From patchwork Mon May 17 13:18:47 2021
X-Patchwork-Submitter: Dimitri John Ledkov
X-Patchwork-Id: 1479505
From: Dimitri John Ledkov
To: kernel-team@lists.ubuntu.com
Subject: [UNSTABLE][PATCH 1/2] UBUNTU: SAUCE: integrity: Load mokx certs from the EFI MOK config table
Date: Mon, 17 May 2021 14:18:47 +0100
Message-Id: <20210517131848.61153-2-dimitri.ledkov@canonical.com>
In-Reply-To: <20210517131848.61153-1-dimitri.ledkov@canonical.com>
References: <20210517131848.61153-1-dimitri.ledkov@canonical.com>
List-Id: Kernel team discussions

Refactor load_moklist_certs() to load either MokListRT into db, or MokListXRT into dbx. Call load_moklist_certs() twice - first to load mokx certs into dbx, then mok certs into db.

This thus now attempts to load mokx certs via the EFI MOKvar config table first, and if that fails, via the EFI variable.

Previously mokx certs were only loaded via the EFI variable, which fails when MokListXRT is large. Instead of a large MokListXRT variable, only MokListXRT{1,2,3} are available, which are not loaded. This is the case with Ubuntu's 15.4 based shim.

This patch is required to address CVE-2020-26541 when certificates are revoked via MokListXRT.

Fixes: ebd9c2ae369a ("integrity: Load mokx variables into the blacklist keyring")
BugLink: https://bugs.launchpad.net/bugs/1928679
Signed-off-by: Dimitri John Ledkov
---
 security/integrity/platform_certs/load_uefi.c | 74 ++++++++++---------
 1 file changed, 40 insertions(+), 34 deletions(-)

diff --git a/security/integrity/platform_certs/load_uefi.c b/security/integrity/platform_certs/load_uefi.c
index d3e7ae04f5be..b010b4ab5d52 100644
--- a/security/integrity/platform_certs/load_uefi.c
+++ b/security/integrity/platform_certs/load_uefi.c
@@ -68,17 +68,18 @@ static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid, } /* - * load_moklist_certs() - Load MokList certs + * load_moklist_certs() - Load Mok(X)List certs + * @load_db: Load MokListRT into db when true; MokListXRT into dbx when false * - * Load the certs contained in the UEFI MokListRT database into the - * platform trusted keyring. + * Load the certs contained in the UEFI MokList(X)RT database into the + * platform trusted/denied keyring. * * This routine checks the EFI MOK config table first. If and only if - * that fails, this routine uses the MokListRT ordinary UEFI variable. + * that fails, this routine uses the MokList(X)RT ordinary UEFI variable. * * Return: Status */ -static int __init load_moklist_certs(void) +static int __init load_moklist_certs(const bool load_db) { struct efi_mokvar_table_entry *mokvar_entry; efi_guid_t mok_var = EFI_SHIM_LOCK_GUID; 
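Review bot: the new bool parameter makes the two call sites read load_moklist_certs(true) and load_moklist_certs(false), which says nothing at the call site about which list is being loaded; a two-value enum, or thin load_mok_certs()/load_mokx_certs() wrappers around the shared body, would document the intent where it is used rather than only in the @load_db kerneldoc line. The reworded comment "platform trusted/denied keyring" is also inexact: the dbx handler path ends in add_key_to_revocation_list() in certs/blacklist.c (patch 2/2's sample dmesg shows MokListXRT entries logged as "blacklist: Revoked X.509 cert"), so "platform keyring (db) or blacklist keyring (dbx)" would name the actual destinations.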
@@ -86,41 +87,55 @@ static int __init load_moklist_certs(void) unsigned long moksize; efi_status_t status; int rc; + const char *mokvar_name = "MokListRT"; + /* Should be const, but get_cert_list() doesn't have it as const yet */ + efi_char16_t *efivar_name = L"MokListRT"; + const char *parse_mokvar_name = "UEFI:MokListRT (MOKvar table)"; + const char *parse_efivar_name = "UEFI:MokListRT"; + efi_element_handler_t (*get_handler_for_guid)(const efi_guid_t *) = get_handler_for_db; + + if (!load_db) { + mokvar_name = "MokListXRT"; + efivar_name = L"MokListXRT"; + parse_mokvar_name = "UEFI:MokListXRT (MOKvar table)"; + parse_efivar_name = "UEFI:MokListXRT"; + get_handler_for_guid = get_handler_for_dbx; + } /* First try to load certs from the EFI MOKvar config table. * It's not an error if the MOKvar config table doesn't exist * or the MokListRT entry is not found in it. */ - mokvar_entry = efi_mokvar_entry_find("MokListRT"); + mokvar_entry = efi_mokvar_entry_find(mokvar_name); if (mokvar_entry) { - rc = parse_efi_signature_list("UEFI:MokListRT (MOKvar table)", + rc = parse_efi_signature_list(parse_mokvar_name, mokvar_entry->data, mokvar_entry->data_size, - get_handler_for_db); + get_handler_for_guid); /* All done if that worked. */ if (!rc) return rc; - pr_err("Couldn't parse MokListRT signatures from EFI MOKvar config table: %d\n", - rc); + pr_err("Couldn't parse %s signatures from EFI MOKvar config table: %d\n", + mokvar_name, rc); } /* Get MokListRT. It might not exist, so it isn't an error * if we can't get it. 
*/ - mok = get_cert_list(L"MokListRT", &mok_var, &moksize, &status); + mok = get_cert_list(efivar_name, &mok_var, &moksize, &status); if (mok) { - rc = parse_efi_signature_list("UEFI:MokListRT", - mok, moksize, get_handler_for_db); + rc = parse_efi_signature_list(parse_efivar_name, + mok, moksize, get_handler_for_guid); kfree(mok); if (rc) - pr_err("Couldn't parse MokListRT signatures: %d\n", rc); + pr_err("Couldn't parse %s signatures: %d\n", mokvar_name, rc); return rc; } if (status == EFI_NOT_FOUND) - pr_debug("MokListRT variable wasn't found\n"); + pr_debug("%s variable wasn't found\n", mokvar_name); else - pr_info("Couldn't get UEFI MokListRT\n"); + pr_info("Couldn't get UEFI %s\n", mokvar_name); return 0; } @@ -134,9 +149,8 @@ static int __init load_moklist_certs(void) static int __init load_uefi_certs(void) { efi_guid_t secure_var = EFI_IMAGE_SECURITY_DATABASE_GUID; - efi_guid_t mok_var = EFI_SHIM_LOCK_GUID; - void *db = NULL, *dbx = NULL, *mokx = NULL; - unsigned long dbsize = 0, dbxsize = 0, mokxsize = 0; + void *db = NULL, *dbx = NULL; + unsigned long dbsize = 0, dbxsize = 0; efi_status_t status; int rc = 0; 
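Review bot: in the load_moklist_certs() body, when the MOKvar table entry exists but parse_efi_signature_list() fails, the error is printed and then dropped: control falls through to the EFI variable path, and if that variable is absent (status == EFI_NOT_FOUND, which the commit message says is exactly the situation for MokListXRT on the 15.4 shim, where only MokListXRT{1,2,3} exist) the function returns 0, so a corrupt MokListXRT table entry leaves the revocation list partially loaded while the caller sees success. Keep the table-path rc in a local and return it instead of the final `return 0;` when the variable fallback finds nothing. Separately, the two inline comments "or the MokListRT entry is not found in it." and "Get MokListRT. It might not exist," still hard-code MokListRT although the lookups below them now use mokvar_name / efivar_name, so they are wrong for the dbx call; and get_handler_for_guid is a misleading name for a pointer that holds either get_handler_for_db or get_handler_for_dbx (get_handler would do), while the "Should be const" workaround comment could be retired by constifying the name parameter of get_cert_list() in the same series.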
@@ -178,23 +192,15 @@ static int __init load_uefi_certs(void) kfree(dbx); } - mokx = get_cert_list(L"MokListXRT", &mok_var, &mokxsize, &status); - if (!mokx) { - if (status == EFI_NOT_FOUND) - pr_debug("mokx variable wasn't found\n"); - else - pr_info("Couldn't get mokx list\n"); - } else { - rc = parse_efi_signature_list("UEFI:MokListXRT", - mokx, mokxsize, - get_handler_for_dbx); - if (rc) - pr_err("Couldn't parse mokx signatures %d\n", rc); - kfree(mokx); - } + /* Load the MokListXRT certs */ + rc = load_moklist_certs(false); + if (rc) + pr_err("Couldn't parse mokx signatures: %d\n", rc); /* Load the MokListRT certs */ - rc = load_moklist_certs(); + rc = load_moklist_certs(true); + if (rc) + pr_err("Couldn't parse mok signatures: %d\n", rc); return rc; }

From patchwork Mon May 17 13:18:48 2021
X-Patchwork-Submitter: Dimitri John Ledkov
X-Patchwork-Id: 1479504
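Review bot: in the final hunk of patch 1/2, in load_uefi_certs(), the rc from load_moklist_certs(false) is overwritten by the following rc = load_moklist_certs(true), so a failure to load the revocation list is only logged and the function still returns 0 whenever the MokListRT load succeeds; since the whole point of the series is that missing MokListXRT entries leave revoked certificates trusted, keep the first result (int mokx_rc = load_moklist_certs(false); ... return rc ? rc : mokx_rc;) rather than silently failing open. The pr_err() added after each call also duplicates the pr_err("Couldn't parse %s signatures: %d\n", ...) that load_moklist_certs() itself emits on the only path that returns non-zero, so every parse failure is now logged twice; drop one of the two.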
From: Dimitri John Ledkov
To: kernel-team@lists.ubuntu.com
Subject: [UNSTABLE][PATCH 2/2] UBUNTU: SAUCE: integrity: add informational messages when revoking certs
Date: Mon, 17 May 2021 14:18:48 +0100
Message-Id: <20210517131848.61153-3-dimitri.ledkov@canonical.com>
In-Reply-To: <20210517131848.61153-1-dimitri.ledkov@canonical.com>
References: <20210517131848.61153-1-dimitri.ledkov@canonical.com>
List-Id: Kernel team discussions

integrity_load_cert() prints messages of the source and cert details when adding certs as trusted. Mirror those messages in uefi_revocation_list_x509() when adding certs as revoked.

Sample dmesg with this change:

integrity: Platform Keyring initialized
integrity: Loading X.509 certificate: UEFI:db
integrity: Loaded X.509 cert 'Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a1bd4'
integrity: Revoking X.509 certificate: UEFI:MokListXRT (MOKvar table)
blacklist: Revoked X.509 cert 'Canonical Ltd. Secure Boot Signing: 61482aa2830d0ab2ad5af10b7250da9033ddcef0'
integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
integrity: Loaded X.509 cert 'Canonical Ltd. Master Certificate Authority: ad91990bc22ab1f517048c23b6655a268e345a63'

BugLink: https://bugs.launchpad.net/bugs/1928679
Signed-off-by: Dimitri John Ledkov
---
 certs/blacklist.c                                   | 4 +++-
 security/integrity/platform_certs/keyring_handler.c | 1 +
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/certs/blacklist.c b/certs/blacklist.c
index c9a435b15af4..6a2afa84a5db 100644
--- a/certs/blacklist.c
+++ b/certs/blacklist.c
@@ -172,7 +172,9 @@ int add_key_to_revocation_list(const char *data, size_t size) if (IS_ERR(key)) { pr_err("Problem with revocation key (%ld)\n", PTR_ERR(key)); return PTR_ERR(key); - } + } else + pr_notice("Revoked X.509 cert '%s'\n", + key_ref_to_ptr(key)->description); return 0; } diff --git a/security/integrity/platform_certs/keyring_handler.c b/security/integrity/platform_certs/keyring_handler.c index 5604bd57c990..9f85626702b2 100644 --- a/security/integrity/platform_certs/keyring_handler.c +++ b/security/integrity/platform_certs/keyring_handler.c @@ -61,6 +61,7 @@ static __init void uefi_blacklist_binary(const char *source, static __init void uefi_revocation_list_x509(const char *source, const void *data, size_t len) { + pr_info("Revoking X.509 certificate: %s\n", source); add_key_to_revocation_list(data, len); }
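Review bot: in the certs/blacklist.c hunk, `} else` after a branch that ends in `return PTR_ERR(key);` is redundant, and the result pairs a braced if-branch with an unbraced two-line else, which kernel style asks to avoid (brace both branches or neither) and checkpatch flags as "else is not generally useful after a break or return"; drop the else and let pr_notice("Revoked X.509 cert '%s'\n", key_ref_to_ptr(key)->description); stand on its own before return 0;. The sample dmesg in the commit message also shows that the trusted and revoked lines carry different pr_fmt prefixes (integrity: versus blacklist:); a sentence in the commit message saying so would save anyone grepping for "integrity:" from missing the revocations.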
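Review bot: in the keyring_handler.c hunk, the new pr_info() fires before add_key_to_revocation_list() runs and that function's int return value is still discarded, so on failure dmesg shows "Revoking X.509 certificate: <source>" followed only by blacklist.c's "Problem with revocation key" line, with nothing stating that the announced revocation did not happen; log after the call with the rc, or at least check it. The neighbouring uefi_blacklist_binary() handler, visible in the context just above the hunk, gets no message at all, so hash-based dbx/MokListXRT entries stay silent while X.509 ones are announced; if the goal is a boot-time audit trail of what was revoked, give both handlers the same treatment.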
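Both patches hinge on one piece of kernel machinery: parse_efi_signature_list() walks a blob of concatenated EFI_SIGNATURE_LIST structures and hands every entry to the handler that get_handler_for_db or get_handler_for_dbx returns for the list's signature-type GUID, which is how a MokListXRT entry ends up in add_key_to_revocation_list(). The program below is an added example written for this page, not code from the kernel, from these patches or from shim: it re-implements that walk in user space against a constructed two-list blob (placeholder bytes standing in for a DER certificate and two SHA-256 digests), selects the handler table with the same load_db boolean the first patch introduces, and shows the failure mode a reviewer of the fallback logic in load_moklist_certs() should keep in mind: a malformed list is rejected with -EBADMSG only after every entry of the lists before it has already been handed to the handler. The names load_mok_list, put_list, build_sample_blob, run_demo and the stat_* accessors, and the counting stand-in handlers, are this example's own; the two GUID values are the UEFI specification constants.

```c
/* Added example (user space, not kernel code): re-implements the kernel's EFI_SIGNATURE_LIST
 * walk (parse_efi_signature_list) plus the db/dbx handler selection the patch adds. GUIDs are
 * the UEFI-spec constants; build_sample_blob() constructs the input from placeholder bytes. */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct { uint8_t b[16]; } efi_guid_t;
static const efi_guid_t EFI_CERT_X509_GUID = {{ 0xa1, 0x59, 0xc0, 0xa5, 0xe4, 0x94, 0xa7, 0x4a,
	0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72 }}; /* a5c059a1-94e4-4aa7-87b5-ab155c2bf072 */
static const efi_guid_t EFI_CERT_SHA256_GUID = {{ 0x26, 0x16, 0xc4, 0xc1, 0x4c, 0x50, 0x92, 0x40,
	0xac, 0xa9, 0x41, 0xf9, 0x36, 0x93, 0x43, 0x28 }}; /* c1c41626-504c-4092-aca9-41f936934328 */
/* EFI_SIGNATURE_LIST header; entries follow as {owner GUID (16 bytes), signature data}. */
struct __attribute__((packed)) efi_signature_list {
	efi_guid_t signature_type;
	uint32_t signature_list_size, signature_header_size, signature_size;
};
typedef void (*efi_element_handler_t)(const char *source, const void *data, size_t len);

/* Stand-ins for the keyring handlers: they only count what they would have added. */
static struct { int trusted_x509, revoked_x509, revoked_hashes; } stats;
static void trust_x509(const char *s, const void *d, size_t n) { (void)s; (void)d; (void)n; stats.trusted_x509++; }
static void revoke_x509(const char *s, const void *d, size_t n) { (void)s; (void)d; (void)n; stats.revoked_x509++; }
static void revoke_hash(const char *s, const void *d, size_t n) { (void)s; (void)d; (void)n; stats.revoked_hashes++; }
static bool guid_eq(const efi_guid_t *a, const efi_guid_t *b) { return memcmp(a, b, sizeof(*a)) == 0; }
/* db trusts X.509 certs only; dbx revokes X.509 certs and raw SHA-256 hashes. */
static efi_element_handler_t get_handler_for_db(const efi_guid_t *t)
{
	return guid_eq(t, &EFI_CERT_X509_GUID) ? trust_x509 : NULL;
}
static efi_element_handler_t get_handler_for_dbx(const efi_guid_t *t)
{
	return guid_eq(t, &EFI_CERT_X509_GUID) ? revoke_x509 : guid_eq(t, &EFI_CERT_SHA256_GUID) ? revoke_hash : NULL;
}

/* Walk concatenated lists; skip types this database ignores, abort on inconsistent sizes.
 * Ordering matters: earlier lists are already handed out when a later malformed one is hit. */
static int parse_efi_signature_list(const char *src, const void *data, size_t size,
				    efi_element_handler_t (*get_handler)(const efi_guid_t *))
{
	const uint8_t *p = data;
	while (size > 0) {
		struct efi_signature_list l; efi_element_handler_t h;
		size_t lsize, hsize, esize, elsize;
		if (size < sizeof(l)) return -EBADMSG;
		memcpy(&l, p, sizeof(l));
		lsize = l.signature_list_size; hsize = l.signature_header_size; esize = l.signature_size;
		if (lsize > size || lsize < sizeof(l) || lsize - sizeof(l) < hsize) return -EBADMSG;
		elsize = lsize - sizeof(l) - hsize;
		if (esize < sizeof(efi_guid_t) || elsize < esize || elsize % esize) return -EBADMSG;
		h = get_handler(&l.signature_type);
		if (!h) { p += lsize; size -= lsize; continue; }
		p += sizeof(l) + hsize; size -= sizeof(l) + hsize;
		for (; elsize > 0; elsize -= esize, p += esize, size -= esize)
			h(src, p + sizeof(efi_guid_t), esize - sizeof(efi_guid_t)); /* data after owner GUID */
	}
	return 0;
}
/* Mirrors the patch's load_moklist_certs(load_db): one parser, two handler tables. */
static int load_mok_list(const void *blob, size_t len, bool load_db)
{
	return parse_efi_signature_list(load_db ? "UEFI:MokListRT" : "UEFI:MokListXRT", blob, len,
					load_db ? get_handler_for_db : get_handler_for_dbx);
}

/* Append one list holding n entries of dlen bytes each (zero owner GUID, no header area). */
static size_t put_list(uint8_t *out, const efi_guid_t *type, const uint8_t *entries, size_t n, size_t dlen)
{
	struct efi_signature_list l;
	size_t esize = sizeof(efi_guid_t) + dlen, off = sizeof(l);
	l.signature_type = *type; l.signature_header_size = 0;
	l.signature_size = (uint32_t)esize; l.signature_list_size = (uint32_t)(sizeof(l) + n * esize);
	memcpy(out, &l, sizeof(l));
	for (size_t i = 0; i < n; i++, off += esize) {
		memset(out + off, 0, sizeof(efi_guid_t));
		memcpy(out + off + sizeof(efi_guid_t), entries + i * dlen, dlen);
	}
	return off;
}
/* Constructed input: an X.509 list (1 entry, 60 bytes) then a SHA-256 list (2 entries, 124 bytes). */
static size_t build_sample_blob(uint8_t *out)
{
	uint8_t cert[16], hashes[2][32]; /* placeholders: not a real DER cert, not real digests */
	memset(cert, 0x30, sizeof(cert)); memset(hashes[0], 0x11, 32); memset(hashes[1], 0x22, 32);
	size_t n = put_list(out, &EFI_CERT_X509_GUID, cert, 1, sizeof(cert));
	return n + put_list(out + n, &EFI_CERT_SHA256_GUID, hashes[0], 2, 32);
}
/* Parse the sample as db (load_db) or dbx, optionally cut to `limit` bytes; returns the parser's rc. */
static int run_demo(bool load_db, size_t limit)
{
	uint8_t blob[256]; size_t n = build_sample_blob(blob);
	if (limit && limit < n) n = limit; /* 100 lands inside the second list, after the first was applied */
	memset(&stats, 0, sizeof(stats));
	return load_mok_list(blob, n, load_db);
}
static int stat_trusted_x509(void) { return stats.trusted_x509; }
static int stat_revoked_x509(void) { return stats.revoked_x509; }
static int stat_revoked_hashes(void) { return stats.revoked_hashes; }
```

run_demo(true, 0) trusts the single X.509 entry and skips the hash list, run_demo(false, 0) revokes one certificate and two hashes, and run_demo(false, 100) cuts the blob inside the second list: the result is -EBADMSG, yet the X.509 revocation from the first list has already been counted. The kernel parser applies handlers in the same progressive order, which is why a parse error on the MOKvar-table path in load_moklist_certs() cannot be read as "nothing was loaded" before falling back to the EFI variable.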