| Message ID | 20210823133353.37046-1-dimitri.ledkov@canonical.com |
|---|---|
| Headers | show
Return-Path: <kernel-team-bounces@lists.ubuntu.com> X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (no SPF record) smtp.mailfrom=lists.ubuntu.com (client-ip=91.189.94.19; helo=huckleberry.canonical.com; envelope-from=kernel-team-bounces@lists.ubuntu.com; receiver=<UNKNOWN>) Authentication-Results: ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=canonical.com header.i=@canonical.com header.a=rsa-sha256 header.s=20210705 header.b=W26JUYhW; dkim-atps=neutral Received: from huckleberry.canonical.com (huckleberry.canonical.com [91.189.94.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 4GtYB02PBXz9sW5; Mon, 23 Aug 2021 23:34:16 +1000 (AEST) Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com) by huckleberry.canonical.com with esmtp (Exim 4.86_2) (envelope-from <kernel-team-bounces@lists.ubuntu.com>) id 1mIA5c-0008KQ-Lz; Mon, 23 Aug 2021 13:34:12 +0000 Received: from smtp-relay-internal-0.internal ([10.131.114.225] helo=smtp-relay-internal-0.canonical.com) by huckleberry.canonical.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from <dimitri.ledkov@canonical.com>) id 1mIA5R-0008JG-R2 for kernel-team@lists.ubuntu.com; Mon, 23 Aug 2021 13:34:01 +0000 Received: from mail-wm1-f72.google.com (mail-wm1-f72.google.com [209.85.128.72]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by smtp-relay-internal-0.canonical.com (Postfix) with ESMTPS id A1EC040791 for <kernel-team@lists.ubuntu.com>; Mon, 23 Aug 2021 13:34:01 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=canonical.com; s=20210705; t=1629725641; bh=u+64Lr9+gGw08vVtzdOHEKBMHmeOHIHNkb7ZX34RMmM=; h=From:To:Subject:Date:Message-Id:MIME-Version:Content-Type; b=W26JUYhWiGmmgg1FkGSVzwpRJC/++4986HIV9iT7O6dKg9Yd8h34edufrKjnF5FBX sRNIYOFJ2cw0lCf2PbY96yVpvoluSsNHvJn9v06lAsxWzYpn2NSBIfNUqluz743Qze KeDdIYqUY05cETiUaNfYIlCJ26UB1c0PJMYGTcMAye7wd5fyoLosnxAG5HVHf1tcsC REjSAvh8HnD7mbsVzxl1ucwIyIdcGxDkUzn4u0k6WUpkK8fgqvZPfa1ApmrMZrnpP6 BPvwf756LUZBYMguN/Oey11O/RK6buxyNLVwJTILH1m9JqdXOKSmXG2eQIGp57HEQn Qsnq6GpQI8LUA== Received: by mail-wm1-f72.google.com with SMTP id u1-20020a05600c210100b002e74fc5af71so460456wml.1 for <kernel-team@lists.ubuntu.com>; Mon, 23 Aug 2021 06:34:01 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:subject:date:message-id:mime-version :content-transfer-encoding; bh=u+64Lr9+gGw08vVtzdOHEKBMHmeOHIHNkb7ZX34RMmM=; b=kF0A6b+Z7fJ1YPh3SmaSAgyQLegNFQWBG9TdsQyunrE7bUMMB3rwATcgsNseEAJsE9 wU3ssGHRwafIyx9/gAwa3nytk68d21oNvM66gRKYZSS4pSBszDvhqAIE3MotowAL18SI 0IPq2Vpyt+DKD5GvszNwPXZHl/UnqSLr5BCZiR7J++B+MmA7k1kpN9eNPwSooApF51gs 0zBUeAhY/PFAAnMJJTX3q/36DTitVOcDBp8/DB8nSXmqgiMx4W+7VXBdM2CpI/ed4zaY hou9TTwU45ElJullBQx+Rw2gThkKAzvO5tw3Qo8KPudLwYly9fK1laxkbjs9yfQYgyZ0 40hw== X-Gm-Message-State: AOAM532Vsifirg8gRs/oqS0ESPVFj3FHbYsJkimiFkmjeLSE8WKU2Fq8 1SggkzN3BuhQmnTk/rL9RhbL41FwN2Mx8/gxMoJCtNe8AtCat+849VEPRKy1k43ZW+lXa2dArg4 McHsGO1hS45JuEh4Ya6M7YZw1a6ktkae3wX81Aalb1g== X-Received: by 2002:adf:eb89:: with SMTP id t9mr14302761wrn.66.1629725641139; Mon, 23 Aug 2021 06:34:01 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyfCS5HtChgNhO5pk7bQqY6B+V5ofXojCDE7RPbZ+Wuo5weoTtJTiZ2TIezLIFNLZL/ozopeg== X-Received: by 2002:adf:eb89:: with SMTP id t9mr14302725wrn.66.1629725640863; Mon, 23 Aug 2021 06:34:00 -0700 (PDT) Received: from localhost ([2a01:4b00:85fd:d700:79d7:6045:c3:b370]) by smtp.gmail.com with ESMTPSA id r10sm18559094wrq.32.2021.08.23.06.34.00 for <kernel-team@lists.ubuntu.com> (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 23 Aug 2021 06:34:00 -0700 (PDT) From: Dimitri John Ledkov <dimitri.ledkov@canonical.com> To: kernel-team@lists.ubuntu.com Subject: [FOCAL][linux-oem-5.10][PATCH 00/10] Backport builtin revocation certs Date: Mon, 23 Aug 2021 14:33:43 +0100 Message-Id: <20210823133353.37046-1-dimitri.ledkov@canonical.com> X-Mailer: