From patchwork Mon Aug 23 13:33:44 2021
X-Patchwork-Submitter: Dimitri John Ledkov
X-Patchwork-Id: 1519697
From: Dimitri John Ledkov
To: kernel-team@lists.ubuntu.com
Subject: [FOCAL][linux-oem-5.10][PATCH 01/10] Revert "UBUNTU: SAUCE: Dump stack when X.509 certificates cannot be loaded"
Date: Mon, 23 Aug 2021 14:33:44 +0100
Message-Id: <20210823133353.37046-2-dimitri.ledkov@canonical.com>
In-Reply-To: <20210823133353.37046-1-dimitri.ledkov@canonical.com>

This reverts commit d1a99a474f1afbb44773f16fabd2f5945a1f01b1.

Signed-off-by: Dimitri John Ledkov
---
 certs/system_keyring.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/certs/system_keyring.c b/certs/system_keyring.c
index 7d4c81653b..7982911771 100644
--- a/certs/system_keyring.c
+++ b/certs/system_keyring.c
@@ -171,7 +171,6 @@ static __init int load_system_certificate_list(void) if (IS_ERR(key)) { pr_err("Problem loading in-kernel X.509 certificate (%ld)\n", PTR_ERR(key)); - WARN_ON_ONCE(1); } else { pr_notice("Loaded X.509 cert '%s'\n", key_ref_to_ptr(key)->description);
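Review bot: the commit body gives no reason for the revert beyond "This reverts commit ..."; a one-line rationale belongs here. The motivation is visible later in this series: patch 03 deletes this whole error path from load_system_certificate_list() as a block that contains the pr_err() but no WARN_ON_ONCE(1), so the upstream refactor would not apply cleanly with the SAUCE line still in place. It is also worth stating the behavioural consequence of this hunk: a built-in certificate that fails to load now produces only the "Problem loading in-kernel X.509 certificate" line with no stack dump, so anyone who relied on the warning to spot a broken certificate list at boot should key on that pr_err() text instead.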
From: Dimitri John Ledkov
To: kernel-team@lists.ubuntu.com
Subject: [FOCAL][linux-oem-5.10][PATCH 02/10] certs: Add EFI_CERT_X509_GUID support for dbx entries
Date: Mon, 23 Aug 2021 14:33:45 +0100
Message-Id: <20210823133353.37046-3-dimitri.ledkov@canonical.com>
In-Reply-To: <20210823133353.37046-1-dimitri.ledkov@canonical.com>
From: Eric Snowberg

[ Upstream commit 56c5812623f95313f6a46fbf0beee7fa17c68bbf ]

This fixes CVE-2020-26541.

The Secure Boot Forbidden Signature Database, dbx, contains a list of now revoked signatures and keys previously approved to boot with UEFI Secure Boot enabled. The dbx is capable of containing any number of EFI_CERT_X509_SHA256_GUID, EFI_CERT_SHA256_GUID, and EFI_CERT_X509_GUID entries.

Currently when EFI_CERT_X509_GUID are contained in the dbx, the entries are skipped.

Add support for EFI_CERT_X509_GUID dbx entries. When an EFI_CERT_X509_GUID is found, it is added as an asymmetrical key to the .blacklist keyring. Anytime the .platform keyring is used, the keys in the .blacklist keyring are referenced, if a matching key is found, the key will be rejected.

[DH: Made the following changes:
 - Added to have a config option to enable the facility. This allows a Kconfig solution to make sure that pkcs7_validate_trust() is enabled. [1][2]
 - Moved the functions out from the middle of the blacklist functions.
 - Added kerneldoc comments.]

Signed-off-by: Eric Snowberg
Signed-off-by: David Howells
Reviewed-by: Jarkko Sakkinen
cc: Randy Dunlap
cc: Mickaël Salaün
cc: Arnd Bergmann
cc: keyrings@vger.kernel.org
Link: https://lore.kernel.org/r/20200901165143.10295-1-eric.snowberg@oracle.com/ # rfc
Link: https://lore.kernel.org/r/20200909172736.73003-1-eric.snowberg@oracle.com/ # v2
Link: https://lore.kernel.org/r/20200911182230.62266-1-eric.snowberg@oracle.com/ # v3
Link: https://lore.kernel.org/r/20200916004927.64276-1-eric.snowberg@oracle.com/ # v4
Link: https://lore.kernel.org/r/20210122181054.32635-2-eric.snowberg@oracle.com/ # v5
Link: https://lore.kernel.org/r/161428672051.677100.11064981943343605138.stgit@warthog.procyon.org.uk/
Link: https://lore.kernel.org/r/161433310942.902181.4901864302675874242.stgit@warthog.procyon.org.uk/ # v2
Link: https://lore.kernel.org/r/161529605075.163428.14625520893961300757.stgit@warthog.procyon.org.uk/ # v3
Link: https://lore.kernel.org/r/bc2c24e3-ed68-2521-0bf4-a1f6be4a895d@infradead.org/ [1]
Link: https://lore.kernel.org/r/20210225125638.1841436-1-arnd@kernel.org/ [2]
Signed-off-by: Sasha Levin
(cherry picked from commit 45109066f686597116467a53eaf4330450702a96)
---
 certs/Kconfig | 9 ++++
 certs/blacklist.c | 43 +++++++++++++++++++
 certs/blacklist.h | 2 +
 certs/system_keyring.c | 6 +++
 include/keys/system_keyring.h | 15 +++++++
 .../platform_certs/keyring_handler.c | 11 +++++
 6 files changed, 86 insertions(+)

diff --git a/certs/Kconfig b/certs/Kconfig
index c94e93d8bc..76e469b56a 100644
--- a/certs/Kconfig
+++ b/certs/Kconfig
@@ -83,4 +83,13 @@ config SYSTEM_BLACKLIST_HASH_LIST wrapper to incorporate the list into the kernel. Each should be a string of hex digits. +config SYSTEM_REVOCATION_LIST + bool "Provide system-wide ring of revocation certificates" + depends on SYSTEM_BLACKLIST_KEYRING + depends on PKCS7_MESSAGE_PARSER=y + help + If set, this allows revocation certificates to be stored in the + blacklist keyring and implements a hook whereby a PKCS#7 message can + be checked to see if it matches such a certificate. + endmenu diff --git a/certs/blacklist.c b/certs/blacklist.c index f1c434b04b..59b2f106b2 100644 --- a/certs/blacklist.c +++ b/certs/blacklist.c @@ -144,6 +144,49 @@ int is_binary_blacklisted(const u8 *hash, size_t hash_len) } EXPORT_SYMBOL_GPL(is_binary_blacklisted); +#ifdef CONFIG_SYSTEM_REVOCATION_LIST +/** + * add_key_to_revocation_list - Add a revocation certificate to the blacklist + * @data: The data blob containing the certificate + * @size: The size of data blob + */ +int add_key_to_revocation_list(const char *data, size_t size) +{ + key_ref_t key; + + key = key_create_or_update(make_key_ref(blacklist_keyring, true), + "asymmetric", + NULL, + data, + size, + ((KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_VIEW), + KEY_ALLOC_NOT_IN_QUOTA | KEY_ALLOC_BUILT_IN); + + if (IS_ERR(key)) { + pr_err("Problem with revocation key (%ld)\n", PTR_ERR(key)); + return PTR_ERR(key); + } + + return 0; +} + +/** + * is_key_on_revocation_list - Determine if the key for a PKCS#7 message is revoked + * @pkcs7: The PKCS#7 message to check + */ +int is_key_on_revocation_list(struct pkcs7_message *pkcs7) +{ + int ret; + + ret = pkcs7_validate_trust(pkcs7, blacklist_keyring); + + if (ret == 0) + return -EKEYREJECTED; + + return -ENOKEY; +} +#endif + /* * Initialise the blacklist */ diff --git a/certs/blacklist.h b/certs/blacklist.h index 1efd6fa0dc..51b320cf85 100644 --- a/certs/blacklist.h +++ b/certs/blacklist.h 
@@ -1,3 +1,5 @@ #include +#include +#include extern const char __initconst *const blacklist_hashes[]; diff --git a/certs/system_keyring.c b/certs/system_keyring.c index 7982911771..cc165b359e 100644 --- a/certs/system_keyring.c +++ b/certs/system_keyring.c @@ -241,6 +241,12 @@ int verify_pkcs7_message_sig(const void *data, size_t len, pr_devel("PKCS#7 platform keyring is not available\n"); goto error; } + + ret = is_key_on_revocation_list(pkcs7); + if (ret != -ENOKEY) { + pr_devel("PKCS#7 platform key is on revocation list\n"); + goto error; + } } ret = pkcs7_validate_trust(pkcs7, trusted_keys); if (ret < 0) { diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h index fb8b07daa9..875e002a41 100644 --- a/include/keys/system_keyring.h +++ b/include/keys/system_keyring.h @@ -31,6 +31,7 @@ extern int restrict_link_by_builtin_and_secondary_trusted( #define restrict_link_by_builtin_and_secondary_trusted restrict_link_by_builtin_trusted #endif +extern struct pkcs7_message *pkcs7; #ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING extern int mark_hash_blacklisted(const char *hash); extern int is_hash_blacklisted(const u8 *hash, size_t hash_len, @@ -49,6 +50,20 @@ static inline int is_binary_blacklisted(const u8 *hash, size_t hash_len) } #endif +#ifdef CONFIG_SYSTEM_REVOCATION_LIST +extern int add_key_to_revocation_list(const char *data, size_t size); +extern int is_key_on_revocation_list(struct pkcs7_message *pkcs7); +#else +static inline int add_key_to_revocation_list(const char *data, size_t size) +{ + return 0; +} +static inline int is_key_on_revocation_list(struct pkcs7_message *pkcs7) +{ + return -ENOKEY; +} +#endif + #ifdef CONFIG_IMA_BLACKLIST_KEYRING extern struct key *ima_blacklist_keyring; diff --git a/security/integrity/platform_certs/keyring_handler.c b/security/integrity/platform_certs/keyring_handler.c index c5ba695c10..5604bd57c9 100644 --- a/security/integrity/platform_certs/keyring_handler.c 
+++ b/security/integrity/platform_certs/keyring_handler.c @@ -55,6 +55,15 @@ static __init void uefi_blacklist_binary(const char *source, uefi_blacklist_hash(source, data, len, "bin:", 4); } +/* + * Add an X509 cert to the revocation list. + */ +static __init void uefi_revocation_list_x509(const char *source, + const void *data, size_t len) +{ + add_key_to_revocation_list(data, len); +} + /* * Return the appropriate handler for particular signature list types found in * the UEFI db and MokListRT tables. 
@@ -76,5 +85,7 @@ __init efi_element_handler_t get_handler_for_dbx(const efi_guid_t *sig_type) return uefi_blacklist_x509_tbs; if (efi_guidcmp(*sig_type, efi_cert_sha256_guid) == 0) return uefi_blacklist_binary; + if (efi_guidcmp(*sig_type, efi_cert_x509_guid) == 0) + return uefi_revocation_list_x509; return 0; }
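Review bot: the certs/Kconfig hunk gives SYSTEM_REVOCATION_LIST no default, so the "This fixes CVE-2020-26541" line only holds for configs that turn the option on; with it off, the inline stubs added to include/keys/system_keyring.h return 0 and -ENOKEY and an EFI_CERT_X509_GUID dbx entry is still ignored. The cover letter or this message should say that the corresponding Ubuntu config change enables the option (it is not part of this patch), and the help text could state what the commit message already does, namely that the check is consulted only where the .platform keyring is used.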
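Review bot: in the certs/blacklist.c hunk, is_key_on_revocation_list() maps every non-zero result of pkcs7_validate_trust() to -ENOKEY, and the one caller in certs/system_keyring.c treats -ENOKEY as "not revoked". A parse or algorithm failure such as -EBADMSG or -ENOPKG is therefore indistinguishable from a clean lookup at this point; the subsequent pkcs7_validate_trust(pkcs7, trusted_keys) call will still fail such a message, so the outcome is safe, but a pr_devel() of the raw return value before the mapping would make the revocation path debuggable. The kerneldoc should also spell out the contract (0 is never returned; -EKEYREJECTED means revoked, -ENOKEY means not on the list), since the caller depends on comparing against -ENOKEY rather than on a boolean.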
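Review bot: the certs/system_keyring.c hunk places the new is_key_on_revocation_list() call inside the block that is closed immediately after it, the same block that reports "PKCS#7 platform keyring is not available", so only signatures that are about to be validated against .platform are checked against .blacklist; a message validated against the builtin or secondary keyring never reaches this code. That matches the commit message, but the test `if (ret != -ENOKEY)` will also take the error path for any future return value other than -EKEYREJECTED while the pr_devel() text asserts that the key is on the revocation list. Either test for -EKEYREJECTED explicitly or make the message generic and include ret.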
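Review bot: in the first include/keys/system_keyring.h hunk, `+extern struct pkcs7_message *pkcs7;` declares an external object named pkcs7 that nothing in this series defines; it compiles only because the declaration happens to introduce the struct tag that the prototypes further down need. A plain forward declaration, `struct pkcs7_message;`, expresses the intent without advertising a variable that does not exist.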
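Review bot: in the security/integrity/platform_certs/keyring_handler.c hunks, uefi_revocation_list_x509() discards the return value of add_key_to_revocation_list(), and get_handler_for_dbx() now returns that handler for efi_cert_x509_guid regardless of CONFIG_SYSTEM_REVOCATION_LIST. With the option unset the call resolves to the inline stub that returns 0, so the dbx certificate is dropped with no log line at all, which is the same "entries are skipped" behaviour the commit message describes as the problem. A pr_notice() in the handler when the certificate is not retained, or a stub that returns -EOPNOTSUPP which the handler then logs, would make that configuration visible in dmesg.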
From: Dimitri John Ledkov
To: kernel-team@lists.ubuntu.com
Subject: [FOCAL][linux-oem-5.10][PATCH 03/10] certs: Move load_system_certificate_list to a common function
Date: Mon, 23 Aug 2021 14:33:46 +0100
Message-Id: <20210823133353.37046-4-dimitri.ledkov@canonical.com>
In-Reply-To: <20210823133353.37046-1-dimitri.ledkov@canonical.com>

From: Eric Snowberg

[ Upstream commit 2565ca7f5ec1a98d51eea8860c4ab923f1ca2c85 ]

Move functionality within load_system_certificate_list to a common function, so it can be reused in the future.

DH Changes:
 - Added inclusion of common.h to common.c (Eric [1]).

Signed-off-by: Eric Snowberg
Acked-by: Jarkko Sakkinen
Signed-off-by: David Howells
cc: keyrings@vger.kernel.org
Link: https://lore.kernel.org/r/EDA280F9-F72D-4181-93C7-CDBE95976FF7@oracle.com/ [1]
Link: https://lore.kernel.org/r/20200930201508.35113-2-eric.snowberg@oracle.com/
Link: https://lore.kernel.org/r/20210122181054.32635-3-eric.snowberg@oracle.com/ # v5
Link: https://lore.kernel.org/r/161428672825.677100.7545516389752262918.stgit@warthog.procyon.org.uk/
Link: https://lore.kernel.org/r/161433311696.902181.3599366124784670368.stgit@warthog.procyon.org.uk/ # v2
Link: https://lore.kernel.org/r/161529605850.163428.7786675680201528556.stgit@warthog.procyon.org.uk/ # v3
Signed-off-by: Sasha Levin
(cherry picked from commit 72d6f5d982f0e823eaa01b9439db23af85fb0ee0)
---
 certs/Makefile | 2 +-
 certs/common.c | 57 ++++++++++++++++++++++++++++++++++++++++++
 certs/common.h | 9 +++++++
 certs/system_keyring.c | 49 +++---------------------------------
 4 files changed, 70 insertions(+), 47 deletions(-)
 create mode 100644 certs/common.c
 create mode 100644 certs/common.h

diff --git a/certs/Makefile b/certs/Makefile
index f4c25b67aa..f4b90bad86 100644
--- a/certs/Makefile
+++ b/certs/Makefile
@@ -3,7 +3,7 @@ # Makefile for the linux kernel signature checking certificates. # -obj-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += system_keyring.o system_certificates.o +obj-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += system_keyring.o system_certificates.o common.o obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist.o ifneq ($(CONFIG_SYSTEM_BLACKLIST_HASH_LIST),"") obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist_hashes.o
diff --git a/certs/common.c b/certs/common.c
new file mode 100644
index 0000000000..16a220887a
--- /dev/null
+++ b/certs/common.c
@@ -0,0 +1,57 @@ +// SPDX-License-Identifier: GPL-2.0-or-later + +#include +#include +#include "common.h" + +int load_certificate_list(const u8 cert_list[], + const unsigned long list_size, + const struct key *keyring) +{ + key_ref_t key; + const u8 *p, *end; + size_t plen; + + p = cert_list; + end = p + list_size; + while (p < end) { + /* Each cert begins with an ASN.1 SEQUENCE tag and must be more + * than 256 bytes in size. + */ + if (end - p < 4) + goto dodgy_cert; + if (p[0] != 0x30 && + p[1] != 0x82) + goto dodgy_cert; + plen = (p[2] << 8) | p[3]; + plen += 4; + if (plen > end - p) + goto dodgy_cert; + + key = key_create_or_update(make_key_ref(keyring, 1), + "asymmetric", + NULL, + p, + plen, + ((KEY_POS_ALL & ~KEY_POS_SETATTR) | + KEY_USR_VIEW | KEY_USR_READ), + KEY_ALLOC_NOT_IN_QUOTA | + KEY_ALLOC_BUILT_IN | + KEY_ALLOC_BYPASS_RESTRICTION); + if (IS_ERR(key)) { + pr_err("Problem loading in-kernel X.509 certificate (%ld)\n", + PTR_ERR(key)); + } else { + pr_notice("Loaded X.509 cert '%s'\n", + key_ref_to_ptr(key)->description); + key_ref_put(key); + } + p += plen; + } + + return 0; + +dodgy_cert: + pr_err("Problem parsing in-kernel X.509 certificate list\n"); + return 0; +} diff --git a/certs/common.h b/certs/common.h new file mode 100644 index 0000000000..abdb579593 --- /dev/null +++ b/certs/common.h @@ -0,0 +1,9 @@ +/* SPDX-License-Identifier: GPL-2.0-or-later */ + +#ifndef _CERT_COMMON_H +#define _CERT_COMMON_H + +int load_certificate_list(const u8 cert_list[], const unsigned long list_size, + const struct key *keyring); + +#endif diff --git a/certs/system_keyring.c b/certs/system_keyring.c index cc165b359e..a44a8915c9 100644 --- a/certs/system_keyring.c +++ b/certs/system_keyring.c @@ -15,6 +15,7 @@ #include #include #include +#include "common.h" static struct key *builtin_trusted_keys; #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING 
@@ -136,54 +137,10 @@ device_initcall(system_trusted_keyring_init); */ static __init int load_system_certificate_list(void) { - key_ref_t key; - const u8 *p, *end; - size_t plen; - pr_notice("Loading compiled-in X.509 certificates\n"); - p = system_certificate_list; - end = p + system_certificate_list_size; - while (p < end) { - /* Each cert begins with an ASN.1 SEQUENCE tag and must be more - * than 256 bytes in size. - */ - if (end - p < 4) - goto dodgy_cert; - if (p[0] != 0x30 && - p[1] != 0x82) - goto dodgy_cert; - plen = (p[2] << 8) | p[3]; - plen += 4; - if (plen > end - p) - goto dodgy_cert; - - key = key_create_or_update(make_key_ref(builtin_trusted_keys, 1), - "asymmetric", - NULL, - p, - plen, - ((KEY_POS_ALL & ~KEY_POS_SETATTR) | - KEY_USR_VIEW | KEY_USR_READ), - KEY_ALLOC_NOT_IN_QUOTA | - KEY_ALLOC_BUILT_IN | - KEY_ALLOC_BYPASS_RESTRICTION); - if (IS_ERR(key)) { - pr_err("Problem loading in-kernel X.509 certificate (%ld)\n", - PTR_ERR(key)); - } else { - pr_notice("Loaded X.509 cert '%s'\n", - key_ref_to_ptr(key)->description); - key_ref_put(key); - } - p += plen; - } - - return 0; - -dodgy_cert: - pr_err("Problem parsing in-kernel X.509 certificate list\n"); - return 0; + return load_certificate_list(system_certificate_list, system_certificate_list_size, + builtin_trusted_keys); } late_initcall(load_system_certificate_list);
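Review bot: in the new certs/common.c, the tag check `if (p[0] != 0x30 && p[1] != 0x82)` rejects a record only when both bytes are wrong, so a blob starting 0x30 0x81 (a SEQUENCE shorter than 256 bytes) or 0x31 0x82 passes and has its length read from p[2..3] as if it carried the long-form length the comment describes. The identical line appears in the code removed from certs/system_keyring.c, so this is a faithful move rather than a regression, but now that the walker is shared it is the right moment to make the condition `||`. The same goes for `dodgy_cert:` returning 0: "Problem parsing in-kernel X.509 certificate list" is then indistinguishable from success for every caller, and a negative return would let a future caller such as the blacklist preload decide what to do.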
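Review bot: the certs/system_keyring.c hunk keeps "Loading compiled-in X.509 certificates" in the caller but moves the per-certificate "Loaded X.509 cert '%s'" line into load_certificate_list(), so every future caller of the helper will print the same line for a different keyring with nothing in dmesg to tell them apart. Passing a short tag into the helper, or having each caller print its own heading as this one still does, would keep trusted and revocation certificates distinguishable in the boot log. This hunk also applies only because patch 01 removed WARN_ON_ONCE(1) from the deleted block; that ordering dependency belongs in the cover letter.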
From: Dimitri John Ledkov
To: kernel-team@lists.ubuntu.com
Subject: [FOCAL][linux-oem-5.10][PATCH 04/10] certs: Add ability to preload revocation certs
Date: Mon, 23 Aug 2021 14:33:47 +0100
Message-Id: <20210823133353.37046-5-dimitri.ledkov@canonical.com>
In-Reply-To: <20210823133353.37046-1-dimitri.ledkov@canonical.com>

From: Eric Snowberg

[ Upstream commit d1f044103dad70c1cec0a8f3abdf00834fec8b98 ]

Add a new Kconfig option called SYSTEM_REVOCATION_KEYS. If set, this option should be the filename of a PEM-formatted file containing X.509 certificates to be included in the default blacklist keyring.

DH Changes:
 - Make the new Kconfig option depend on SYSTEM_REVOCATION_LIST.
 - Fix SYSTEM_REVOCATION_KEYS=n, but CONFIG_SYSTEM_REVOCATION_LIST=y [1][2].
 - Use CONFIG_SYSTEM_REVOCATION_LIST for extract-cert [3].
 - Use CONFIG_SYSTEM_REVOCATION_LIST for revocation_certificates.o [3].

Signed-off-by: Eric Snowberg
Acked-by: Jarkko Sakkinen
Signed-off-by: David Howells cc: Randy Dunlap cc: keyrings@vger.kernel.org Link: https://lore.kernel.org/r/e1c15c74-82ce-3a69-44de-a33af9b320ea@infradead.org/ [1] Link: https://lore.kernel.org/r/20210303034418.106762-1-eric.snowberg@oracle.com/ [2] Link: https://lore.kernel.org/r/20210304175030.184131-1-eric.snowberg@oracle.com/ [3] Link: https://lore.kernel.org/r/20200930201508.35113-3-eric.snowberg@oracle.com/ Link: https://lore.kernel.org/r/20210122181054.32635-4-eric.snowberg@oracle.com/ # v5 Link: https://lore.kernel.org/r/161428673564.677100.4112098280028451629.stgit@warthog.procyon.org.uk/ Link: https://lore.kernel.org/r/161433312452.902181.4146169951896577982.stgit@warthog.procyon.org.uk/ # v2 Link: https://lore.kernel.org/r/161529606657.163428.3340689182456495390.stgit@warthog.procyon.org.uk/ # v3 Signed-off-by: Sasha Levin (cherry picked from commit c6ae6f89fc4f7820d0ce6e8c1340d660b358e791) --- certs/Kconfig | 8 ++++++++ certs/Makefile | 19 +++++++++++++++++-- certs/blacklist.c | 21 +++++++++++++++++++++ certs/revocation_certificates.S | 21 +++++++++++++++++++++ scripts/Makefile | 1 + 5 files changed, 68 insertions(+), 2 deletions(-) create mode 100644 certs/revocation_certificates.S diff --git a/certs/Kconfig b/certs/Kconfig index 76e469b56a..ab88d2a7f3 100644 --- a/certs/Kconfig +++ b/certs/Kconfig @@ -92,4 +92,12 @@ config SYSTEM_REVOCATION_LIST blacklist keyring and implements a hook whereby a PKCS#7 message can be checked to see if it matches such a certificate. +config SYSTEM_REVOCATION_KEYS + string "X.509 certificates to be preloaded into the system blacklist keyring" + depends on SYSTEM_REVOCATION_LIST + help + If set, this option should be the filename of a PEM-formatted file + containing X.509 certificates to be included in the default blacklist + keyring. + endmenu diff --git a/certs/Makefile b/certs/Makefile index f4b90bad86..b6db52ebf0 100644 --- a/certs/Makefile +++ b/certs/Makefile 
@@ -4,7 +4,8 @@ # obj-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += system_keyring.o system_certificates.o common.o -obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist.o +obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist.o common.o +obj-$(CONFIG_SYSTEM_REVOCATION_LIST) += revocation_certificates.o ifneq ($(CONFIG_SYSTEM_BLACKLIST_HASH_LIST),"") obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist_hashes.o else @@ -29,7 +30,7 @@ $(obj)/x509_certificate_list: scripts/extract-cert $(SYSTEM_TRUSTED_KEYS_SRCPREF $(call if_changed,extract_certs,$(SYSTEM_TRUSTED_KEYS_SRCPREFIX)$(CONFIG_SYSTEM_TRUSTED_KEYS)) endif # CONFIG_SYSTEM_TRUSTED_KEYRING -clean-files := x509_certificate_list .x509.list +clean-files := x509_certificate_list .x509.list x509_revocation_list ifeq ($(CONFIG_MODULE_SIG),y) ############################################################################### @@ -104,3 +105,17 @@ targets += signing_key.x509 $(obj)/signing_key.x509: scripts/extract-cert $(X509_DEP) FORCE $(call if_changed,extract_certs,$(MODULE_SIG_KEY_SRCPREFIX)$(CONFIG_MODULE_SIG_KEY)) endif # CONFIG_MODULE_SIG + +ifeq ($(CONFIG_SYSTEM_REVOCATION_LIST),y) + +$(eval $(call config_filename,SYSTEM_REVOCATION_KEYS)) + +$(obj)/revocation_certificates.o: $(obj)/x509_revocation_list + +quiet_cmd_extract_certs = EXTRACT_CERTS $(patsubst "%",%,$(2)) + cmd_extract_certs = scripts/extract-cert $(2) $@ + +targets += x509_revocation_list +$(obj)/x509_revocation_list: scripts/extract-cert $(SYSTEM_REVOCATION_KEYS_SRCPREFIX)$(SYSTEM_REVOCATION_KEYS_FILENAME) FORCE + $(call if_changed,extract_certs,$(SYSTEM_REVOCATION_KEYS_SRCPREFIX)$(CONFIG_SYSTEM_REVOCATION_KEYS)) +endif diff --git a/certs/blacklist.c b/certs/blacklist.c index 59b2f106b2..c973de883c 100644 --- a/certs/blacklist.c +++ b/certs/blacklist.c 
@@ -16,9 +16,15 @@ #include #include #include "blacklist.h" +#include "common.h" static struct key *blacklist_keyring; +#ifdef CONFIG_SYSTEM_REVOCATION_LIST +extern __initconst const u8 revocation_certificate_list[]; +extern __initconst const unsigned long revocation_certificate_list_size; +#endif + /* * The description must be a type prefix, a colon and then an even number of * hex digits. The hash is kept in the description. @@ -220,3 +226,18 @@ static int __init blacklist_init(void) * Must be initialised before we try and load the keys into the keyring. */ device_initcall(blacklist_init); + +#ifdef CONFIG_SYSTEM_REVOCATION_LIST +/* + * Load the compiled-in list of revocation X.509 certificates. + */ +static __init int load_revocation_certificate_list(void) +{ + if (revocation_certificate_list_size) + pr_notice("Loading compiled-in revocation X.509 certificates\n"); + + return load_certificate_list(revocation_certificate_list, revocation_certificate_list_size, + blacklist_keyring); +} +late_initcall(load_revocation_certificate_list); +#endif diff --git a/certs/revocation_certificates.S b/certs/revocation_certificates.S new file mode 100644 index 0000000000..f21aae8a8f --- /dev/null +++ b/certs/revocation_certificates.S @@ -0,0 +1,21 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +#include +#include + + __INITRODATA + + .align 8 + .globl revocation_certificate_list +revocation_certificate_list: +__revocation_list_start: + .incbin "certs/x509_revocation_list" +__revocation_list_end: + + .align 8 + .globl revocation_certificate_list_size +revocation_certificate_list_size: +#ifdef CONFIG_64BIT + .quad __revocation_list_end - __revocation_list_start +#else + .long __revocation_list_end - __revocation_list_start +#endif diff --git a/scripts/Makefile b/scripts/Makefile index c36106bce8..9adb6d2478 100644 --- a/scripts/Makefile +++ b/scripts/Makefile 
@@ -14,6 +14,7 @@ hostprogs-always-$(CONFIG_ASN1) += asn1_compiler hostprogs-always-$(CONFIG_MODULE_SIG_FORMAT) += sign-file hostprogs-always-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += extract-cert hostprogs-always-$(CONFIG_SYSTEM_EXTRA_CERTIFICATE) += insert-sys-cert +hostprogs-always-$(CONFIG_SYSTEM_REVOCATION_LIST) += extract-cert HOSTCFLAGS_sorttable.o = -I$(srctree)/tools/include HOSTCFLAGS_asn1_compiler.o = -I$(srctree)/include
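Review bot: the new `ifeq ($(CONFIG_SYSTEM_REVOCATION_LIST),y)` block in certs/Makefile redefines `quiet_cmd_extract_certs`/`cmd_extract_certs`, which the trusted-keys rule earlier in the file already uses through `$(call if_changed,extract_certs,...)` inside the block that ends with `endif # CONFIG_SYSTEM_TRUSTED_KEYRING`. Make keeps the last definition, so two identical copies work today, but they can drift apart unnoticed; either hoist the definition above both conditionals or add a one-line comment saying it is duplicated on purpose so that SYSTEM_REVOCATION_LIST=y builds without SYSTEM_TRUSTED_KEYRING. In the same hunk, `$(obj)/x509_revocation_list` depends on `$(SYSTEM_REVOCATION_KEYS_SRCPREFIX)$(SYSTEM_REVOCATION_KEYS_FILENAME)`, which is empty in the `SYSTEM_REVOCATION_KEYS=n, but CONFIG_SYSTEM_REVOCATION_LIST=y` case the DH changes mention, so the recipe ends up running `scripts/extract-cert "" $@` and relies on extract-cert writing an empty list for an empty source; `.incbin "certs/x509_revocation_list"` in revocation_certificates.S needs that file to exist, so a comment stating that expectation next to the rule would save the next reader a trip into extract-cert.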
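Review bot: in the certs/blacklist.c hunk, load_revocation_certificate_list() returns the rc from load_certificate_list() without a message that names the revocation list, while the other loaders in this series report the reason at the call site (`if (rc) pr_err("Couldn't parse mokx signatures %d\n", rc);` in load_uefi.c); since the same helper also loads the trusted keys, a `pr_err("Couldn't load compiled-in revocation certificates: %d\n", rc)` here would make a failure attributable to this list. The initcall ordering is right: blacklist_init() is a device_initcall, so blacklist_keyring exists before this late_initcall runs, and the `__initconst` list is still available at that point. The `pr_notice("Loading compiled-in revocation X.509 certificates\n")` is printed before anything is loaded, which is fine for a progress message, but it should not be read as success.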
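Review bot: in the scripts/Makefile hunk, extract-cert is now listed under both `hostprogs-always-$(CONFIG_SYSTEM_TRUSTED_KEYRING)` and `hostprogs-always-$(CONFIG_SYSTEM_REVOCATION_LIST)`, so kbuild sees the same host program twice when both options are set. That builds, but a short comment would stop someone "deduplicating" the second line later and silently breaking the SYSTEM_REVOCATION_LIST=y, SYSTEM_TRUSTED_KEYRING=n configuration that the `Use CONFIG_SYSTEM_REVOCATION_LIST for extract-cert` change exists for.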
From: Dimitri John Ledkov
To: kernel-team@lists.ubuntu.com
Subject: [FOCAL][linux-oem-5.10][PATCH 05/10] integrity: Load mokx variables into the blacklist keyring
Date: Mon, 23 Aug 2021 14:33:48 +0100
Message-Id: <20210823133353.37046-6-dimitri.ledkov@canonical.com>
In-Reply-To: <20210823133353.37046-1-dimitri.ledkov@canonical.com>
References: <20210823133353.37046-1-dimitri.ledkov@canonical.com>

From: Eric Snowberg

[ Upstream commit ebd9c2ae369a45bdd9f8615484db09be58fc242b ]

During boot the Secure Boot Forbidden Signature Database, dbx, is loaded into the blacklist keyring. Systems booted with shim have an equivalent Forbidden Signature Database called mokx. Currently mokx is only used by shim and grub; the contents are ignored by the kernel. Add the ability to load mokx into the blacklist keyring during boot.

Signed-off-by: Eric Snowberg
Suggested-by: James Bottomley
Signed-off-by: David Howells Reviewed-by: Jarkko Sakkinen cc: keyrings@vger.kernel.org Link: https://lore.kernel.org/r/c33c8e3839a41e9654f41cc92c7231104931b1d7.camel@HansenPartnership.com/ Link: https://lore.kernel.org/r/20210122181054.32635-5-eric.snowberg@oracle.com/ # v5 Link: https://lore.kernel.org/r/161428674320.677100.12637282414018170743.stgit@warthog.procyon.org.uk/ Link: https://lore.kernel.org/r/161433313205.902181.2502803393898221637.stgit@warthog.procyon.org.uk/ # v2 Link: https://lore.kernel.org/r/161529607422.163428.13530426573612578854.stgit@warthog.procyon.org.uk/ # v3 Signed-off-by: Sasha Levin (cherry picked from commit 1573d595e2395c4d2742d2217d86f6241ca47b9f) --- security/integrity/platform_certs/load_uefi.c | 20 +++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/security/integrity/platform_certs/load_uefi.c b/security/integrity/platform_certs/load_uefi.c index eff9ff5934..d3e7ae04f5 100644 --- a/security/integrity/platform_certs/load_uefi.c +++ b/security/integrity/platform_certs/load_uefi.c @@ -134,8 +134,9 @@ static int __init load_moklist_certs(void) static int __init load_uefi_certs(void) { efi_guid_t secure_var = EFI_IMAGE_SECURITY_DATABASE_GUID; - void *db = NULL, *dbx = NULL; - unsigned long dbsize = 0, dbxsize = 0; + efi_guid_t mok_var = EFI_SHIM_LOCK_GUID; + void *db = NULL, *dbx = NULL, *mokx = NULL; + unsigned long dbsize = 0, dbxsize = 0, mokxsize = 0; efi_status_t status; int rc = 0; 
@@ -177,6 +178,21 @@ static int __init load_uefi_certs(void) kfree(dbx); } + mokx = get_cert_list(L"MokListXRT", &mok_var, &mokxsize, &status); + if (!mokx) { + if (status == EFI_NOT_FOUND) + pr_debug("mokx variable wasn't found\n"); + else + pr_info("Couldn't get mokx list\n"); + } else { + rc = parse_efi_signature_list("UEFI:MokListXRT", + mokx, mokxsize, + get_handler_for_dbx); + if (rc) + pr_err("Couldn't parse mokx signatures %d\n", rc); + kfree(mokx); + } + /* Load the MokListRT certs */ rc = load_moklist_certs();
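Review bot: MokListXRT is read only through the `L"MokListXRT"` runtime variable via get_cert_list(), whereas the MokListRT path called right after it (`rc = load_moklist_certs();`) tries the EFI MOK config table first and only falls back to the variable. When shim cannot publish a large list as a single MokListXRT variable and exposes MokListXRT{1,2,3} instead, none of them match this name, the code takes the `pr_debug("mokx variable wasn't found\n")` branch, and the revocations are skipped with nothing above debug level in the log; read mokx through the MOKvar table first, the way load_moklist_certs() does for mok. Two smaller points in the same hunk: `rc` from the mokx parse is overwritten by `rc = load_moklist_certs();` immediately afterwards, so a mokx parse failure is logged but never returned, and `"Couldn't parse mokx signatures %d\n"` is missing the `: ` separator the neighbouring messages use.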
From: Dimitri John Ledkov
To: kernel-team@lists.ubuntu.com
Subject: [FOCAL][linux-oem-5.10][PATCH 06/10] UBUNTU: SAUCE: integrity: Load mokx certs from the EFI MOK config table
Date: Mon, 23 Aug 2021 14:33:49 +0100
Message-Id: <20210823133353.37046-7-dimitri.ledkov@canonical.com>
In-Reply-To: <20210823133353.37046-1-dimitri.ledkov@canonical.com>
References: <20210823133353.37046-1-dimitri.ledkov@canonical.com>

Refactor load_moklist_certs() to load either MokListRT into db, or MokListXRT into dbx. Call load_moklist_certs() twice - first to load mokx certs into dbx, then mok certs into db. This thus now attempts to load mokx certs via the EFI MOKvar config table first, and if that fails, via the EFI variable.

Previously mokx certs were only loaded via the EFI variable, which fails when MokListXRT is large. Instead of a large MokListXRT variable, only MokListXRT{1,2,3} are available, which are not loaded. This is the case with Ubuntu's 15.4 based shim.

This patch is required to address CVE-2020-26541 when certificates are revoked via MokListXRT.

Fixes: ebd9c2ae369a ("integrity: Load mokx variables into the blacklist keyring")
BugLink: https://bugs.launchpad.net/bugs/1928679
Signed-off-by: Dimitri John Ledkov
Acked-by: Krzysztof Kozlowski
Signed-off-by: Seth Forshee
(cherry picked from commit a9e3aae16235d6af12509a64f1337da4485ccbae)
Signed-off-by: Dimitri John Ledkov
Acked-by: Stefan Bader
Acked-by: Andy Whitcroft
[KelseyS: SHA1 from cherry pick line is from Impish. Patch has been submitted to upstream, though not yet reviewed/applied.]
Signed-off-by: Kelsey Skunberg --- security/integrity/platform_certs/load_uefi.c | 74 ++++++++++--------- 1 file changed, 40 insertions(+), 34 deletions(-) diff --git a/security/integrity/platform_certs/load_uefi.c b/security/integrity/platform_certs/load_uefi.c index d3e7ae04f5..b010b4ab5d 100644 --- a/security/integrity/platform_certs/load_uefi.c +++ b/security/integrity/platform_certs/load_uefi.c @@ -68,17 +68,18 @@ static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid, } /* - * load_moklist_certs() - Load MokList certs + * load_moklist_certs() - Load Mok(X)List certs + * @load_db: Load MokListRT into db when true; MokListXRT into dbx when false * - * Load the certs contained in the UEFI MokListRT database into the - * platform trusted keyring. + * Load the certs contained in the UEFI MokList(X)RT database into the + * platform trusted/denied keyring. * * This routine checks the EFI MOK config table first. If and only if - * that fails, this routine uses the MokListRT ordinary UEFI variable. + * that fails, this routine uses the MokList(X)RT ordinary UEFI variable. * * Return: Status */ -static int __init load_moklist_certs(void) +static int __init load_moklist_certs(const bool load_db) { struct efi_mokvar_table_entry *mokvar_entry; efi_guid_t mok_var = EFI_SHIM_LOCK_GUID; 
@@ -86,41 +87,55 @@ static int __init load_moklist_certs(void) unsigned long moksize; efi_status_t status; int rc; + const char *mokvar_name = "MokListRT"; + /* Should be const, but get_cert_list() doesn't have it as const yet */ + efi_char16_t *efivar_name = L"MokListRT"; + const char *parse_mokvar_name = "UEFI:MokListRT (MOKvar table)"; + const char *parse_efivar_name = "UEFI:MokListRT"; + efi_element_handler_t (*get_handler_for_guid)(const efi_guid_t *) = get_handler_for_db; + + if (!load_db) { + mokvar_name = "MokListXRT"; + efivar_name = L"MokListXRT"; + parse_mokvar_name = "UEFI:MokListXRT (MOKvar table)"; + parse_efivar_name = "UEFI:MokListXRT"; + get_handler_for_guid = get_handler_for_dbx; + } /* First try to load certs from the EFI MOKvar config table. * It's not an error if the MOKvar config table doesn't exist * or the MokListRT entry is not found in it. */ - mokvar_entry = efi_mokvar_entry_find("MokListRT"); + mokvar_entry = efi_mokvar_entry_find(mokvar_name); if (mokvar_entry) { - rc = parse_efi_signature_list("UEFI:MokListRT (MOKvar table)", + rc = parse_efi_signature_list(parse_mokvar_name, mokvar_entry->data, mokvar_entry->data_size, - get_handler_for_db); + get_handler_for_guid); /* All done if that worked. */ if (!rc) return rc; - pr_err("Couldn't parse MokListRT signatures from EFI MOKvar config table: %d\n", - rc); + pr_err("Couldn't parse %s signatures from EFI MOKvar config table: %d\n", + mokvar_name, rc); } /* Get MokListRT. It might not exist, so it isn't an error * if we can't get it. 
*/ - mok = get_cert_list(L"MokListRT", &mok_var, &moksize, &status); + mok = get_cert_list(efivar_name, &mok_var, &moksize, &status); if (mok) { - rc = parse_efi_signature_list("UEFI:MokListRT", - mok, moksize, get_handler_for_db); + rc = parse_efi_signature_list(parse_efivar_name, + mok, moksize, get_handler_for_guid); kfree(mok); if (rc) - pr_err("Couldn't parse MokListRT signatures: %d\n", rc); + pr_err("Couldn't parse %s signatures: %d\n", mokvar_name, rc); return rc; } if (status == EFI_NOT_FOUND) - pr_debug("MokListRT variable wasn't found\n"); + pr_debug("%s variable wasn't found\n", mokvar_name); else - pr_info("Couldn't get UEFI MokListRT\n"); + pr_info("Couldn't get UEFI %s\n", mokvar_name); return 0; } @@ -134,9 +149,8 @@ static int __init load_moklist_certs(void) static int __init load_uefi_certs(void) { efi_guid_t secure_var = EFI_IMAGE_SECURITY_DATABASE_GUID; - efi_guid_t mok_var = EFI_SHIM_LOCK_GUID; - void *db = NULL, *dbx = NULL, *mokx = NULL; - unsigned long dbsize = 0, dbxsize = 0, mokxsize = 0; + void *db = NULL, *dbx = NULL; + unsigned long dbsize = 0, dbxsize = 0; efi_status_t status; int rc = 0; 
@@ -178,23 +192,15 @@ static int __init load_uefi_certs(void) kfree(dbx); } - mokx = get_cert_list(L"MokListXRT", &mok_var, &mokxsize, &status); - if (!mokx) { - if (status == EFI_NOT_FOUND) - pr_debug("mokx variable wasn't found\n"); - else - pr_info("Couldn't get mokx list\n"); - } else { - rc = parse_efi_signature_list("UEFI:MokListXRT", - mokx, mokxsize, - get_handler_for_dbx); - if (rc) - pr_err("Couldn't parse mokx signatures %d\n", rc); - kfree(mokx); - } + /* Load the MokListXRT certs */ + rc = load_moklist_certs(false); + if (rc) + pr_err("Couldn't parse mokx signatures: %d\n", rc); /* Load the MokListRT certs */ - rc = load_moklist_certs(); + rc = load_moklist_certs(true); + if (rc) + pr_err("Couldn't parse mok signatures: %d\n", rc); return rc; }
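Review bot: in the load_moklist_certs() body hunk, the comments still describe only the MokListRT case (`* or the MokListRT entry is not found in it.` and `/* Get MokListRT. It might not exist, so it isn't an error`) even though the function now serves MokListXRT as well; update them to MokList(X)RT as the header comment was. On the interface, `load_moklist_certs(const bool load_db)` makes the callers read as `load_moklist_certs(false)` and `load_moklist_certs(true)`, which says nothing at the call site; an enum (MOK_LIST_DB / MOK_LIST_DBX) or two thin wrappers such as load_moklist_certs() and load_moklistx_certs() would make the intent visible. The name set selected in the `if (!load_db)` block (mokvar_name, efivar_name, the two parse names and get_handler_for_dbx) is consistent, and the `Should be const` remark on efivar_name is worth keeping until get_cert_list() takes a const name.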
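Review bot: in the load_uefi_certs() hunk a parse failure is now reported twice: load_moklist_certs() already prints `Couldn't parse %s signatures: %d` (or the MOKvar-table variant) before returning rc, and the caller then prints `Couldn't parse mokx signatures: %d` or `Couldn't parse mok signatures: %d` for the same rc. Drop one of the two, preferably the caller's, since the callee knows which source failed. Separately, `rc` from `load_moklist_certs(false)` is overwritten by `rc = load_moklist_certs(true)`, so load_uefi_certs() returns success when only the mokx load failed; if continuing with an incomplete blacklist is intended, say so in a comment, because an incomplete dbx/mokx is the less safe direction to fail in.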
From: Dimitri John Ledkov
To: kernel-team@lists.ubuntu.com
Subject: [FOCAL][linux-oem-5.10][PATCH 07/10] UBUNTU: SAUCE: integrity: add informational messages when revoking certs
Date: Mon, 23 Aug 2021 14:33:50 +0100
Message-Id: <20210823133353.37046-8-dimitri.ledkov@canonical.com>
In-Reply-To: <20210823133353.37046-1-dimitri.ledkov@canonical.com>
References: <20210823133353.37046-1-dimitri.ledkov@canonical.com>

integrity_load_cert() prints messages of the source and cert details when adding certs as trusted. Mirror those messages in uefi_revocation_list_x509() when adding certs as revoked.

Sample dmesg with this change:

integrity: Platform Keyring initialized
integrity: Loading X.509 certificate: UEFI:db
integrity: Loaded X.509 cert 'Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a1bd4'
integrity: Revoking X.509 certificate: UEFI:MokListXRT (MOKvar table)
blacklist: Revoked X.509 cert 'Canonical Ltd. Secure Boot Signing: 61482aa2830d0ab2ad5af10b7250da9033ddcef0'
integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
integrity: Loaded X.509 cert 'Canonical Ltd. Master Certificate Authority: ad91990bc22ab1f517048c23b6655a268e345a63'

BugLink: https://bugs.launchpad.net/bugs/1928679
Signed-off-by: Dimitri John Ledkov
Acked-by: Krzysztof Kozlowski
Signed-off-by: Seth Forshee
(cherry picked from commit ba9fb788f89cb81c5ed836db2355a7a3b0f8c248)
Signed-off-by: Dimitri John Ledkov
Acked-by: Stefan Bader
Acked-by: Andy Whitcroft
[KelseyS: SHA1 from cherry pick line is from Impish. Patch has been submitted to upstream, though not yet reviewed/applied.]
Signed-off-by: Kelsey Skunberg --- certs/blacklist.c | 3 +++ security/integrity/platform_certs/keyring_handler.c | 1 + 2 files changed, 4 insertions(+) diff --git a/certs/blacklist.c b/certs/blacklist.c index c973de883c..7638dfaca7 100644 --- a/certs/blacklist.c +++ b/certs/blacklist.c @@ -171,6 +171,9 @@ int add_key_to_revocation_list(const char *data, size_t size) if (IS_ERR(key)) { pr_err("Problem with revocation key (%ld)\n", PTR_ERR(key)); return PTR_ERR(key); + } else { + pr_notice("Revoked X.509 cert '%s'\n", + key_ref_to_ptr(key)->description); } return 0; diff --git a/security/integrity/platform_certs/keyring_handler.c b/security/integrity/platform_certs/keyring_handler.c index 5604bd57c9..9f85626702 100644 --- a/security/integrity/platform_certs/keyring_handler.c +++ b/security/integrity/platform_certs/keyring_handler.c 
@@ -61,6 +61,7 @@ static __init void uefi_blacklist_binary(const char *source, static __init void uefi_revocation_list_x509(const char *source, const void *data, size_t len) { + pr_info("Revoking X.509 certificate: %s\n", source); add_key_to_revocation_list(data, len); }
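Review bot: in the certs/blacklist.c hunk the new `} else { pr_notice(...) }` is attached to an `if (IS_ERR(key))` branch that returns, so the else is unnecessary (checkpatch reports this as UNNECESSARY_ELSE); place the `pr_notice("Revoked X.509 cert '%s'\n", key_ref_to_ptr(key)->description);` after the closing brace of the IS_ERR() block instead. Printing the key description is the right choice, since it is exactly the string the sample dmesg in the commit message shows.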
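Review bot: in the keyring_handler.c hunk, `pr_info("Revoking X.509 certificate: %s\n", source);` is printed before add_key_to_revocation_list() runs and that call's return value is still discarded, so a failed add leaves a "Revoking" line followed only by the generic `Problem with revocation key (%ld)` error and no "Revoked" line; check the return value here (or log after a successful add) so the log cannot be read as a revocation that took effect. Using pr_info is consistent with the integrity_load_cert() messages this mirrors.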
h3mr15495376wmb.73.1629725653843; Mon, 23 Aug 2021 06:34:13 -0700 (PDT) Received: from localhost ([2a01:4b00:85fd:d700:79d7:6045:c3:b370]) by smtp.gmail.com with ESMTPSA id d124sm1552139wmd.2.2021.08.23.06.34.13 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 23 Aug 2021 06:34:13 -0700 (PDT) From: Dimitri John Ledkov To: kernel-team@lists.ubuntu.com Subject: [FOCAL][linux-oem-5.10][PATCH 08/10] UBUNTU: [Packaging] build canonical-revoked-certs.pem from branch/arch certs Date: Mon, 23 Aug 2021 14:33:51 +0100 Message-Id: <20210823133353.37046-9-dimitri.ledkov@canonical.com> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20210823133353.37046-1-dimitri.ledkov@canonical.com> References: <20210823133353.37046-1-dimitri.ledkov@canonical.com> MIME-Version: 1.0 X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.20 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" BugLink: https://bugs.launchpad.net/bugs/1932029 Signed-off-by: Dimitri John Ledkov Signed-off-by: Andrea Righi (cherry picked from commit 3e44f229eef829ee3044651975512569824c4e5f) Signed-off-by: Dimitri John Ledkov Acked-by: Stefan Bader Acked-by: Andy Whitcroft [KelseyS: SHA1 from cherry pick line is from Impish. Patch has been submitted to upstream, though not yet reviewed/applied.] Signed-off-by: Kelsey Skunberg --- debian/rules | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/debian/rules b/debian/rules index e6af4aa887..6f9f20d56b 100755 --- a/debian/rules +++ b/debian/rules @@ -129,7 +129,7 @@ binary: binary-indep binary-arch build: build-arch build-indep -clean: debian/control debian/canonical-certs.pem +clean: debian/control debian/canonical-certs.pem debian/canonical-revoked-certs.pem dh_testdir dh_testroot dh_clean 
@@ -239,3 +239,15 @@ debian/canonical-certs.pem: $(wildcard $(DROOT)/certs/*-all.pem) $(wildcard $(DR fi; \ done; \ done >"$@" + +debian/canonical-revoked-certs.pem: $(wildcard $(DROOT)/revoked-certs/*-all.pem) $(wildcard $(DROOT)/revoked-certs/*-$(arch).pem) $(wildcard $(DEBIAN)/revoked-certs/*-all.pem) $(wildcard $(DEBIAN)/revoked-certs/*-$(arch).pem) + for cert in $(sort $(notdir $^)); \ + do \ + for dir in $(DEBIAN) $(DROOT); \ + do \ + if [ -f "$$dir/revoked-certs/$$cert" ]; then \ + cat "$$dir/revoked-certs/$$cert"; \ + break; \ + fi; \ + done; \ + done >"$@" From patchwork Mon Aug 23 13:33:52 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Dimitri John Ledkov X-Patchwork-Id: 1519699 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (no SPF record) smtp.mailfrom=lists.ubuntu.com (client-ip=91.189.94.19; helo=huckleberry.canonical.com; envelope-from=kernel-team-bounces@lists.ubuntu.com; receiver=) Authentication-Results: ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=canonical.com header.i=@canonical.com header.a=rsa-sha256 header.s=20210705 header.b=RFDDIIzG; dkim-atps=neutral Received: from huckleberry.canonical.com (huckleberry.canonical.com [91.189.94.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4GtYBG6KYLz9sWq; Mon, 23 Aug 2021 23:34:30 +1000 (AEST) Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com) by huckleberry.canonical.com with esmtp (Exim 4.86_2) (envelope-from ) id 1mIA5r-0008Q0-DK; Mon, 23 Aug 2021 13:34:27 +0000 Received: from smtp-relay-internal-1.internal ([10.131.114.114] helo=smtp-relay-internal-1.canonical.com) by huckleberry.canonical.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 
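Review bot: In the first hunk, making `clean` depend on debian/canonical-revoked-certs.pem means a clean now generates the revoked-certs PEM as a side effect, mirroring the existing canonical-certs.pem dependency; that is consistent, but the hunk shows only `dh_clean` and not whether either generated PEM is removed, so confirm the new file is deleted wherever canonical-certs.pem is, otherwise a PEM built for one arch can survive into the next build on another.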
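Review bot: The new debian/canonical-revoked-certs.pem recipe in the second hunk duplicates the shell loop of the canonical-certs.pem rule directly above it, differing only in the directory name; a shared `define` or pattern rule would keep the precedence logic in one place ($(DEBIAN) searched before $(DROOT), first match wins, `$(sort $(notdir $^))` de-duplicating by basename). That precedence deserves a comment in the rule, since it decides which copy of a same-named cert ends up compiled in. Also note that when no revoked-certs/*.pem matches, the loop emits nothing and `>"$@"` still creates an empty file, which patch 10/10 then points CONFIG_SYSTEM_REVOCATION_KEYS at; confirm the kernel's certs build accepts an empty input rather than failing for branches with no revoked certs.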
OJC6L997zDAzauPi5JInB8YYoId8CoqmsTX+5gppvoQ== X-Received: by 2002:a7b:c0d2:: with SMTP id s18mr2735806wmh.75.1629725655785; Mon, 23 Aug 2021 06:34:15 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwb8lGTI5FmgihCQ1m1kYZzXviNkxQNO9PlYUyjPHIPuGmE/55NMPou/zsOyQFvuCpF1SNTvQ== X-Received: by 2002:a7b:c0d2:: with SMTP id s18mr2735753wmh.75.1629725655477; Mon, 23 Aug 2021 06:34:15 -0700 (PDT) Received: from localhost ([2a01:4b00:85fd:d700:79d7:6045:c3:b370]) by smtp.gmail.com with ESMTPSA id h4sm15267231wrm.42.2021.08.23.06.34.14 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 23 Aug 2021 06:34:14 -0700 (PDT) From: Dimitri John Ledkov To: kernel-team@lists.ubuntu.com Subject: [FOCAL][linux-oem-5.10][PATCH 09/10] UBUNTU: [Packaging] Revoke 2012 UEFI signing certificate as built-in Date: Mon, 23 Aug 2021 14:33:52 +0100 Message-Id: <20210823133353.37046-10-dimitri.ledkov@canonical.com> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20210823133353.37046-1-dimitri.ledkov@canonical.com> References: <20210823133353.37046-1-dimitri.ledkov@canonical.com> MIME-Version: 1.0 X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.20 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" BugLink: https://bugs.launchpad.net/bugs/1932029 Signed-off-by: Dimitri John Ledkov Signed-off-by: Andrea Righi (cherry picked from commit 3f72ce72f0b51b6da2638cdded93bb32b9dad2ec) Signed-off-by: Dimitri John Ledkov Acked-by: Stefan Bader Acked-by: Andy Whitcroft [KelseyS: SHA1 from cherry pick line is from Impish. Patch has been submitted to upstream, though not yet reviewed/applied.] Signed-off-by: Kelsey Skunberg --- .../revoked-certs/canonical-uefi-2012-all.pem | 86 +++++++++++++++++++ 1 file changed, 86 insertions(+) create mode 100644 debian/revoked-certs/canonical-uefi-2012-all.pem 
diff --git a/debian/revoked-certs/canonical-uefi-2012-all.pem b/debian/revoked-certs/canonical-uefi-2012-all.pem new file mode 100644 index 0000000000..06c116eec5 --- /dev/null +++ b/debian/revoked-certs/canonical-uefi-2012-all.pem 
@@ -0,0 +1,86 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 1 (0x1) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = GB, ST = Isle of Man, L = Douglas, O = Canonical Ltd., CN = Canonical Ltd. Master Certificate Authority + Validity + Not Before: Apr 12 11:39:08 2012 GMT + Not After : Apr 11 11:39:08 2042 GMT + Subject: C = GB, ST = Isle of Man, O = Canonical Ltd., OU = Secure Boot, CN = Canonical Ltd. Secure Boot Signing + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:c9:5f:9b:62:8f:0b:b0:64:82:ac:be:c9:e2:62: + e3:4b:d2:9f:1e:8a:d5:61:1a:2b:5d:38:f4:b7:ce: + b9:9a:b8:43:b8:43:97:77:ab:4f:7f:0c:70:46:0b: + fc:7f:6d:c6:6d:ea:80:5e:01:d2:b7:66:1e:87:de: + 0d:6d:d0:41:97:a8:a5:af:0c:63:4f:f7:7c:c2:52: + cc:a0:31:a9:bb:89:5d:99:1e:46:6f:55:73:b9:76: + 69:ec:d7:c1:fc:21:d6:c6:07:e7:4f:bd:22:de:e4: + a8:5b:2d:db:95:34:19:97:d6:28:4b:21:4c:ca:bb: + 1d:79:a6:17:7f:5a:f9:67:e6:5c:78:45:3d:10:6d: + b0:17:59:26:11:c5:57:e3:7f:4e:82:ba:f6:2c:4e: + c8:37:4d:ff:85:15:84:47:e0:ed:3b:7c:7f:bc:af: + e9:01:05:a7:0c:6f:c3:e9:8d:a3:ce:be:a6:e3:cd: + 3c:b5:58:2c:9e:c2:03:1c:60:22:37:39:ff:41:02: + c1:29:a4:65:51:ff:33:34:aa:42:15:f9:95:78:fc: + 2d:f5:da:8a:85:7c:82:9d:fb:37:2c:6b:a5:a8:df: + 7c:55:0b:80:2e:3c:b0:63:e1:cd:38:48:89:e8:14: + 06:0b:82:bc:fd:d4:07:68:1b:0f:3e:d9:15:dd:94: + 11:1b + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:FALSE + X509v3 Extended Key Usage: + Code Signing, 1.3.6.1.4.1.311.10.3.6 + Netscape Comment: + OpenSSL Generated Certificate + X509v3 Subject Key Identifier: + 61:48:2A:A2:83:0D:0A:B2:AD:5A:F1:0B:72:50:DA:90:33:DD:CE:F0 + X509v3 Authority Key Identifier: + keyid:AD:91:99:0B:C2:2A:B1:F5:17:04:8C:23:B6:65:5A:26:8E:34:5A:63 + + Signature Algorithm: sha256WithRSAEncryption + 8f:8a:a1:06:1f:29:b7:0a:4a:d5:c5:fd:81:ab:25:ea:c0:7d: + e2:fc:6a:96:a0:79:93:67:ee:05:0e:25:12:25:e4:5a:f6:aa: + 
1a:f1:12:f3:05:8d:87:5e:f1:5a:5c:cb:8d:23:73:65:1d:15: + b9:de:22:6b:d6:49:67:c9:a3:c6:d7:62:4e:5c:b5:f9:03:83: + 40:81:dc:87:9c:3c:3f:1c:0d:51:9f:94:65:0a:84:48:67:e4: + a2:f8:a6:4a:f0:e7:cd:cd:bd:94:e3:09:d2:5d:2d:16:1b:05: + 15:0b:cb:44:b4:3e:61:42:22:c4:2a:5c:4e:c5:1d:a3:e2:e0: + 52:b2:eb:f4:8b:2b:dc:38:39:5d:fb:88:a1:56:65:5f:2b:4f: + 26:ff:06:78:10:12:eb:8c:5d:32:e3:c6:45:af:25:9b:a0:ff: + 8e:ef:47:09:a3:e9:8b:37:92:92:69:76:7e:34:3b:92:05:67: + 4e:b0:25:ed:bc:5e:5f:8f:b4:d6:ca:40:ff:e4:e2:31:23:0c: + 85:25:ae:0c:55:01:ec:e5:47:5e:df:5b:bc:14:33:e3:c6:f5: + 18:b6:d9:f7:dd:b3:b4:a1:31:d3:5a:5c:5d:7d:3e:bf:0a:e4: + e4:e8:b4:59:7d:3b:b4:8c:a3:1b:b5:20:a3:b9:3e:84:6f:8c: + 21:00:c3:39 +-----BEGIN CERTIFICATE----- +MIIEIDCCAwigAwIBAgIBATANBgkqhkiG9w0BAQsFADCBhDELMAkGA1UEBhMCR0Ix +FDASBgNVBAgMC0lzbGUgb2YgTWFuMRAwDgYDVQQHDAdEb3VnbGFzMRcwFQYDVQQK +DA5DYW5vbmljYWwgTHRkLjE0MDIGA1UEAwwrQ2Fub25pY2FsIEx0ZC4gTWFzdGVy +IENlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0xMjA0MTIxMTM5MDhaFw00MjA0MTEx +MTM5MDhaMH8xCzAJBgNVBAYTAkdCMRQwEgYDVQQIDAtJc2xlIG9mIE1hbjEXMBUG +A1UECgwOQ2Fub25pY2FsIEx0ZC4xFDASBgNVBAsMC1NlY3VyZSBCb290MSswKQYD +VQQDDCJDYW5vbmljYWwgTHRkLiBTZWN1cmUgQm9vdCBTaWduaW5nMIIBIjANBgkq +hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyV+bYo8LsGSCrL7J4mLjS9KfHorVYRor +XTj0t865mrhDuEOXd6tPfwxwRgv8f23GbeqAXgHSt2Yeh94NbdBBl6ilrwxjT/d8 +wlLMoDGpu4ldmR5Gb1VzuXZp7NfB/CHWxgfnT70i3uSoWy3blTQZl9YoSyFMyrsd +eaYXf1r5Z+ZceEU9EG2wF1kmEcVX439Ogrr2LE7IN03/hRWER+DtO3x/vK/pAQWn +DG/D6Y2jzr6m4808tVgsnsIDHGAiNzn/QQLBKaRlUf8zNKpCFfmVePwt9dqKhXyC +nfs3LGulqN98VQuALjywY+HNOEiJ6BQGC4K8/dQHaBsPPtkV3ZQRGwIDAQABo4Gg +MIGdMAwGA1UdEwEB/wQCMAAwHwYDVR0lBBgwFgYIKwYBBQUHAwMGCisGAQQBgjcK +AwYwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRl +MB0GA1UdDgQWBBRhSCqigw0Ksq1a8QtyUNqQM93O8DAfBgNVHSMEGDAWgBStkZkL +wiqx9RcEjCO2ZVomjjRaYzANBgkqhkiG9w0BAQsFAAOCAQEAj4qhBh8ptwpK1cX9 +gasl6sB94vxqlqB5k2fuBQ4lEiXkWvaqGvES8wWNh17xWlzLjSNzZR0Vud4ia9ZJ +Z8mjxtdiTly1+QODQIHch5w8PxwNUZ+UZQqESGfkovimSvDnzc29lOMJ0l0tFhsF 
+FQvLRLQ+YUIixCpcTsUdo+LgUrLr9Isr3Dg5XfuIoVZlXytPJv8GeBAS64xdMuPG +Ra8lm6D/ju9HCaPpizeSkml2fjQ7kgVnTrAl7bxeX4+01spA/+TiMSMMhSWuDFUB +7OVHXt9bvBQz48b1GLbZ992ztKEx01pcXX0+vwrk5Oi0WX07tIyjG7Ugo7k+hG+M +IQDDOQ== +-----END CERTIFICATE----- From patchwork Mon Aug 23 13:33:53 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Dimitri John Ledkov X-Patchwork-Id: 1519706 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (no SPF record) smtp.mailfrom=lists.ubuntu.com (client-ip=91.189.94.19; helo=huckleberry.canonical.com; envelope-from=kernel-team-bounces@lists.ubuntu.com; receiver=) Authentication-Results: ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=canonical.com header.i=@canonical.com header.a=rsa-sha256 header.s=20210705 header.b=Pt1Nn11t; dkim-atps=neutral Received: from huckleberry.canonical.com (huckleberry.canonical.com [91.189.94.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4GtYC53JPKz9sWq; Mon, 23 Aug 2021 23:35:13 +1000 (AEST) Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com) by huckleberry.canonical.com with esmtp (Exim 4.86_2) (envelope-from ) id 1mIA6Y-0000MT-Dd; Mon, 23 Aug 2021 13:35:10 +0000 Received: from smtp-relay-internal-1.internal ([10.131.114.114] helo=smtp-relay-internal-1.canonical.com) by huckleberry.canonical.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1mIA5i-0008Ly-2g for kernel-team@lists.ubuntu.com; Mon, 23 Aug 2021 13:34:18 +0000 Received: from mail-wm1-f72.google.com (mail-wm1-f72.google.com [209.85.128.72]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) 
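Review bot: The commit message carries only the BugLink and no rationale for revoking this certificate (CN = Canonical Ltd. Secure Boot Signing, issued 2012, SKID 61:48:2A:A2:83:0D:0A:B2:AD:5A:F1:0B:72:50:DA:90:33:DD:CE:F0, Not After 2042); as the only entry so far in the new debian/revoked-certs directory, a sentence on what this key signed and why it is no longer trusted belongs in the message. The file also carries the `openssl x509 -text` dump ahead of the PEM block; the build consumes only the PEM, so either drop the dump or state in the message that it was regenerated from this exact PEM (`openssl x509 -in debian/revoked-certs/canonical-uefi-2012-all.pem -noout -text`) so the human-readable half cannot drift from the bytes that get compiled in.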
-0700 (PDT) Received: from localhost ([2a01:4b00:85fd:d700:79d7:6045:c3:b370]) by smtp.gmail.com with ESMTPSA id b201sm18089040wmb.6.2021.08.23.06.34.16 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 23 Aug 2021 06:34:16 -0700 (PDT) From: Dimitri John Ledkov To: kernel-team@lists.ubuntu.com Subject: [FOCAL][linux-oem-5.10][PATCH 10/10] UBUNTU: [Config] Configure CONFIG_SYSTEM_REVOCATION_KEYS with revoked keys Date: Mon, 23 Aug 2021 14:33:53 +0100 Message-Id: <20210823133353.37046-11-dimitri.ledkov@canonical.com> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20210823133353.37046-1-dimitri.ledkov@canonical.com> References: <20210823133353.37046-1-dimitri.ledkov@canonical.com> MIME-Version: 1.0 X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.20 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" BugLink: https://bugs.launchpad.net/bugs/1932029 Signed-off-by: Dimitri John Ledkov Signed-off-by: Andrea Righi (cherry picked from commit 741f622c4dbc162b82f8c9045f9c6c6446f57eb5) Signed-off-by: Dimitri John Ledkov Acked-by: Stefan Bader Acked-by: Andy Whitcroft [KelseyS: SHA1 from cherry pick line is from Impish. Patch has been submitted to upstream, though not yet reviewed/applied.] Signed-off-by: Kelsey Skunberg --- debian.master/config/annotations | 1 + debian.master/config/config.common.ubuntu | 2 ++ debian.oem/config/annotations | 1 + debian.oem/config/config.common.ubuntu | 2 ++ 4 files changed, 6 insertions(+) diff --git a/debian.master/config/annotations b/debian.master/config/annotations index 62fb726d1c..1a4eb7a030 100644 --- a/debian.master/config/annotations +++ b/debian.master/config/annotations 
@@ -361,6 +361,7 @@ CONFIG_SYSTEM_TRUSTED_KEYRING policy<{'amd64': 'y', 'arm64': ' CONFIG_SYSTEM_TRUSTED_KEYS policy<{'amd64': '"debian/canonical-certs.pem"', 'arm64': '"debian/canonical-certs.pem"', 'armhf': '"debian/canonical-certs.pem"', 'ppc64el': '"debian/canonical-certs.pem"', 's390x': '"debian/canonical-certs.pem"'}> CONFIG_SYSTEM_EXTRA_CERTIFICATE policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}> CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE policy<{'amd64': '4096', 'arm64': '4096', 'armhf': '4096', 'ppc64el': '4096', 's390x': '4096'}> +CONFIG_SYSTEM_REVOCATION_KEYS policy<{'amd64': '"debian/canonical-revoked-certs.pem"', 'arm64': '"debian/canonical-revoked-certs.pem"', 'armhf': '"debian/canonical-revoked-certs.pem"', 'ppc64el': '"debian/canonical-revoked-certs.pem"', 's390x': '"debian/canonical-revoked-certs.pem"'}> CONFIG_SECONDARY_TRUSTED_KEYRING policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}> # Menu: Cryptographic API >> Hardware crypto devices diff --git a/debian.master/config/config.common.ubuntu b/debian.master/config/config.common.ubuntu index 791cef4b80..7b63a9bc38 100644 --- a/debian.master/config/config.common.ubuntu +++ b/debian.master/config/config.common.ubuntu @@ -10402,6 +10402,8 @@ CONFIG_SYSTEM_BLACKLIST_KEYRING=y CONFIG_SYSTEM_DATA_VERIFICATION=y CONFIG_SYSTEM_EXTRA_CERTIFICATE=y CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE=4096 +CONFIG_SYSTEM_REVOCATION_KEYS="debian/canonical-revoked-certs.pem" +CONFIG_SYSTEM_REVOCATION_LIST=y CONFIG_SYSTEM_TRUSTED_KEYRING=y CONFIG_SYSTEM_TRUSTED_KEYS="debian/canonical-certs.pem" CONFIG_SYSVIPC=y diff --git a/debian.oem/config/annotations b/debian.oem/config/annotations index 74691ad759..2cd570875f 100644 --- a/debian.oem/config/annotations +++ b/debian.oem/config/annotations 
@@ -360,6 +360,7 @@ CONFIG_SYSTEM_TRUSTED_KEYRING policy<{'amd64': 'y', 'arm64': ' CONFIG_SYSTEM_TRUSTED_KEYS policy<{'amd64': '"debian/canonical-certs.pem"', 'arm64': '"debian/canonical-certs.pem"', 'armhf': '"debian/canonical-certs.pem"', 'ppc64el': '"debian/canonical-certs.pem"', 's390x': '"debian/canonical-certs.pem"'}> CONFIG_SYSTEM_EXTRA_CERTIFICATE policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}> CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE policy<{'amd64': '4096', 'arm64': '4096', 'armhf': '4096', 'ppc64el': '4096', 's390x': '4096'}> +CONFIG_SYSTEM_REVOCATION_KEYS policy<{'amd64': '"debian/canonical-revoked-certs.pem"', 'arm64': '"debian/canonical-revoked-certs.pem"', 'armhf': '"debian/canonical-revoked-certs.pem"', 'ppc64el': '"debian/canonical-revoked-certs.pem"', 's390x': '"debian/canonical-revoked-certs.pem"'}> CONFIG_SECONDARY_TRUSTED_KEYRING policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}> # Menu: Cryptographic API >> Hardware crypto devices diff --git a/debian.oem/config/config.common.ubuntu b/debian.oem/config/config.common.ubuntu index e3ccc02f91..7689259bfa 100644 --- a/debian.oem/config/config.common.ubuntu +++ b/debian.oem/config/config.common.ubuntu @@ -7700,6 +7700,8 @@ CONFIG_SYSTEM_BLACKLIST_KEYRING=y CONFIG_SYSTEM_DATA_VERIFICATION=y CONFIG_SYSTEM_EXTRA_CERTIFICATE=y CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE=4096 +CONFIG_SYSTEM_REVOCATION_KEYS="debian/canonical-revoked-certs.pem" +CONFIG_SYSTEM_REVOCATION_LIST=y CONFIG_SYSTEM_TRUSTED_KEYRING=y CONFIG_SYSTEM_TRUSTED_KEYS="debian/canonical-certs.pem" CONFIG_SYSV68_PARTITION=y
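Review bot: Both annotations hunks (debian.master and debian.oem) add a policy only for CONFIG_SYSTEM_REVOCATION_KEYS, while the matching config.common.ubuntu hunks also set CONFIG_SYSTEM_REVOCATION_LIST=y; add a CONFIG_SYSTEM_REVOCATION_LIST policy line beside the KEYS one so the enabling option is enforced per architecture the same way the PEM path is, otherwise a later config refresh could drop the list while the annotation still demands the path.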
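Review bot: The commit subject names only CONFIG_SYSTEM_REVOCATION_KEYS, but both config.common.ubuntu hunks also turn on CONFIG_SYSTEM_REVOCATION_LIST=y, which is the option the KEYS path depends on and the one that actually activates built-in revocation; mention it in the subject or body. It is also worth stating that "debian/canonical-revoked-certs.pem" is a generated file that exists only after the debian/rules target from patch 08/10 has run, exactly like the CONFIG_SYSTEM_TRUSTED_KEYS path two lines below, so this patch cannot be applied out of series order.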