Xenial: Load signed external modules using local MOK key

Message ID 570E70DC.4060209@canonical.com
State New

Pull-request

git://kernel.ubuntu.com/rtg/ubuntu-xenial.git uefi-keyring

Message

Tim Gardner April 13, 2016, 4:16 p.m. UTC
This mighty blob of code implements the functionality required to 
extract encryption keys and certificates from UEFI and use them to 
verify signed modules. This is important for locally compiled modules 
such as DKMS. A user would create or acquire a key and enter it into the 
MOK while also signing their local module with the same key. Upon reboot 
said key will appear in the kernel UEFI keyring which is then used to 
verify the new module.

This code is pretty much untested, but I wanted some more eyeballs on it 
in order to make sure my interpretation reflects reality.

This is phase 1 of secure boot signed module enforcement. Subsequent 
phases involve backporting this pile to Trusty and all kernels in 
between. Refer to 
https://wiki.ubuntu.com/Spec/InstallingUnsignedSecureBoot in order to 
understand why I am pushing for these changes at such a late date.

rtg
----

The following changes since commit 6b368f5c279310548da1a6de23d8e59567255029:

   pipe: limit the per-user amount of pages allocated in pipes (2016-04-13 09:52:33 -0600)

are available in the git repository at:

   git://kernel.ubuntu.com/rtg/ubuntu-xenial.git uefi-keyring

for you to fetch changes up to a914fecfc873be53d6a1cc486dfd4fb9a481854d:

   UBUNTU: SAUCE: (noup) efi: Disable secure boot if shim is in insecure mode (2016-04-13 10:00:56 -0600)

----------------------------------------------------------------
Ard Biesheuvel (4):
       efi: Remove redundant efi_set_variable_nonblocking() prototype
       efi/runtime-wrappers: Add a nonblocking version of QueryVariableInfo()
       efi: Add nonblocking option to efi_query_variable_store()
       efi: stub: implement efi_get_random_bytes() based on EFI_RNG_PROTOCOL

Dave Howells (2):
       UBUNTU: SAUCE: (noup) Add EFI signature data types
       UBUNTU: SAUCE: (noup) Add an EFI signature blob parser and key loader.

David Howells (2):
       akcipher: Move the RSA DER encoding check to the crypto layer
       KEYS: Add an alloc flag to convey the builtinness of a key

Josh Boyer (4):
       UBUNTU: SAUCE: (noup) KEYS: Add a system blacklist keyring
       UBUNTU: SAUCE: (noup) MODSIGN: Import certificates from UEFI Secure Boot
       UBUNTU: SAUCE: (noup) MODSIGN: Support not importing certs from db
       UBUNTU: SAUCE: (noup) efi: Disable secure boot if shim is in insecure mode

Peter Jones (1):
       efi: Reformat GUID tables to follow the format in UEFI spec

Petko Manolov (1):
       IMA: create machine owner and blacklist keyrings

Robert Elliott (1):
       efi: Add NV memory attribute

Tadeusz Struk (1):
       crypto: KEYS: convert public key and digsig asym to the akcipher api

Tim Gardner (3):
       UBUNTU: [Config] CONFIG_EFI_SIGNATURE_LIST_PARSER=y
       UBUNTU: [Config] CONFIG_IMA_MOK_KEYRING=y
       UBUNTU: [Config] CONFIG_MODULE_SIG_UEFI=y, CONFIG_SYSTEM_BLACKLIST_KEYRING=y

  arch/x86/boot/compressed/eboot.c          |  20 +++++++-
  arch/x86/platform/efi/quirks.c            |  33 +++++++++++-
  certs/system_keyring.c                    |  31 +++++++++++-
  crypto/asymmetric_keys/Kconfig            |  15 +++---
  crypto/asymmetric_keys/Makefile           |   9 ++--
  crypto/asymmetric_keys/efi_parser.c       | 109 ++++++++++++++++++++++++++++++++++++++++
  crypto/asymmetric_keys/pkcs7_parser.c     |  12 ++---
  crypto/asymmetric_keys/pkcs7_trust.c      |   2 +-
  crypto/asymmetric_keys/pkcs7_verify.c     |   2 +-
  crypto/asymmetric_keys/public_key.c       | 146 +++++++++++++++++++++++++++++++++++++----------------
  crypto/asymmetric_keys/public_key.h       |  36 -------------
  crypto/asymmetric_keys/rsa.c              | 278 -----------------------------------------------------------------------------------------------------
  crypto/asymmetric_keys/x509_cert_parser.c |  37 +++-----------
  crypto/asymmetric_keys/x509_public_key.c  |  19 +++----
  crypto/asymmetric_keys/x509_rsakey.asn1   |   4 --
  debian.master/config/config.common.ubuntu |   9 ++--
  drivers/firmware/efi/efi.c                |   5 +-
  drivers/firmware/efi/libstub/Makefile     |   2 +-
  drivers/firmware/efi/libstub/efistub.h    |   3 ++
  drivers/firmware/efi/libstub/random.c     |  35 +++++++++++++
  drivers/firmware/efi/runtime-wrappers.c   |  22 ++++++++
  drivers/firmware/efi/vars.c               |  16 +++++-
  include/crypto/public_key.h               |  32 +++---------
  include/keys/system_keyring.h             |  28 +++++++++++
  include/linux/efi.h                       | 121 ++++++++++++++++++++++++++++++++------------
  include/linux/key.h                       |   1 +
  init/Kconfig                              |  20 +++++++-
  kernel/Makefile                           |   3 ++
  kernel/modsign_uefi.c                     | 114 ++++++++++++++++++++++++++++++++++++++++++
  security/integrity/digsig_asymmetric.c    |  15 ++++++
  security/integrity/ima/Kconfig            |  20 ++++++++
  security/integrity/ima/Makefile           |   1 +
  security/integrity/ima/ima_mok.c          |  54 ++++++++++++++++++++
  security/keys/key.c                       |   2 +
  34 files changed, 766 insertions(+), 490 deletions(-)
  create mode 100644 crypto/asymmetric_keys/efi_parser.c
  delete mode 100644 crypto/asymmetric_keys/public_key.h
  delete mode 100644 crypto/asymmetric_keys/rsa.c
  delete mode 100644 crypto/asymmetric_keys/x509_rsakey.asn1
  create mode 100644 drivers/firmware/efi/libstub/random.c
  create mode 100644 kernel/modsign_uefi.c
  create mode 100644 security/integrity/ima/ima_mok.c
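The cover letter's point that a MOK-enrolled key "will appear in the kernel UEFI keyring" after reboot rests on parsing the EFI_SIGNATURE_LIST structures stored in UEFI variables such as db and MokListRT. The C below is an added illustration, not code from this pull request or from the kernel tree: it walks such a blob with the bounds checks a loader must apply before trusting any length field, selects only X.509 entries, and hands each certificate to a caller-supplied callback. The callback type, function names and the sample blob are assumptions constructed for the example; the sample's 5 "DER" bytes stand in for a real certificate.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* EFI_CERT_X509_GUID from the UEFI spec, in on-disk (mixed-endian) byte order */
static const uint8_t EFI_CERT_X509_GUID[16] = {
    0xa1, 0x59, 0xc0, 0xa5, 0xe4, 0x94, 0xa7, 0x4a,
    0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72 };

static uint32_t le32(const uint8_t *p) {
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Invoked once per X.509 entry with the SignatureOwner GUID and the DER bytes (hypothetical type). */
typedef void (*cert_cb)(const uint8_t *owner, const uint8_t *der, size_t len, void *ctx);

/* Walk a chain of EFI_SIGNATURE_LIST structures (the layout of db or MokListRT).
 * Returns the number of X.509 entries seen, or -1 if any header would overrun the blob. */
int parse_efi_signature_list(const uint8_t *blob, size_t size, cert_cb cb, void *ctx)
{
    int count = 0;
    while (size > 0) {
        if (size < 28) return -1;                       /* truncated list header */
        uint32_t lsize = le32(blob + 16), hsize = le32(blob + 20), esize = le32(blob + 24);
        if (lsize < 28 || lsize > size || hsize > lsize - 28) return -1;   /* list overruns blob */
        if (esize < 16 || (lsize - 28 - hsize) % esize) return -1;         /* entry needs owner GUID */
        if (memcmp(blob, EFI_CERT_X509_GUID, 16) == 0)  /* hash lists are skipped, only certs load */
            for (size_t off = 28 + hsize; off < lsize; off += esize, count++)
                if (cb) cb(blob + off, blob + off + 16, esize - 16, ctx);
        blob += lsize; size -= lsize;                   /* advance to the next list */
    }
    return count;
}

/* Constructed sample blob: one list, one entry whose 5 "DER" bytes stand in for a certificate. */
static const uint8_t SAMPLE_BLOB[] = {
    0xa1,0x59,0xc0,0xa5,0xe4,0x94,0xa7,0x4a,0x87,0xb5,0xab,0x15,0x5c,0x2b,0xf0,0x72, /* X509 type */
    49,0,0,0,  0,0,0,0,  21,0,0,0,             /* ListSize=49, HeaderSize=0, SignatureSize=21 */
    0xAB,0xAB,0xAB,0xAB,0xAB,0xAB,0xAB,0xAB,0xAB,0xAB,0xAB,0xAB,0xAB,0xAB,0xAB,0xAB, /* owner GUID */
    0x30,0x03,0x02,0x01,0x01 };                 /* stand-in DER bytes */

static void count_der(const uint8_t *o, const uint8_t *d, size_t n, void *ctx) { (void)o; (void)d; *(size_t *)ctx += n; }

/* Parse the sample intact, then with its last byte cut off (as a corrupt variable would be). */
int sample_cert_count(void) {
    size_t der_bytes = 0;
    return parse_efi_signature_list(SAMPLE_BLOB, sizeof SAMPLE_BLOB, count_der, &der_bytes) == 1 && der_bytes == 5;
}
int truncated_blob_rejected(void) {
    size_t der_bytes = 0;
    return parse_efi_signature_list(SAMPLE_BLOB, sizeof SAMPLE_BLOB - 1, count_der, &der_bytes) == -1;
}
```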

Comments

Andy Whitcroft April 18, 2016, 8:02 a.m. UTC | #1
On Wed, Apr 13, 2016 at 10:16:28AM -0600, Tim Gardner wrote:
> This mighty blob of code implements the functionality required to extract
> encryption keys and certificates from UEFI and use them to verify signed
> modules. This is important for locally compiled modules such as DKMS. A user
> would create or acquire a key and enter it into the MOK while also signing
> their local module with the same key. Upon reboot said key will appear in
> the kernel UEFI keyring which is then used to verify the new module.
> 
> This code is pretty much untested, but I wanted some more eyeballs on it in
> order to make sure my interpretation reflects reality.
> 
> This is phase 1 of secure boot signed module enforcement. Subsequent phases
> involve backporting this pile to Trusty and all kernels in between. Refer to
> https://wiki.ubuntu.com/Spec/InstallingUnsignedSecureBoot in order to
> understand why I am pushing for these changes at such a late date.

As best as I can tell these look to be a complete set.  There is such a
lot of code here that a line by line comparison is almost impossible,
but they look reasonable to me.

Acked-by: Andy Whitcroft <apw@canonical.com>

-apw
Stefan Bader April 18, 2016, 10:40 a.m. UTC | #2
On 13.04.2016 18:16, Tim Gardner wrote:
> git://kernel.ubuntu.com/rtg/ubuntu-xenial.git uefi-keyring

I would also say it's hard to validate correctness but it looks like all parts
are related to the task.
My only complaint would be that the modification of config options seems to be
ordered before applying patches that actually define them. I would rather place
them on top. Also, personally I would favour a bit more reasoning for the
changes at least in the bug report. Or even into the individual commit messages
as that is the first thing one hits when looking for reasons why something is
configured the way it is.

Since there are no hard reasons against, I am ACKing and leaving the details to
whoever is slamming stuff in.

-Stefan