git-send-email 2.30.2 MIME-Version: 1.0 X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.20 Precedence: list List-Id: Kernel team discussions <kernel-team.lists.ubuntu.com> List-Unsubscribe: <https://lists.ubuntu.com/mailman/options/kernel-team>, <mailto:kernel-team-request@lists.ubuntu.com?subject=unsubscribe> List-Archive: <https://lists.ubuntu.com/archives/kernel-team> List-Post: <mailto:kernel-team@lists.ubuntu.com> List-Help: <mailto:kernel-team-request@lists.ubuntu.com?subject=help> List-Subscribe: <https://lists.ubuntu.com/mailman/listinfo/kernel-team>, <mailto:kernel-team-request@lists.ubuntu.com?subject=subscribe> Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" <kernel-team-bounces@lists.ubuntu.com> |
| Series |
Backport builtin revocation certs
|
expand
|
The patch 02 ~ 05 are included from stable update Applied 01, 06 ~ 10 on top of oem-5.10. applied to oem-5.10, thanks
This is a backport of the recent mokx, blacklist keyring, built-in revoked certificates that are already applied in hirsute and impish. The Eric Snowberg patches are cherry-picks from linux-stable v5.10.47 which has not yet been integrated into linux-oem-5.10. To apply them cleanly, the UBUNTU SAUCE patch to dump stack when X.509 certificates cannot be loaded has been reverted, as it also dropped upstream and hirsute/impish kernels. Then UBUNTU SAUCE patches to load mokx certs from the config table, and add extra information debug messages are cherrypicked from hirsute/impish. They have been submitted upstream, but not yet accepted. And finally packaging changes are cherrypicked to have 2012 UEFI signing certificate as builtin revoked. Context adjusted slightly, to apply config change in both debian.master and debian.oem at the same time. This brings linux-oem-5.10 on par with hirsute & impish, w.r.t. to handling revoked UEFI signing certificates via mokx and as built-in. Submitting this direct to linux-oem-5.10, as it is the last v5.10 based kernel we are currently maintaining. Hirsute review was done in: https://lists.ubuntu.com/archives/kernel-team/2021-August/122996.html These have been test-built, booted in a UEFI VM, and verified using the ACT test case that was recently merged. Dimitri John Ledkov (6): Revert "UBUNTU: SAUCE: Dump stack when X.509 certificates cannot be loaded" UBUNTU: SAUCE: integrity: Load mokx certs from the EFI MOK config table UBUNTU: SAUCE: integrity: add informational messages when revoking certs UBUNTU: [Packaging] build canonical-revoked-certs.pem from branch/arch certs UBUNTU: [Packaging] Revoke 2012 UEFI signing certificate as built-in UBUNTU: [Config] Configure CONFIG_SYSTEM_REVOCATION_KEYS with revoked keys Eric Snowberg (4): certs: Add EFI_CERT_X509_GUID support for dbx entries certs: Move load_system_certificate_list to a common function certs: Add ability to preload revocation certs integrity: Load mokx variables into the blacklist keyring certs/Kconfig | 17 ++++ certs/Makefile | 21 ++++- certs/blacklist.c | 67 +++++++++++++++ certs/blacklist.h | 2 + certs/common.c | 57 ++++++++++++ certs/common.h | 9 ++ certs/revocation_certificates.S | 21 +++++ certs/system_keyring.c | 56 ++---------- debian.master/config/annotations | 1 + debian.master/config/config.common.ubuntu | 2 + debian.oem/config/annotations | 1 + debian.oem/config/config.common.ubuntu | 2 + .../revoked-certs/canonical-uefi-2012-all.pem | 86 +++++++++++++++++++ debian/rules | 14 ++- include/keys/system_keyring.h | 15 ++++ scripts/Makefile | 1 + .../platform_certs/keyring_handler.c | 12 +++ security/integrity/platform_certs/load_uefi.c | 56 ++++++++---- 18 files changed, 372 insertions(+), 68 deletions(-) create mode 100644 certs/common.c create mode 100644 certs/common.h create mode 100644 certs/revocation_certificates.S create mode 100644 debian/revoked-certs/canonical-uefi-2012-all.pem