personally I
> found the additional line in other patches easy to miss when glancing
> through things. That could be done when applying.
>
> Acked-by: Stefan Bader <stefan.bader@canonical.com>
>
Stefan Bader Oct. 4, 2021, 3:01 p.m. UTC | #5
On 27.09.21 17:56, Dimitri John Ledkov wrote:
> [...]

Applied to focal:linux-hwe-5.8/hwe-5.8. Thanks.

-Stefan