From patchwork Mon Sep 27 15:56:55 2021
X-Patchwork-Submitter: Dimitri John Ledkov
X-Patchwork-Id: 1533430
From: Dimitri John Ledkov
To: kernel-team@lists.ubuntu.com
Subject: [SRU][F/hwe-5.8][PATCH 01/18] Revert "UBUNTU: SAUCE: Dump stack when X.509 certificates cannot be loaded"
Date: Mon, 27 Sep 2021 16:56:55 +0100
Message-Id: <20210927155712.164337-2-dimitri.ledkov@canonical.com>
X-Mailer: git-send-email 2.30.2
In-Reply-To: <20210927155712.164337-1-dimitri.ledkov@canonical.com>

This reverts commit 7385cef88294e9876019652131801014729a367f.

With this revert, all cherry-picks from upstream/later releases apply cleanly. And the rebased version of the patch being reverted is cherry-picked back again.

BugLink: https://bugs.launchpad.net/bugs/1932029
Signed-off-by: Dimitri John Ledkov
---
 certs/system_keyring.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/certs/system_keyring.c b/certs/system_keyring.c index 7d4c81653b..7982911771 100644 --- a/certs/system_keyring.c +++ b/certs/system_keyring.c
@@ -171,7 +171,6 @@ static __init int load_system_certificate_list(void) if (IS_ERR(key)) { pr_err("Problem loading in-kernel X.509 certificate (%ld)\n", PTR_ERR(key)); - WARN_ON_ONCE(1); } else { pr_notice("Loaded X.509 cert '%s'\n", key_ref_to_ptr(key)->description);
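Review bot: removing `WARN_ON_ONCE(1)` drops the only stack dump emitted when an in-kernel X.509 certificate fails to load, leaving just the single pr_err() line; since the commit message relies on the rebased version being cherry-picked back later in the series, the series should be checked so that this revert is never merged without that re-apply.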

From: Dimitri John Ledkov
To: kernel-team@lists.ubuntu.com
Subject: [SRU][F/hwe-5.8][PATCH 02/18] efi: Support for MOK variable config table
Date: Mon, 27 Sep 2021 16:56:56 +0100
Message-Id: <20210927155712.164337-3-dimitri.ledkov@canonical.com>
X-Mailer: git-send-email 2.30.2
In-Reply-To: <20210927155712.164337-1-dimitri.ledkov@canonical.com>
Cc: Lenny Szubowicz, Ard Biesheuvel
From: Lenny Szubowicz

BugLink: https://bugs.launchpad.net/bugs/1928679

Because of system-specific EFI firmware limitations, EFI volatile variables may not be capable of holding the required contents of the Machine Owner Key (MOK) certificate store when the certificate list grows above some size. Therefore, an EFI boot loader may pass the MOK certs via an EFI configuration table created specifically for this purpose to avoid this firmware limitation.

An EFI configuration table is a much more primitive mechanism compared to EFI variables and is well suited for one-way passage of static information from a pre-OS environment to the kernel.

This patch adds initial kernel support to recognize, parse, and validate the EFI MOK configuration table, where named entries contain the same data that would otherwise be provided in similarly named EFI variables.

Additionally, this patch creates a sysfs binary file for each EFI MOK configuration table entry found. These files are read-only to root and are provided for use by user space utilities such as mokutil.

A subsequent patch will load MOK certs into the trusted platform key ring using this infrastructure.

Signed-off-by: Lenny Szubowicz
Link: https://lore.kernel.org/r/20200905013107.10457-2-lszubowi@redhat.com
Signed-off-by: Ard Biesheuvel
(cherry picked from commit 58c909022a5a56cd1d9e89c8c5461fd1f6a27bb5)
Signed-off-by: Dimitri John Ledkov
---
 arch/x86/kernel/setup.c | 1 +
 arch/x86/platform/efi/efi.c | 3 +
 drivers/firmware/efi/Makefile | 1 +
 drivers/firmware/efi/arm-init.c | 1 +
 drivers/firmware/efi/efi.c | 6 +
 drivers/firmware/efi/mokvar-table.c | 360 ++++++++++++++++++++++++++++
 include/linux/efi.h | 34 +++
 7 files changed, 406 insertions(+)
 create mode 100644 drivers/firmware/efi/mokvar-table.c

diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c index c619e19ec0..1bdd6a4994 100644 --- a/arch/x86/kernel/setup.c +++ b/arch/x86/kernel/setup.c
@@ -1086,6 +1086,7 @@ void __init setup_arch(char **cmdline_p) efi_fake_memmap(); efi_find_mirror(); efi_esrt_init(); + efi_mokvar_table_init(); /* * The EFI specification says that boot service code won't be diff --git a/arch/x86/platform/efi/efi.c b/arch/x86/platform/efi/efi.c index e966115d10..8a9b86f8fd 100644 --- a/arch/x86/platform/efi/efi.c +++ b/arch/x86/platform/efi/efi.c @@ -91,6 +91,9 @@ static const unsigned long * const efi_tables[] = { &efi.tpm_log, &efi.tpm_final_log, &efi_rng_seed, +#ifdef CONFIG_LOAD_UEFI_KEYS + &efi.mokvar_table, +#endif }; u64 efi_setup; /* efi setup_data physical address */ diff --git a/drivers/firmware/efi/Makefile b/drivers/firmware/efi/Makefile index f0ef02d733..be5ee0bc09 100644 --- a/drivers/firmware/efi/Makefile +++ b/drivers/firmware/efi/Makefile @@ -29,6 +29,7 @@ obj-$(CONFIG_EFI) += secureboot.o obj-$(CONFIG_APPLE_PROPERTIES) += apple-properties.o obj-$(CONFIG_EFI_RCI2_TABLE) += rci2-table.o obj-$(CONFIG_EFI_EMBEDDED_FIRMWARE) += embedded-firmware.o +obj-$(CONFIG_LOAD_UEFI_KEYS) += mokvar-table.o fake_map-y += fake_mem.o fake_map-$(CONFIG_X86) += x86_fake_mem.o diff --git a/drivers/firmware/efi/arm-init.c b/drivers/firmware/efi/arm-init.c index 788f227dd5..c8e4481769 100644 --- a/drivers/firmware/efi/arm-init.c +++ b/drivers/firmware/efi/arm-init.c @@ -244,6 +244,7 @@ void __init efi_init(void) reserve_regions(); efi_esrt_init(); + efi_mokvar_table_init(); memblock_reserve(data.phys_map & PAGE_MASK, PAGE_ALIGN(data.size + (data.phys_map & ~PAGE_MASK))); diff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c index d1f6f77779..a5faafd2b4 100644 --- a/drivers/firmware/efi/efi.c +++ b/drivers/firmware/efi/efi.c @@ -44,6 +44,9 @@ struct efi __read_mostly efi = { .esrt = EFI_INVALID_TABLE_ADDR, .tpm_log = EFI_INVALID_TABLE_ADDR, .tpm_final_log = EFI_INVALID_TABLE_ADDR, +#ifdef CONFIG_LOAD_UEFI_KEYS + .mokvar_table = EFI_INVALID_TABLE_ADDR, +#endif }; EXPORT_SYMBOL(efi); 
@@ -519,6 +522,9 @@ static const efi_config_table_type_t common_tables[] __initconst = { {EFI_RT_PROPERTIES_TABLE_GUID, &rt_prop, "RTPROP" }, #ifdef CONFIG_EFI_RCI2_TABLE {DELLEMC_EFI_RCI2_TABLE_GUID, &rci2_table_phys }, +#endif +#ifdef CONFIG_LOAD_UEFI_KEYS + {LINUX_EFI_MOK_VARIABLE_TABLE_GUID, &efi.mokvar_table, "MOKvar" }, #endif {}, }; diff --git a/drivers/firmware/efi/mokvar-table.c b/drivers/firmware/efi/mokvar-table.c new file mode 100644 index 0000000000..b1cd49893d --- /dev/null +++ b/drivers/firmware/efi/mokvar-table.c 
@@ -0,0 +1,360 @@ +// SPDX-License-Identifier: GPL-2.0 +/* + * mokvar-table.c + * + * Copyright (c) 2020 Red Hat + * Author: Lenny Szubowicz + * + * This module contains the kernel support for the Linux EFI Machine + * Owner Key (MOK) variable configuration table, which is identified by + * the LINUX_EFI_MOK_VARIABLE_TABLE_GUID. + * + * This EFI configuration table provides a more robust alternative to + * EFI volatile variables by which an EFI boot loader can pass the + * contents of the Machine Owner Key (MOK) certificate stores to the + * kernel during boot. If both the EFI MOK config table and corresponding + * EFI MOK variables are present, the table should be considered as + * more authoritative. + * + * This module includes code that validates and maps the EFI MOK table, + * if it's presence was detected very early in boot. + * + * Kernel interface routines are provided to walk through all the + * entries in the MOK config table or to search for a specific named + * entry. + * + * The contents of the individual named MOK config table entries are + * made available to user space via read-only sysfs binary files under: + * + * /sys/firmware/efi/mok-variables/ + * + */ +#define pr_fmt(fmt) "mokvar: " fmt + +#include +#include +#include +#include +#include +#include +#include +#include + +/* + * The LINUX_EFI_MOK_VARIABLE_TABLE_GUID config table is a packed + * sequence of struct efi_mokvar_table_entry, one for each named + * MOK variable. The sequence is terminated by an entry with a + * completely NULL name and 0 data size. + * + * efi_mokvar_table_size is set to the computed size of the + * MOK config table by efi_mokvar_table_init(). This will be + * non-zero if and only if the table if present and has been + * validated by efi_mokvar_table_init(). + */ +static size_t efi_mokvar_table_size; + +/* + * efi_mokvar_table_va is the kernel virtual address at which the + * EFI MOK config table has been mapped by efi_mokvar_sysfs_init(). 
+ */ +static struct efi_mokvar_table_entry *efi_mokvar_table_va; + +/* + * Each /sys/firmware/efi/mok-variables/ sysfs file is represented by + * an instance of struct efi_mokvar_sysfs_attr on efi_mokvar_sysfs_list. + * bin_attr.private points to the associated EFI MOK config table entry. + * + * This list is created during boot and then remains unchanged. + * So no synchronization is currently required to walk the list. + */ +struct efi_mokvar_sysfs_attr { + struct bin_attribute bin_attr; + struct list_head node; +}; + +static LIST_HEAD(efi_mokvar_sysfs_list); +static struct kobject *mokvar_kobj; + +/* + * efi_mokvar_table_init() - Early boot validation of EFI MOK config table + * + * If present, validate and compute the size of the EFI MOK variable + * configuration table. This table may be provided by an EFI boot loader + * as an alternative to ordinary EFI variables, due to platform-dependent + * limitations. The memory occupied by this table is marked as reserved. + * + * This routine must be called before efi_free_boot_services() in order + * to guarantee that it can mark the table as reserved. + * + * Implicit inputs: + * efi.mokvar_table: Physical address of EFI MOK variable config table + * or special value that indicates no such table. + * + * Implicit outputs: + * efi_mokvar_table_size: Computed size of EFI MOK variable config table. + * The table is considered present and valid if this + * is non-zero. + */ +void __init efi_mokvar_table_init(void) +{ + efi_memory_desc_t md; + u64 end_pa; + void *va = NULL; + size_t cur_offset = 0; + size_t offset_limit; + size_t map_size = 0; + size_t map_size_needed = 0; + size_t size; + struct efi_mokvar_table_entry *mokvar_entry; + int err = -EINVAL; + + if (!efi_enabled(EFI_MEMMAP)) + return; + + if (efi.mokvar_table == EFI_INVALID_TABLE_ADDR) + return; + /* + * The EFI MOK config table must fit within a single EFI memory + * descriptor range. 
+ */ + err = efi_mem_desc_lookup(efi.mokvar_table, &md); + if (err) { + pr_warn("EFI MOKvar config table is not within the EFI memory map\n"); + return; + } + end_pa = efi_mem_desc_end(&md); + if (efi.mokvar_table >= end_pa) { + pr_err("EFI memory descriptor containing MOKvar config table is invalid\n"); + return; + } + offset_limit = end_pa - efi.mokvar_table; + /* + * Validate the MOK config table. Since there is no table header + * from which we could get the total size of the MOK config table, + * we compute the total size as we validate each variably sized + * entry, remapping as necessary. + */ + while (cur_offset + sizeof(*mokvar_entry) <= offset_limit) { + mokvar_entry = va + cur_offset; + map_size_needed = cur_offset + sizeof(*mokvar_entry); + if (map_size_needed > map_size) { + if (va) + early_memunmap(va, map_size); + /* + * Map a little more than the fixed size entry + * header, anticipating some data. It's safe to + * do so as long as we stay within current memory + * descriptor. 
+ */ + map_size = min(map_size_needed + 2*EFI_PAGE_SIZE, + offset_limit); + va = early_memremap(efi.mokvar_table, map_size); + if (!va) { + pr_err("Failed to map EFI MOKvar config table pa=0x%lx, size=%zu.\n", + efi.mokvar_table, map_size); + return; + } + mokvar_entry = va + cur_offset; + } + + /* Check for last sentinel entry */ + if (mokvar_entry->name[0] == '\0') { + if (mokvar_entry->data_size != 0) + break; + err = 0; + break; + } + + /* Sanity check that the name is null terminated */ + size = strnlen(mokvar_entry->name, + sizeof(mokvar_entry->name)); + if (size >= sizeof(mokvar_entry->name)) + break; + + /* Advance to the next entry */ + cur_offset = map_size_needed + mokvar_entry->data_size; + } + + if (va) + early_memunmap(va, map_size); + if (err) { + pr_err("EFI MOKvar config table is not valid\n"); + return; + } + efi_mem_reserve(efi.mokvar_table, map_size_needed); + efi_mokvar_table_size = map_size_needed; +} + +/* + * efi_mokvar_entry_next() - Get next entry in the EFI MOK config table + * + * mokvar_entry: Pointer to current EFI MOK config table entry + * or null. Null indicates get first entry. + * Passed by reference. This is updated to the + * same value as the return value. + * + * Returns: Pointer to next EFI MOK config table entry + * or null, if there are no more entries. + * Same value is returned in the mokvar_entry + * parameter. + * + * This routine depends on the EFI MOK config table being entirely + * mapped with it's starting virtual address in efi_mokvar_table_va. 
+ */ +struct efi_mokvar_table_entry *efi_mokvar_entry_next( + struct efi_mokvar_table_entry **mokvar_entry) +{ + struct efi_mokvar_table_entry *mokvar_cur; + struct efi_mokvar_table_entry *mokvar_next; + size_t size_cur; + + mokvar_cur = *mokvar_entry; + *mokvar_entry = NULL; + + if (efi_mokvar_table_va == NULL) + return NULL; + + if (mokvar_cur == NULL) { + mokvar_next = efi_mokvar_table_va; + } else { + if (mokvar_cur->name[0] == '\0') + return NULL; + size_cur = sizeof(*mokvar_cur) + mokvar_cur->data_size; + mokvar_next = (void *)mokvar_cur + size_cur; + } + + if (mokvar_next->name[0] == '\0') + return NULL; + + *mokvar_entry = mokvar_next; + return mokvar_next; +} + +/* + * efi_mokvar_entry_find() - Find EFI MOK config entry by name + * + * name: Name of the entry to look for. + * + * Returns: Pointer to EFI MOK config table entry if found; + * null otherwise. + * + * This routine depends on the EFI MOK config table being entirely + * mapped with it's starting virtual address in efi_mokvar_table_va. + */ +struct efi_mokvar_table_entry *efi_mokvar_entry_find(const char *name) +{ + struct efi_mokvar_table_entry *mokvar_entry = NULL; + + while (efi_mokvar_entry_next(&mokvar_entry)) { + if (!strncmp(name, mokvar_entry->name, + sizeof(mokvar_entry->name))) + return mokvar_entry; + } + return NULL; +} + +/* + * efi_mokvar_sysfs_read() - sysfs binary file read routine + * + * Returns: Count of bytes read. + * + * Copy EFI MOK config table entry data for this mokvar sysfs binary file + * to the supplied buffer, starting at the specified offset into mokvar table + * entry data, for the specified count bytes. The copy is limited by the + * amount of data in this mokvar config table entry. 
+ */ +static ssize_t efi_mokvar_sysfs_read(struct file *file, struct kobject *kobj, + struct bin_attribute *bin_attr, char *buf, + loff_t off, size_t count) +{ + struct efi_mokvar_table_entry *mokvar_entry = bin_attr->private; + + if (!capable(CAP_SYS_ADMIN)) + return 0; + + if (off >= mokvar_entry->data_size) + return 0; + if (count > mokvar_entry->data_size - off) + count = mokvar_entry->data_size - off; + + memcpy(buf, mokvar_entry->data + off, count); + return count; +} + +/* + * efi_mokvar_sysfs_init() - Map EFI MOK config table and create sysfs + * + * Map the EFI MOK variable config table for run-time use by the kernel + * and create the sysfs entries in /sys/firmware/efi/mok-variables/ + * + * This routine just returns if a valid EFI MOK variable config table + * was not found earlier during boot. + * + * This routine must be called during a "middle" initcall phase, i.e. + * after efi_mokvar_table_init() but before UEFI certs are loaded + * during late init. + * + * Implicit inputs: + * efi.mokvar_table: Physical address of EFI MOK variable config table + * or special value that indicates no such table. + * + * efi_mokvar_table_size: Computed size of EFI MOK variable config table. + * The table is considered present and valid if this + * is non-zero. + * + * Implicit outputs: + * efi_mokvar_table_va: Start virtual address of the EFI MOK config table. 
+ */ +static int __init efi_mokvar_sysfs_init(void) +{ + void *config_va; + struct efi_mokvar_table_entry *mokvar_entry = NULL; + struct efi_mokvar_sysfs_attr *mokvar_sysfs = NULL; + int err = 0; + + if (efi_mokvar_table_size == 0) + return -ENOENT; + + config_va = memremap(efi.mokvar_table, efi_mokvar_table_size, + MEMREMAP_WB); + if (!config_va) { + pr_err("Failed to map EFI MOKvar config table\n"); + return -ENOMEM; + } + efi_mokvar_table_va = config_va; + + mokvar_kobj = kobject_create_and_add("mok-variables", efi_kobj); + if (!mokvar_kobj) { + pr_err("Failed to create EFI mok-variables sysfs entry\n"); + return -ENOMEM; + } + + while (efi_mokvar_entry_next(&mokvar_entry)) { + mokvar_sysfs = kzalloc(sizeof(*mokvar_sysfs), GFP_KERNEL); + if (!mokvar_sysfs) { + err = -ENOMEM; + break; + } + + sysfs_bin_attr_init(&mokvar_sysfs->bin_attr); + mokvar_sysfs->bin_attr.private = mokvar_entry; + mokvar_sysfs->bin_attr.attr.name = mokvar_entry->name; + mokvar_sysfs->bin_attr.attr.mode = 0400; + mokvar_sysfs->bin_attr.size = mokvar_entry->data_size; + mokvar_sysfs->bin_attr.read = efi_mokvar_sysfs_read; + + err = sysfs_create_bin_file(mokvar_kobj, + &mokvar_sysfs->bin_attr); + if (err) + break; + + list_add_tail(&mokvar_sysfs->node, &efi_mokvar_sysfs_list); + } + + if (err) { + pr_err("Failed to create some EFI mok-variables sysfs entries\n"); + kfree(mokvar_sysfs); + } + return err; +} +device_initcall(efi_mokvar_sysfs_init); diff --git a/include/linux/efi.h b/include/linux/efi.h index 2793a2d547..09c093903e 100644 --- a/include/linux/efi.h +++ b/include/linux/efi.h 
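Review bot: in efi_mokvar_table_init() the initial `int err = -EINVAL;` is overwritten by `err = efi_mem_desc_lookup(efi.mokvar_table, &md);`, which is 0 on success, so every early exit from the while loop (the `break` on a sentinel with non-zero data_size, the `break` on an unterminated name, or the loop condition failing before any sentinel is seen) leaves err == 0, the `if (err)` check does not fire, and a malformed table is handed to efi_mem_reserve() and recorded in efi_mokvar_table_size as valid; set `err = -EINVAL;` immediately before the loop. The `efi.mokvar_table >= end_pa` test is redundant, because efi_mem_desc_lookup() only succeeds when the address lies inside md. Separately, `cur_offset = map_size_needed + mokvar_entry->data_size;` adds an unchecked u64 supplied by the boot loader, and a wrapped cur_offset still satisfies the loop condition on the next iteration; compare data_size against `offset_limit - map_size_needed` before advancing. Minor: "it's presence" and "it's starting" in the comments should read "its".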
@@ -361,6 +361,7 @@ void efi_native_runtime_setup(void); #define LINUX_EFI_TPM_FINAL_LOG_GUID EFI_GUID(0x1e2ed096, 0x30e2, 0x4254, 0xbd, 0x89, 0x86, 0x3b, 0xbe, 0xf8, 0x23, 0x25) #define LINUX_EFI_MEMRESERVE_TABLE_GUID EFI_GUID(0x888eb0c6, 0x8ede, 0x4ff5, 0xa8, 0xf0, 0x9a, 0xee, 0x5c, 0xb9, 0x77, 0xc2) #define LINUX_EFI_INITRD_MEDIA_GUID EFI_GUID(0x5568e427, 0x68fc, 0x4f3d, 0xac, 0x74, 0xca, 0x55, 0x52, 0x31, 0xcc, 0x68) +#define LINUX_EFI_MOK_VARIABLE_TABLE_GUID EFI_GUID(0xc451ed2b, 0x9694, 0x45d3, 0xba, 0xba, 0xed, 0x9f, 0x89, 0x88, 0xa3, 0x89) /* OEM GUIDs */ #define DELLEMC_EFI_RCI2_TABLE_GUID EFI_GUID(0x2d9f28a2, 0xa886, 0x456a, 0x97, 0xa8, 0xf1, 0x1e, 0xf2, 0x4f, 0xf4, 0x55) @@ -550,6 +551,7 @@ extern struct efi { unsigned long esrt; /* ESRT table */ unsigned long tpm_log; /* TPM2 Event Log table */ unsigned long tpm_final_log; /* TPM2 Final Events Log table */ + unsigned long mokvar_table; /* MOK variable config table */ efi_get_time_t *get_time; efi_set_time_t *set_time; 
@@ -1271,4 +1273,36 @@ void __init efi_arch_mem_reserve(phys_addr_t addr, u64 size); char *efi_systab_show_arch(char *str); +/* + * The LINUX_EFI_MOK_VARIABLE_TABLE_GUID config table can be provided + * to the kernel by an EFI boot loader. The table contains a packed + * sequence of these entries, one for each named MOK variable. + * The sequence is terminated by an entry with a completely NULL + * name and 0 data size. + */ +struct efi_mokvar_table_entry { + char name[256]; + u64 data_size; + u8 data[]; +} __attribute((packed)); + +#ifdef CONFIG_LOAD_UEFI_KEYS +extern void __init efi_mokvar_table_init(void); +extern struct efi_mokvar_table_entry *efi_mokvar_entry_next( + struct efi_mokvar_table_entry **mokvar_entry); +extern struct efi_mokvar_table_entry *efi_mokvar_entry_find(const char *name); +#else +static inline void efi_mokvar_table_init(void) { } +static inline struct efi_mokvar_table_entry *efi_mokvar_entry_next( + struct efi_mokvar_table_entry **mokvar_entry) +{ + return NULL; +} +static inline struct efi_mokvar_table_entry *efi_mokvar_entry_find( + const char *name) +{ + return NULL; +} +#endif + #endif /* _LINUX_EFI_H */
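The table layout that this patch's commit message and its efi.h hunk describe, walked by an added user-space example that is not code from the patch or from the kernel: it applies the same validation as efi_mokvar_table_init() and additionally bounds the boot-loader-supplied data_size before advancing, which the kernel loop above does not do. The `struct mokvar_entry` name, the function names, and the sample entries `MokListRT`/`MokListXRT` with made-up payload bytes are this example's own constructions.

```c
/* Added example, not code from the patch or the kernel: a user-space walker
 * for the MOK config table layout described above, applying the checks of
 * efi_mokvar_table_init() plus an explicit bound on data_size before advancing. */
#include <stdint.h>
#include <string.h>

/* Same layout as struct efi_mokvar_table_entry in the efi.h hunk. */
struct mokvar_entry {
	char name[256];
	uint64_t data_size;
	uint8_t data[];
} __attribute__((packed));

/* Validate a table at the start of a region_size-byte region (the kernel's
 * offset_limit). Returns the table size including the sentinel, or 0 if
 * malformed, like the non-zero-iff-valid efi_mokvar_table_size. */
size_t mokvar_validate(const uint8_t *region, size_t region_size)
{
	size_t cur = 0;
	while (cur + sizeof(struct mokvar_entry) <= region_size) {
		const struct mokvar_entry *e = (const void *)(region + cur);
		size_t hdr_end = cur + sizeof(*e);
		if (e->name[0] == '\0')		/* sentinel: empty name, no data */
			return e->data_size == 0 ? hdr_end : 0;
		if (strnlen(e->name, sizeof(e->name)) >= sizeof(e->name))
			return 0;		/* name is not NUL-terminated */
		/* data_size is untrusted: bound it by the space left so the
		 * addition below can neither wrap nor leave the region. */
		if (e->data_size > region_size - hdr_end)
			return 0;
		cur = hdr_end + (size_t)e->data_size;
	}
	return 0;				/* region ended before the sentinel */
}

/* Look up an entry by name in a table that mokvar_validate() accepted. */
const struct mokvar_entry *mokvar_find(const uint8_t *tbl, size_t tbl_size,
				       const char *name)
{
	for (size_t cur = 0; cur + sizeof(struct mokvar_entry) <= tbl_size;) {
		const struct mokvar_entry *e = (const void *)(tbl + cur);
		if (e->name[0] == '\0')
			return NULL;
		if (strncmp(name, e->name, sizeof(e->name)) == 0)
			return e;
		cur += sizeof(*e) + (size_t)e->data_size;
	}
	return NULL;
}

/* Constructed sample table: two entries whose payloads are made-up bytes
 * (not real certificate lists), then the sentinel. Returns the table size. */
size_t build_sample_table(uint8_t *buf, size_t cap)
{
	static const uint8_t list[] = { 0x30, 0x82, 0x01, 0x02 };
	static const uint8_t listx[] = { 0xab, 0xcd };
	const struct { const char *name; const uint8_t *data; size_t len; } ents[] = {
		{ "MokListRT", list, sizeof(list) },
		{ "MokListXRT", listx, sizeof(listx) },
		{ "", list, 0 },	/* sentinel */
	};
	size_t off = 0;
	memset(buf, 0, cap);
	for (size_t i = 0; i < sizeof(ents) / sizeof(ents[0]); i++) {
		struct mokvar_entry *e = (void *)(buf + off);
		if (sizeof(*e) + ents[i].len > cap - off)
			return 0;
		strncpy(e->name, ents[i].name, sizeof(e->name) - 1);
		e->data_size = ents[i].len;
		memcpy(e->data, ents[i].data, ents[i].len);
		off += sizeof(*e) + ents[i].len;
	}
	return off;		/* (264 + 4) + (264 + 2) + 264 = 798 */
}

/* Validate the sample table after corrupting it per kind: 0 = intact, 1 = region
 * cut one byte before the sentinel header ends, 2 = huge data_size in the first
 * entry, 3 = first entry's name lacks a NUL. Returns the size, or 0 if rejected. */
size_t check_table(int kind)
{
	uint8_t b[1024];
	size_t n = build_sample_table(b, sizeof(b));
	struct mokvar_entry *first = (struct mokvar_entry *)b;
	if (kind == 2)
		first->data_size = UINT64_MAX - 100;
	if (kind == 3)
		memset(first->name, 'A', sizeof(first->name));
	return mokvar_validate(b, kind == 1 ? n - 1 : sizeof(b));
}

/* Payload length of MokListXRT found by name, -1 on any mismatch. */
int check_find(void)
{
	uint8_t b[1024];
	size_t n = build_sample_table(b, sizeof(b));
	const struct mokvar_entry *e = mokvar_find(b, n, "MokListXRT");
	if (!e || e->data[1] != 0xcd || mokvar_find(b, n, "SbatLevelRT"))
		return -1;
	return (int)e->data_size;
}
```

A region larger than the table (kind 0 validates against the whole 1024-byte buffer) is accepted because the walk stops at the sentinel, exactly as the kernel stops inside the EFI memory descriptor.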

From: Dimitri John Ledkov
To: kernel-team@lists.ubuntu.com
Subject: [SRU][F/hwe-5.8][PATCH 03/18] efi: mokvar-table: fix some issues in new code
Date: Mon, 27 Sep 2021 16:56:57 +0100
Message-Id: <20210927155712.164337-4-dimitri.ledkov@canonical.com>
X-Mailer: git-send-email 2.30.2
In-Reply-To: <20210927155712.164337-1-dimitri.ledkov@canonical.com>
Cc: Lenny Szubowicz, Arvind Sankar, Borislav Petkov, Ard Biesheuvel
From: Ard Biesheuvel

BugLink: https://bugs.launchpad.net/bugs/1928679

Fix a couple of issues in the new mokvar-table handling code, as pointed out by Arvind and Boris:

- don't bother checking the end of the physical region against the start address of the mokvar table,
- ensure that we enter the loop with err = -EINVAL,
- replace size_t with unsigned long to appease pedantic type equality checks.

Reviewed-by: Arvind Sankar
Reviewed-by: Lenny Szubowicz
Tested-by: Borislav Petkov
Signed-off-by: Ard Biesheuvel
(cherry picked from commit b89114cd018cffa5deb7def1844ce1891efd4f96)
Signed-off-by: Dimitri John Ledkov
---
 drivers/firmware/efi/mokvar-table.c | 25 +++++++++++--------------
 1 file changed, 11 insertions(+), 14 deletions(-)

diff --git a/drivers/firmware/efi/mokvar-table.c b/drivers/firmware/efi/mokvar-table.c index b1cd49893d..72a9e1736f 100644 --- a/drivers/firmware/efi/mokvar-table.c +++ b/drivers/firmware/efi/mokvar-table.c @@ -98,15 +98,14 @@ static struct kobject *mokvar_kobj; void __init efi_mokvar_table_init(void) { efi_memory_desc_t md; - u64 end_pa; void *va = NULL; - size_t cur_offset = 0; - size_t offset_limit; - size_t map_size = 0; - size_t map_size_needed = 0; - size_t size; + unsigned long cur_offset = 0; + unsigned long offset_limit; + unsigned long map_size = 0; + unsigned long map_size_needed = 0; + unsigned long size; struct efi_mokvar_table_entry *mokvar_entry; - int err = -EINVAL; + int err; if (!efi_enabled(EFI_MEMMAP)) return;
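Review bot: turning `- int err = -EINVAL;` into `+ int err;` leaves err uninitialized at its declaration, and nothing in this hunk shows where it gets a value; the hunk is only correct together with the second hunk, which assigns err = -EINVAL immediately before the while loop, so the two must never be split when backporting. Keeping the initializer at the declaration as well would have cost nothing and would let each hunk stand on its own. The size_t to unsigned long switch here is also what forces the %zu to %lu change in the third hunk, so all three hunks are one unit.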
@@ -122,18 +121,16 @@ void __init efi_mokvar_table_init(void) pr_warn("EFI MOKvar config table is not within the EFI memory map\n"); return; } - end_pa = efi_mem_desc_end(&md); - if (efi.mokvar_table >= end_pa) { - pr_err("EFI memory descriptor containing MOKvar config table is invalid\n"); - return; - } - offset_limit = end_pa - efi.mokvar_table; + + offset_limit = efi_mem_desc_end(&md) - efi.mokvar_table; + /* * Validate the MOK config table. Since there is no table header * from which we could get the total size of the MOK config table, * we compute the total size as we validate each variably sized * entry, remapping as necessary. */ + err = -EINVAL; while (cur_offset + sizeof(*mokvar_entry) <= offset_limit) { mokvar_entry = va + cur_offset; map_size_needed = cur_offset + sizeof(*mokvar_entry); 
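Review bot: dropping the `efi.mokvar_table >= end_pa` check is only safe because md was just returned by the memory-map lookup of efi.mokvar_table itself (the "not within the EFI memory map" branch right above is that lookup's failure path), so efi_mem_desc_end(&md) is strictly greater than efi.mokvar_table and the unsigned `offset_limit = efi_mem_desc_end(&md) - efi.mokvar_table` cannot wrap. That invariant is now invisible at the subtraction; a one-line comment above it would stop a future change from moving the subtraction ahead of the lookup or re-adding the check. Placing `err = -EINVAL;` directly before the while also means a region too small for even one entry header skips the loop body and is reported as an invalid table rather than silently accepted, which is the behaviour the commit message asks for.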
@@ -150,7 +147,7 @@ void __init efi_mokvar_table_init(void) offset_limit); va = early_memremap(efi.mokvar_table, map_size); if (!va) { - pr_err("Failed to map EFI MOKvar config table pa=0x%lx, size=%zu.\n", + pr_err("Failed to map EFI MOKvar config table pa=0x%lx, size=%lu.\n", efi.mokvar_table, map_size); return; }
From patchwork Mon Sep 27 15:56:58 2021
X-Patchwork-Id: 1533431
From: Dimitri John Ledkov
To: kernel-team@lists.ubuntu.com
Cc: Nathan Chancellor, Ard Biesheuvel
Subject: [SRU][F/hwe-5.8][PATCH 04/18] efi: mokvar: add missing include of asm/early_ioremap.h
Date: Mon, 27 Sep 2021 16:56:58 +0100
Message-Id: <20210927155712.164337-5-dimitri.ledkov@canonical.com>
In-Reply-To: <20210927155712.164337-1-dimitri.ledkov@canonical.com>
References: <20210927155712.164337-1-dimitri.ledkov@canonical.com>

From: Ard Biesheuvel

BugLink: https://bugs.launchpad.net/bugs/1928679

Nathan reports that building the new mokvar table code for 32-bit ARM fails with errors such as

  error: implicit declaration of function 'early_memunmap'
  error: implicit declaration of function 'early_memremap'

This is caused by the lack of an explicit #include of the appropriate header, and ARM apparently does not inherit that inclusion via another header file. So add the #include.

Tested-by: Nathan Chancellor
Signed-off-by: Ard Biesheuvel
(cherry picked from commit cc383a9e245c527d3175e2cf4cced9dbbedbbac6)
Signed-off-by: Dimitri John Ledkov
---
 drivers/firmware/efi/mokvar-table.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/drivers/firmware/efi/mokvar-table.c b/drivers/firmware/efi/mokvar-table.c index 72a9e1736f..d8bc013406 100644 --- a/drivers/firmware/efi/mokvar-table.c +++ b/drivers/firmware/efi/mokvar-table.c 
@@ -40,6 +40,8 @@ #include #include +#include + /* * The LINUX_EFI_MOK_VARIABLE_TABLE_GUID config table is a packed * sequence of struct efi_mokvar_table_entry, one for each named
From patchwork Mon Sep 27 15:56:59 2021
X-Patchwork-Id: 1533432
From: Dimitri John Ledkov
To: kernel-team@lists.ubuntu.com
Cc: Borislav Petkov, Ard Biesheuvel
Subject: [SRU][F/hwe-5.8][PATCH 05/18] efi/mokvar: Reserve the table only if it is in boot services data
Date: Mon, 27 Sep 2021 16:56:59 +0100
Message-Id: <20210927155712.164337-6-dimitri.ledkov@canonical.com>
In-Reply-To: <20210927155712.164337-1-dimitri.ledkov@canonical.com>
References: <20210927155712.164337-1-dimitri.ledkov@canonical.com>
From: Borislav Petkov

BugLink: https://bugs.launchpad.net/bugs/1928679

One of the SUSE QA tests triggered:

  localhost kernel: efi: Failed to lookup EFI memory descriptor for 0x000000003dcf8000

which comes from x86's version of efi_arch_mem_reserve() trying to reserve a memory region.

Usually, that function expects EFI_BOOT_SERVICES_DATA memory descriptors but the above case is for the MOKvar table which is allocated in the EFI shim as runtime services.

That led to a fix changing the allocation of that table to boot services.

However, that fix broke booting SEV guests with that shim leading to this kernel fix

  8d651ee9c71b ("x86/ioremap: Map EFI-reserved memory as encrypted for SEV")

which extended the ioremap hint to map reserved EFI boot services as decrypted too.

However, all that wasn't needed, IMO, because that error message in efi_arch_mem_reserve() was innocuous in this case - if the MOKvar table is not in boot services, then it doesn't need to be reserved in the first place because it is, well, in runtime services which *should* be reserved anyway.

So do that reservation for the MOKvar table only if it is allocated in boot services data.

I couldn't find any requirement about where that table should be allocated in, unlike the ESRT which allocation is mandated to be done in boot services data by the UEFI spec.

Signed-off-by: Borislav Petkov
Signed-off-by: Ard Biesheuvel
(cherry picked from commit 47e1e233e9d822dfda068383fb9a616451bda703)
Signed-off-by: Dimitri John Ledkov
---
 drivers/firmware/efi/mokvar-table.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/firmware/efi/mokvar-table.c b/drivers/firmware/efi/mokvar-table.c index d8bc013406..38722d2009 100644 --- a/drivers/firmware/efi/mokvar-table.c +++ b/drivers/firmware/efi/mokvar-table.c
@@ -180,7 +180,10 @@ void __init efi_mokvar_table_init(void) pr_err("EFI MOKvar config table is not valid\n"); return; } - efi_mem_reserve(efi.mokvar_table, map_size_needed); + + if (md.type == EFI_BOOT_SERVICES_DATA) + efi_mem_reserve(efi.mokvar_table, map_size_needed); + efi_mokvar_table_size = map_size_needed; }
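Review bot: `if (md.type == EFI_BOOT_SERVICES_DATA)` reserves the table for exactly one memory type, yet the commit message itself says no spec text pins down where the shim may place it. A table the loader put in EFI_LOADER_DATA or EFI_CONVENTIONAL_MEMORY would now be left unreserved while efi_mokvar_table_size still advertises it as valid, so a later early_memremap() of a page the kernel has since reused would read whatever replaced it. Inverting the test to skip reservation only for the runtime-services types that are preserved anyway, or at least adding a pr_warn() for an unexpected md.type, would keep the SEV fix's intent without widening the window.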
From patchwork Mon Sep 27 15:58:25 2021
X-Patchwork-Id: 1533433
From: Dimitri John Ledkov
To: kernel-team@lists.ubuntu.com
Subject: [SRU][F/hwe-5.8][PATCH 06/18] integrity: Move import of MokListRT certs to a separate routine
Date: Mon, 27 Sep 2021 16:58:25 +0100
Message-Id: <20210927155837.164674-1-dimitri.ledkov@canonical.com>
In-Reply-To: <20210927155712.164337-1-dimitri.ledkov@canonical.com>
References: <20210927155712.164337-1-dimitri.ledkov@canonical.com>

From: Lenny Szubowicz

BugLink: https://bugs.launchpad.net/bugs/1932029

Move the loading of certs from the UEFI MokListRT into a separate routine to facilitate additional MokList functionality.

There is no visible functional change as a result of this patch. Although the UEFI dbx certs are now loaded before the MokList certs, they are loaded onto different key rings. So the order of the keys on their respective key rings is the same.

Signed-off-by: Lenny Szubowicz
Reviewed-by: Mimi Zohar
Link: https://lore.kernel.org/r/20200905013107.10457-3-lszubowi@redhat.com
Signed-off-by: Ard Biesheuvel
(cherry picked from commit 38a1f03aa24094b4a8de846700cb6cb21cc06468)
Signed-off-by: Dimitri John Ledkov
---
 security/integrity/platform_certs/load_uefi.c | 63 +++++++++++++------
 1 file changed, 44 insertions(+), 19 deletions(-)
diff --git a/security/integrity/platform_certs/load_uefi.c b/security/integrity/platform_certs/load_uefi.c index 8c95b68d86..fd03a47272 100644 --- a/security/integrity/platform_certs/load_uefi.c +++ b/security/integrity/platform_certs/load_uefi.c @@ -68,6 +68,43 @@ static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid, } /* + * load_moklist_certs() - Load MokList certs + * + * Load the certs contained in the UEFI MokListRT database into the + * platform trusted keyring. + * + * Return: Status + */ +static int __init load_moklist_certs(void) +{ + efi_guid_t mok_var = EFI_SHIM_LOCK_GUID; + void *mok; + unsigned long moksize; + efi_status_t status; + int rc; + + /* Get MokListRT. It might not exist, so it isn't an error + * if we can't get it. + */ + mok = get_cert_list(L"MokListRT", &mok_var, &moksize, &status); + if (mok) { + rc = parse_efi_signature_list("UEFI:MokListRT", + mok, moksize, get_handler_for_db); + kfree(mok); + if (rc) + pr_err("Couldn't parse MokListRT signatures: %d\n", rc); + return rc; + } + if (status == EFI_NOT_FOUND) + pr_debug("MokListRT variable wasn't found\n"); + else + pr_info("Couldn't get UEFI MokListRT\n"); + return 0; +} + +/* + * load_uefi_certs() - Load certs from UEFI sources + * * Load the certs contained in the UEFI databases into the platform trusted * keyring and the UEFI blacklisted X.509 cert SHA256 hashes into the blacklist * keyring. 
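Review bot: both new comment blocks are written in kerneldoc form (`load_moklist_certs() - Load MokList certs`, `Return: Status`, and the same shape for load_uefi_certs()) but open with `/*` instead of `/**`, so scripts/kernel-doc will never pick them up, and `Return: Status` does not state the actual contract, which from the body is 0 when MokListRT is absent or unreadable and the negative parse_efi_signature_list() error otherwise. Either switch to `/**` and spell the return values out, or drop the kerneldoc markers. Behaviour-wise the new function matches the old inline block (propagate the parse error, treat a missing variable as success), so this is a documentation point only.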
@@ -75,17 +112,16 @@ static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid, static int __init load_uefi_certs(void) { efi_guid_t secure_var = EFI_IMAGE_SECURITY_DATABASE_GUID; - efi_guid_t mok_var = EFI_SHIM_LOCK_GUID; - void *db = NULL, *dbx = NULL, *mok = NULL; - unsigned long dbsize = 0, dbxsize = 0, moksize = 0; + void *db = NULL, *dbx = NULL; + unsigned long dbsize = 0, dbxsize = 0; efi_status_t status; int rc = 0; if (!efi_rt_services_supported(EFI_RT_SUPPORTED_GET_VARIABLE)) return false; - /* Get db, MokListRT, and dbx. They might not exist, so it isn't - * an error if we can't get them. + /* Get db and dbx. They might not exist, so it isn't an error + * if we can't get them. */ if (!uefi_check_ignore_db()) { db = get_cert_list(L"db", &secure_var, &dbsize, &status); @@ -104,20 +140,6 @@ static int __init load_uefi_certs(void) } } - mok = get_cert_list(L"MokListRT", &mok_var, &moksize, &status); - if (!mok) { - if (status == EFI_NOT_FOUND) - pr_debug("MokListRT variable wasn't found\n"); - else - pr_info("Couldn't get UEFI MokListRT\n"); - } else { - rc = parse_efi_signature_list("UEFI:MokListRT", - mok, moksize, get_handler_for_db); - if (rc) - pr_err("Couldn't parse MokListRT signatures: %d\n", rc); - kfree(mok); - } - dbx = get_cert_list(L"dbx", &secure_var, &dbxsize, &status); if (!dbx) { if (status == EFI_NOT_FOUND) 
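Review bot: the retained context in the first of these two hunks, `if (!efi_rt_services_supported(EFI_RT_SUPPORTED_GET_VARIABLE)) return false;`, returns a bool from a function declared `static int __init load_uefi_certs(void)`; it is pre-existing, but since this series already reshuffles the function it would be cheap to make it `return 0;` in a follow-up so the initcall's return type and value agree. The second hunk removes the inline MokListRT block cleanly and the comment edit to "Get db and dbx" keeps the remaining text accurate.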
@@ -133,6 +155,9 @@ static int __init load_uefi_certs(void) kfree(dbx); } + /* Load the MokListRT certs */ + rc = load_moklist_certs(); + return rc; } late_initcall(load_uefi_certs);
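Review bot: `rc = load_moklist_certs(); return rc;` overwrites rc unconditionally, so if the db and dbx parsing earlier in the function records a failure in rc the way the removed MokListRT block did with `rc = parse_efi_signature_list(...)`, that result is now discarded in favour of the MokListRT outcome. If that is intended, `return load_moklist_certs();` says so more plainly; if not, keep the first error with a separate variable or `if (!rc) rc = load_moklist_certs();`.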
From patchwork Mon Sep 27 15:58:26 2021
X-Patchwork-Id: 1533434
From: Dimitri John Ledkov
To: kernel-team@lists.ubuntu.com
Subject: [SRU][F/hwe-5.8][PATCH 07/18] integrity: Load certs from the EFI MOK config table
Date: Mon, 27 Sep 2021 16:58:26 +0100
Message-Id: <20210927155837.164674-2-dimitri.ledkov@canonical.com>
In-Reply-To: <20210927155837.164674-1-dimitri.ledkov@canonical.com>
References: <20210927155712.164337-1-dimitri.ledkov@canonical.com> <20210927155837.164674-1-dimitri.ledkov@canonical.com>

From: Lenny Szubowicz

BugLink: https://bugs.launchpad.net/bugs/1932029

Because of system-specific EFI firmware limitations, EFI volatile variables may not be capable of holding the required contents of the Machine Owner Key (MOK) certificate store when the certificate list grows above some size. Therefore, an EFI boot loader may pass the MOK certs via an EFI configuration table created specifically for this purpose to avoid this firmware limitation.

An EFI configuration table is a much more primitive mechanism compared to EFI variables and is well suited for one-way passage of static information from a pre-OS environment to the kernel.

This patch adds the support to load certs from the MokListRT entry in the MOK variable configuration table, if it's present. The pre-existing support to load certs from the MokListRT EFI variable remains and is used if the EFI MOK configuration table isn't present or can't be successfully used.
Signed-off-by: Lenny Szubowicz
Link: https://lore.kernel.org/r/20200905013107.10457-4-lszubowi@redhat.com
Signed-off-by: Ard Biesheuvel
(cherry picked from commit 726bd8965a5f112d9601f7ce68effa1e46e02bf2)
Signed-off-by: Dimitri John Ledkov
---
 security/integrity/platform_certs/load_uefi.c | 22 +++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/security/integrity/platform_certs/load_uefi.c b/security/integrity/platform_certs/load_uefi.c index fd03a47272..eff9ff5934 100644 --- a/security/integrity/platform_certs/load_uefi.c +++ b/security/integrity/platform_certs/load_uefi.c
@@ -73,16 +73,38 @@ static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid, * Load the certs contained in the UEFI MokListRT database into the * platform trusted keyring. * + * This routine checks the EFI MOK config table first. If and only if + * that fails, this routine uses the MokListRT ordinary UEFI variable. + * * Return: Status */ static int __init load_moklist_certs(void) { + struct efi_mokvar_table_entry *mokvar_entry; efi_guid_t mok_var = EFI_SHIM_LOCK_GUID; void *mok; unsigned long moksize; efi_status_t status; int rc; + /* First try to load certs from the EFI MOKvar config table. + * It's not an error if the MOKvar config table doesn't exist + * or the MokListRT entry is not found in it. + */ + mokvar_entry = efi_mokvar_entry_find("MokListRT"); + if (mokvar_entry) { + rc = parse_efi_signature_list("UEFI:MokListRT (MOKvar table)", + mokvar_entry->data, + mokvar_entry->data_size, + get_handler_for_db); + /* All done if that worked. */ + if (!rc) + return rc; + + pr_err("Couldn't parse MokListRT signatures from EFI MOKvar config table: %d\n", + rc); + } + /* Get MokListRT. It might not exist, so it isn't an error * if we can't get it. 
*/
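Review bot: when efi_mokvar_entry_find("MokListRT") succeeds but parse_efi_signature_list() fails, the code logs and falls through to the MokListRT EFI variable. Two caveats deserve a comment or a change: if the parser hands each element to get_handler_for_db as it goes, the certs preceding the malformed one are already on the keyring and the fallback can add a second copy of them; and the variable the fallback reads may be exactly the truncated one the config table exists to work around (per the commit message), so a partial table parse plus a truncated variable is a plausible end state. Treating a present-but-malformed table entry as final (`return rc;` instead of falling through) is the more conservative choice for a trust store.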
d=canonical.com; s=20210705; t=1632758334; bh=e4fybMM5nwZCqsB9x/9ouhnjpnjSwyFcl2ueHjLQdBM=; h=From:To:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version:Content-Type; b=R/GvqGd6aiz2Wt8TXu80LV7ABfvZHXbKxzTBV6J08TTBbXRuV+B+nWRGL00o1KqWl Iu97z0vR++H6g94mIXmIL6YDIzHQ2n4uXRL/BWziBSEL72RE5pq5ofxEgwVJO8jDAy aXDOSTS1QtmGdx0SRWkkTjGwjIP6Gu53srTD32GPVK9ZgDED0Bvk9yOzUWcP+RRqo0 Qr8zpEyg+1st7/jagq1f6WAkF0c6wZbtg3Ap9rXDPpK3yTiWsGcMDF2jmlLid0jAkX OTkkmGuFOmlPuX1B0mxKY/+C76AY4SjO9wI1lyYwrr84GDfXAA0p1GO73+Pxg+ZGxX VDFkJ3WcGLAGg== Received: by mail-wm1-f70.google.com with SMTP id z137-20020a1c7e8f000000b0030cd1800d86so427196wmc.2 for ; Mon, 27 Sep 2021 08:58:54 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=e4fybMM5nwZCqsB9x/9ouhnjpnjSwyFcl2ueHjLQdBM=; b=ZwmAYQO71cc3alq5DrmWMEt1/n/dVXB0YccezdPosU7QFAcwPdVQq9bo0cWrYjXVMu cEi495M9KFApckcJiyQQumzJRerqA2iTGPmEaGD/vUHGHg36S4tjSVNSpLBj22L60qgq EKYMIGdVJwNoAo0BugWKSpTeM7+xz3tG3QZoDnAEDP+UUUSOX7NUThrKy+AqPx3Jbcq4 UgyyDBZtu+r31GcXIMBKm+zT6WbnD89b7clFJGjW0dXtBdPHjiwyyzjh883LVLobECAV X9T4QOIBkmkA9FxQ5mhfYWzf5j2eEGAwD/1qh1dyxXmKV4Gu9eJ3grU2Olp0Ei9vEkui ltaQ== X-Gm-Message-State: AOAM533WsInNeSIqC1df7nqpVBBQemWUz2ET3ImaeDzHB14s/S4ev3aP IK8NMij8MmxlIMDCt33sl6De520+oHpndmB4aCSE19p4boxtl8ms3Alvtiztciv8fOol/pnSDr3 V/H7fHrfM1fCE9DlB2/liFGGnWlcgbxGgl6eB1q3FVg== X-Received: by 2002:a5d:6292:: with SMTP id k18mr731524wru.110.1632758333930; Mon, 27 Sep 2021 08:58:53 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyDIxPI0MdRso0syQauMrSnBxyrjGto6n5SrCErRyFUBacdHPXusku2WslIIkEcps47Byxehg== X-Received: by 2002:a5d:6292:: with SMTP id k18mr731504wru.110.1632758333647; Mon, 27 Sep 2021 08:58:53 -0700 (PDT) Received: from localhost ([2a01:4b00:85fd:d700:86ad:7d9c:de94:eed0]) by smtp.gmail.com with ESMTPSA id u25sm19318954wmm.5.2021.09.27.08.58.52 for (version=TLS1_3 
From: Dimitri John Ledkov
To: kernel-team@lists.ubuntu.com
Subject: [SRU][F/hwe-5.8][PATCH 08/18] certs: Add EFI_CERT_X509_GUID support for dbx entries
Date: Mon, 27 Sep 2021 16:58:27 +0100
Message-Id: <20210927155837.164674-3-dimitri.ledkov@canonical.com>
In-Reply-To: <20210927155837.164674-1-dimitri.ledkov@canonical.com>
References: <20210927155712.164337-1-dimitri.ledkov@canonical.com> <20210927155837.164674-1-dimitri.ledkov@canonical.com>

From: Eric Snowberg

BugLink: https://bugs.launchpad.net/bugs/1932029

This fixes CVE-2020-26541.

The Secure Boot Forbidden Signature Database, dbx, contains a list of now revoked signatures and keys previously approved to boot with UEFI Secure Boot enabled. The dbx is capable of containing any number of EFI_CERT_X509_SHA256_GUID, EFI_CERT_SHA256_GUID, and EFI_CERT_X509_GUID entries.

Currently when EFI_CERT_X509_GUID entries are contained in the dbx, the entries are skipped.

Add support for EFI_CERT_X509_GUID dbx entries. When an EFI_CERT_X509_GUID is found, it is added as an asymmetrical key to the .blacklist keyring. Anytime the .platform keyring is used, the keys in the .blacklist keyring are referenced; if a matching key is found, the key will be rejected.

[DH: Made the following changes:
 - Added to have a config option to enable the facility. This allows a Kconfig solution to make sure that pkcs7_validate_trust() is enabled.[1][2]
 - Moved the functions out from the middle of the blacklist functions.
 - Added kerneldoc comments.]

Signed-off-by: Eric Snowberg
Signed-off-by: David Howells
Reviewed-by: Jarkko Sakkinen
cc: Randy Dunlap
cc: Mickaël Salaün
cc: Arnd Bergmann
cc: keyrings@vger.kernel.org
Link: https://lore.kernel.org/r/20200901165143.10295-1-eric.snowberg@oracle.com/ # rfc
Link: https://lore.kernel.org/r/20200909172736.73003-1-eric.snowberg@oracle.com/ # v2
Link: https://lore.kernel.org/r/20200911182230.62266-1-eric.snowberg@oracle.com/ # v3
Link: https://lore.kernel.org/r/20200916004927.64276-1-eric.snowberg@oracle.com/ # v4
Link: https://lore.kernel.org/r/20210122181054.32635-2-eric.snowberg@oracle.com/ # v5
Link: https://lore.kernel.org/r/161428672051.677100.11064981943343605138.stgit@warthog.procyon.org.uk/
Link: https://lore.kernel.org/r/161433310942.902181.4901864302675874242.stgit@warthog.procyon.org.uk/ # v2
Link: https://lore.kernel.org/r/161529605075.163428.14625520893961300757.stgit@warthog.procyon.org.uk/ # v3
Link: https://lore.kernel.org/r/bc2c24e3-ed68-2521-0bf4-a1f6be4a895d@infradead.org/ [1]
Link: https://lore.kernel.org/r/20210225125638.1841436-1-arnd@kernel.org/ [2]
(cherry picked from commit 56c5812623f95313f6a46fbf0beee7fa17c68bbf)
Signed-off-by: Dimitri John Ledkov
---
 certs/Kconfig                        |  9 ++++
 certs/blacklist.c                    | 43 +++++++++++++++++++
 certs/blacklist.h                    |  2 +
 certs/system_keyring.c               |  6 +++
 include/keys/system_keyring.h        | 15 +++++++
 .../platform_certs/keyring_handler.c | 11 +++++
 6 files changed, 86 insertions(+)

diff --git a/certs/Kconfig b/certs/Kconfig
index c94e93d8bc..76e469b56a 100644
--- a/certs/Kconfig
+++ b/certs/Kconfig
@@ -83,4 +83,13 @@ config SYSTEM_BLACKLIST_HASH_LIST wrapper to incorporate the list into the kernel. Each should be a string of hex digits. +config SYSTEM_REVOCATION_LIST + bool "Provide system-wide ring of revocation certificates" + depends on SYSTEM_BLACKLIST_KEYRING + depends on PKCS7_MESSAGE_PARSER=y + help + If set, this allows revocation certificates to be stored in the + blacklist keyring and implements a hook whereby a PKCS#7 message can + be checked to see if it matches such a certificate. + endmenu diff --git a/certs/blacklist.c b/certs/blacklist.c index f1c434b04b..59b2f106b2 100644 --- a/certs/blacklist.c +++ b/certs/blacklist.c @@ -144,6 +144,49 @@ int is_binary_blacklisted(const u8 *hash, size_t hash_len) } EXPORT_SYMBOL_GPL(is_binary_blacklisted); +#ifdef CONFIG_SYSTEM_REVOCATION_LIST +/** + * add_key_to_revocation_list - Add a revocation certificate to the blacklist + * @data: The data blob containing the certificate + * @size: The size of data blob + */ +int add_key_to_revocation_list(const char *data, size_t size) +{ + key_ref_t key; + + key = key_create_or_update(make_key_ref(blacklist_keyring, true), + "asymmetric", + NULL, + data, + size, + ((KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_VIEW), + KEY_ALLOC_NOT_IN_QUOTA | KEY_ALLOC_BUILT_IN); + + if (IS_ERR(key)) { + pr_err("Problem with revocation key (%ld)\n", PTR_ERR(key)); + return PTR_ERR(key); + } + + return 0; +} + +/** + * is_key_on_revocation_list - Determine if the key for a PKCS#7 message is revoked + * @pkcs7: The PKCS#7 message to check + */ +int is_key_on_revocation_list(struct pkcs7_message *pkcs7) +{ + int ret; + + ret = pkcs7_validate_trust(pkcs7, blacklist_keyring); + + if (ret == 0) + return -EKEYREJECTED; + + return -ENOKEY; +} +#endif + /* * Initialise the blacklist */ diff --git a/certs/blacklist.h b/certs/blacklist.h index 1efd6fa0dc..51b320cf85 100644 --- a/certs/blacklist.h +++ b/certs/blacklist.h 
@@ -1,3 +1,5 @@ #include +#include +#include extern const char __initconst *const blacklist_hashes[]; diff --git a/certs/system_keyring.c b/certs/system_keyring.c index 7982911771..cc165b359e 100644 --- a/certs/system_keyring.c +++ b/certs/system_keyring.c @@ -241,6 +241,12 @@ int verify_pkcs7_message_sig(const void *data, size_t len, pr_devel("PKCS#7 platform keyring is not available\n"); goto error; } + + ret = is_key_on_revocation_list(pkcs7); + if (ret != -ENOKEY) { + pr_devel("PKCS#7 platform key is on revocation list\n"); + goto error; + } } ret = pkcs7_validate_trust(pkcs7, trusted_keys); if (ret < 0) { diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h index fb8b07daa9..875e002a41 100644 --- a/include/keys/system_keyring.h +++ b/include/keys/system_keyring.h @@ -31,6 +31,7 @@ extern int restrict_link_by_builtin_and_secondary_trusted( #define restrict_link_by_builtin_and_secondary_trusted restrict_link_by_builtin_trusted #endif +extern struct pkcs7_message *pkcs7; #ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING extern int mark_hash_blacklisted(const char *hash); extern int is_hash_blacklisted(const u8 *hash, size_t hash_len, @@ -49,6 +50,20 @@ static inline int is_binary_blacklisted(const u8 *hash, size_t hash_len) } #endif +#ifdef CONFIG_SYSTEM_REVOCATION_LIST +extern int add_key_to_revocation_list(const char *data, size_t size); +extern int is_key_on_revocation_list(struct pkcs7_message *pkcs7); +#else +static inline int add_key_to_revocation_list(const char *data, size_t size) +{ + return 0; +} +static inline int is_key_on_revocation_list(struct pkcs7_message *pkcs7) +{ + return -ENOKEY; +} +#endif + #ifdef CONFIG_IMA_BLACKLIST_KEYRING extern struct key *ima_blacklist_keyring; diff --git a/security/integrity/platform_certs/keyring_handler.c b/security/integrity/platform_certs/keyring_handler.c index c5ba695c10..5604bd57c9 100644 --- a/security/integrity/platform_certs/keyring_handler.c 
+++ b/security/integrity/platform_certs/keyring_handler.c @@ -55,6 +55,15 @@ static __init void uefi_blacklist_binary(const char *source, uefi_blacklist_hash(source, data, len, "bin:", 4); } +/* + * Add an X509 cert to the revocation list. + */ +static __init void uefi_revocation_list_x509(const char *source, + const void *data, size_t len) +{ + add_key_to_revocation_list(data, len); +} + /* * Return the appropriate handler for particular signature list types found in * the UEFI db and MokListRT tables. 
@@ -76,5 +85,7 @@ __init efi_element_handler_t get_handler_for_dbx(const efi_guid_t *sig_type) return uefi_blacklist_x509_tbs; if (efi_guidcmp(*sig_type, efi_cert_sha256_guid) == 0) return uefi_blacklist_binary; + if (efi_guidcmp(*sig_type, efi_cert_x509_guid) == 0) + return uefi_revocation_list_x509; return 0; }

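Review bot: in the certs/blacklist.c hunk, is_key_on_revocation_list() maps every non-zero result of pkcs7_validate_trust() to -ENOKEY, so any failure inside the blacklist lookup other than "no such key" is reported to verify_pkcs7_message_sig() as "not revoked" and the normal trust check proceeds; only a 0 result becomes -EKEYREJECTED. Suggest returning the error unchanged when it is anything other than -ENOKEY, e.g. `if (ret == 0) return -EKEYREJECTED; return ret;`, which the caller's `if (ret != -ENOKEY)` test already treats as a rejection, and stating in the kerneldoc that -ENOKEY is the only "not on the list" return.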
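Review bot: in the include/keys/system_keyring.h hunk, `+extern struct pkcs7_message *pkcs7;` declares a file-scope variable named pkcs7 that nothing in the series defines; what the add_key_to_revocation_list() and is_key_on_revocation_list() prototypes added further down need is the type, so replace the line with the forward declaration `struct pkcs7_message;` (or include the pkcs7 header) rather than advertising a non-existent global.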
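Review bot: in the certs/system_keyring.c hunk, the new is_key_on_revocation_list() call sits inside the platform-keyring branch, right after the "PKCS#7 platform keyring is not available" check, so a message verified against the builtin or secondary trusted keyring is never compared with the revocation certificates. That matches the commit message ("Anytime the .platform keyring is used"), but the SYSTEM_REVOCATION_LIST help text in the certs/Kconfig hunk reads as if every PKCS#7 check consults the list; state the platform-keyring scope there.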
From patchwork Mon Sep 27 15:58:28 2021
From: Dimitri John Ledkov
To: kernel-team@lists.ubuntu.com
Subject: [SRU][F/hwe-5.8][PATCH 09/18] certs: Move load_system_certificate_list to a common function
Date: Mon, 27 Sep 2021 16:58:28 +0100
Message-Id: <20210927155837.164674-4-dimitri.ledkov@canonical.com>
In-Reply-To: <20210927155837.164674-1-dimitri.ledkov@canonical.com>
References: <20210927155712.164337-1-dimitri.ledkov@canonical.com> <20210927155837.164674-1-dimitri.ledkov@canonical.com>

From: Eric Snowberg

BugLink: https://bugs.launchpad.net/bugs/1932029

Move functionality within load_system_certificate_list to a common function, so it can be reused in the future.

DH Changes:
 - Added inclusion of common.h to common.c (Eric [1]).

Signed-off-by: Eric Snowberg
Acked-by: Jarkko Sakkinen
Signed-off-by: David Howells cc: keyrings@vger.kernel.org Link: https://lore.kernel.org/r/EDA280F9-F72D-4181-93C7-CDBE95976FF7@oracle.com/ [1] Link: https://lore.kernel.org/r/20200930201508.35113-2-eric.snowberg@oracle.com/ Link: https://lore.kernel.org/r/20210122181054.32635-3-eric.snowberg@oracle.com/ # v5 Link: https://lore.kernel.org/r/161428672825.677100.7545516389752262918.stgit@warthog.procyon.org.uk/ Link: https://lore.kernel.org/r/161433311696.902181.3599366124784670368.stgit@warthog.procyon.org.uk/ # v2 Link: https://lore.kernel.org/r/161529605850.163428.7786675680201528556.stgit@warthog.procyon.org.uk/ # v3 (cherry picked from commit 2565ca7f5ec1a98d51eea8860c4ab923f1ca2c85) Signed-off-by: Dimitri John Ledkov --- certs/Makefile | 2 +- certs/common.c | 57 ++++++++++++++++++++++++++++++++++++++++++ certs/common.h | 9 +++++++ certs/system_keyring.c | 49 +++--------------------------------- 4 files changed, 70 insertions(+), 47 deletions(-) create mode 100644 certs/common.c create mode 100644 certs/common.h diff --git a/certs/Makefile b/certs/Makefile index f4c25b67aa..f4b90bad86 100644 --- a/certs/Makefile +++ b/certs/Makefile @@ -3,7 +3,7 @@ # Makefile for the linux kernel signature checking certificates. # -obj-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += system_keyring.o system_certificates.o +obj-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += system_keyring.o system_certificates.o common.o obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist.o ifneq ($(CONFIG_SYSTEM_BLACKLIST_HASH_LIST),"") obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist_hashes.o diff --git a/certs/common.c b/certs/common.c new file mode 100644 index 0000000000..16a220887a --- /dev/null +++ b/certs/common.c 
@@ -0,0 +1,57 @@ +// SPDX-License-Identifier: GPL-2.0-or-later + +#include +#include +#include "common.h" + +int load_certificate_list(const u8 cert_list[], + const unsigned long list_size, + const struct key *keyring) +{ + key_ref_t key; + const u8 *p, *end; + size_t plen; + + p = cert_list; + end = p + list_size; + while (p < end) { + /* Each cert begins with an ASN.1 SEQUENCE tag and must be more + * than 256 bytes in size. + */ + if (end - p < 4) + goto dodgy_cert; + if (p[0] != 0x30 && + p[1] != 0x82) + goto dodgy_cert; + plen = (p[2] << 8) | p[3]; + plen += 4; + if (plen > end - p) + goto dodgy_cert; + + key = key_create_or_update(make_key_ref(keyring, 1), + "asymmetric", + NULL, + p, + plen, + ((KEY_POS_ALL & ~KEY_POS_SETATTR) | + KEY_USR_VIEW | KEY_USR_READ), + KEY_ALLOC_NOT_IN_QUOTA | + KEY_ALLOC_BUILT_IN | + KEY_ALLOC_BYPASS_RESTRICTION); + if (IS_ERR(key)) { + pr_err("Problem loading in-kernel X.509 certificate (%ld)\n", + PTR_ERR(key)); + } else { + pr_notice("Loaded X.509 cert '%s'\n", + key_ref_to_ptr(key)->description); + key_ref_put(key); + } + p += plen; + } + + return 0; + +dodgy_cert: + pr_err("Problem parsing in-kernel X.509 certificate list\n"); + return 0; +} diff --git a/certs/common.h b/certs/common.h new file mode 100644 index 0000000000..abdb579593 --- /dev/null +++ b/certs/common.h @@ -0,0 +1,9 @@ +/* SPDX-License-Identifier: GPL-2.0-or-later */ + +#ifndef _CERT_COMMON_H +#define _CERT_COMMON_H + +int load_certificate_list(const u8 cert_list[], const unsigned long list_size, + const struct key *keyring); + +#endif diff --git a/certs/system_keyring.c b/certs/system_keyring.c index cc165b359e..a44a8915c9 100644 --- a/certs/system_keyring.c +++ b/certs/system_keyring.c @@ -15,6 +15,7 @@ #include #include #include +#include "common.h" static struct key *builtin_trusted_keys; #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING 
@@ -136,54 +137,10 @@ device_initcall(system_trusted_keyring_init); */ static __init int load_system_certificate_list(void) { - key_ref_t key; - const u8 *p, *end; - size_t plen; - pr_notice("Loading compiled-in X.509 certificates\n"); - p = system_certificate_list; - end = p + system_certificate_list_size; - while (p < end) { - /* Each cert begins with an ASN.1 SEQUENCE tag and must be more - * than 256 bytes in size. - */ - if (end - p < 4) - goto dodgy_cert; - if (p[0] != 0x30 && - p[1] != 0x82) - goto dodgy_cert; - plen = (p[2] << 8) | p[3]; - plen += 4; - if (plen > end - p) - goto dodgy_cert; - - key = key_create_or_update(make_key_ref(builtin_trusted_keys, 1), - "asymmetric", - NULL, - p, - plen, - ((KEY_POS_ALL & ~KEY_POS_SETATTR) | - KEY_USR_VIEW | KEY_USR_READ), - KEY_ALLOC_NOT_IN_QUOTA | - KEY_ALLOC_BUILT_IN | - KEY_ALLOC_BYPASS_RESTRICTION); - if (IS_ERR(key)) { - pr_err("Problem loading in-kernel X.509 certificate (%ld)\n", - PTR_ERR(key)); - } else { - pr_notice("Loaded X.509 cert '%s'\n", - key_ref_to_ptr(key)->description); - key_ref_put(key); - } - p += plen; - } - - return 0; - -dodgy_cert: - pr_err("Problem parsing in-kernel X.509 certificate list\n"); - return 0; + return load_certificate_list(system_certificate_list, system_certificate_list_size, + builtin_trusted_keys); } late_initcall(load_system_certificate_list);

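Review bot: in the certs/common.c hunk, the moved parser keeps `if (p[0] != 0x30 && p[1] != 0x82) goto dodgy_cert;`, which only rejects a blob when both bytes are wrong: a first byte of 0x30 with any second byte, or any first byte with 0x82 second, passes the check and `plen` is then read from p[2..3] regardless. The same test is in the lines removed from certs/system_keyring.c, so it is pre-existing and a pure move should stay as is, but it wants a follow-up changing `&&` to `||`; the `dodgy_cert:` label returning 0 (a truncated list is logged and then reported as success) deserves the same follow-up.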
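Review bot: in the certs/common.h hunk, the load_certificate_list() prototype uses `u8` and `struct key`, but nothing between the include guard and the prototype includes <linux/types.h> or forward-declares `struct key`, so the header only compiles cleanly when the includer has already pulled in the key headers (as certs/system_keyring.c does here). Add `#include <linux/types.h>` and `struct key;` above the prototype so common.h is self-contained.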
From patchwork Mon Sep 27 15:58:29 2021
From: Dimitri John Ledkov
To: kernel-team@lists.ubuntu.com
Subject: [SRU][F/hwe-5.8][PATCH 10/18] certs: Add ability to preload revocation certs
Date: Mon, 27 Sep 2021 16:58:29 +0100
Message-Id: <20210927155837.164674-5-dimitri.ledkov@canonical.com>
In-Reply-To: <20210927155837.164674-1-dimitri.ledkov@canonical.com>
References: <20210927155712.164337-1-dimitri.ledkov@canonical.com> <20210927155837.164674-1-dimitri.ledkov@canonical.com>

From: Eric Snowberg

BugLink: https://bugs.launchpad.net/bugs/1932029

Add a new Kconfig option called SYSTEM_REVOCATION_KEYS. If set, this option should be the filename of a PEM-formatted file containing X.509 certificates to be included in the default blacklist keyring.

DH Changes:
 - Make the new Kconfig option depend on SYSTEM_REVOCATION_LIST.
 - Fix SYSTEM_REVOCATION_KEYS=n, but CONFIG_SYSTEM_REVOCATION_LIST=y[1][2].
 - Use CONFIG_SYSTEM_REVOCATION_LIST for extract-cert[3].
 - Use CONFIG_SYSTEM_REVOCATION_LIST for revocation_certificates.o[3].

Signed-off-by: Eric Snowberg
Acked-by: Jarkko Sakkinen
Signed-off-by: David Howells cc: Randy Dunlap cc: keyrings@vger.kernel.org Link: https://lore.kernel.org/r/e1c15c74-82ce-3a69-44de-a33af9b320ea@infradead.org/ [1] Link: https://lore.kernel.org/r/20210303034418.106762-1-eric.snowberg@oracle.com/ [2] Link: https://lore.kernel.org/r/20210304175030.184131-1-eric.snowberg@oracle.com/ [3] Link: https://lore.kernel.org/r/20200930201508.35113-3-eric.snowberg@oracle.com/ Link: https://lore.kernel.org/r/20210122181054.32635-4-eric.snowberg@oracle.com/ # v5 Link: https://lore.kernel.org/r/161428673564.677100.4112098280028451629.stgit@warthog.procyon.org.uk/ Link: https://lore.kernel.org/r/161433312452.902181.4146169951896577982.stgit@warthog.procyon.org.uk/ # v2 Link: https://lore.kernel.org/r/161529606657.163428.3340689182456495390.stgit@warthog.procyon.org.uk/ # v3 (cherry picked from commit d1f044103dad70c1cec0a8f3abdf00834fec8b98) Signed-off-by: Dimitri John Ledkov --- certs/Kconfig | 8 ++++++++ certs/Makefile | 19 +++++++++++++++++-- certs/blacklist.c | 21 +++++++++++++++++++++ certs/revocation_certificates.S | 21 +++++++++++++++++++++ scripts/Makefile | 1 + 5 files changed, 68 insertions(+), 2 deletions(-) create mode 100644 certs/revocation_certificates.S diff --git a/certs/Kconfig b/certs/Kconfig index 76e469b56a..ab88d2a7f3 100644 --- a/certs/Kconfig +++ b/certs/Kconfig @@ -92,4 +92,12 @@ config SYSTEM_REVOCATION_LIST blacklist keyring and implements a hook whereby a PKCS#7 message can be checked to see if it matches such a certificate. +config SYSTEM_REVOCATION_KEYS + string "X.509 certificates to be preloaded into the system blacklist keyring" + depends on SYSTEM_REVOCATION_LIST + help + If set, this option should be the filename of a PEM-formatted file + containing X.509 certificates to be included in the default blacklist + keyring. + endmenu diff --git a/certs/Makefile b/certs/Makefile index f4b90bad86..b6db52ebf0 100644 --- a/certs/Makefile +++ b/certs/Makefile 
@@ -4,7 +4,8 @@ # obj-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += system_keyring.o system_certificates.o common.o -obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist.o +obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist.o common.o +obj-$(CONFIG_SYSTEM_REVOCATION_LIST) += revocation_certificates.o ifneq ($(CONFIG_SYSTEM_BLACKLIST_HASH_LIST),"") obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist_hashes.o else @@ -29,7 +30,7 @@ $(obj)/x509_certificate_list: scripts/extract-cert $(SYSTEM_TRUSTED_KEYS_SRCPREF $(call if_changed,extract_certs,$(SYSTEM_TRUSTED_KEYS_SRCPREFIX)$(CONFIG_SYSTEM_TRUSTED_KEYS)) endif # CONFIG_SYSTEM_TRUSTED_KEYRING -clean-files := x509_certificate_list .x509.list +clean-files := x509_certificate_list .x509.list x509_revocation_list ifeq ($(CONFIG_MODULE_SIG),y) ############################################################################### @@ -104,3 +105,17 @@ targets += signing_key.x509 $(obj)/signing_key.x509: scripts/extract-cert $(X509_DEP) FORCE $(call if_changed,extract_certs,$(MODULE_SIG_KEY_SRCPREFIX)$(CONFIG_MODULE_SIG_KEY)) endif # CONFIG_MODULE_SIG + +ifeq ($(CONFIG_SYSTEM_REVOCATION_LIST),y) + +$(eval $(call config_filename,SYSTEM_REVOCATION_KEYS)) + +$(obj)/revocation_certificates.o: $(obj)/x509_revocation_list + +quiet_cmd_extract_certs = EXTRACT_CERTS $(patsubst "%",%,$(2)) + cmd_extract_certs = scripts/extract-cert $(2) $@ + +targets += x509_revocation_list +$(obj)/x509_revocation_list: scripts/extract-cert $(SYSTEM_REVOCATION_KEYS_SRCPREFIX)$(SYSTEM_REVOCATION_KEYS_FILENAME) FORCE + $(call if_changed,extract_certs,$(SYSTEM_REVOCATION_KEYS_SRCPREFIX)$(CONFIG_SYSTEM_REVOCATION_KEYS)) +endif diff --git a/certs/blacklist.c b/certs/blacklist.c index 59b2f106b2..c973de883c 100644 --- a/certs/blacklist.c +++ b/certs/blacklist.c 
@@ -16,9 +16,15 @@ #include #include #include "blacklist.h" +#include "common.h" static struct key *blacklist_keyring; +#ifdef CONFIG_SYSTEM_REVOCATION_LIST +extern __initconst const u8 revocation_certificate_list[]; +extern __initconst const unsigned long revocation_certificate_list_size; +#endif + /* * The description must be a type prefix, a colon and then an even number of * hex digits. The hash is kept in the description. @@ -220,3 +226,18 @@ static int __init blacklist_init(void) * Must be initialised before we try and load the keys into the keyring. */ device_initcall(blacklist_init); + +#ifdef CONFIG_SYSTEM_REVOCATION_LIST +/* + * Load the compiled-in list of revocation X.509 certificates. + */ +static __init int load_revocation_certificate_list(void) +{ + if (revocation_certificate_list_size) + pr_notice("Loading compiled-in revocation X.509 certificates\n"); + + return load_certificate_list(revocation_certificate_list, revocation_certificate_list_size, + blacklist_keyring); +} +late_initcall(load_revocation_certificate_list); +#endif diff --git a/certs/revocation_certificates.S b/certs/revocation_certificates.S new file mode 100644 index 0000000000..f21aae8a8f --- /dev/null +++ b/certs/revocation_certificates.S @@ -0,0 +1,21 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +#include +#include + + __INITRODATA + + .align 8 + .globl revocation_certificate_list +revocation_certificate_list: +__revocation_list_start: + .incbin "certs/x509_revocation_list" +__revocation_list_end: + + .align 8 + .globl revocation_certificate_list_size +revocation_certificate_list_size: +#ifdef CONFIG_64BIT + .quad __revocation_list_end - __revocation_list_start +#else + .long __revocation_list_end - __revocation_list_start +#endif diff --git a/scripts/Makefile b/scripts/Makefile index b3f6415859..99ff04d9c8 100644 --- a/scripts/Makefile +++ b/scripts/Makefile 
@@ -14,6 +14,7 @@ always-$(CONFIG_ASN1) += asn1_compiler always-$(CONFIG_MODULE_SIG_FORMAT) += sign-file always-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += extract-cert always-$(CONFIG_SYSTEM_EXTRA_CERTIFICATE) += insert-sys-cert +hostprogs-always-$(CONFIG_SYSTEM_REVOCATION_LIST) += extract-cert HOSTCFLAGS_sorttable.o = -I$(srctree)/tools/include HOSTCFLAGS_asn1_compiler.o = -I$(srctree)/include

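Review bot: in the certs/Makefile hunk, `quiet_cmd_extract_certs` and `cmd_extract_certs` are defined a second time inside the new `ifeq ($(CONFIG_SYSTEM_REVOCATION_LIST),y)` block, while the existing `$(obj)/x509_certificate_list` rule in the `@@ -29,7 +30,7 @@` hunk already calls `if_changed,extract_certs` from inside the CONFIG_SYSTEM_TRUSTED_KEYRING block. Presumably the copy exists for SYSTEM_TRUSTED_KEYRING=n builds; hoisting one definition above both conditionals avoids two identical definitions that must be kept in sync.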
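Review bot: in the certs/blacklist.c hunk, `revocation_certificate_list` and `revocation_certificate_list_size` are declared `extern` in the .c file (checkpatch warns about externs in .c files); move the two declarations into certs/blacklist.h under the same CONFIG_SYSTEM_REVOCATION_LIST guard so the .S definition and its C user share a single declaration.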
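Review bot: in the scripts/Makefile hunk, the added line uses `hostprogs-always-$(CONFIG_SYSTEM_REVOCATION_LIST)` while the neighbouring entries, including the existing extract-cert one, use the `always-$(...)` idiom. For this F/hwe-5.8 backport confirm that the tree's Kbuild understands the `hostprogs-always-` prefix; if it does not, the line is a silent no-op and extract-cert is only built when CONFIG_SYSTEM_TRUSTED_KEYRING=y, so a SYSTEM_REVOCATION_LIST=y, SYSTEM_TRUSTED_KEYRING=n config would fail at the x509_revocation_list rule. Writing `always-$(CONFIG_SYSTEM_REVOCATION_LIST) += extract-cert` like its neighbours sidesteps the question.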
(mail-wm1-f69.google.com [209.85.128.69]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by smtp-relay-internal-0.canonical.com (Postfix) with ESMTPS id 3D3EE40192 for ; Mon, 27 Sep 2021 15:58:59 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=canonical.com; s=20210705; t=1632758339; bh=CugZy0ymKxU/WuzPvTCKLk0d3yxLxjUQqkYGnHV7N/k=; h=From:To:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=rctUz5aWPT5xBzS598h0xgwxg9/u9YKbVVXRQWWwcBuKOWevRaXd0RqKz2EHmCF1V CDSThWsXkMhrP4L2lUPapgECRd2IBhUOXaz5uzLdRxufliJOd0To7oeGDAiFjO4UVK 3U9COlEaBmEOaalj5Vn5wWAewdzByYlcbmFEvk/75Rhk/9Yg3FQoFwMkYVEteToyOb 8bCVcPYqyhW0o9e7RisxIuRGcPIAdKPqE/qKBl7vgeWt5itu6HuY2FsWIymosE0fvk Vv1d1c+s60pa32FlaI3vJksqcTPFVZgXRt0TAvyuk2wn1ulrg9eL+ZoD9SEXgY5b79 u56+Zz/3OLmIQ== Received: by mail-wm1-f69.google.com with SMTP id 200-20020a1c00d1000000b0030b3dce20e1so386403wma.0 for ; Mon, 27 Sep 2021 08:58:59 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=CugZy0ymKxU/WuzPvTCKLk0d3yxLxjUQqkYGnHV7N/k=; b=hDHrtFQrcg2tJk3fqjt/aW4eJDHtF3hfts2TMLzZsXgIK11kNdy4+K2KAYa2Cp5G5I dhJq++W0ve2qzbq1lNBjuhm4edFmkW4IDD69fokDGZqaKIdK1+Qj+mgGGJm/oTL6txXO RZ+L0uVw+1FpPiWpXkJuaOhe2lIGqOymePq8lK0HZqfvwfWHX+ldepipRO42+7M3HVdF XwHv8+YdsMaCEPKid/Qd+XkLAf7/ZMsDEE9RjU+17NDFu562z7ffz9SP5Vkgr8xjzW+f +0WexsMHeWj87lRMZmQ54vNdigWW4nLIY7rnQiYTkRGuJx50B4H8JXrq06QDNfDg8sHy /0RQ== X-Gm-Message-State: AOAM530sHH1BBrSWaWsnAePh2GhkBUcy2G/JQ0qHmrx58uRY4Pfrfm2d SZsm0GH+qw+KD9ANlCgY1vnWKzyGUX7bQNgof3Zeg8JiQ4iBF/Q1qIwL+J6CYMIQH1ARxpUwo+C WtLDJwPF97e4d+8ebEsAbQlfPXtCatgzAIQGCgo8qCg== X-Received: by 2002:adf:f94b:: with SMTP id q11mr698698wrr.408.1632758338690; Mon, 27 Sep 2021 08:58:58 -0700 (PDT) X-Google-Smtp-Source: 
ABdhPJw+BTM+A5qQUp213RdTOZGMxNOwzr7EcYhY0GCInsjnKEpPy/NF4qedZtoYAipuAjZQGdGiIA== X-Received: by 2002:adf:f94b:: with SMTP id q11mr698679wrr.408.1632758338446; Mon, 27 Sep 2021 08:58:58 -0700 (PDT) Received: from localhost ([2a01:4b00:85fd:d700:86ad:7d9c:de94:eed0]) by smtp.gmail.com with ESMTPSA id s24sm16376938wmh.34.2021.09.27.08.58.57 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 27 Sep 2021 08:58:58 -0700 (PDT) From: Dimitri John Ledkov To: kernel-team@lists.ubuntu.com Subject: [SRU][F/hwe-5.8][PATCH 11/18] integrity: Load mokx variables into the blacklist keyring Date: Mon, 27 Sep 2021 16:58:30 +0100 Message-Id: <20210927155837.164674-6-dimitri.ledkov@canonical.com> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20210927155837.164674-1-dimitri.ledkov@canonical.com> References: <20210927155712.164337-1-dimitri.ledkov@canonical.com> <20210927155837.164674-1-dimitri.ledkov@canonical.com> MIME-Version: 1.0 X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.20 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" From: Eric Snowberg BugLink: https://bugs.launchpad.net/bugs/1932029 During boot the Secure Boot Forbidden Signature Database, dbx, is loaded into the blacklist keyring. Systems booted with shim have an equivalent Forbidden Signature Database called mokx. Currently mokx is only used by shim and grub, the contents are ignored by the kernel. Add the ability to load mokx into the blacklist keyring during boot. Signed-off-by: Eric Snowberg Suggested-by: James Bottomley 
Signed-off-by: David Howells Reviewed-by: Jarkko Sakkinen cc: keyrings@vger.kernel.org Link: https://lore.kernel.org/r/c33c8e3839a41e9654f41cc92c7231104931b1d7.camel@HansenPartnership.com/ Link: https://lore.kernel.org/r/20210122181054.32635-5-eric.snowberg@oracle.com/ # v5 Link: https://lore.kernel.org/r/161428674320.677100.12637282414018170743.stgit@warthog.procyon.org.uk/ Link: https://lore.kernel.org/r/161433313205.902181.2502803393898221637.stgit@warthog.procyon.org.uk/ # v2 Link: https://lore.kernel.org/r/161529607422.163428.13530426573612578854.stgit@warthog.procyon.org.uk/ # v3 (cherry picked from commit ebd9c2ae369a45bdd9f8615484db09be58fc242b) Signed-off-by: Dimitri John Ledkov --- security/integrity/platform_certs/load_uefi.c | 20 +++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/security/integrity/platform_certs/load_uefi.c b/security/integrity/platform_certs/load_uefi.c index eff9ff5934..d3e7ae04f5 100644 --- a/security/integrity/platform_certs/load_uefi.c +++ b/security/integrity/platform_certs/load_uefi.c @@ -134,8 +134,9 @@ static int __init load_moklist_certs(void) static int __init load_uefi_certs(void) { efi_guid_t secure_var = EFI_IMAGE_SECURITY_DATABASE_GUID; - void *db = NULL, *dbx = NULL; - unsigned long dbsize = 0, dbxsize = 0; + efi_guid_t mok_var = EFI_SHIM_LOCK_GUID; + void *db = NULL, *dbx = NULL, *mokx = NULL; + unsigned long dbsize = 0, dbxsize = 0, mokxsize = 0; efi_status_t status; int rc = 0; 
@@ -177,6 +178,21 @@ static int __init load_uefi_certs(void) kfree(dbx); } + mokx = get_cert_list(L"MokListXRT", &mok_var, &mokxsize, &status); + if (!mokx) { + if (status == EFI_NOT_FOUND) + pr_debug("mokx variable wasn't found\n"); + else + pr_info("Couldn't get mokx list\n"); + } else { + rc = parse_efi_signature_list("UEFI:MokListXRT", + mokx, mokxsize, + get_handler_for_dbx); + if (rc) + pr_err("Couldn't parse mokx signatures %d\n", rc); + kfree(mokx); + } + /* Load the MokListRT certs */ rc = load_moklist_certs(); From patchwork Mon Sep 27 15:58:31 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Dimitri John Ledkov X-Patchwork-Id: 1533439 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: bilbo.ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=canonical.com header.i=@canonical.com header.a=rsa-sha256 header.s=20210705 header.b=pQ+bigGA; dkim-atps=neutral Authentication-Results: ozlabs.org; spf=none (no SPF record) smtp.mailfrom=lists.ubuntu.com (client-ip=91.189.94.19; helo=huckleberry.canonical.com; envelope-from=kernel-team-bounces@lists.ubuntu.com; receiver=) Received: from huckleberry.canonical.com (huckleberry.canonical.com [91.189.94.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by bilbo.ozlabs.org (Postfix) with ESMTPS id 4HJ6lC0ssqz9tk6 for ; Tue, 28 Sep 2021 01:59:19 +1000 (AEST) Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com) by huckleberry.canonical.com with esmtp (Exim 4.86_2) (envelope-from ) id 1mUt23-000793-Sj; Mon, 27 Sep 2021 15:59:07 +0000 Received: from smtp-relay-internal-0.internal ([10.131.114.225] helo=smtp-relay-internal-0.canonical.com) by huckleberry.canonical.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 
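Review bot: in the hunk at `@@ -134,8 +134,9 @@`, `efi_guid_t mok_var = EFI_SHIM_LOCK_GUID;` duplicates the `mok_var` that `load_moklist_certs()` (called at the end of this same function) already declares with the same value, so the shim GUID now appears in two places in one file; the later SAUCE refactoring in this series removes the copy again. The three new locals otherwise follow the existing `db`/`dbx` pattern.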
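Review bot: in the hunk at `@@ -177,6 +178,21 @@`, a MokListXRT parse failure is logged with `pr_err("Couldn't parse mokx signatures %d\n", rc);` but `rc` is then overwritten by the following `rc = load_moklist_certs();`, so `load_uefi_certs()` reports success even when the revocation list was only partially loaded; that mirrors how db/dbx are treated, but for a revocation list a partial load is the case worth surfacing, so consider preserving the first error. Also, only the `MokListXRT` EFI variable is read here, whereas `load_moklist_certs()` tries the EFI MOK config table first for `MokListRT`; on a shim that publishes the revocation list through the table rather than the variable, nothing is revoked (the later SAUCE patch in this series addresses exactly that). Minor: the message lacks the colon before `%d` that the sibling `"Couldn't parse MokListRT signatures: %d\n"` uses.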
1mUt1x-00073g-3J for kernel-team@lists.ubuntu.com; Mon, 27 Sep 2021 15:59:01 +0000 Received: from mail-wm1-f70.google.com (mail-wm1-f70.google.com [209.85.128.70]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by smtp-relay-internal-0.canonical.com (Postfix) with ESMTPS id DC1B940192 for ; Mon, 27 Sep 2021 15:59:00 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=canonical.com; s=20210705; t=1632758340; bh=fW3j2puRVfqCO1T162tebW5D+7WuDiGyIKwRpvI4VGA=; h=From:To:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=pQ+bigGAzoMuKQJyCs0VYc4hlXOVwvQ7FM7UylTwouHyB+M3iu3mtzUS7kYx2ugCz sUU0LPc9hlNvD7BsoPMyCBwxZEh2GJZlfvgtzW6GcjEoGcJfWNWQJ2CtB8aP3TrqxD hZPIPN2f6tD/ki18ioS1HLxDBSK8H+/uws1atTTxEElo00NnxQf/sjmheIC7TdRO+X yOkIEOHcyXlOTkE4DccVeIVFQ3Dc0nr66PMW2QZJVPvDCWl/WFu51Syg0YLl6vptHn UVXVv7uSdafH5ixQGfDqtJDyTst8iHduWfdmQEgu399ptJFAfgZVwbjiawI3UPU9QT 4k86/fzNoUa7g== Received: by mail-wm1-f70.google.com with SMTP id z137-20020a1c7e8f000000b0030cd1800d86so427297wmc.2 for ; Mon, 27 Sep 2021 08:59:00 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=fW3j2puRVfqCO1T162tebW5D+7WuDiGyIKwRpvI4VGA=; b=gCvTN/Jw9uCO6ouQplpudyCkM4rm7R98yCoNioCFUL0x662OCfhgWg6I/J/jaUURTL s53Z10aHygfF2elfTVxNZoPJcIceBy8dPPS7spqXdnsFBC5DXQsK7YmanMLEmxYq27lP FOaXrATpBD58AzZNKh/g1Hytycnk+if3fHCSGOhZQ70nSJ99PrFWaO6EJuSD5kJGJp4e u5fXYj2OyRP4nb6SC5dY3pzyjBWuwsKN2tuVbiVn4s7R8Mp8Uwt7dfPDSVhUUSEkGLPq tGa6/cyHD8xYrVhg5g8jIAQNc2ji9QhAG24U/EJvHN/c9rLlIBwA0pc1Byjx+eN7Z3Dr gwbA== X-Gm-Message-State: AOAM531X8DJ2uUAMiuXmF0DZygKctJFqeyHNBm8csX3OLJtRaUedOMBd QlBrnZ8XlYdRj5wDzfGF0ocMgOpvXKRMmAiJvQ5SRGVx2Q0+ls6ppbjKKxPrx94gGtclmnWE1UV bQ3jaigqvaB/pVU3bEURaN2Wrj830kbysX+WMbr5D2Q== X-Received: by 
2002:a05:600c:4106:: with SMTP id j6mr664183wmi.99.1632758340348; Mon, 27 Sep 2021 08:59:00 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzY/qzO3IrFk+WTX073aYBPFsvTNRcghgvUy+5kaFPT0KaC9FKmxkwMCAigyL7qkuCr6OZxsA== X-Received: by 2002:a05:600c:4106:: with SMTP id j6mr664167wmi.99.1632758340156; Mon, 27 Sep 2021 08:59:00 -0700 (PDT) Received: from localhost ([2a01:4b00:85fd:d700:86ad:7d9c:de94:eed0]) by smtp.gmail.com with ESMTPSA id y11sm20714095wrg.18.2021.09.27.08.58.59 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 27 Sep 2021 08:58:59 -0700 (PDT) From: Dimitri John Ledkov To: kernel-team@lists.ubuntu.com Subject: [SRU][F/hwe-5.8][PATCH 12/18] certs: add 'x509_revocation_list' to gitignore Date: Mon, 27 Sep 2021 16:58:31 +0100 Message-Id: <20210927155837.164674-7-dimitri.ledkov@canonical.com> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20210927155837.164674-1-dimitri.ledkov@canonical.com> References: <20210927155712.164337-1-dimitri.ledkov@canonical.com> <20210927155837.164674-1-dimitri.ledkov@canonical.com> MIME-Version: 1.0 X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.20 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" From: Linus Torvalds BugLink: https://bugs.launchpad.net/bugs/1932029 Commit d1f044103dad ("certs: Add ability to preload revocation certs") created a new generated file for revocation certs, but didn't tell git to ignore it. Thus causing unnecessary "git status" noise after a kernel build with CONFIG_SYSTEM_REVOCATION_LIST enabled. Add the proper gitignore magic. Signed-off-by: Linus Torvalds (cherry picked from commit 81f202315856edb75a371f3376aa3a47543c16f0) Signed-off-by: Dimitri John Ledkov --- certs/.gitignore | 1 + 1 file changed, 1 insertion(+) diff --git a/certs/.gitignore b/certs/.gitignore index 2a24839906..6cbd1f1a58 100644 --- a/certs/.gitignore 
+++ b/certs/.gitignore 
@@ -1,2 +1,3 @@ # SPDX-License-Identifier: GPL-2.0-only x509_certificate_list +x509_revocation_list From patchwork Mon Sep 27 15:58:32 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Dimitri John Ledkov X-Patchwork-Id: 1533440 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: bilbo.ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=canonical.com header.i=@canonical.com header.a=rsa-sha256 header.s=20210705 header.b=SGFk0MC8; dkim-atps=neutral Authentication-Results: ozlabs.org; spf=none (no SPF record) smtp.mailfrom=lists.ubuntu.com (client-ip=91.189.94.19; helo=huckleberry.canonical.com; envelope-from=kernel-team-bounces@lists.ubuntu.com; receiver=) Received: from huckleberry.canonical.com (huckleberry.canonical.com [91.189.94.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by bilbo.ozlabs.org (Postfix) with ESMTPS id 4HJ6lC16H8z9tk7 for ; Tue, 28 Sep 2021 01:59:19 +1000 (AEST) Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com) by huckleberry.canonical.com with esmtp (Exim 4.86_2) (envelope-from ) id 1mUt26-0007Ak-1Z; Mon, 27 Sep 2021 15:59:10 +0000 Received: from smtp-relay-internal-1.internal ([10.131.114.114] helo=smtp-relay-internal-1.canonical.com) by huckleberry.canonical.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1mUt1z-000755-2I for kernel-team@lists.ubuntu.com; Mon, 27 Sep 2021 15:59:03 +0000 Received: from mail-wr1-f70.google.com (mail-wr1-f70.google.com [209.85.221.70]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by smtp-relay-internal-1.canonical.com (Postfix) with ESMTPS id AFC5C3F4B9 for ; Mon, 
27 Sep 2021 15:59:02 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=canonical.com; s=20210705; t=1632758342; bh=qHaaFKNySUxGp6i527ZRYdQNVg9ZEuqFjTCuTW8nNN0=; h=From:To:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=SGFk0MC8fFHAX5O7GNeUCGMnaZoMrV5zzJgmN0GoRchPiSPsqZfrt1i7SlvNorT0G FCwTL6EmjZK/+ULebtpI0AH1eQ2PmaLfr7DZHetRdtrLbl0TP/pQeFZkzQ3HZVjSs7 oux8orEs7t20E+ncObf9TWecitxRm6IJO/oPlC+vT951tdvmu0/JpC7Qnwlfl5fQrx FIsGDR++XTCSOTEeUui7/ID9Y0J6AhsmrlLgQ+2LMlqA5PVLT8j7wuBgjU1ATZjNMK 8ThNzYYkR1uGw2jBOYvTxw3xAolNEaNnrLYW1Jlv6qGPP2xM+DuS2v+24GEDqLOKCZ IX63dMGXgUSkQ== Received: by mail-wr1-f70.google.com with SMTP id c15-20020a5d4ccf000000b0015dff622f39so14218202wrt.21 for ; Mon, 27 Sep 2021 08:59:02 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=qHaaFKNySUxGp6i527ZRYdQNVg9ZEuqFjTCuTW8nNN0=; b=FZ50DO8NYCllvUhGlsy6+WU5USe7pjV4KleYQWvB2R7iu0MdjF2pN/uKEl1U8LP5Bl +kcxdwkFKqjfKxBmsV8eVf037crT/1ujjmrEEthRPBZeqogjqrnt4ecb4icEbKStxIJS w0GGhqBx4+Fj6ze8U06hz2vPCPo9R9dIPN/ZbU8kzop1+NDONrKvoW3ny9UKg66g3qu2 uGih36iqo6qzXMX617WvSiKBjWmGgAGmA7MtLn6C3gMQRiDaa1wl/jijMduKFYD+S74q 3XBbL0ZH2wG9aTFEaJw9baWM75GiMWJgzXqce2WzNDk/V2x0r8Ej8FiwB4q9JM48WQHg AoVA== X-Gm-Message-State: AOAM5310hQng1tgTsoVRJdJZtFUzooIXnGxsA2t/xmvvybe4NZkoRnjq ZY5GNyR/tkBd855TjPOFtLhsfZGEacZOMQbANZuXkq3DqPfIotA4pbhGceXi4N5eYjQSp3VuOlD aSjrJao/pZa9VuxrfyNVXeHbEwSS6rqIEUU3CgnVdnw== X-Received: by 2002:adf:f687:: with SMTP id v7mr647174wrp.347.1632758342071; Mon, 27 Sep 2021 08:59:02 -0700 (PDT) X-Google-Smtp-Source: ABdhPJydLG/Xv4neHE7d+Q79R4M+dBWffCv8Sx+9IEHXYjz6VmpgOh1PZyPyRrsV9n4NCjnDXptkVg== X-Received: by 2002:adf:f687:: with SMTP id v7mr647144wrp.347.1632758341727; Mon, 27 Sep 2021 08:59:01 -0700 (PDT) Received: from localhost ([2a01:4b00:85fd:d700:86ad:7d9c:de94:eed0]) by smtp.gmail.com with ESMTPSA id 
z12sm8818153wmf.21.2021.09.27.08.59.01 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 27 Sep 2021 08:59:01 -0700 (PDT) From: Dimitri John Ledkov To: kernel-team@lists.ubuntu.com Subject: [SRU][F/hwe-5.8][PATCH 13/18] UBUNTU: SAUCE: integrity: Load mokx certs from the EFI MOK config table Date: Mon, 27 Sep 2021 16:58:32 +0100 Message-Id: <20210927155837.164674-8-dimitri.ledkov@canonical.com> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20210927155837.164674-1-dimitri.ledkov@canonical.com> References: <20210927155712.164337-1-dimitri.ledkov@canonical.com> <20210927155837.164674-1-dimitri.ledkov@canonical.com> MIME-Version: 1.0 X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.20 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" Refactor load_moklist_certs() to load either MokListRT into db, or MokListXRT into dbx. Call load_moklist_certs() twice - first to load mokx certs into dbx, then mok certs into db. This thus now attempts to load mokx certs via the EFI MOKvar config table first, and if that fails, via the EFI variable. Previously mokx certs were only loaded via the EFI variable. Which fails when MokListXRT is large. Instead of large MokListXRT variable, only MokListXRT{1,2,3} are available which are not loaded. This is the case with Ubuntu's 15.4 based shim. This patch is required to address CVE-2020-26541 when certificates are revoked via MokListXRT. Fixes: ebd9c2ae369a ("integrity: Load mokx variables into the blacklist keyring") BugLink: https://bugs.launchpad.net/bugs/1928679 Signed-off-by: Dimitri John Ledkov Acked-by: Krzysztof Kozlowski Signed-off-by: Seth Forshee (cherry picked from commit a9e3aae16235d6af12509a64f1337da4485ccbae) (xnox: cherry-pick is from impish:linux SAUCE) 
Signed-off-by: Dimitri John Ledkov --- security/integrity/platform_certs/load_uefi.c | 74 ++++++++++--------- 1 file changed, 40 insertions(+), 34 deletions(-) diff --git a/security/integrity/platform_certs/load_uefi.c b/security/integrity/platform_certs/load_uefi.c index d3e7ae04f5..b010b4ab5d 100644 --- a/security/integrity/platform_certs/load_uefi.c +++ b/security/integrity/platform_certs/load_uefi.c @@ -68,17 +68,18 @@ static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid, } /* - * load_moklist_certs() - Load MokList certs + * load_moklist_certs() - Load Mok(X)List certs + * @load_db: Load MokListRT into db when true; MokListXRT into dbx when false * - * Load the certs contained in the UEFI MokListRT database into the - * platform trusted keyring. + * Load the certs contained in the UEFI MokList(X)RT database into the + * platform trusted/denied keyring. * * This routine checks the EFI MOK config table first. If and only if - * that fails, this routine uses the MokListRT ordinary UEFI variable. + * that fails, this routine uses the MokList(X)RT ordinary UEFI variable. * * Return: Status */ -static int __init load_moklist_certs(void) +static int __init load_moklist_certs(const bool load_db) { struct efi_mokvar_table_entry *mokvar_entry; efi_guid_t mok_var = EFI_SHIM_LOCK_GUID; 
@@ -86,41 +87,55 @@ static int __init load_moklist_certs(void) unsigned long moksize; efi_status_t status; int rc; + const char *mokvar_name = "MokListRT"; + /* Should be const, but get_cert_list() doesn't have it as const yet */ + efi_char16_t *efivar_name = L"MokListRT"; + const char *parse_mokvar_name = "UEFI:MokListRT (MOKvar table)"; + const char *parse_efivar_name = "UEFI:MokListRT"; + efi_element_handler_t (*get_handler_for_guid)(const efi_guid_t *) = get_handler_for_db; + + if (!load_db) { + mokvar_name = "MokListXRT"; + efivar_name = L"MokListXRT"; + parse_mokvar_name = "UEFI:MokListXRT (MOKvar table)"; + parse_efivar_name = "UEFI:MokListXRT"; + get_handler_for_guid = get_handler_for_dbx; + } /* First try to load certs from the EFI MOKvar config table. * It's not an error if the MOKvar config table doesn't exist * or the MokListRT entry is not found in it. */ - mokvar_entry = efi_mokvar_entry_find("MokListRT"); + mokvar_entry = efi_mokvar_entry_find(mokvar_name); if (mokvar_entry) { - rc = parse_efi_signature_list("UEFI:MokListRT (MOKvar table)", + rc = parse_efi_signature_list(parse_mokvar_name, mokvar_entry->data, mokvar_entry->data_size, - get_handler_for_db); + get_handler_for_guid); /* All done if that worked. */ if (!rc) return rc; - pr_err("Couldn't parse MokListRT signatures from EFI MOKvar config table: %d\n", - rc); + pr_err("Couldn't parse %s signatures from EFI MOKvar config table: %d\n", + mokvar_name, rc); } /* Get MokListRT. It might not exist, so it isn't an error * if we can't get it. 
*/ - mok = get_cert_list(L"MokListRT", &mok_var, &moksize, &status); + mok = get_cert_list(efivar_name, &mok_var, &moksize, &status); if (mok) { - rc = parse_efi_signature_list("UEFI:MokListRT", - mok, moksize, get_handler_for_db); + rc = parse_efi_signature_list(parse_efivar_name, + mok, moksize, get_handler_for_guid); kfree(mok); if (rc) - pr_err("Couldn't parse MokListRT signatures: %d\n", rc); + pr_err("Couldn't parse %s signatures: %d\n", mokvar_name, rc); return rc; } if (status == EFI_NOT_FOUND) - pr_debug("MokListRT variable wasn't found\n"); + pr_debug("%s variable wasn't found\n", mokvar_name); else - pr_info("Couldn't get UEFI MokListRT\n"); + pr_info("Couldn't get UEFI %s\n", mokvar_name); return 0; } @@ -134,9 +149,8 @@ static int __init load_moklist_certs(void) static int __init load_uefi_certs(void) { efi_guid_t secure_var = EFI_IMAGE_SECURITY_DATABASE_GUID; - efi_guid_t mok_var = EFI_SHIM_LOCK_GUID; - void *db = NULL, *dbx = NULL, *mokx = NULL; - unsigned long dbsize = 0, dbxsize = 0, mokxsize = 0; + void *db = NULL, *dbx = NULL; + unsigned long dbsize = 0, dbxsize = 0; efi_status_t status; int rc = 0; 
@@ -178,23 +192,15 @@ static int __init load_uefi_certs(void) kfree(dbx); } - mokx = get_cert_list(L"MokListXRT", &mok_var, &mokxsize, &status); - if (!mokx) { - if (status == EFI_NOT_FOUND) - pr_debug("mokx variable wasn't found\n"); - else - pr_info("Couldn't get mokx list\n"); - } else { - rc = parse_efi_signature_list("UEFI:MokListXRT", - mokx, mokxsize, - get_handler_for_dbx); - if (rc) - pr_err("Couldn't parse mokx signatures %d\n", rc); - kfree(mokx); - } + /* Load the MokListXRT certs */ + rc = load_moklist_certs(false); + if (rc) + pr_err("Couldn't parse mokx signatures: %d\n", rc); /* Load the MokListRT certs */ - rc = load_moklist_certs(); + rc = load_moklist_certs(true); + if (rc) + pr_err("Couldn't parse mok signatures: %d\n", rc); return rc; } From patchwork Mon Sep 27 15:58:33 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Dimitri John Ledkov X-Patchwork-Id: 1533441 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: bilbo.ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=canonical.com header.i=@canonical.com header.a=rsa-sha256 header.s=20210705 header.b=mvDUzWBH; dkim-atps=neutral Authentication-Results: ozlabs.org; spf=none (no SPF record) smtp.mailfrom=lists.ubuntu.com (client-ip=91.189.94.19; helo=huckleberry.canonical.com; envelope-from=kernel-team-bounces@lists.ubuntu.com; receiver=) Received: from huckleberry.canonical.com (huckleberry.canonical.com [91.189.94.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by bilbo.ozlabs.org (Postfix) with ESMTPS id 4HJ6lH3FZKz9tk6 for ; Tue, 28 Sep 2021 01:59:23 +1000 (AEST) Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com) by huckleberry.canonical.com with esmtp (Exim 4.86_2) (envelope-from ) id 1mUt29-0007D4-D6; Mon, 27 Sep 
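Review bot: in the hunk at `@@ -68,17 +68,18 @@`, a bare `bool` selector makes the call sites `load_moklist_certs(false)` and `load_moklist_certs(true)` unreadable without the comment beside each; two thin wrappers or an enum would be clearer. The `const` on the by-value `bool load_db` parameter adds nothing. The kernel-doc update is welcome, but the `Return:` line should state that 0 is also returned when the variable is simply absent, since the caller now treats any non-zero value as a parse failure.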
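Review bot: in the hunk at `@@ -86,41 +87,55 @@`, two comments are now stale: `* or the MokListRT entry is not found in it.` and `/* Get MokListRT. It might not exist, so it isn't an error` still name only MokListRT although the same code path now handles MokListXRT; they should say MokList(X)RT as the kernel-doc does. The line `efi_element_handler_t (*get_handler_for_guid)(const efi_guid_t *) = get_handler_for_db;` is well over 80 columns and would read better as a typedef. The `/* Should be const, but get_cert_list() doesn't have it as const yet */` comment is honest, but `get_cert_list()` is a static function in this same file (`static __init void *get_cert_list(efi_char16_t *name, ...)` in the hunk context), so the signature could be fixed in the same patch rather than documented around.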
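Review bot: in the hunk at `@@ -178,23 +192,15 @@`, failures are now reported twice: `load_moklist_certs()` already prints `Couldn't parse %s signatures: %d` on the failing path, and the caller prints `Couldn't parse mokx signatures: %d` or `Couldn't parse mok signatures: %d` again for the same `rc`; one of the two should go. As in the version being replaced, the mokx result is overwritten by the subsequent `rc = load_moklist_certs(true);`, so a failed revocation-list load still ends with `load_uefi_certs()` returning success; given that the commit message ties this patch to CVE-2020-26541 handling, the decision whether a mokx parse error should be propagated deserves to be made explicitly and recorded in the commit message. Loading MokListXRT before MokListRT matches what the commit message describes.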
2021 15:59:13 +0000 Received: from smtp-relay-internal-1.internal ([10.131.114.114] helo=smtp-relay-internal-1.canonical.com) by huckleberry.canonical.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1mUt20-00076O-Pe for kernel-team@lists.ubuntu.com; Mon, 27 Sep 2021 15:59:04 +0000 Received: from mail-wr1-f72.google.com (mail-wr1-f72.google.com [209.85.221.72]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by smtp-relay-internal-1.canonical.com (Postfix) with ESMTPS id 198B53F4B9 for ; Mon, 27 Sep 2021 15:59:04 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=canonical.com; s=20210705; t=1632758344; bh=/Sf2gE95wFug7fip4TOxhHwe3luJcTCi8x6Aog8mhCk=; h=From:To:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=mvDUzWBHZ8HcLM1e1tGPKFL6AZQO4yV9WxlnKMI9gzCf0b9NCM8HbNUiRI02QhYLM R0rywLxaCwj4cNP81KbqRFVMqMJ1QeW3c71d//gWZ8jNmGZouT5k7lxRu0H0K+x0I3 5AOEAkPTK6E/a1QeTylsKRCPnjOohX9GcxeWnGh9oGZul/xm4OQnocF99zgGYwjs1q Qj36hnDd+You4JHHB4/pb9lCUn+5WFueovJRYG0+F49wQo+fP34gduIjGUWGgTuwSW nZC2FMfK3N8jaZPB/Yk/3aS1RqaZGOmH1t9V4dhCE+nlTQ0hPb8qC6Intz9+k/bGv8 qb6qXANJYuiZg== Received: by mail-wr1-f72.google.com with SMTP id x7-20020a5d6507000000b0015dada209b1so14223864wru.15 for ; Mon, 27 Sep 2021 08:59:04 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=/Sf2gE95wFug7fip4TOxhHwe3luJcTCi8x6Aog8mhCk=; b=zkamy4cJkxhvEYejInh6bNtdQUmB/FYCszBMiLX5g7vx9QFY8SlDL0RwAkznRAwtad 1JxQ/9Y4O31QI1WhIRxzE2LoqdAptV6U9udrevcA/2TI+8CIR828Dzt2SVwk8In8d/s6 lnUJ85+SHe+wEsAoN9jpceMLuU9gXyfCEQlSYSSk2bKY9/oldQ14AjhtZM8NbvrKHW2S U92q5vfyi8EhpgLSf7gnEVTbnezP6QvWS6L0irszVxAIT6j6fVxjRETl0tVJ/woEkynp 
6X5119MW29FopgDjvwW4Y/2wh8BtcaHZJ22Vkdtx2e/WRIkp0/qzBL/8pVg3itJfqTpU gaxQ== X-Gm-Message-State: AOAM532OBPwWjkeNHIyIjvaSls37JwcJChCab7q/OGlbj0XZOXZwx+YC EaeooEGq1TqkToOSKQxygkrVXkHQj+N9R/YxVNNHlcVzV6PqoxZNfMga0yQ5FhiCDhNGU96sBGB Dnawvie0pLjLCtsay/iKcmE7b44vlKd4yU5OPigoLDg== X-Received: by 2002:a7b:cb04:: with SMTP id u4mr16339309wmj.176.1632758343493; Mon, 27 Sep 2021 08:59:03 -0700 (PDT) X-Google-Smtp-Source: ABdhPJw4IKTaGqfphVxq6N3c0Z5kCaVVQ24HvldmDLTcCdPKPPF0k0C700LH82c5PZODHfGd3K6tQQ== X-Received: by 2002:a7b:cb04:: with SMTP id u4mr16339285wmj.176.1632758343218; Mon, 27 Sep 2021 08:59:03 -0700 (PDT) Received: from localhost ([2a01:4b00:85fd:d700:86ad:7d9c:de94:eed0]) by smtp.gmail.com with ESMTPSA id z7sm16771954wmi.43.2021.09.27.08.59.02 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 27 Sep 2021 08:59:02 -0700 (PDT) 
From: Dimitri John Ledkov To: kernel-team@lists.ubuntu.com Subject: [SRU][F/hwe-5.8][PATCH 14/18] UBUNTU: SAUCE: integrity: add informational messages when revoking certs Date: Mon, 27 Sep 2021 16:58:33 +0100 Message-Id: <20210927155837.164674-9-dimitri.ledkov@canonical.com> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20210927155837.164674-1-dimitri.ledkov@canonical.com> References: <20210927155712.164337-1-dimitri.ledkov@canonical.com> <20210927155837.164674-1-dimitri.ledkov@canonical.com> MIME-Version: 1.0 X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.20 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" integrity_load_cert() prints messages of the source and cert details when adding certs as trusted. Mirror those messages in uefi_revocation_list_x509() when adding certs as revoked. Sample dmesg with this change: integrity: Platform Keyring initialized integrity: Loading X.509 certificate: UEFI:db integrity: Loaded X.509 cert 'Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a1bd4' integrity: Revoking X.509 certificate: UEFI:MokListXRT (MOKvar table) blacklist: Revoked X.509 cert 'Canonical Ltd. Secure Boot Signing: 61482aa2830d0ab2ad5af10b7250da9033ddcef0' integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table) integrity: Loaded X.509 cert 'Canonical Ltd. Master Certificate Authority: ad91990bc22ab1f517048c23b6655a268e345a63' BugLink: https://bugs.launchpad.net/bugs/1928679 Signed-off-by: Dimitri John Ledkov Acked-by: Krzysztof Kozlowski Signed-off-by: Seth Forshee (cherry picked from commit ba9fb788f89cb81c5ed836db2355a7a3b0f8c248) (xnox: cherry-pick is from impish:linux SAUCE) Signed-off-by: Dimitri John Ledkov --- certs/blacklist.c | 3 +++ security/integrity/platform_certs/keyring_handler.c | 1 + 2 files changed, 4 insertions(+) 
diff --git a/certs/blacklist.c b/certs/blacklist.c index c973de883c..7638dfaca7 100644 --- a/certs/blacklist.c +++ b/certs/blacklist.c @@ -171,6 +171,9 @@ int add_key_to_revocation_list(const char *data, size_t size) if (IS_ERR(key)) { pr_err("Problem with revocation key (%ld)\n", PTR_ERR(key)); return PTR_ERR(key); + } else { + pr_notice("Revoked X.509 cert '%s'\n", + key_ref_to_ptr(key)->description); } return 0; diff --git a/security/integrity/platform_certs/keyring_handler.c b/security/integrity/platform_certs/keyring_handler.c index 5604bd57c9..9f85626702 100644 --- a/security/integrity/platform_certs/keyring_handler.c +++ b/security/integrity/platform_certs/keyring_handler.c 
@@ -61,6 +61,7 @@ static __init void uefi_blacklist_binary(const char *source, static __init void uefi_revocation_list_x509(const char *source, const void *data, size_t len) { + pr_info("Revoking X.509 certificate: %s\n", source); add_key_to_revocation_list(data, len); } From patchwork Mon Sep 27 15:58:34 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Dimitri John Ledkov X-Patchwork-Id: 1533442 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: bilbo.ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=canonical.com header.i=@canonical.com header.a=rsa-sha256 header.s=20210705 header.b=XY/bv7d1; dkim-atps=neutral Authentication-Results: ozlabs.org; spf=none (no SPF record) smtp.mailfrom=lists.ubuntu.com (client-ip=91.189.94.19; helo=huckleberry.canonical.com; envelope-from=kernel-team-bounces@lists.ubuntu.com; receiver=) Received: from huckleberry.canonical.com (huckleberry.canonical.com [91.189.94.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by bilbo.ozlabs.org (Postfix) with ESMTPS id 4HJ6lL38prz9tk6 for ; Tue, 28 Sep 2021 01:59:26 +1000 (AEST) Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com) by huckleberry.canonical.com with esmtp (Exim 4.86_2) (envelope-from ) id 1mUt2E-0007Gm-5r; Mon, 27 Sep 2021 15:59:18 +0000 Received: from smtp-relay-internal-1.internal ([10.131.114.114] helo=smtp-relay-internal-1.canonical.com) by huckleberry.canonical.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1mUt22-00077i-Gc for kernel-team@lists.ubuntu.com; Mon, 27 Sep 2021 15:59:06 +0000 Received: from mail-wm1-f71.google.com (mail-wm1-f71.google.com [209.85.128.71]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 
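Review bot: in the certs/blacklist.c hunk at `@@ -171,6 +171,9 @@`, the `else` branch is redundant after `return PTR_ERR(key);` (checkpatch flags this pattern); the `pr_notice("Revoked X.509 cert '%s'\n", ...)` can simply follow the `if` block. Printing `key_ref_to_ptr(key)->description` is consistent with the `Loaded X.509 cert '%s'` line in certs/common.c, and the sample dmesg in the commit message shows why this matters operationally: an administrator can now confirm from the boot log that a specific signing certificate was revoked instead of inferring it from a later signature failure.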
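Review bot: in the keyring_handler.c hunk at `@@ -61,6 +61,7 @@`, the return value of `add_key_to_revocation_list(data, len);` is still discarded, so the new `Revoking X.509 certificate: %s` line can be followed by nothing when the key cannot be added; the only trace is the `Problem with revocation key` error inside the callee, which does not name the `source`. Either log the failure here together with `source`, or propagate the return value so `parse_efi_signature_list()` can report it; the pairing of "Revoking" and "Revoked" lines is only useful if a missing second line is a reliable signal.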
server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by smtp-relay-internal-1.canonical.com (Postfix) with ESMTPS id 9C4723F4B9 for ; Mon, 27 Sep 2021 15:59:05 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=canonical.com; s=20210705; t=1632758345; bh=jyD8QsTHqcNKhv4L/9yBWXd/IwWlE9q7ivdJ7fxeC+E=; h=From:To:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=XY/bv7d12MDXutWu26/OqzZhhBBARYm1MjlGLsgLAjuHJjPHen1+P30aia8TuFm04 oUc+F6NWgLWhZNZKshl9nu+P3RQHGDjEGYFLAjCDY/d3TLT/IPKaDM4oRgjEGYAqXO HN+wvf0VqM9N1sy0ds0WLZyAGYkIGstEjDlsCzJHYaQk9RjqWEkaInhMjFKGb48w4b a2xG03fGyY1lX0XxCg+9pY97GzL5q4pa0X7utcSm+A7a8qx701ubhkR+Zz6/Kgfvvs KeSOazw1zQSpdtkRG9GMNOKGv8jQ9tO9wSqcodKrvkAhVP6pniOQYNK4gX0/HP6iKn kD4HCr5owN+7w== Received: by mail-wm1-f71.google.com with SMTP id 75-20020a1c004e000000b00307b9b32cc9so137303wma.1 for ; Mon, 27 Sep 2021 08:59:05 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=jyD8QsTHqcNKhv4L/9yBWXd/IwWlE9q7ivdJ7fxeC+E=; b=Um11V5weEoWMWDbDi6Mk5RlW0c+q1P/ILicJ8kp9IoF4ydGsZ+TUnf2ZjZicAK+Oqp bhE2xwTMP6IIaZ6B+xnjXFpe9a5OnwG0AYNhIfdjtDftlPG6q9KZ+irMZKK4iCxKS+vK vP/hHzONQPSDgHZdq6Dokb+XIXb8uFvsPxbZBg4i4kvHv77A9FEyVW4t6+XC7KAZB8X5 4VnzI/rEikpvn21XgpeR1D5sN6fsExEaNJ/F7w7RnI79ocRg85JI4Oc56EZ5hpIiXm0g N4Gi3v5AMPCqX+oP3MVmS+n//o2wCbJ/UrU8VhBVPqymqV+4OF1Lb6CTOLRUrK6QzXe1 fjhA== X-Gm-Message-State: AOAM530x2vSDJMqn0x5ucPNF7eaBrcoMWmvCrwHbhRWKY4oj/4l0rFJx QXumt4qoFt/ul0v7PZ7zey0+NeLCb0uX49FBKYygyU4JQb1pXqIkkq34GAdPPhx/cSSHoHHPAIX XxWvo2tFHWPH4zNTiRVqEGE5z2lFeIVBjp+bGze6eBg== X-Received: by 2002:a5d:4344:: with SMTP id u4mr771715wrr.106.1632758345021; Mon, 27 Sep 2021 08:59:05 -0700 (PDT) X-Google-Smtp-Source: ABdhPJztVi+F1M9FiEZzUhUxPAd2Z4RvlcVUXAOFj4AIIJIhLassusb8hI7L5lKqTXy405Mg6eKKIg== X-Received: by 2002:a5d:4344:: with SMTP id 
From: Dimitri John Ledkov To: kernel-team@lists.ubuntu.com Subject: [SRU][F/hwe-5.8][PATCH 15/18] UBUNTU: SAUCE: Dump stack when X.509 certificates cannot be loaded Date: Mon, 27 Sep 2021 16:58:34 +0100 Message-Id: <20210927155837.164674-10-dimitri.ledkov@canonical.com> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20210927155837.164674-1-dimitri.ledkov@canonical.com> References: <20210927155712.164337-1-dimitri.ledkov@canonical.com> <20210927155837.164674-1-dimitri.ledkov@canonical.com>
From: Tim Gardner BugLink: https://bugs.launchpad.net/bugs/1932029 Signed-off-by: Tim Gardner (cherry picked from commit b5b4085dc5547a01593cd79dbf51bd9108f84e9f) (xnox: cherry-pick is from impish:linux SAUCE) Signed-off-by: Dimitri John Ledkov --- certs/common.c | 1 + 1 file changed, 1 insertion(+) diff --git a/certs/common.c b/certs/common.c index 16a220887a..23af4fc392 100644 --- a/certs/common.c +++ b/certs/common.c
@@ -41,6 +41,7 @@ int load_certificate_list(const u8 cert_list[], if (IS_ERR(key)) { pr_err("Problem loading in-kernel X.509 certificate (%ld)\n", PTR_ERR(key)); + WARN_ON_ONCE(1); } else { pr_notice("Loaded X.509 cert '%s'\n", key_ref_to_ptr(key)->description);
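Review bot: WARN_ON_ONCE(1) after the pr_err in load_certificate_list gives the stack dump the subject asks for, but on a kernel booted with panic_on_warn=1 it turns a failed certificate load into a boot-time panic instead of the log-and-continue behaviour the surrounding code has; the commit message, which currently carries only a BugLink and sign-offs, should say whether that escalation is intended. Two smaller points: WARN_ONCE(1, "Problem loading in-kernel X.509 certificate (%ld)\n", PTR_ERR(key)) would fold the existing message into the warning rather than emitting two separate lines, and because it fires only once, a second bad certificate later in the list gets the pr_err but no trace.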
From: Dimitri John Ledkov To: kernel-team@lists.ubuntu.com Subject: [SRU][F/hwe-5.8][PATCH 16/18] UBUNTU: [Packaging] build canonical-revoked-certs.pem from branch/arch certs Date: Mon, 27 Sep 2021 16:58:35 +0100 Message-Id: <20210927155837.164674-11-dimitri.ledkov@canonical.com> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20210927155837.164674-1-dimitri.ledkov@canonical.com> References: <20210927155712.164337-1-dimitri.ledkov@canonical.com> <20210927155837.164674-1-dimitri.ledkov@canonical.com>
BugLink: https://bugs.launchpad.net/bugs/1932029 Signed-off-by: Dimitri John Ledkov Signed-off-by: Andrea Righi (cherry picked from commit 3e44f229eef829ee3044651975512569824c4e5f) (xnox: cherry-pick is from impish:linux) Signed-off-by: Dimitri John Ledkov --- debian/rules | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/debian/rules b/debian/rules index 33558795e3..557c9b12ed 100755 --- a/debian/rules +++ b/debian/rules @@ -127,7 +127,7 @@ binary: binary-indep binary-arch build: build-arch build-indep -clean: debian/control debian/canonical-certs.pem +clean: debian/control debian/canonical-certs.pem debian/canonical-revoked-certs.pem dh_testdir dh_testroot dh_clean
@@ -237,3 +237,15 @@ debian/canonical-certs.pem: $(wildcard $(DROOT)/certs/*-all.pem) $(wildcard $(DR fi; \ done; \ done >"$@" + +debian/canonical-revoked-certs.pem: $(wildcard $(DROOT)/revoked-certs/*-all.pem) $(wildcard $(DROOT)/revoked-certs/*-$(arch).pem) $(wildcard $(DEBIAN)/revoked-certs/*-all.pem) $(wildcard $(DEBIAN)/revoked-certs/*-$(arch).pem) + for cert in $(sort $(notdir $^)); \ + do \ + for dir in $(DEBIAN) $(DROOT); \ + do \ + if [ -f "$$dir/revoked-certs/$$cert" ]; then \ + cat "$$dir/revoked-certs/$$cert"; \ + break; \ + fi; \ + done; \ + done >"$@"
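Review bot: the new debian/canonical-revoked-certs.pem rule duplicates the debian/canonical-certs.pem recipe just above it line for line with certs/ swapped for revoked-certs/; a make macro parameterised on the directory name would keep the two recipes from drifting apart. The lookup `for dir in $(DEBIAN) $(DROOT)` with `break` on the first hit means a branch-specific file silently shadows a same-named top-level one, which is presumably the intended override mechanism but deserves a sentence in the commit message, which currently has none. Note also that `clean:` now lists this file as a prerequisite, so it is generated on every clean, and when no revoked-certs/ files match the wildcards the loop runs zero times and `>"$@"` leaves an empty .pem rather than failing; say whether an empty revocation list is acceptable on branches that do not yet ship revoked-certs/.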
From: Dimitri John Ledkov To: kernel-team@lists.ubuntu.com Subject: [SRU][F/hwe-5.8][PATCH 17/18] UBUNTU: [Packaging] Revoke 2012 UEFI signing certificate as built-in Date: Mon, 27 Sep 2021 16:58:36 +0100 Message-Id: <20210927155837.164674-12-dimitri.ledkov@canonical.com> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20210927155837.164674-1-dimitri.ledkov@canonical.com> References: <20210927155712.164337-1-dimitri.ledkov@canonical.com> <20210927155837.164674-1-dimitri.ledkov@canonical.com>
BugLink: https://bugs.launchpad.net/bugs/1932029 Signed-off-by: Dimitri John Ledkov Signed-off-by: Andrea Righi (cherry picked from commit 3f72ce72f0b51b6da2638cdded93bb32b9dad2ec) (xnox: cherry-pick is from impish:linux) Signed-off-by: Dimitri John Ledkov --- .../revoked-certs/canonical-uefi-2012-all.pem | 86 +++++++++++++++++++ 1 file changed, 86 insertions(+) create mode 100644 debian/revoked-certs/canonical-uefi-2012-all.pem
diff --git a/debian/revoked-certs/canonical-uefi-2012-all.pem b/debian/revoked-certs/canonical-uefi-2012-all.pem new file mode 100644 index 0000000000..06c116eec5 --- /dev/null +++ b/debian/revoked-certs/canonical-uefi-2012-all.pem 
@@ -0,0 +1,86 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 1 (0x1) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = GB, ST = Isle of Man, L = Douglas, O = Canonical Ltd., CN = Canonical Ltd. Master Certificate Authority + Validity + Not Before: Apr 12 11:39:08 2012 GMT + Not After : Apr 11 11:39:08 2042 GMT + Subject: C = GB, ST = Isle of Man, O = Canonical Ltd., OU = Secure Boot, CN = Canonical Ltd. Secure Boot Signing + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:c9:5f:9b:62:8f:0b:b0:64:82:ac:be:c9:e2:62: + e3:4b:d2:9f:1e:8a:d5:61:1a:2b:5d:38:f4:b7:ce: + b9:9a:b8:43:b8:43:97:77:ab:4f:7f:0c:70:46:0b: + fc:7f:6d:c6:6d:ea:80:5e:01:d2:b7:66:1e:87:de: + 0d:6d:d0:41:97:a8:a5:af:0c:63:4f:f7:7c:c2:52: + cc:a0:31:a9:bb:89:5d:99:1e:46:6f:55:73:b9:76: + 69:ec:d7:c1:fc:21:d6:c6:07:e7:4f:bd:22:de:e4: + a8:5b:2d:db:95:34:19:97:d6:28:4b:21:4c:ca:bb: + 1d:79:a6:17:7f:5a:f9:67:e6:5c:78:45:3d:10:6d: + b0:17:59:26:11:c5:57:e3:7f:4e:82:ba:f6:2c:4e: + c8:37:4d:ff:85:15:84:47:e0:ed:3b:7c:7f:bc:af: + e9:01:05:a7:0c:6f:c3:e9:8d:a3:ce:be:a6:e3:cd: + 3c:b5:58:2c:9e:c2:03:1c:60:22:37:39:ff:41:02: + c1:29:a4:65:51:ff:33:34:aa:42:15:f9:95:78:fc: + 2d:f5:da:8a:85:7c:82:9d:fb:37:2c:6b:a5:a8:df: + 7c:55:0b:80:2e:3c:b0:63:e1:cd:38:48:89:e8:14: + 06:0b:82:bc:fd:d4:07:68:1b:0f:3e:d9:15:dd:94: + 11:1b + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:FALSE + X509v3 Extended Key Usage: + Code Signing, 1.3.6.1.4.1.311.10.3.6 + Netscape Comment: + OpenSSL Generated Certificate + X509v3 Subject Key Identifier: + 61:48:2A:A2:83:0D:0A:B2:AD:5A:F1:0B:72:50:DA:90:33:DD:CE:F0 + X509v3 Authority Key Identifier: + keyid:AD:91:99:0B:C2:2A:B1:F5:17:04:8C:23:B6:65:5A:26:8E:34:5A:63 + + Signature Algorithm: sha256WithRSAEncryption + 8f:8a:a1:06:1f:29:b7:0a:4a:d5:c5:fd:81:ab:25:ea:c0:7d: + e2:fc:6a:96:a0:79:93:67:ee:05:0e:25:12:25:e4:5a:f6:aa: + 
1a:f1:12:f3:05:8d:87:5e:f1:5a:5c:cb:8d:23:73:65:1d:15: + b9:de:22:6b:d6:49:67:c9:a3:c6:d7:62:4e:5c:b5:f9:03:83: + 40:81:dc:87:9c:3c:3f:1c:0d:51:9f:94:65:0a:84:48:67:e4: + a2:f8:a6:4a:f0:e7:cd:cd:bd:94:e3:09:d2:5d:2d:16:1b:05: + 15:0b:cb:44:b4:3e:61:42:22:c4:2a:5c:4e:c5:1d:a3:e2:e0: + 52:b2:eb:f4:8b:2b:dc:38:39:5d:fb:88:a1:56:65:5f:2b:4f: + 26:ff:06:78:10:12:eb:8c:5d:32:e3:c6:45:af:25:9b:a0:ff: + 8e:ef:47:09:a3:e9:8b:37:92:92:69:76:7e:34:3b:92:05:67: + 4e:b0:25:ed:bc:5e:5f:8f:b4:d6:ca:40:ff:e4:e2:31:23:0c: + 85:25:ae:0c:55:01:ec:e5:47:5e:df:5b:bc:14:33:e3:c6:f5: + 18:b6:d9:f7:dd:b3:b4:a1:31:d3:5a:5c:5d:7d:3e:bf:0a:e4: + e4:e8:b4:59:7d:3b:b4:8c:a3:1b:b5:20:a3:b9:3e:84:6f:8c: + 21:00:c3:39 +-----BEGIN CERTIFICATE----- +MIIEIDCCAwigAwIBAgIBATANBgkqhkiG9w0BAQsFADCBhDELMAkGA1UEBhMCR0Ix +FDASBgNVBAgMC0lzbGUgb2YgTWFuMRAwDgYDVQQHDAdEb3VnbGFzMRcwFQYDVQQK +DA5DYW5vbmljYWwgTHRkLjE0MDIGA1UEAwwrQ2Fub25pY2FsIEx0ZC4gTWFzdGVy +IENlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0xMjA0MTIxMTM5MDhaFw00MjA0MTEx +MTM5MDhaMH8xCzAJBgNVBAYTAkdCMRQwEgYDVQQIDAtJc2xlIG9mIE1hbjEXMBUG +A1UECgwOQ2Fub25pY2FsIEx0ZC4xFDASBgNVBAsMC1NlY3VyZSBCb290MSswKQYD +VQQDDCJDYW5vbmljYWwgTHRkLiBTZWN1cmUgQm9vdCBTaWduaW5nMIIBIjANBgkq +hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyV+bYo8LsGSCrL7J4mLjS9KfHorVYRor +XTj0t865mrhDuEOXd6tPfwxwRgv8f23GbeqAXgHSt2Yeh94NbdBBl6ilrwxjT/d8 +wlLMoDGpu4ldmR5Gb1VzuXZp7NfB/CHWxgfnT70i3uSoWy3blTQZl9YoSyFMyrsd +eaYXf1r5Z+ZceEU9EG2wF1kmEcVX439Ogrr2LE7IN03/hRWER+DtO3x/vK/pAQWn +DG/D6Y2jzr6m4808tVgsnsIDHGAiNzn/QQLBKaRlUf8zNKpCFfmVePwt9dqKhXyC +nfs3LGulqN98VQuALjywY+HNOEiJ6BQGC4K8/dQHaBsPPtkV3ZQRGwIDAQABo4Gg +MIGdMAwGA1UdEwEB/wQCMAAwHwYDVR0lBBgwFgYIKwYBBQUHAwMGCisGAQQBgjcK +AwYwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRl +MB0GA1UdDgQWBBRhSCqigw0Ksq1a8QtyUNqQM93O8DAfBgNVHSMEGDAWgBStkZkL +wiqx9RcEjCO2ZVomjjRaYzANBgkqhkiG9w0BAQsFAAOCAQEAj4qhBh8ptwpK1cX9 +gasl6sB94vxqlqB5k2fuBQ4lEiXkWvaqGvES8wWNh17xWlzLjSNzZR0Vud4ia9ZJ +Z8mjxtdiTly1+QODQIHch5w8PxwNUZ+UZQqESGfkovimSvDnzc29lOMJ0l0tFhsF 
+FQvLRLQ+YUIixCpcTsUdo+LgUrLr9Isr3Dg5XfuIoVZlXytPJv8GeBAS64xdMuPG +Ra8lm6D/ju9HCaPpizeSkml2fjQ7kgVnTrAl7bxeX4+01spA/+TiMSMMhSWuDFUB +7OVHXt9bvBQz48b1GLbZ992ztKEx01pcXX0+vwrk5Oi0WX07tIyjG7Ugo7k+hG+M +IQDDOQ== +-----END CERTIFICATE-----
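Review bot: the commit message for the new debian/revoked-certs/canonical-uefi-2012-all.pem gives no rationale beyond the BugLink; it should identify the key being revoked from the dump itself (Subject "Canonical Ltd. Secure Boot Signing", serial 1, issued Apr 12 2012 and valid until Apr 11 2042, Subject Key Identifier 61:48:2A:A2:83:0D:0A:B2:AD:5A:F1:0B:72:50:DA:90:33:DD:CE:F0) and state the consequence, namely that anything still signed with this certificate is refused by the kernel once the key is on the built-in revocation list. The human-readable `Certificate: Data:` block preceding the PEM is documentation only; say how the file was produced (the layout matches `openssl x509 -text`) so a reviewer can regenerate it from the base64 body and confirm the two halves agree, since nothing in the patch ties the dump to the PEM below it.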
From: Dimitri John Ledkov To: kernel-team@lists.ubuntu.com Subject: [SRU][F/hwe-5.8][PATCH 18/18] UBUNTU: [Config] Configure CONFIG_SYSTEM_REVOCATION_KEYS with revoked keys Date: Mon, 27 Sep 2021 16:58:37 +0100 Message-Id: <20210927155837.164674-13-dimitri.ledkov@canonical.com> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20210927155837.164674-1-dimitri.ledkov@canonical.com> References: <20210927155712.164337-1-dimitri.ledkov@canonical.com> <20210927155837.164674-1-dimitri.ledkov@canonical.com>
BugLink: https://bugs.launchpad.net/bugs/1932029 Signed-off-by: Dimitri John Ledkov Signed-off-by: Andrea Righi (cherry picked from commit 741f622c4dbc162b82f8c9045f9c6c6446f57eb5) (xnox: cherry-pick is from impish:linux) Signed-off-by: Dimitri John Ledkov --- debian.hwe-5.8/config/config.common.ubuntu | 2 ++ debian.master/config/annotations | 1 + debian.master/config/config.common.ubuntu | 2 ++ 3 files changed, 5 insertions(+) diff --git a/debian.hwe-5.8/config/config.common.ubuntu b/debian.hwe-5.8/config/config.common.ubuntu index c3597d436e..2a0d711e20 100644 --- a/debian.hwe-5.8/config/config.common.ubuntu +++ b/debian.hwe-5.8/config/config.common.ubuntu
@@ -10197,6 +10197,8 @@ CONFIG_SYSTEM_BLACKLIST_KEYRING=y CONFIG_SYSTEM_DATA_VERIFICATION=y CONFIG_SYSTEM_EXTRA_CERTIFICATE=y CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE=4096 +CONFIG_SYSTEM_REVOCATION_KEYS="debian/canonical-revoked-certs.pem" +CONFIG_SYSTEM_REVOCATION_LIST=y CONFIG_SYSTEM_TRUSTED_KEYRING=y CONFIG_SYSTEM_TRUSTED_KEYS="debian/canonical-certs.pem" CONFIG_SYSVIPC=y diff --git a/debian.master/config/annotations b/debian.master/config/annotations index 47c71de9a2..ef064b0c4b 100644 --- a/debian.master/config/annotations +++ b/debian.master/config/annotations @@ -369,6 +369,7 @@ CONFIG_SYSTEM_TRUSTED_KEYRING policy<{'amd64': 'y', 'arm64': ' CONFIG_SYSTEM_TRUSTED_KEYS policy<{'amd64': '"debian/canonical-certs.pem"', 'arm64': '"debian/canonical-certs.pem"', 'armhf': '"debian/canonical-certs.pem"', 'ppc64el': '"debian/canonical-certs.pem"', 's390x': '"debian/canonical-certs.pem"'}> CONFIG_SYSTEM_EXTRA_CERTIFICATE policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}> CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE policy<{'amd64': '4096', 'arm64': '4096', 'armhf': '4096', 'ppc64el': '4096', 's390x': '4096'}> +CONFIG_SYSTEM_REVOCATION_KEYS policy<{'amd64': '"debian/canonical-revoked-certs.pem"', 'arm64': '"debian/canonical-revoked-certs.pem"', 'armhf': '"debian/canonical-revoked-certs.pem"', 'ppc64el': '"debian/canonical-revoked-certs.pem"', 's390x': '"debian/canonical-revoked-certs.pem"'}> CONFIG_SECONDARY_TRUSTED_KEYRING policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}> # Menu: Cryptographic API >> Hardware crypto devices diff --git a/debian.master/config/config.common.ubuntu b/debian.master/config/config.common.ubuntu index f9392ab576..fd4f39aca7 100644 --- a/debian.master/config/config.common.ubuntu +++ b/debian.master/config/config.common.ubuntu 
@@ -10198,6 +10198,8 @@ CONFIG_SYSTEM_BLACKLIST_KEYRING=y CONFIG_SYSTEM_DATA_VERIFICATION=y CONFIG_SYSTEM_EXTRA_CERTIFICATE=y CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE=4096 +CONFIG_SYSTEM_REVOCATION_KEYS="debian/canonical-revoked-certs.pem" +CONFIG_SYSTEM_REVOCATION_LIST=y CONFIG_SYSTEM_TRUSTED_KEYRING=y CONFIG_SYSTEM_TRUSTED_KEYS="debian/canonical-certs.pem" CONFIG_SYSVIPC=y
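Review bot: both config.common.ubuntu hunks add CONFIG_SYSTEM_REVOCATION_KEYS and CONFIG_SYSTEM_REVOCATION_LIST=y, but the debian.master/config/annotations hunk at @@ -369 adds a policy only for CONFIG_SYSTEM_REVOCATION_KEYS; add a matching `CONFIG_SYSTEM_REVOCATION_LIST policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'ppc64el': 'y', 's390x': 'y'}>` line so the option is enforced and not dropped on the next config regeneration. Also confirm whether debian.hwe-5.8 carries its own annotations file, since the diffstat touches only debian.master's, and note in the commit message that "debian/canonical-revoked-certs.pem" is resolved relative to the source tree and therefore depends on the rule introduced by the preceding [Packaging] patch being present on this branch.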