From patchwork Tue Nov 30 11:04:01 2021
X-Patchwork-Submitter: Dimitri John Ledkov
X-Patchwork-Id: 1561597
From: Dimitri John Ledkov
To: kernel-team@lists.ubuntu.com
Subject: [SRU][BIONIC][PATCH 01/16] efi: Support for MOK variable config table
Date: Tue, 30 Nov 2021 11:04:01 +0000
Message-Id: <20211130110416.171269-2-dimitri.ledkov@canonical.com>
X-Mailer: git-send-email 2.32.0
In-Reply-To: <20211130110416.171269-1-dimitri.ledkov@canonical.com>
References: <20211130110416.171269-1-dimitri.ledkov@canonical.com>

From: Lenny Szubowicz

BugLink: https://bugs.launchpad.net/bugs/1928679

Because of system-specific EFI firmware limitations, EFI volatile
variables may not be capable of holding the required contents of
the Machine Owner Key (MOK) certificate store when the certificate
list grows above some size. Therefore, an EFI boot loader may pass
the MOK certs via an EFI configuration table created specifically for
this purpose to avoid this firmware limitation.

An EFI configuration table is a much more primitive mechanism
compared to EFI variables and is well suited for one-way passage
of static information from a pre-OS environment to the kernel.

This patch adds initial kernel support to recognize, parse,
and validate the EFI MOK configuration table, where named
entries contain the same data that would otherwise be provided
in similarly named EFI variables.

Additionally, this patch creates a sysfs binary file for each
EFI MOK configuration table entry found. These files are read-only
to root and are provided for use by user space utilities such as
mokutil.

A subsequent patch will load MOK certs into the trusted platform
key ring using this infrastructure.
Signed-off-by: Lenny Szubowicz Link: https://lore.kernel.org/r/20200905013107.10457-2-lszubowi@redhat.com Signed-off-by: Ard Biesheuvel (cherry picked from commit 58c909022a5a56cd1d9e89c8c5461fd1f6a27bb5) Signed-off-by: Dimitri John Ledkov --- arch/x86/kernel/setup.c | 1 + drivers/firmware/efi/Makefile | 1 + drivers/firmware/efi/arm-init.c | 1 + drivers/firmware/efi/efi.c | 9 + drivers/firmware/efi/mokvar-table.c | 360 ++++++++++++++++++++++++++++ include/linux/efi.h | 34 +++ 6 files changed, 406 insertions(+) create mode 100644 drivers/firmware/efi/mokvar-table.c diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c index 02b5b81315..179c63d3f2 100644 --- a/arch/x86/kernel/setup.c +++ b/arch/x86/kernel/setup.c @@ -1108,6 +1108,7 @@ void __init setup_arch(char **cmdline_p) efi_fake_memmap(); efi_find_mirror(); efi_esrt_init(); + efi_mokvar_table_init(); /* * The EFI specification says that boot service code won't be diff --git a/drivers/firmware/efi/Makefile b/drivers/firmware/efi/Makefile index f40f25cf8e..2e52a34b7c 100644 --- a/drivers/firmware/efi/Makefile +++ b/drivers/firmware/efi/Makefile @@ -26,6 +26,7 @@ obj-$(CONFIG_EFI_TEST) += test/ obj-$(CONFIG_EFI_DEV_PATH_PARSER) += dev-path-parser.o obj-$(CONFIG_EFI) += secureboot.o obj-$(CONFIG_APPLE_PROPERTIES) += apple-properties.o +obj-$(CONFIG_LOAD_UEFI_KEYS) += mokvar-table.o arm-obj-$(CONFIG_EFI) := arm-init.o arm-runtime.o obj-$(CONFIG_ARM) += $(arm-obj-y) diff --git a/drivers/firmware/efi/arm-init.c b/drivers/firmware/efi/arm-init.c index 312f9f32e1..cd61e2530e 100644 --- a/drivers/firmware/efi/arm-init.c +++ b/drivers/firmware/efi/arm-init.c @@ -259,6 +259,7 @@ void __init efi_init(void) reserve_regions(); efi_esrt_init(); + efi_mokvar_table_init(); memblock_reserve(params.mmap & PAGE_MASK, PAGE_ALIGN(params.mmap_size + diff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c index 9bf9e27c5f..50cc4a6f9d 100644 --- a/drivers/firmware/efi/efi.c +++ b/drivers/firmware/efi/efi.c 
@@ -52,6 +52,9 @@ struct efi __read_mostly efi = { .properties_table = EFI_INVALID_TABLE_ADDR, .mem_attr_table = EFI_INVALID_TABLE_ADDR, .rng_seed = EFI_INVALID_TABLE_ADDR, +#ifdef CONFIG_LOAD_UEFI_KEYS + .mokvar_table = EFI_INVALID_TABLE_ADDR, +#endif }; EXPORT_SYMBOL(efi); @@ -72,6 +75,9 @@ static unsigned long *efi_tables[] = { &efi.esrt, &efi.properties_table, &efi.mem_attr_table, +#ifdef CONFIG_LOAD_UEFI_KEYS + &efi.mokvar_table, +#endif }; static bool disable_runtime; @@ -472,6 +478,9 @@ static __initdata efi_config_table_type_t common_tables[] = { {EFI_PROPERTIES_TABLE_GUID, "PROP", &efi.properties_table}, {EFI_MEMORY_ATTRIBUTES_TABLE_GUID, "MEMATTR", &efi.mem_attr_table}, {LINUX_EFI_RANDOM_SEED_TABLE_GUID, "RNG", &efi.rng_seed}, +#ifdef CONFIG_LOAD_UEFI_KEYS + {LINUX_EFI_MOK_VARIABLE_TABLE_GUID, "MOKvar", &efi.mokvar_table}, +#endif {NULL_GUID, NULL, NULL}, }; diff --git a/drivers/firmware/efi/mokvar-table.c b/drivers/firmware/efi/mokvar-table.c new file mode 100644 index 0000000000..b1cd49893d --- /dev/null +++ b/drivers/firmware/efi/mokvar-table.c 
@@ -0,0 +1,360 @@ +// SPDX-License-Identifier: GPL-2.0 +/* + * mokvar-table.c + * + * Copyright (c) 2020 Red Hat + * Author: Lenny Szubowicz + * + * This module contains the kernel support for the Linux EFI Machine + * Owner Key (MOK) variable configuration table, which is identified by + * the LINUX_EFI_MOK_VARIABLE_TABLE_GUID. + * + * This EFI configuration table provides a more robust alternative to + * EFI volatile variables by which an EFI boot loader can pass the + * contents of the Machine Owner Key (MOK) certificate stores to the + * kernel during boot. If both the EFI MOK config table and corresponding + * EFI MOK variables are present, the table should be considered as + * more authoritative. + * + * This module includes code that validates and maps the EFI MOK table, + * if it's presence was detected very early in boot. + * + * Kernel interface routines are provided to walk through all the + * entries in the MOK config table or to search for a specific named + * entry. + * + * The contents of the individual named MOK config table entries are + * made available to user space via read-only sysfs binary files under: + * + * /sys/firmware/efi/mok-variables/ + * + */ +#define pr_fmt(fmt) "mokvar: " fmt + +#include +#include +#include +#include +#include +#include +#include +#include + +/* + * The LINUX_EFI_MOK_VARIABLE_TABLE_GUID config table is a packed + * sequence of struct efi_mokvar_table_entry, one for each named + * MOK variable. The sequence is terminated by an entry with a + * completely NULL name and 0 data size. + * + * efi_mokvar_table_size is set to the computed size of the + * MOK config table by efi_mokvar_table_init(). This will be + * non-zero if and only if the table if present and has been + * validated by efi_mokvar_table_init(). + */ +static size_t efi_mokvar_table_size; + +/* + * efi_mokvar_table_va is the kernel virtual address at which the + * EFI MOK config table has been mapped by efi_mokvar_sysfs_init(). 
+ */ +static struct efi_mokvar_table_entry *efi_mokvar_table_va; + +/* + * Each /sys/firmware/efi/mok-variables/ sysfs file is represented by + * an instance of struct efi_mokvar_sysfs_attr on efi_mokvar_sysfs_list. + * bin_attr.private points to the associated EFI MOK config table entry. + * + * This list is created during boot and then remains unchanged. + * So no synchronization is currently required to walk the list. + */ +struct efi_mokvar_sysfs_attr { + struct bin_attribute bin_attr; + struct list_head node; +}; + +static LIST_HEAD(efi_mokvar_sysfs_list); +static struct kobject *mokvar_kobj; + +/* + * efi_mokvar_table_init() - Early boot validation of EFI MOK config table + * + * If present, validate and compute the size of the EFI MOK variable + * configuration table. This table may be provided by an EFI boot loader + * as an alternative to ordinary EFI variables, due to platform-dependent + * limitations. The memory occupied by this table is marked as reserved. + * + * This routine must be called before efi_free_boot_services() in order + * to guarantee that it can mark the table as reserved. + * + * Implicit inputs: + * efi.mokvar_table: Physical address of EFI MOK variable config table + * or special value that indicates no such table. + * + * Implicit outputs: + * efi_mokvar_table_size: Computed size of EFI MOK variable config table. + * The table is considered present and valid if this + * is non-zero. + */ +void __init efi_mokvar_table_init(void) +{ + efi_memory_desc_t md; + u64 end_pa; + void *va = NULL; + size_t cur_offset = 0; + size_t offset_limit; + size_t map_size = 0; + size_t map_size_needed = 0; + size_t size; + struct efi_mokvar_table_entry *mokvar_entry; + int err = -EINVAL; + + if (!efi_enabled(EFI_MEMMAP)) + return; + + if (efi.mokvar_table == EFI_INVALID_TABLE_ADDR) + return; + /* + * The EFI MOK config table must fit within a single EFI memory + * descriptor range. 
+ */ + err = efi_mem_desc_lookup(efi.mokvar_table, &md); + if (err) { + pr_warn("EFI MOKvar config table is not within the EFI memory map\n"); + return; + } + end_pa = efi_mem_desc_end(&md); + if (efi.mokvar_table >= end_pa) { + pr_err("EFI memory descriptor containing MOKvar config table is invalid\n"); + return; + } + offset_limit = end_pa - efi.mokvar_table; + /* + * Validate the MOK config table. Since there is no table header + * from which we could get the total size of the MOK config table, + * we compute the total size as we validate each variably sized + * entry, remapping as necessary. + */ + while (cur_offset + sizeof(*mokvar_entry) <= offset_limit) { + mokvar_entry = va + cur_offset; + map_size_needed = cur_offset + sizeof(*mokvar_entry); + if (map_size_needed > map_size) { + if (va) + early_memunmap(va, map_size); + /* + * Map a little more than the fixed size entry + * header, anticipating some data. It's safe to + * do so as long as we stay within current memory + * descriptor. 
+ */ + map_size = min(map_size_needed + 2*EFI_PAGE_SIZE, + offset_limit); + va = early_memremap(efi.mokvar_table, map_size); + if (!va) { + pr_err("Failed to map EFI MOKvar config table pa=0x%lx, size=%zu.\n", + efi.mokvar_table, map_size); + return; + } + mokvar_entry = va + cur_offset; + } + + /* Check for last sentinel entry */ + if (mokvar_entry->name[0] == '\0') { + if (mokvar_entry->data_size != 0) + break; + err = 0; + break; + } + + /* Sanity check that the name is null terminated */ + size = strnlen(mokvar_entry->name, + sizeof(mokvar_entry->name)); + if (size >= sizeof(mokvar_entry->name)) + break; + + /* Advance to the next entry */ + cur_offset = map_size_needed + mokvar_entry->data_size; + } + + if (va) + early_memunmap(va, map_size); + if (err) { + pr_err("EFI MOKvar config table is not valid\n"); + return; + } + efi_mem_reserve(efi.mokvar_table, map_size_needed); + efi_mokvar_table_size = map_size_needed; +} + +/* + * efi_mokvar_entry_next() - Get next entry in the EFI MOK config table + * + * mokvar_entry: Pointer to current EFI MOK config table entry + * or null. Null indicates get first entry. + * Passed by reference. This is updated to the + * same value as the return value. + * + * Returns: Pointer to next EFI MOK config table entry + * or null, if there are no more entries. + * Same value is returned in the mokvar_entry + * parameter. + * + * This routine depends on the EFI MOK config table being entirely + * mapped with it's starting virtual address in efi_mokvar_table_va. 
+ */ +struct efi_mokvar_table_entry *efi_mokvar_entry_next( + struct efi_mokvar_table_entry **mokvar_entry) +{ + struct efi_mokvar_table_entry *mokvar_cur; + struct efi_mokvar_table_entry *mokvar_next; + size_t size_cur; + + mokvar_cur = *mokvar_entry; + *mokvar_entry = NULL; + + if (efi_mokvar_table_va == NULL) + return NULL; + + if (mokvar_cur == NULL) { + mokvar_next = efi_mokvar_table_va; + } else { + if (mokvar_cur->name[0] == '\0') + return NULL; + size_cur = sizeof(*mokvar_cur) + mokvar_cur->data_size; + mokvar_next = (void *)mokvar_cur + size_cur; + } + + if (mokvar_next->name[0] == '\0') + return NULL; + + *mokvar_entry = mokvar_next; + return mokvar_next; +} + +/* + * efi_mokvar_entry_find() - Find EFI MOK config entry by name + * + * name: Name of the entry to look for. + * + * Returns: Pointer to EFI MOK config table entry if found; + * null otherwise. + * + * This routine depends on the EFI MOK config table being entirely + * mapped with it's starting virtual address in efi_mokvar_table_va. + */ +struct efi_mokvar_table_entry *efi_mokvar_entry_find(const char *name) +{ + struct efi_mokvar_table_entry *mokvar_entry = NULL; + + while (efi_mokvar_entry_next(&mokvar_entry)) { + if (!strncmp(name, mokvar_entry->name, + sizeof(mokvar_entry->name))) + return mokvar_entry; + } + return NULL; +} + +/* + * efi_mokvar_sysfs_read() - sysfs binary file read routine + * + * Returns: Count of bytes read. + * + * Copy EFI MOK config table entry data for this mokvar sysfs binary file + * to the supplied buffer, starting at the specified offset into mokvar table + * entry data, for the specified count bytes. The copy is limited by the + * amount of data in this mokvar config table entry. 
+ */ +static ssize_t efi_mokvar_sysfs_read(struct file *file, struct kobject *kobj, + struct bin_attribute *bin_attr, char *buf, + loff_t off, size_t count) +{ + struct efi_mokvar_table_entry *mokvar_entry = bin_attr->private; + + if (!capable(CAP_SYS_ADMIN)) + return 0; + + if (off >= mokvar_entry->data_size) + return 0; + if (count > mokvar_entry->data_size - off) + count = mokvar_entry->data_size - off; + + memcpy(buf, mokvar_entry->data + off, count); + return count; +} + +/* + * efi_mokvar_sysfs_init() - Map EFI MOK config table and create sysfs + * + * Map the EFI MOK variable config table for run-time use by the kernel + * and create the sysfs entries in /sys/firmware/efi/mok-variables/ + * + * This routine just returns if a valid EFI MOK variable config table + * was not found earlier during boot. + * + * This routine must be called during a "middle" initcall phase, i.e. + * after efi_mokvar_table_init() but before UEFI certs are loaded + * during late init. + * + * Implicit inputs: + * efi.mokvar_table: Physical address of EFI MOK variable config table + * or special value that indicates no such table. + * + * efi_mokvar_table_size: Computed size of EFI MOK variable config table. + * The table is considered present and valid if this + * is non-zero. + * + * Implicit outputs: + * efi_mokvar_table_va: Start virtual address of the EFI MOK config table. 
+ */ +static int __init efi_mokvar_sysfs_init(void) +{ + void *config_va; + struct efi_mokvar_table_entry *mokvar_entry = NULL; + struct efi_mokvar_sysfs_attr *mokvar_sysfs = NULL; + int err = 0; + + if (efi_mokvar_table_size == 0) + return -ENOENT; + + config_va = memremap(efi.mokvar_table, efi_mokvar_table_size, + MEMREMAP_WB); + if (!config_va) { + pr_err("Failed to map EFI MOKvar config table\n"); + return -ENOMEM; + } + efi_mokvar_table_va = config_va; + + mokvar_kobj = kobject_create_and_add("mok-variables", efi_kobj); + if (!mokvar_kobj) { + pr_err("Failed to create EFI mok-variables sysfs entry\n"); + return -ENOMEM; + } + + while (efi_mokvar_entry_next(&mokvar_entry)) { + mokvar_sysfs = kzalloc(sizeof(*mokvar_sysfs), GFP_KERNEL); + if (!mokvar_sysfs) { + err = -ENOMEM; + break; + } + + sysfs_bin_attr_init(&mokvar_sysfs->bin_attr); + mokvar_sysfs->bin_attr.private = mokvar_entry; + mokvar_sysfs->bin_attr.attr.name = mokvar_entry->name; + mokvar_sysfs->bin_attr.attr.mode = 0400; + mokvar_sysfs->bin_attr.size = mokvar_entry->data_size; + mokvar_sysfs->bin_attr.read = efi_mokvar_sysfs_read; + + err = sysfs_create_bin_file(mokvar_kobj, + &mokvar_sysfs->bin_attr); + if (err) + break; + + list_add_tail(&mokvar_sysfs->node, &efi_mokvar_sysfs_list); + } + + if (err) { + pr_err("Failed to create some EFI mok-variables sysfs entries\n"); + kfree(mokvar_sysfs); + } + return err; +} +device_initcall(efi_mokvar_sysfs_init); diff --git a/include/linux/efi.h b/include/linux/efi.h index 14590ffadd..a7192cd325 100644 --- a/include/linux/efi.h +++ b/include/linux/efi.h 
@@ -641,6 +641,7 @@ void efi_native_runtime_setup(void); #define LINUX_EFI_ARM_SCREEN_INFO_TABLE_GUID EFI_GUID(0xe03fc20a, 0x85dc, 0x406e, 0xb9, 0x0e, 0x4a, 0xb5, 0x02, 0x37, 0x1d, 0x95) #define LINUX_EFI_LOADER_ENTRY_GUID EFI_GUID(0x4a67b082, 0x0a4c, 0x41cf, 0xb6, 0xc7, 0x44, 0x0b, 0x29, 0xbb, 0x8c, 0x4f) #define LINUX_EFI_RANDOM_SEED_TABLE_GUID EFI_GUID(0x1ce1e5bc, 0x7ceb, 0x42f2, 0x81, 0xe5, 0x8a, 0xad, 0xf1, 0x80, 0xf5, 0x7b) +#define LINUX_EFI_MOK_VARIABLE_TABLE_GUID EFI_GUID(0xc451ed2b, 0x9694, 0x45d3, 0xba, 0xba, 0xed, 0x9f, 0x89, 0x88, 0xa3, 0x89) typedef struct { efi_guid_t guid; @@ -936,6 +937,7 @@ extern struct efi { unsigned long properties_table; /* properties table */ unsigned long mem_attr_table; /* memory attributes table */ unsigned long rng_seed; /* UEFI firmware random seed */ + unsigned long mokvar_table; /* MOK variable config table */ efi_get_time_t *get_time; efi_set_time_t *set_time; efi_get_wakeup_time_t *get_wakeup_time; 
@@ -1650,4 +1652,36 @@ struct linux_efi_random_seed { u8 bits[]; }; +/* + * The LINUX_EFI_MOK_VARIABLE_TABLE_GUID config table can be provided + * to the kernel by an EFI boot loader. The table contains a packed + * sequence of these entries, one for each named MOK variable. + * The sequence is terminated by an entry with a completely NULL + * name and 0 data size. + */ +struct efi_mokvar_table_entry { + char name[256]; + u64 data_size; + u8 data[]; +} __attribute((packed)); + +#ifdef CONFIG_LOAD_UEFI_KEYS +extern void __init efi_mokvar_table_init(void); +extern struct efi_mokvar_table_entry *efi_mokvar_entry_next( + struct efi_mokvar_table_entry **mokvar_entry); +extern struct efi_mokvar_table_entry *efi_mokvar_entry_find(const char *name); +#else +static inline void efi_mokvar_table_init(void) { } +static inline struct efi_mokvar_table_entry *efi_mokvar_entry_next( + struct efi_mokvar_table_entry **mokvar_entry) +{ + return NULL; +} +static inline struct efi_mokvar_table_entry *efi_mokvar_entry_find( + const char *name) +{ + return NULL; +} +#endif + #endif /* _LINUX_EFI_H */ From patchwork Tue Nov 30 11:04:02 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Dimitri John Ledkov X-Patchwork-Id: 1561556 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: bilbo.ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=canonical.com header.i=@canonical.com header.a=rsa-sha256 header.s=20210705 header.b=r59LeJ2W; dkim-atps=neutral Authentication-Results: ozlabs.org; spf=none (no SPF record) smtp.mailfrom=lists.ubuntu.com (client-ip=91.189.94.19; helo=huckleberry.canonical.com; envelope-from=kernel-team-bounces@lists.ubuntu.com; receiver=) Received: from huckleberry.canonical.com (huckleberry.canonical.com [91.189.94.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 
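Review bot: in the mokvar-table.c hunk of PATCH 01/16 above, efi_mokvar_table_init() advances with `cur_offset = map_size_needed + mokvar_entry->data_size;` without first bounding data_size, and data_size is a u64 read straight from the boot-loader-supplied table, so a corrupted or oversized value can wrap cur_offset back below offset_limit (or be truncated where size_t is 32-bit) and the loop then resumes at an offset it never validated; the sentinel test (`name[0] == '\0'` and `data_size == 0`) can succeed on whatever zero bytes sit there and the table is accepted with a wrong map_size_needed, which is also the size handed to efi_mem_reserve(). Suggest rejecting the entry when `mokvar_entry->data_size > offset_limit - map_size_needed` before the addition. Two smaller points in the same hunk: efi_mokvar_sysfs_read() returns 0 when `capable(CAP_SYS_ADMIN)` fails, so a denied read is indistinguishable from an empty entry (mode 0400 already keeps non-root out, so -EPERM would be the more honest result), and the comments use "it's" for "its" in "if it's presence was detected" and "with it's starting virtual address".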
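Review bot: in the include/linux/efi.h hunk that adds struct efi_mokvar_table_entry, `__attribute((packed))` compiles only because GCC accepts the short spelling; the kernel idiom is `__packed`, and using it keeps the definition consistent with the rest of the header. A one-line comment that `name` is only known to be NUL-terminated once efi_mokvar_table_init() has validated the table would also help callers, since efi_mokvar_entry_find() compares it with strncmp over all 256 bytes and the guarantee is currently documented only inside mokvar-table.c.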
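The entry layout from include/linux/efi.h and the validation walk that efi_mokvar_table_init() performs, modelled in C as a stand-alone user-space program. This is an added example, not kernel code: the entry names and payload bytes are constructed, and the explicit bound on data_size before the cursor advances is this example's addition rather than something the patch does.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Same layout as the kernel's struct efi_mokvar_table_entry: a packed
 * 264-byte header followed by data_size bytes of payload. */
struct mokvar_entry {
    char name[256];
    uint64_t data_size;
    uint8_t data[];
} __attribute__((packed));

#define MOKVAR_HDR sizeof(struct mokvar_entry)
enum { MOKVAR_OK = 0, MOKVAR_EINVAL = -1 };

/* Walk the packed entry sequence in [table, table + limit), as
 * efi_mokvar_table_init() walks its EFI memory descriptor range, and
 * return the bytes the table occupies (sentinel included) via *size.
 * Unlike the kernel loop, data_size is bounded against the remaining
 * bytes before the cursor advances, so a bogus value cannot wrap cur. */
int mokvar_table_validate(const uint8_t *table, size_t limit, size_t *size)
{
    size_t cur = 0;
    while (cur + MOKVAR_HDR <= limit) {
        const struct mokvar_entry *e = (const void *)(table + cur);
        size_t remaining = limit - (cur + MOKVAR_HDR);
        if (e->name[0] == '\0') {            /* sentinel: empty name ... */
            if (e->data_size != 0)           /* ... and data_size 0 */
                return MOKVAR_EINVAL;
            *size = cur + MOKVAR_HDR;
            return MOKVAR_OK;
        }
        if (memchr(e->name, '\0', sizeof(e->name)) == NULL)
            return MOKVAR_EINVAL;            /* name not NUL-terminated */
        if (e->data_size > remaining)
            return MOKVAR_EINVAL;            /* payload leaves the region */
        cur += MOKVAR_HDR + (size_t)e->data_size;
    }
    return MOKVAR_EINVAL;                    /* region ended, no sentinel */
}

/* Constructed sample tables (not from any real firmware) are built here. */
static uint8_t g_buf[1024];
static const uint8_t k_list[] = { 0xde, 0xad, 0xbe, 0xef };

/* Append a header claiming data_size bytes, then len bytes of payload;
 * letting the two differ is how the bogus-size table below is built. */
static size_t put_entry(size_t off, const char *name, uint64_t data_size,
                        const uint8_t *data, size_t len)
{
    struct mokvar_entry hdr;
    memset(&hdr, 0, sizeof(hdr));
    if (name)
        memcpy(hdr.name, name, strlen(name));    /* sample names are short */
    hdr.data_size = data_size;
    memcpy(g_buf + off, &hdr, sizeof(hdr));
    if (len)
        memcpy(g_buf + off + sizeof(hdr), data, len);
    return off + sizeof(hdr) + len;
}

/* Two named entries plus the sentinel: 3 * 264 + 4 + 2 = 798 bytes,
 * or 0 if validation unexpectedly fails. */
size_t demo_valid_table(void)
{
    static const uint8_t xlist[] = { 0x01, 0x02 };
    size_t off = 0, size = 0;
    off = put_entry(off, "MokListRT", sizeof(k_list), k_list, sizeof(k_list));
    off = put_entry(off, "MokListXRT", sizeof(xlist), xlist, sizeof(xlist));
    off = put_entry(off, NULL, 0, NULL, 0);
    return mokvar_table_validate(g_buf, off, &size) == MOKVAR_OK ? size : 0;
}

/* Region ends one byte into a second entry, before any sentinel. */
int demo_truncated(void)
{
    size_t size = 0;
    size_t off = put_entry(0, "MokListRT", sizeof(k_list), k_list, sizeof(k_list));
    return mokvar_table_validate(g_buf, off + 1, &size);
}

/* Header claiming ~2^64 bytes: with an unchecked 64-bit addition the
 * cursor would wrap from 264 to 248 and land on zero bytes that pass
 * the sentinel test; the bounded check rejects the entry instead. */
int demo_bogus_size(void)
{
    size_t size = 0;
    size_t off = put_entry(0, "MokListRT", UINT64_C(0xfffffffffffffff0), NULL, 0);
    off = put_entry(off, NULL, 0, NULL, 0);
    return mokvar_table_validate(g_buf, off, &size);
}

int main(void)
{
    printf("valid: %zu bytes, truncated: %d, bogus size: %d\n",
           demo_valid_table(), demo_truncated(), demo_bogus_size());
    return 0;
}
```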
From: Dimitri John Ledkov
To: kernel-team@lists.ubuntu.com
Subject: [SRU][BIONIC][PATCH 02/16] efi: mokvar-table: fix some issues in new code
Date: Tue, 30 Nov 2021 11:04:02 +0000
Message-Id: <20211130110416.171269-3-dimitri.ledkov@canonical.com>
X-Mailer: git-send-email 2.32.0
In-Reply-To: <20211130110416.171269-1-dimitri.ledkov@canonical.com>
References: <20211130110416.171269-1-dimitri.ledkov@canonical.com>
From: Ard Biesheuvel BugLink: https://bugs.launchpad.net/bugs/1928679 Fix a couple of issues in the new mokvar-table handling code, as pointed out by Arvind and Boris: - don't bother checking the end of the physical region against the start address of the mokvar table, - ensure that we enter the loop with err = -EINVAL, - replace size_t with unsigned long to appease pedantic type equality checks. Reviewed-by: Arvind Sankar Reviewed-by: Lenny Szubowicz Tested-by: Borislav Petkov Signed-off-by: Ard Biesheuvel (cherry picked from commit b89114cd018cffa5deb7def1844ce1891efd4f96) Signed-off-by: Dimitri John Ledkov --- drivers/firmware/efi/mokvar-table.c | 25 +++++++++++-------------- 1 file changed, 11 insertions(+), 14 deletions(-) diff --git a/drivers/firmware/efi/mokvar-table.c b/drivers/firmware/efi/mokvar-table.c index b1cd49893d..72a9e1736f 100644 --- a/drivers/firmware/efi/mokvar-table.c +++ b/drivers/firmware/efi/mokvar-table.c @@ -98,15 +98,14 @@ static struct kobject *mokvar_kobj; void __init efi_mokvar_table_init(void) { efi_memory_desc_t md; - u64 end_pa; void *va = NULL; - size_t cur_offset = 0; - size_t offset_limit; - size_t map_size = 0; - size_t map_size_needed = 0; - size_t size; + unsigned long cur_offset = 0; + unsigned long offset_limit; + unsigned long map_size = 0; + unsigned long map_size_needed = 0; + unsigned long size; struct efi_mokvar_table_entry *mokvar_entry; - int err = -EINVAL; + int err; if (!efi_enabled(EFI_MEMMAP)) return; 
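Review bot: the switch from size_t to unsigned long in this hunk makes `cur_offset = map_size_needed + mokvar_entry->data_size;` a narrowing assignment on 32-bit ARM, where unsigned long is 32 bits while data_size is a u64: the high bits of a large or corrupted data_size are silently dropped and cur_offset can stay under offset_limit, so the walk continues at an offset that was never validated. Suggest checking `mokvar_entry->data_size > offset_limit - map_size_needed` and breaking out before the addition. Leaving `int err;` uninitialised is fine, since its first use is the assignment from efi_mem_desc_lookup() and it is reset to -EINVAL before the loop.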
@@ -122,18 +121,16 @@ void __init efi_mokvar_table_init(void) pr_warn("EFI MOKvar config table is not within the EFI memory map\n"); return; } - end_pa = efi_mem_desc_end(&md); - if (efi.mokvar_table >= end_pa) { - pr_err("EFI memory descriptor containing MOKvar config table is invalid\n"); - return; - } - offset_limit = end_pa - efi.mokvar_table; + + offset_limit = efi_mem_desc_end(&md) - efi.mokvar_table; + /* * Validate the MOK config table. Since there is no table header * from which we could get the total size of the MOK config table, * we compute the total size as we validate each variably sized * entry, remapping as necessary. */ + err = -EINVAL; while (cur_offset + sizeof(*mokvar_entry) <= offset_limit) { mokvar_entry = va + cur_offset; map_size_needed = cur_offset + sizeof(*mokvar_entry); 
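Review bot: moving `err = -EINVAL;` to just before the while loop is the real fix here: previously the `err = efi_mem_desc_lookup(...)` call overwrote the initialiser with 0 on success, so a table that exhausted offset_limit without ever reaching the sentinel left err at 0, passed the `if (err)` test and was reserved and reported valid. Dropping the `efi.mokvar_table >= end_pa` check is safe only because efi_mem_desc_lookup() has just confirmed the address lies inside md, which is what keeps `efi_mem_desc_end(&md) - efi.mokvar_table` from underflowing; a one-line comment above the `offset_limit =` assignment stating that invariant would spare the next reader from re-deriving it.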
@@ -150,7 +147,7 @@ void __init efi_mokvar_table_init(void) offset_limit); va = early_memremap(efi.mokvar_table, map_size); if (!va) { - pr_err("Failed to map EFI MOKvar config table pa=0x%lx, size=%zu.\n", + pr_err("Failed to map EFI MOKvar config table pa=0x%lx, size=%lu.\n", efi.mokvar_table, map_size); return; } From patchwork Tue Nov 30 11:04:03 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Dimitri John Ledkov X-Patchwork-Id: 1561559 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: bilbo.ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=canonical.com header.i=@canonical.com header.a=rsa-sha256 header.s=20210705 header.b=VZxv8ICP; dkim-atps=neutral Authentication-Results: ozlabs.org; spf=none (no SPF record) smtp.mailfrom=lists.ubuntu.com (client-ip=91.189.94.19; helo=huckleberry.canonical.com; envelope-from=kernel-team-bounces@lists.ubuntu.com; receiver=) Received: from huckleberry.canonical.com (huckleberry.canonical.com [91.189.94.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by bilbo.ozlabs.org (Postfix) with ESMTPS id 4J3K9j5PHTz9sRR for ; Tue, 30 Nov 2021 22:04:41 +1100 (AEDT) Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com) by huckleberry.canonical.com with esmtp (Exim 4.86_2) (envelope-from ) id 1ms0w4-0007AI-RS; Tue, 30 Nov 2021 11:04:32 +0000 Received: from smtp-relay-internal-1.internal ([10.131.114.114] helo=smtp-relay-internal-1.canonical.com) by huckleberry.canonical.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1ms0w0-00077j-6F for kernel-team@lists.ubuntu.com; Tue, 30 Nov 2021 11:04:28 +0000 Received: from mail-ed1-f70.google.com (mail-ed1-f70.google.com [209.85.208.70]) (using TLSv1.3 with cipher 
From: Dimitri John Ledkov
To: kernel-team@lists.ubuntu.com
Subject: [SRU][BIONIC][PATCH 03/16] efi: mokvar: add missing include of asm/early_ioremap.h
Date: Tue, 30 Nov 2021 11:04:03 +0000
Message-Id: <20211130110416.171269-4-dimitri.ledkov@canonical.com>
In-Reply-To: <20211130110416.171269-1-dimitri.ledkov@canonical.com>

From: Ard Biesheuvel

BugLink: https://bugs.launchpad.net/bugs/1928679

Nathan reports that building the new mokvar table code for 32-bit ARM fails with errors such as

error: implicit declaration of function 'early_memunmap'
error: implicit declaration of function 'early_memremap'

This is caused by the lack of an explicit #include of the appropriate header, and ARM apparently does not inherit that inclusion via another header file. So add the #include.

Tested-by: Nathan Chancellor
Signed-off-by: Ard Biesheuvel
(cherry picked from commit cc383a9e245c527d3175e2cf4cced9dbbedbbac6)
Signed-off-by: Dimitri John Ledkov
---
 drivers/firmware/efi/mokvar-table.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/firmware/efi/mokvar-table.c b/drivers/firmware/efi/mokvar-table.c
index 72a9e1736f..d8bc013406 100644
--- a/drivers/firmware/efi/mokvar-table.c
+++ b/drivers/firmware/efi/mokvar-table.c
@@ -40,6 +40,8 @@ #include #include +#include + /* * The LINUX_EFI_MOK_VARIABLE_TABLE_GUID config table is a packed * sequence of struct efi_mokvar_table_entry, one for each named
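Review bot: the header names in this hunk's #include lines were stripped by the archive rendering (each #include appears without its <...> argument), so the added line has to be read as #include <asm/early_ioremap.h> per the Subject; that is the header declaring early_memremap() and early_memunmap(), the two functions the quoted implicit-declaration errors name, and it matches the early_memremap(efi.mokvar_table, map_size) call visible in the previous patch's hunk. Placing it after the existing includes and before the LINUX_EFI_MOK_VARIABLE_TABLE_GUID comment block is fine, and the diffstat of 2 insertions (the include plus a blank line) agrees with the hunk.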
From: Dimitri John Ledkov
To: kernel-team@lists.ubuntu.com
Subject: [SRU][BIONIC][PATCH 04/16] efi/mokvar: Reserve the table only if it is in boot services data
Date: Tue, 30 Nov 2021 11:04:04 +0000
Message-Id: <20211130110416.171269-5-dimitri.ledkov@canonical.com>
In-Reply-To: <20211130110416.171269-1-dimitri.ledkov@canonical.com>
From: Borislav Petkov

BugLink: https://bugs.launchpad.net/bugs/1928679

One of the SUSE QA tests triggered:

localhost kernel: efi: Failed to lookup EFI memory descriptor for 0x000000003dcf8000

which comes from x86's version of efi_arch_mem_reserve() trying to reserve a memory region.

Usually, that function expects EFI_BOOT_SERVICES_DATA memory descriptors but the above case is for the MOKvar table which is allocated in the EFI shim as runtime services.

That led to a fix changing the allocation of that table to boot services.

However, that fix broke booting SEV guests with that shim leading to this kernel fix 8d651ee9c71b ("x86/ioremap: Map EFI-reserved memory as encrypted for SEV") which extended the ioremap hint to map reserved EFI boot services as decrypted too.

However, all that wasn't needed, IMO, because that error message in efi_arch_mem_reserve() was innocuous in this case - if the MOKvar table is not in boot services, then it doesn't need to be reserved in the first place because it is, well, in runtime services which *should* be reserved anyway.

So do that reservation for the MOKvar table only if it is allocated in boot services data.

I couldn't find any requirement about where that table should be allocated in, unlike the ESRT, whose allocation is mandated to be done in boot services data by the UEFI spec.

Signed-off-by: Borislav Petkov
Signed-off-by: Ard Biesheuvel
(cherry picked from commit 47e1e233e9d822dfda068383fb9a616451bda703)
Signed-off-by: Dimitri John Ledkov
---
 drivers/firmware/efi/mokvar-table.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/firmware/efi/mokvar-table.c b/drivers/firmware/efi/mokvar-table.c
index d8bc013406..38722d2009 100644
--- a/drivers/firmware/efi/mokvar-table.c
+++ b/drivers/firmware/efi/mokvar-table.c
@@ -180,7 +180,10 @@ void __init efi_mokvar_table_init(void) pr_err("EFI MOKvar config table is not valid\n"); return; } - efi_mem_reserve(efi.mokvar_table, map_size_needed); + + if (md.type == EFI_BOOT_SERVICES_DATA) + efi_mem_reserve(efi.mokvar_table, map_size_needed); + efi_mokvar_table_size = map_size_needed; }
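Review bot: md.type is read by the new condition but md is neither declared nor filled inside this hunk's context, so the change is only safe if the earlier part of efi_mokvar_table_init() looks the table address up in the EFI memory map into md and returns on failure before reaching this point; since this is a cherry-pick into BIONIC, confirm that the backported function still does so, otherwise md.type is an uninitialised read. With that in place the hunk does what the message says: a table in EFI_BOOT_SERVICES_DATA is reserved with efi_mem_reserve(), a table in any other memory type is left to the treatment its own region already gets, and efi_mokvar_table_size is recorded either way. The diffstat (4 insertions, 1 deletion) matches the hunk.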
From: Dimitri John Ledkov
To: kernel-team@lists.ubuntu.com
Subject: [SRU][BIONIC][PATCH 05/16] certs: Add EFI_CERT_X509_GUID support for dbx entries
Date: Tue, 30 Nov 2021 11:04:05 +0000
Message-Id: <20211130110416.171269-6-dimitri.ledkov@canonical.com>
In-Reply-To: <20211130110416.171269-1-dimitri.ledkov@canonical.com>
From: Eric Snowberg

BugLink: https://bugs.launchpad.net/bugs/1936242

[ Upstream commit 56c5812623f95313f6a46fbf0beee7fa17c68bbf ]

This fixes CVE-2020-26541.

The Secure Boot Forbidden Signature Database, dbx, contains a list of now revoked signatures and keys previously approved to boot with UEFI Secure Boot enabled. The dbx is capable of containing any number of EFI_CERT_X509_SHA256_GUID, EFI_CERT_SHA256_GUID, and EFI_CERT_X509_GUID entries.

Currently when EFI_CERT_X509_GUID are contained in the dbx, the entries are skipped.

Add support for EFI_CERT_X509_GUID dbx entries. When an EFI_CERT_X509_GUID is found, it is added as an asymmetrical key to the .blacklist keyring. Anytime the .platform keyring is used, the keys in the .blacklist keyring are referenced; if a matching key is found, the key will be rejected.

[DH: Made the following changes:
 - Added to have a config option to enable the facility. This allows a Kconfig solution to make sure that pkcs7_validate_trust() is enabled.[1][2]
 - Moved the functions out from the middle of the blacklist functions.
 - Added kerneldoc comments.]

Signed-off-by: Eric Snowberg
Signed-off-by: David Howells
Reviewed-by: Jarkko Sakkinen
cc: Randy Dunlap
cc: Mickaël Salaün
cc: Arnd Bergmann
cc: keyrings@vger.kernel.org
Link: https://lore.kernel.org/r/20200901165143.10295-1-eric.snowberg@oracle.com/ # rfc
Link: https://lore.kernel.org/r/20200909172736.73003-1-eric.snowberg@oracle.com/ # v2
Link: https://lore.kernel.org/r/20200911182230.62266-1-eric.snowberg@oracle.com/ # v3
Link: https://lore.kernel.org/r/20200916004927.64276-1-eric.snowberg@oracle.com/ # v4
Link: https://lore.kernel.org/r/20210122181054.32635-2-eric.snowberg@oracle.com/ # v5
Link: https://lore.kernel.org/r/161428672051.677100.11064981943343605138.stgit@warthog.procyon.org.uk/
Link: https://lore.kernel.org/r/161433310942.902181.4901864302675874242.stgit@warthog.procyon.org.uk/ # v2
Link: https://lore.kernel.org/r/161529605075.163428.14625520893961300757.stgit@warthog.procyon.org.uk/ # v3
Link: https://lore.kernel.org/r/bc2c24e3-ed68-2521-0bf4-a1f6be4a895d@infradead.org/ [1]
Link: https://lore.kernel.org/r/20210225125638.1841436-1-arnd@kernel.org/ [2]
Signed-off-by: Sasha Levin
Signed-off-by: Kamal Mostafa
Signed-off-by: Stefan Bader
---
 certs/Kconfig                 |  9 ++++++++
 certs/blacklist.c             | 43 +++++++++++++++++++++++++++++++++++
 certs/blacklist.h             |  2 ++
 certs/load_uefi.c             | 11 +++++++++
 certs/system_keyring.c        |  7 ++++++
 include/keys/system_keyring.h | 15 ++++++++++++
 6 files changed, 87 insertions(+)

diff --git a/certs/Kconfig b/certs/Kconfig
index 9e3ca57a1a..eada70c3ec 100644
--- a/certs/Kconfig
+++ b/certs/Kconfig
@@ -107,4 +107,13 @@ config LOAD_UEFI_KEYS mode, modules signed with UEFI-stored keys will be permitted to be loaded and keys that match the blacklist will be rejected. +config SYSTEM_REVOCATION_LIST + bool "Provide system-wide ring of revocation certificates" + depends on SYSTEM_BLACKLIST_KEYRING + depends on PKCS7_MESSAGE_PARSER=y + help + If set, this allows revocation certificates to be stored in the + blacklist keyring and implements a hook whereby a PKCS#7 message can + be checked to see if it matches such a certificate. + endmenu diff --git a/certs/blacklist.c b/certs/blacklist.c index e9f3f81c51..09668724cb 100644 --- a/certs/blacklist.c +++ b/certs/blacklist.c @@ -139,6 +139,49 @@ int is_hash_blacklisted(const u8 *hash, size_t hash_len, const char *type) } EXPORT_SYMBOL_GPL(is_hash_blacklisted); +#ifdef CONFIG_SYSTEM_REVOCATION_LIST +/** + * add_key_to_revocation_list - Add a revocation certificate to the blacklist + * @data: The data blob containing the certificate + * @size: The size of data blob + */ +int add_key_to_revocation_list(const char *data, size_t size) +{ + key_ref_t key; + + key = key_create_or_update(make_key_ref(blacklist_keyring, true), + "asymmetric", + NULL, + data, + size, + ((KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_VIEW), + KEY_ALLOC_NOT_IN_QUOTA | KEY_ALLOC_BUILT_IN); + + if (IS_ERR(key)) { + pr_err("Problem with revocation key (%ld)\n", PTR_ERR(key)); + return PTR_ERR(key); + } + + return 0; +} + +/** + * is_key_on_revocation_list - Determine if the key for a PKCS#7 message is revoked + * @pkcs7: The PKCS#7 message to check + */ +int is_key_on_revocation_list(struct pkcs7_message *pkcs7) +{ + int ret; + + ret = pkcs7_validate_trust(pkcs7, blacklist_keyring); + + if (ret == 0) + return -EKEYREJECTED; + + return -ENOKEY; +} +#endif + /* * Initialise the blacklist */ diff --git a/certs/blacklist.h b/certs/blacklist.h index 150d82da8e..d4f9fac9fe 100644 --- a/certs/blacklist.h +++ b/certs/blacklist.h 
@@ -1,3 +1,5 @@ #include +#include +#include extern const char __initdata *const blacklist_hashes[]; diff --git a/certs/load_uefi.c b/certs/load_uefi.c index 3d88459860..47bbada91f 100644 --- a/certs/load_uefi.c +++ b/certs/load_uefi.c @@ -108,6 +108,15 @@ static __init void uefi_blacklist_binary(const char *source, kfree(hash); } +/* + * Add an X509 cert to the revocation list. + */ +static __init void uefi_revocation_list_x509(const char *source, + const void *data, size_t len) +{ + add_key_to_revocation_list(data, len); +} + /* * Return the appropriate handler for particular signature list types found in * the UEFI db and MokListRT tables. @@ -129,6 +138,8 @@ static __init efi_element_handler_t get_handler_for_dbx(const efi_guid_t *sig_ty return uefi_blacklist_x509_tbs; if (efi_guidcmp(*sig_type, efi_cert_sha256_guid) == 0) return uefi_blacklist_binary; + if (efi_guidcmp(*sig_type, efi_cert_x509_guid) == 0) + return uefi_revocation_list_x509; return 0; } diff --git a/certs/system_keyring.c b/certs/system_keyring.c index 3821699692..da3a0c8193 100644 --- a/certs/system_keyring.c +++ b/certs/system_keyring.c @@ -240,6 +240,13 @@ int verify_pkcs7_signature(const void *data, size_t len, trusted_keys = builtin_trusted_keys; #endif } + + ret = is_key_on_revocation_list(pkcs7); + if (ret != -ENOKEY) { + pr_devel("PKCS#7 key is on revocation list\n"); + goto error; + } + ret = pkcs7_validate_trust(pkcs7, trusted_keys); if (ret < 0) { if (ret == -ENOKEY) diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h index 359c2f9360..f961e88244 100644 --- a/include/keys/system_keyring.h +++ b/include/keys/system_keyring.h 
@@ -35,6 +35,7 @@ extern int restrict_link_by_builtin_and_secondary_trusted( #define restrict_link_by_builtin_and_secondary_trusted restrict_link_by_builtin_trusted #endif +extern struct pkcs7_message *pkcs7; #ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING extern int mark_hash_blacklisted(const char *hash); extern int is_hash_blacklisted(const u8 *hash, size_t hash_len, 
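Review bot: +extern struct pkcs7_message *pkcs7; declares a global variable named pkcs7 that nothing in this series defines; it only works because it incidentally forward-declares struct pkcs7_message for the add_key_to_revocation_list()/is_key_on_revocation_list() prototypes in the next hunk. What is meant is the plain forward declaration struct pkcs7_message; and since the stray extern is harmless until someone takes its address, this can be a follow-up rather than a blocker for the backport.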
@@ -47,6 +48,20 @@ static inline int is_hash_blacklisted(const u8 *hash, size_t hash_len, } #endif +#ifdef CONFIG_SYSTEM_REVOCATION_LIST +extern int add_key_to_revocation_list(const char *data, size_t size); +extern int is_key_on_revocation_list(struct pkcs7_message *pkcs7); +#else +static inline int add_key_to_revocation_list(const char *data, size_t size) +{ + return 0; +} +static inline int is_key_on_revocation_list(struct pkcs7_message *pkcs7) +{ + return -ENOKEY; +} +#endif + #ifdef CONFIG_IMA_BLACKLIST_KEYRING extern struct key *ima_blacklist_keyring;
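Review bot: in the certs/blacklist.c hunk, is_key_on_revocation_list() maps every non-zero result of pkcs7_validate_trust() to -ENOKEY, so a message that fails to parse or uses an unsupported algorithm is reported as "not revoked" rather than as an error; that is tolerable only because the caller in verify_pkcs7_signature() goes on to run pkcs7_validate_trust() against trusted_keys, which will surface the same failure, and a one-line comment saying so would spare the next reader the reasoning. In add_key_to_revocation_list() the key_ref_t returned by key_create_or_update() is never released with key_ref_put(), unlike load_certificate_list() in certs/common.c later in this series; for a KEY_ALLOC_BUILT_IN key that lives as long as the keyring this only pins an extra reference, but the two helpers should agree.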
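Review bot: in the certs/system_keyring.c hunk the revocation check sits before pkcs7_validate_trust(pkcs7, trusted_keys), so a signer that is both trusted and revoked is rejected, which is the ordering you want. The ret != -ENOKEY test fails closed: anything other than "no matching key" aborts verification, and with the stub in the !CONFIG_SYSTEM_REVOCATION_LIST branch of system_keyring.h returning -ENOKEY the disabled configuration keeps its old behaviour; only the pr_devel() text "PKCS#7 key is on revocation list" would be misleading should is_key_on_revocation_list() ever start propagating other errors, so consider logging ret alongside it.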
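As an added example, not code from this series or from the kernel: a user-space walk over a constructed dbx blob that dispatches each entry by its signature-type GUID the way get_handler_for_dbx() does, with a flag modelling the pre-patch and post-patch treatment of EFI_CERT_X509_GUID entries. The GUID constants are the standard UEFI values, the EFI_SIGNATURE_LIST layout is the UEFI one, and the blob, its hashes and its stub certificate are constructed here.

```c
#include <stdint.h>
#include <string.h>

/* A GUID as stored in a signature database: 16 on-disk bytes, compared with memcmp()
 * like the kernel's efi_guidcmp(). The constants are the standard UEFI GUIDs for the
 * three dbx entry types the commit message names. */
typedef struct { uint8_t b[16]; } efi_guid_t;
static const efi_guid_t efi_cert_sha256_guid =      /* c1c41626-504c-4092-aca9-41f936934328 */
	{ { 0x26, 0x16, 0xc4, 0xc1, 0x4c, 0x50, 0x92, 0x40, 0xac, 0xa9, 0x41, 0xf9, 0x36, 0x93, 0x43, 0x28 } };
static const efi_guid_t efi_cert_x509_guid =        /* a5c059a1-94e4-4aa7-87b5-ab155c2bf072 */
	{ { 0xa1, 0x59, 0xc0, 0xa5, 0xe4, 0x94, 0xa7, 0x4a, 0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72 } };
static const efi_guid_t efi_cert_x509_sha256_guid = /* 3bd2a492-96c0-4079-b420-fcf98ef103ed */
	{ { 0x92, 0xa4, 0xd2, 0x3b, 0xc0, 0x96, 0x79, 0x40, 0xb4, 0x20, 0xfc, 0xf9, 0x8e, 0xf1, 0x03, 0xed } };

/* EFI_SIGNATURE_LIST header (28 bytes): signature_header_size bytes of type-specific header
 * follow, then entries of signature_size bytes, each a 16-byte SignatureOwner GUID plus payload. */
struct efi_signature_list {
	efi_guid_t signature_type;
	uint32_t signature_list_size, signature_header_size, signature_size;
};
struct dbx_counts { int sha256, x509_tbs, x509, skipped, bad; };

/* Mirror of get_handler_for_dbx() and the handlers it picks. With x509_supported == 0 (pre-patch)
 * an EFI_CERT_X509_GUID entry has no handler and is skipped; with 1 it takes the revocation-list path. */
static void dispatch_dbx_entry(const efi_guid_t *type, const uint8_t *data,
			       size_t len, int x509_supported, struct dbx_counts *c)
{
	if (memcmp(type, &efi_cert_x509_sha256_guid, 16) == 0) {
		c->x509_tbs++;                          /* uefi_blacklist_x509_tbs() */
	} else if (memcmp(type, &efi_cert_sha256_guid, 16) == 0) {
		if (len == 32) c->sha256++; else c->bad++; /* uefi_blacklist_binary(); length check added here */
	} else if (x509_supported && memcmp(type, &efi_cert_x509_guid, 16) == 0) {
		/* uefi_revocation_list_x509(): the kernel parses the DER certificate;
		 * only its leading SEQUENCE tag is checked here. */
		if (len > 0 && data[0] == 0x30) c->x509++; else c->bad++;
	} else {
		c->skipped++;                           /* get_handler_for_dbx() returned 0 */
	}
}

/* Walk concatenated EFI_SIGNATURE_LISTs as parse_efi_signature_list() does; returns 0,
 * or -1 if the blob is truncated or its sizes are inconsistent. */
static int parse_efi_signature_list(const uint8_t *buf, size_t size,
				    int x509_supported, struct dbx_counts *c)
{
	struct efi_signature_list list;
	size_t lsize, hsize, esize, off;
	memset(c, 0, sizeof(*c));
	while (size > 0) {
		if (size < sizeof(list))
			return -1;
		memcpy(&list, buf, sizeof(list));       /* host byte order, as written by put_list() */
		lsize = list.signature_list_size; hsize = list.signature_header_size; esize = list.signature_size;
		/* The list must fit the buffer, its header must fit the list, and the
		 * entries (each at least an owner GUID) must exactly fill the rest. */
		if (lsize > size || lsize < sizeof(list) + hsize || esize < 16 ||
		    (lsize - sizeof(list) - hsize) % esize != 0)
			return -1;
		for (off = sizeof(list) + hsize; off < lsize; off += esize)
			dispatch_dbx_entry(&list.signature_type, buf + off + 16, /* past SignatureOwner */
					   esize - 16, x509_supported, c);
		buf += lsize;
		size -= lsize;
	}
	return 0;
}

/* Append one list of n entries with dlen payload bytes each (zeroed owner GUID, no
 * type-specific header); returns the number of bytes written. */
static size_t put_list(uint8_t *out, const efi_guid_t *type,
		       const uint8_t *payloads, size_t n, size_t dlen)
{
	struct efi_signature_list list = { *type, 0, 0, (uint32_t)(16 + dlen) };
	size_t pos = sizeof(list), i;
	list.signature_list_size = (uint32_t)(sizeof(list) + n * (16 + dlen));
	memcpy(out, &list, sizeof(list));
	for (i = 0; i < n; i++, pos += 16 + dlen) {
		memset(out + pos, 0, 16);               /* SignatureOwner */
		memcpy(out + pos + 16, payloads + i * dlen, dlen);
	}
	return pos;
}

/* Build a constructed dbx (two SHA-256 hashes, then one X.509 entry that is only a
 * DER-looking stub; 124 + 64 = 188 bytes), drop `trim` trailing bytes, parse it and fold
 * the counts into sha256*100 + x509*10 + skipped: 201 with x509_supported == 0 (the cert
 * is dropped), 210 with 1, and -1 when the blob is truncated. */
static int sample_result(int x509_supported, size_t trim)
{
	uint8_t buf[256], hashes[64], cert[20] = { 0x30 };  /* 0x30: DER SEQUENCE tag */
	struct dbx_counts c;
	size_t n;
	memset(hashes, 0xaa, 32);
	memset(hashes + 32, 0xbb, 32);
	n = put_list(buf, &efi_cert_sha256_guid, hashes, 2, 32);
	n += put_list(buf + n, &efi_cert_x509_guid, cert, 1, sizeof(cert));
	if (parse_efi_signature_list(buf, n - trim, x509_supported, &c) != 0)
		return -1;
	return c.sha256 * 100 + c.x509 * 10 + c.skipped;
}
```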
From: Dimitri John Ledkov
To: kernel-team@lists.ubuntu.com
Subject: [SRU][BIONIC][PATCH 06/16] certs: Move load_system_certificate_list to a common function
Date: Tue, 30 Nov 2021 11:04:06 +0000
Message-Id: <20211130110416.171269-7-dimitri.ledkov@canonical.com>
In-Reply-To: <20211130110416.171269-1-dimitri.ledkov@canonical.com>

From: Eric Snowberg

BugLink: https://bugs.launchpad.net/bugs/1936242

[ Upstream commit 2565ca7f5ec1a98d51eea8860c4ab923f1ca2c85 ]

Move functionality within load_system_certificate_list to a common function, so it can be reused in the future.

DH Changes:
 - Added inclusion of common.h to common.c (Eric [1]).

Signed-off-by: Eric Snowberg
Acked-by: Jarkko Sakkinen
Signed-off-by: David Howells
cc: keyrings@vger.kernel.org
Link: https://lore.kernel.org/r/EDA280F9-F72D-4181-93C7-CDBE95976FF7@oracle.com/ [1]
Link: https://lore.kernel.org/r/20200930201508.35113-2-eric.snowberg@oracle.com/
Link: https://lore.kernel.org/r/20210122181054.32635-3-eric.snowberg@oracle.com/ # v5
Link: https://lore.kernel.org/r/161428672825.677100.7545516389752262918.stgit@warthog.procyon.org.uk/
Link: https://lore.kernel.org/r/161433311696.902181.3599366124784670368.stgit@warthog.procyon.org.uk/ # v2
Link: https://lore.kernel.org/r/161529605850.163428.7786675680201528556.stgit@warthog.procyon.org.uk/ # v3
Signed-off-by: Sasha Levin
Signed-off-by: Kamal Mostafa
Signed-off-by: Stefan Bader
---
 certs/Makefile         |  2 +-
 certs/common.c         | 57 ++++++++++++++++++++++++++++++++++++++++++
 certs/common.h         |  9 +++++++
 certs/system_keyring.c | 50 +++---------------------------------------
 4 files changed, 70 insertions(+), 48 deletions(-)
 create mode 100644 certs/common.c
 create mode 100644 certs/common.h

diff --git a/certs/Makefile b/certs/Makefile
index ba3b209678..5a3956b637 100644
--- a/certs/Makefile
+++ b/certs/Makefile
@@ -3,7 +3,7 @@ # Makefile for the linux kernel signature checking certificates. # -obj-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += system_keyring.o system_certificates.o +obj-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += system_keyring.o system_certificates.o common.o obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist.o ifneq ($(CONFIG_SYSTEM_BLACKLIST_HASH_LIST),"") obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist_hashes.o
diff --git a/certs/common.c b/certs/common.c
new file mode 100644
index 0000000000..16a220887a
--- /dev/null
+++ b/certs/common.c
@@ -0,0 +1,57 @@ +// SPDX-License-Identifier: GPL-2.0-or-later + +#include +#include +#include "common.h" + +int load_certificate_list(const u8 cert_list[], + const unsigned long list_size, + const struct key *keyring) +{ + key_ref_t key; + const u8 *p, *end; + size_t plen; + + p = cert_list; + end = p + list_size; + while (p < end) { + /* Each cert begins with an ASN.1 SEQUENCE tag and must be more + * than 256 bytes in size. + */ + if (end - p < 4) + goto dodgy_cert; + if (p[0] != 0x30 && + p[1] != 0x82) + goto dodgy_cert; + plen = (p[2] << 8) | p[3]; + plen += 4; + if (plen > end - p) + goto dodgy_cert; + + key = key_create_or_update(make_key_ref(keyring, 1), + "asymmetric", + NULL, + p, + plen, + ((KEY_POS_ALL & ~KEY_POS_SETATTR) | + KEY_USR_VIEW | KEY_USR_READ), + KEY_ALLOC_NOT_IN_QUOTA | + KEY_ALLOC_BUILT_IN | + KEY_ALLOC_BYPASS_RESTRICTION); + if (IS_ERR(key)) { + pr_err("Problem loading in-kernel X.509 certificate (%ld)\n", + PTR_ERR(key)); + } else { + pr_notice("Loaded X.509 cert '%s'\n", + key_ref_to_ptr(key)->description); + key_ref_put(key); + } + p += plen; + } + + return 0; + +dodgy_cert: + pr_err("Problem parsing in-kernel X.509 certificate list\n"); + return 0; +} diff --git a/certs/common.h b/certs/common.h new file mode 100644 index 0000000000..abdb579593 --- /dev/null +++ b/certs/common.h @@ -0,0 +1,9 @@ +/* SPDX-License-Identifier: GPL-2.0-or-later */ + +#ifndef _CERT_COMMON_H +#define _CERT_COMMON_H + +int load_certificate_list(const u8 cert_list[], const unsigned long list_size, + const struct key *keyring); + +#endif diff --git a/certs/system_keyring.c b/certs/system_keyring.c index da3a0c8193..83f6472aaf 100644 --- a/certs/system_keyring.c +++ b/certs/system_keyring.c @@ -19,6 +19,7 @@ #include #include #include +#include "common.h" #include "internal.h" static struct key *builtin_trusted_keys; 
@@ -138,55 +139,10 @@ device_initcall(system_trusted_keyring_init); */ static __init int load_system_certificate_list(void) { - key_ref_t key; - const u8 *p, *end; - size_t plen; - pr_notice("Loading compiled-in X.509 certificates\n"); - p = system_certificate_list; - end = p + system_certificate_list_size; - while (p < end) { - /* Each cert begins with an ASN.1 SEQUENCE tag and must be more - * than 256 bytes in size. - */ - if (end - p < 4) - goto dodgy_cert; - if (p[0] != 0x30 && - p[1] != 0x82) - goto dodgy_cert; - plen = (p[2] << 8) | p[3]; - plen += 4; - if (plen > end - p) - goto dodgy_cert; - - key = key_create_or_update(make_key_ref(builtin_trusted_keys, 1), - "asymmetric", - NULL, - p, - plen, - ((KEY_POS_ALL & ~KEY_POS_SETATTR) | - KEY_USR_VIEW | KEY_USR_READ), - KEY_ALLOC_NOT_IN_QUOTA | - KEY_ALLOC_BUILT_IN | - KEY_ALLOC_BYPASS_RESTRICTION); - if (IS_ERR(key)) { - pr_err("Problem loading in-kernel X.509 certificate (%ld)\n", - PTR_ERR(key)); - WARN_ON_ONCE(1); - } else { - pr_notice("Loaded X.509 cert '%s'\n", - key_ref_to_ptr(key)->description); - key_ref_put(key); - } - p += plen; - } - - return 0; - -dodgy_cert: - pr_err("Problem parsing in-kernel X.509 certificate list\n"); - return 0; + return load_certificate_list(system_certificate_list, system_certificate_list_size, + builtin_trusted_keys); } late_initcall(load_system_certificate_list);
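Review bot: in the certs/common.c hunk the tag check `if (p[0] != 0x30 && p[1] != 0x82) goto dodgy_cert;` uses && where || is meant: a blob whose first byte is 0x30 with any second byte, or whose second byte is 0x82 with any first byte, passes the check and has its length read from p[2..3] as if it were the two-byte DER length form, so the walk can go out of step with the list. This is carried over unchanged from the lines removed in certs/system_keyring.c (the old load_system_certificate_list() body), so it is not a regression of this patch, but now that the walker becomes shared code it is the moment to fix it. Separately, the moved code drops the `WARN_ON_ONCE(1);` that the removed version raised after "Problem loading in-kernel X.509 certificate", and the commit message does not mention that behaviour change; either restore it in load_certificate_list() or call it out.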
From: Dimitri John Ledkov
To: kernel-team@lists.ubuntu.com
Subject: [SRU][BIONIC][PATCH 07/16] integrity: Move import of MokListRT certs to a separate routine
Date: Tue, 30 Nov 2021 11:04:07 +0000
Message-Id: <20211130110416.171269-8-dimitri.ledkov@canonical.com>
In-Reply-To: <20211130110416.171269-1-dimitri.ledkov@canonical.com>

From: Lenny Szubowicz

BugLink: https://bugs.launchpad.net/bugs/1932029

Move the loading of certs from the UEFI MokListRT into a separate routine to facilitate additional MokList functionality.

There is no visible functional change as a result of this patch. Although the UEFI dbx certs are now loaded before the MokList certs, they are loaded onto different key rings. So the order of the keys on their respective key rings is the same.

Signed-off-by: Lenny Szubowicz
Reviewed-by: Mimi Zohar
Link: https://lore.kernel.org/r/20200905013107.10457-3-lszubowi@redhat.com
Signed-off-by: Ard Biesheuvel
(cherry picked from commit 38a1f03aa24094b4a8de846700cb6cb21cc06468)
Signed-off-by: Dimitri John Ledkov
---
 certs/load_uefi.c | 53 ++++++++++++++++++++++++++++++++++-------------
 1 file changed, 39 insertions(+), 14 deletions(-)

diff --git a/certs/load_uefi.c b/certs/load_uefi.c
index 47bbada91f..895c085155 100644
--- a/certs/load_uefi.c
+++ b/certs/load_uefi.c
@@ -144,6 +144,40 @@ static __init efi_element_handler_t get_handler_for_dbx(const efi_guid_t *sig_ty } /* + * load_moklist_certs() - Load MokList certs + * + * Load the certs contained in the UEFI MokListRT database into the + * platform trusted keyring. + * + * Return: Status + */ +static int __init load_moklist_certs(void) +{ + efi_guid_t mok_var = EFI_SHIM_LOCK_GUID; + void *mok; + unsigned long moksize; + int rc; + + /* Get MokListRT. It might not exist, so it isn't an error + * if we can't get it. + */ + mok = get_cert_list(L"MokListRT", &mok_var, &moksize); + if (mok) { + rc = parse_efi_signature_list("UEFI:MokListRT", + mok, moksize, get_handler_for_db); + kfree(mok); + if (rc) + pr_err("Couldn't parse MokListRT signatures: %d\n", rc); + return rc; + } else + pr_info("Couldn't get UEFI MokListRT\n"); + return 0; +} + +/* + * load_uefi_certs() - Load certs from UEFI sources + * + * * Load the certs contained in the UEFI databases into the secondary trusted * keyring and the UEFI blacklisted X.509 cert SHA256 hashes into the blacklist * keyring. @@ -151,9 +185,8 @@ static __init efi_element_handler_t get_handler_for_dbx(const efi_guid_t *sig_ty static int __init load_uefi_certs(void) { efi_guid_t secure_var = EFI_IMAGE_SECURITY_DATABASE_GUID; - efi_guid_t mok_var = EFI_SHIM_LOCK_GUID; - void *db = NULL, *dbx = NULL, *mok = NULL; - unsigned long dbsize = 0, dbxsize = 0, moksize = 0; + void *db = NULL, *dbx = NULL; + unsigned long dbsize = 0, dbxsize = 0; int rc = 0; if (!efi.get_variable) 
@@ -175,17 +208,6 @@ static int __init load_uefi_certs(void) } } - mok = get_cert_list(L"MokListRT", &mok_var, &moksize); - if (!mok) { - pr_info("MODSIGN: Couldn't get UEFI MokListRT\n"); - } else { - rc = parse_efi_signature_list("UEFI:MokListRT", - mok, moksize, get_handler_for_db); - if (rc) - pr_err("Couldn't parse MokListRT signatures: %d\n", rc); - kfree(mok); - } - dbx = get_cert_list(L"dbx", &secure_var, &dbxsize); if (!dbx) { pr_info("MODSIGN: Couldn't get UEFI dbx list\n"); 
@@ -198,6 +220,9 @@ static int __init load_uefi_certs(void) kfree(dbx); } + /* Load the MokListRT certs */ + rc = load_moklist_certs(); + return rc; } late_initcall(load_uefi_certs);
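Review bot: the new load_moklist_certs() in the first hunk pairs a braced `if (mok) { ... }` arm with an unbraced `} else pr_info(...)`; kernel style (and checkpatch) wants braces on both arms once either arm has them, so wrap the `pr_info()` in `{ }`. Separately, the message logged when the variable is absent changes from `pr_info("MODSIGN: Couldn't get UEFI MokListRT\n")` in the removed block to `pr_info("Couldn't get UEFI MokListRT\n")` in the new routine, dropping the `MODSIGN:` prefix that log filters may key on; either keep the prefix or mention the log change in the commit message, which currently states there is no visible functional change.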
From: Dimitri John Ledkov
To: kernel-team@lists.ubuntu.com
Subject: [SRU][BIONIC][PATCH 08/16] integrity: Load certs from the EFI MOK config table
Date: Tue, 30 Nov 2021 11:04:08 +0000
Message-Id: <20211130110416.171269-9-dimitri.ledkov@canonical.com>
In-Reply-To: <20211130110416.171269-1-dimitri.ledkov@canonical.com>

From: Lenny Szubowicz

BugLink: https://bugs.launchpad.net/bugs/1932029

Because of system-specific EFI firmware limitations, EFI volatile variables may not be capable of holding the required contents of the Machine Owner Key (MOK) certificate store when the certificate list grows above some size. Therefore, an EFI boot loader may pass the MOK certs via an EFI configuration table created specifically for this purpose to avoid this firmware limitation.

An EFI configuration table is a much more primitive mechanism compared to EFI variables and is well suited for one-way passage of static information from a pre-OS environment to the kernel.

This patch adds the support to load certs from the MokListRT entry in the MOK variable configuration table, if it's present. The pre-existing support to load certs from the MokListRT EFI variable remains and is used if the EFI MOK configuration table isn't present or can't be successfully used.

Signed-off-by: Lenny Szubowicz
Link: https://lore.kernel.org/r/20200905013107.10457-4-lszubowi@redhat.com
Signed-off-by: Ard Biesheuvel
(cherry picked from commit 726bd8965a5f112d9601f7ce68effa1e46e02bf2)
Signed-off-by: Dimitri John Ledkov
---
 certs/load_uefi.c | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/certs/load_uefi.c b/certs/load_uefi.c
index 895c085155..6f51c48be9 100644
--- a/certs/load_uefi.c
+++ b/certs/load_uefi.c
@@ -149,15 +149,37 @@ static __init efi_element_handler_t get_handler_for_dbx(const efi_guid_t *sig_ty * Load the certs contained in the UEFI MokListRT database into the * platform trusted keyring. * + * This routine checks the EFI MOK config table first. If and only if + * that fails, this routine uses the MokListRT ordinary UEFI variable. + * * Return: Status */ static int __init load_moklist_certs(void) { + struct efi_mokvar_table_entry *mokvar_entry; efi_guid_t mok_var = EFI_SHIM_LOCK_GUID; void *mok; unsigned long moksize; int rc; + /* First try to load certs from the EFI MOKvar config table. + * It's not an error if the MOKvar config table doesn't exist + * or the MokListRT entry is not found in it. + */ + mokvar_entry = efi_mokvar_entry_find("MokListRT"); + if (mokvar_entry) { + rc = parse_efi_signature_list("UEFI:MokListRT (MOKvar table)", + mokvar_entry->data, + mokvar_entry->data_size, + get_handler_for_db); + /* All done if that worked. */ + if (!rc) + return rc; + + pr_err("Couldn't parse MokListRT signatures from EFI MOKvar config table: %d\n", + rc); + } + /* Get MokListRT. It might not exist, so it isn't an error * if we can't get it. 
*/
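Review bot: when `efi_mokvar_entry_find("MokListRT")` returns an entry but `parse_efi_signature_list()` fails on it, the hunk logs the error with `pr_err()` and then drops `rc`, falling through to the `get_cert_list(L"MokListRT", ...)` path; if that variable is also absent the routine returns 0, so a corrupt config-table entry is reported to `load_uefi_certs()` as success. Either keep the table failure and return it when the variable fallback is unavailable, or say in the new header comment that a table parse failure is deliberately non-fatal. The hunk also passes `mokvar_entry->data_size` straight from the boot-loader-provided table into the parser, so the bounds validation of that table has to live in the code behind `efi_mokvar_entry_find()`, which this patch does not touch; one sentence in the commit message pointing at where the table is validated would help reviewers.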
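The db, dbx and MokListRT payloads these patches hand to parse_efi_signature_list() share the EFI signature database layout; the program below, added here as an illustration and not part of the patch series or of the kernel, walks that layout with the bounds checks firmware-supplied data needs and counts what each handler set would load. The split between the db and dbx handler sets (X.509 only versus X.509 plus SHA-256) is my reading of the kernel's get_handler_for_db()/get_handler_for_dbx() helpers and not stated by these patches; the sample database is constructed placeholder bytes.

```c
/* Userspace walker for an EFI signature database, the byte format of the UEFI
 * db/dbx variables and of shim's MokListRT. Added illustration, not kernel code:
 * it mirrors how parse_efi_signature_list() dispatches each list to a handler set. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Signature type GUIDs from the UEFI spec, in their in-memory byte order. */
static const uint8_t EFI_CERT_X509_GUID[16] =   /* a5c059a1-94e4-4aa7-87b5-ab155c2bf072 */
    {0xa1,0x59,0xc0,0xa5, 0xe4,0x94, 0xa7,0x4a, 0x87,0xb5,0xab,0x15,0x5c,0x2b,0xf0,0x72};
static const uint8_t EFI_CERT_SHA256_GUID[16] = /* c1c41626-504c-4092-aca9-41f936934328 */
    {0x26,0x16,0xc4,0xc1, 0x4c,0x50, 0x92,0x40, 0xac,0xa9,0x41,0xf9,0x36,0x93,0x43,0x28};

/* EFI_SIGNATURE_LIST = SignatureType[16], SignatureListSize, SignatureHeaderSize,
 * SignatureSize (little-endian u32 each), then EFI_SIGNATURE_DATA entries of
 * SignatureOwner[16] plus payload. */
#define SIGLIST_HDR 28
#define SIGDATA_HDR 16

struct sig_counts {
    unsigned x509;    /* X.509 certificates the chosen handler set loads */
    unsigned sha256;  /* SHA-256 digests it loads (dbx handler set only) */
    unsigned skipped; /* entries with no handler for this keyring */
};

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Walk every list in buf[0..len). for_dbx selects the blacklist handler set
 * (X.509 and SHA-256 accepted); otherwise the db/MokListRT set (X.509 only).
 * That split is my reading of the kernel's get_handler_for_*() helpers, an
 * assumption the patches above do not state. Returns 0, or -1 as soon as a size
 * field disagrees with the buffer: the bytes come from firmware or the boot
 * loader and are never trusted past a checked bound. */
int walk_signature_db(const uint8_t *buf, size_t len, int for_dbx, struct sig_counts *out)
{
    size_t off = 0;
    memset(out, 0, sizeof(*out));
    while (off < len) {
        const uint8_t *list = buf + off;
        uint32_t list_size, hdr_size, sig_size;
        size_t data_len, n;
        if (len - off < SIGLIST_HDR)
            return -1;
        list_size = rd32(list + 16);
        hdr_size = rd32(list + 20);
        sig_size = rd32(list + 24);
        if (list_size < SIGLIST_HDR || list_size > len - off)
            return -1;
        if (hdr_size > list_size - SIGLIST_HDR || sig_size <= SIGDATA_HDR)
            return -1;
        data_len = list_size - SIGLIST_HDR - hdr_size;
        if (data_len % sig_size)
            return -1;
        n = data_len / sig_size;
        if (!memcmp(list, EFI_CERT_X509_GUID, 16)) {
            out->x509 += n;
        } else if (!memcmp(list, EFI_CERT_SHA256_GUID, 16)) {
            if (sig_size != SIGDATA_HDR + 32) /* owner GUID + one 32-byte digest */
                return -1;
            if (for_dbx)
                out->sha256 += n;
            else
                out->skipped += n;
        } else {
            out->skipped += n; /* unknown type: no handler, list skipped whole */
        }
        off += list_size;
    }
    return 0;
}

/* Constructed sample: an X.509 list holding two 5-byte placeholder "certificates",
 * then a SHA-256 list holding three placeholder digests. 0xAB filler stands in
 * for owner GUIDs, DER and hashes; nothing here is a real key or digest. */
size_t build_sample_db(uint8_t *out, size_t cap)
{
    const uint32_t x509_sig = SIGDATA_HDR + 5, x509_list = SIGLIST_HDR + 2 * x509_sig;
    const uint32_t sha_sig = SIGDATA_HDR + 32, sha_list = SIGLIST_HDR + 3 * sha_sig;
    uint8_t *second = out + x509_list;
    if (cap < (size_t)x509_list + sha_list)
        return 0;
    memset(out, 0xAB, x509_list + sha_list);
    memcpy(out, EFI_CERT_X509_GUID, 16);
    wr32(out + 16, x509_list); wr32(out + 20, 0); wr32(out + 24, x509_sig);
    memcpy(second, EFI_CERT_SHA256_GUID, 16);
    wr32(second + 16, sha_list); wr32(second + 20, 0); wr32(second + 24, sha_sig);
    return x509_list + sha_list;
}
```

Feed walk_signature_db() the bytes of a MokListRT variable or config-table entry with for_dbx set to 0, or a dbx/MokListXRT payload with it set to 1; a non-zero return means the data was rejected before any entry was counted.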
From: Dimitri John Ledkov
To: kernel-team@lists.ubuntu.com
Subject: [SRU][BIONIC][PATCH 09/16] certs: Add ability to preload revocation certs
Date: Tue, 30 Nov 2021 11:04:09 +0000
Message-Id: <20211130110416.171269-10-dimitri.ledkov@canonical.com>
In-Reply-To: <20211130110416.171269-1-dimitri.ledkov@canonical.com>

From: Eric Snowberg

BugLink: https://bugs.launchpad.net/bugs/1932029

Add a new Kconfig option called SYSTEM_REVOCATION_KEYS. If set, this option should be the filename of a PEM-formatted file containing X.509 certificates to be included in the default blacklist keyring.

DH Changes:
 - Make the new Kconfig option depend on SYSTEM_REVOCATION_LIST.
 - Fix SYSTEM_REVOCATION_KEYS=n, but CONFIG_SYSTEM_REVOCATION_LIST=y [1][2].
 - Use CONFIG_SYSTEM_REVOCATION_LIST for extract-cert [3].
 - Use CONFIG_SYSTEM_REVOCATION_LIST for revocation_certificates.o [3].

Signed-off-by: Eric Snowberg
Acked-by: Jarkko Sakkinen
Signed-off-by: David Howells
cc: Randy Dunlap
cc: keyrings@vger.kernel.org
Link: https://lore.kernel.org/r/e1c15c74-82ce-3a69-44de-a33af9b320ea@infradead.org/ [1]
Link: https://lore.kernel.org/r/20210303034418.106762-1-eric.snowberg@oracle.com/ [2]
Link: https://lore.kernel.org/r/20210304175030.184131-1-eric.snowberg@oracle.com/ [3]
Link: https://lore.kernel.org/r/20200930201508.35113-3-eric.snowberg@oracle.com/
Link: https://lore.kernel.org/r/20210122181054.32635-4-eric.snowberg@oracle.com/ # v5
Link: https://lore.kernel.org/r/161428673564.677100.4112098280028451629.stgit@warthog.procyon.org.uk/
Link: https://lore.kernel.org/r/161433312452.902181.4146169951896577982.stgit@warthog.procyon.org.uk/ # v2
Link: https://lore.kernel.org/r/161529606657.163428.3340689182456495390.stgit@warthog.procyon.org.uk/ # v3
(cherry picked from commit d1f044103dad70c1cec0a8f3abdf00834fec8b98)
Signed-off-by: Dimitri John Ledkov
---
 certs/Kconfig                   |  8 ++++++++
 certs/Makefile                  | 19 +++++++++++++++++--
 certs/blacklist.c               | 21 +++++++++++++++++++++
 certs/revocation_certificates.S | 21 +++++++++++++++++++++
 scripts/Makefile                |  1 +
 5 files changed, 68 insertions(+), 2 deletions(-)
 create mode 100644 certs/revocation_certificates.S

diff --git a/certs/Kconfig b/certs/Kconfig
index eada70c3ec..3575c4fca3 100644
--- a/certs/Kconfig
+++ b/certs/Kconfig
@@ -116,4 +116,12 @@ config SYSTEM_REVOCATION_LIST blacklist keyring and implements a hook whereby a PKCS#7 message can be checked to see if it matches such a certificate. +config SYSTEM_REVOCATION_KEYS + string "X.509 certificates to be preloaded into the system blacklist keyring" + depends on SYSTEM_REVOCATION_LIST + help + If set, this option should be the filename of a PEM-formatted file + containing X.509 certificates to be included in the default blacklist + keyring. + endmenu
diff --git a/certs/Makefile b/certs/Makefile
index 5a3956b637..0e43070e50 100644
--- a/certs/Makefile
+++ b/certs/Makefile
@@ -4,7 +4,8 @@ # obj-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += system_keyring.o system_certificates.o common.o -obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist.o +obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist.o common.o +obj-$(CONFIG_SYSTEM_REVOCATION_LIST) += revocation_certificates.o ifneq ($(CONFIG_SYSTEM_BLACKLIST_HASH_LIST),"") obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist_hashes.o else @@ -34,7 +35,7 @@ $(obj)/x509_certificate_list: scripts/extract-cert $(SYSTEM_TRUSTED_KEYS_SRCPREF $(call if_changed,extract_certs,$(SYSTEM_TRUSTED_KEYS_SRCPREFIX)$(CONFIG_SYSTEM_TRUSTED_KEYS)) endif # CONFIG_SYSTEM_TRUSTED_KEYRING -clean-files := x509_certificate_list .x509.list +clean-files := x509_certificate_list .x509.list x509_revocation_list ifeq ($(CONFIG_MODULE_SIG),y) ############################################################################### @@ -117,3 +118,17 @@ targets += signing_key.x509 $(obj)/signing_key.x509: scripts/extract-cert $(X509_DEP) FORCE $(call if_changed,extract_certs,$(MODULE_SIG_KEY_SRCPREFIX)$(CONFIG_MODULE_SIG_KEY)) endif # CONFIG_MODULE_SIG + +ifeq ($(CONFIG_SYSTEM_REVOCATION_LIST),y) + +$(eval $(call config_filename,SYSTEM_REVOCATION_KEYS)) + +$(obj)/revocation_certificates.o: $(obj)/x509_revocation_list + +quiet_cmd_extract_certs = EXTRACT_CERTS $(patsubst "%",%,$(2)) + cmd_extract_certs = scripts/extract-cert $(2) $@ + +targets += x509_revocation_list +$(obj)/x509_revocation_list: scripts/extract-cert $(SYSTEM_REVOCATION_KEYS_SRCPREFIX)$(SYSTEM_REVOCATION_KEYS_FILENAME) FORCE + $(call if_changed,extract_certs,$(SYSTEM_REVOCATION_KEYS_SRCPREFIX)$(CONFIG_SYSTEM_REVOCATION_KEYS)) +endif diff --git a/certs/blacklist.c b/certs/blacklist.c index 09668724cb..8f34077714 100644 --- a/certs/blacklist.c +++ b/certs/blacklist.c 
@@ -20,9 +20,15 @@ #include #include #include "blacklist.h" +#include "common.h" static struct key *blacklist_keyring; +#ifdef CONFIG_SYSTEM_REVOCATION_LIST +extern __initconst const u8 revocation_certificate_list[]; +extern __initconst const unsigned long revocation_certificate_list_size; +#endif + /* * The description must be a type prefix, a colon and then an even number of * hex digits. The hash is kept in the description. @@ -215,3 +221,18 @@ static int __init blacklist_init(void) * Must be initialised before we try and load the keys into the keyring. */ device_initcall(blacklist_init); + +#ifdef CONFIG_SYSTEM_REVOCATION_LIST +/* + * Load the compiled-in list of revocation X.509 certificates. + */ +static __init int load_revocation_certificate_list(void) +{ + if (revocation_certificate_list_size) + pr_notice("Loading compiled-in revocation X.509 certificates\n"); + + return load_certificate_list(revocation_certificate_list, revocation_certificate_list_size, + blacklist_keyring); +} +late_initcall(load_revocation_certificate_list); +#endif diff --git a/certs/revocation_certificates.S b/certs/revocation_certificates.S new file mode 100644 index 0000000000..f21aae8a8f --- /dev/null +++ b/certs/revocation_certificates.S @@ -0,0 +1,21 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +#include +#include + + __INITRODATA + + .align 8 + .globl revocation_certificate_list +revocation_certificate_list: +__revocation_list_start: + .incbin "certs/x509_revocation_list" +__revocation_list_end: + + .align 8 + .globl revocation_certificate_list_size +revocation_certificate_list_size: +#ifdef CONFIG_64BIT + .quad __revocation_list_end - __revocation_list_start +#else + .long __revocation_list_end - __revocation_list_start +#endif diff --git a/scripts/Makefile b/scripts/Makefile index fb82adadb6..47d0a97dc1 100644 --- a/scripts/Makefile +++ b/scripts/Makefile 
@@ -22,6 +22,7 @@ hostprogs-$(CONFIG_ASN1) += asn1_compiler hostprogs-$(CONFIG_MODULE_SIG) += sign-file hostprogs-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += extract-cert hostprogs-$(CONFIG_SYSTEM_EXTRA_CERTIFICATE) += insert-sys-cert +hostprogs-$(CONFIG_SYSTEM_REVOCATION_LIST) += extract-cert HOSTCFLAGS_sortextable.o = -I$(srctree)/tools/include HOSTCFLAGS_asn1_compiler.o = -I$(srctree)/include
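Review bot: the `certs/Makefile` hunk that adds the `CONFIG_SYSTEM_REVOCATION_LIST` block generates a new file, `x509_revocation_list`, and lists it in `clean-files`, but adds no `.gitignore` entry for it, so a build with the option enabled leaves an untracked file in `certs/`; the next patch in this series (`certs: add 'x509_revocation_list' to gitignore`) fixes exactly that and could be squashed in so the tree is clean at every commit. The same block redefines `quiet_cmd_extract_certs` / `cmd_extract_certs`, which the `x509_certificate_list` rule above already relies on under `CONFIG_SYSTEM_TRUSTED_KEYRING`; hoisting a single definition out of both conditionals avoids the duplicate. In the `blacklist.c` hunk, `load_revocation_certificate_list()` calls `load_certificate_list()` even when `revocation_certificate_list_size` is zero, which is only correct if that helper treats an empty list as a no-op; a short comment saying so would save the next reader a lookup.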
From: Dimitri John Ledkov
To: kernel-team@lists.ubuntu.com
Subject: [SRU][BIONIC][PATCH 10/16] certs: add 'x509_revocation_list' to gitignore
Date: Tue, 30 Nov 2021 11:04:10 +0000
Message-Id: <20211130110416.171269-11-dimitri.ledkov@canonical.com>
In-Reply-To: <20211130110416.171269-1-dimitri.ledkov@canonical.com>

From: Linus Torvalds

BugLink: https://bugs.launchpad.net/bugs/1932029

Commit d1f044103dad ("certs: Add ability to preload revocation certs") created a new generated file for revocation certs, but didn't tell git to ignore it, thus causing unnecessary "git status" noise after a kernel build with CONFIG_SYSTEM_REVOCATION_LIST enabled.

Add the proper gitignore magic.

Signed-off-by: Linus Torvalds
(cherry picked from commit 81f202315856edb75a371f3376aa3a47543c16f0)
Signed-off-by: Dimitri John Ledkov
---
 certs/.gitignore | 1 +
 1 file changed, 1 insertion(+)

diff --git a/certs/.gitignore b/certs/.gitignore
index f51aea4a71..6ce8116114 100644
--- a/certs/.gitignore
+++ b/certs/.gitignore
@@ -2,3 +2,4 @@ # Generated files # x509_certificate_list +x509_revocation_list
From: Dimitri John Ledkov
To: kernel-team@lists.ubuntu.com
Subject: [SRU][BIONIC][PATCH 11/16] UBUNTU: SAUCE: integrity: Load mokx certs from the EFI MOK config table
Date: Tue, 30 Nov 2021 11:04:11 +0000
Message-Id: <20211130110416.171269-12-dimitri.ledkov@canonical.com>
In-Reply-To: <20211130110416.171269-1-dimitri.ledkov@canonical.com>
References: <20211130110416.171269-1-dimitri.ledkov@canonical.com>

Refactor load_moklist_certs() to load either MokListRT into db, or MokListXRT into dbx. Call load_moklist_certs() twice - first to load mokx certs into dbx, then mok certs into db.

This thus now attempts to load mokx certs via the EFI MOKvar config table first, and if that fails, via the EFI variable. Previously mokx certs were only loaded via the EFI variable, which fails when MokListXRT is large. Instead of a large MokListXRT variable, only MokListXRT{1,2,3} are available, which are not loaded. This is the case with Ubuntu's 15.4 based shim.

This patch is required to address CVE-2020-26541 when certificates are revoked via MokListXRT.

Fixes: ebd9c2ae369a ("integrity: Load mokx variables into the blacklist keyring")
BugLink: https://bugs.launchpad.net/bugs/1928679
Signed-off-by: Dimitri John Ledkov
Acked-by: Krzysztof Kozlowski
Signed-off-by: Seth Forshee
(cherry picked from commit a9e3aae16235d6af12509a64f1337da4485ccbae)
(xnox: cherry-pick is from impish:linux SAUCE)
Signed-off-by: Dimitri John Ledkov
---
 certs/load_uefi.c | 54 +++++++++++++++++++++++++++++++++--------------
 1 file changed, 38 insertions(+), 16 deletions(-)

diff --git a/certs/load_uefi.c b/certs/load_uefi.c
index 6f51c48be9..a99e7563d0 100644
--- a/certs/load_uefi.c
+++ b/certs/load_uefi.c
@@ -144,55 +144,70 @@ static __init efi_element_handler_t get_handler_for_dbx(const efi_guid_t *sig_ty } /* - * load_moklist_certs() - Load MokList certs + * load_moklist_certs() - Load Mok(X)List certs + * @load_db: Load MokListRT into db when true; MokListXRT into dbx when false * - * Load the certs contained in the UEFI MokListRT database into the - * platform trusted keyring. + * Load the certs contained in the UEFI MokList(X)RT database into the + * platform trusted/denied keyring. * * This routine checks the EFI MOK config table first. If and only if - * that fails, this routine uses the MokListRT ordinary UEFI variable. + * that fails, this routine uses the MokList(X)RT ordinary UEFI variable. * * Return: Status */ -static int __init load_moklist_certs(void) +static int __init load_moklist_certs(const bool load_db) { struct efi_mokvar_table_entry *mokvar_entry; efi_guid_t mok_var = EFI_SHIM_LOCK_GUID; void *mok; unsigned long moksize; int rc; + const char *mokvar_name = "MokListRT"; + /* Should be const, but get_cert_list() doesn't have it as const yet */ + efi_char16_t *efivar_name = L"MokListRT"; + const char *parse_mokvar_name = "UEFI:MokListRT (MOKvar table)"; + const char *parse_efivar_name = "UEFI:MokListRT"; + efi_element_handler_t (*get_handler_for_guid)(const efi_guid_t *) = get_handler_for_db; + + if (!load_db) { + mokvar_name = "MokListXRT"; + efivar_name = L"MokListXRT"; + parse_mokvar_name = "UEFI:MokListXRT (MOKvar table)"; + parse_efivar_name = "UEFI:MokListXRT"; + get_handler_for_guid = get_handler_for_dbx; + } /* First try to load certs from the EFI MOKvar config table. * It's not an error if the MOKvar config table doesn't exist * or the MokListRT entry is not found in it. 
*/ - mokvar_entry = efi_mokvar_entry_find("MokListRT"); + mokvar_entry = efi_mokvar_entry_find(mokvar_name); if (mokvar_entry) { - rc = parse_efi_signature_list("UEFI:MokListRT (MOKvar table)", + rc = parse_efi_signature_list(parse_mokvar_name, mokvar_entry->data, mokvar_entry->data_size, - get_handler_for_db); + get_handler_for_guid); /* All done if that worked. */ if (!rc) return rc; - pr_err("Couldn't parse MokListRT signatures from EFI MOKvar config table: %d\n", - rc); + pr_err("Couldn't parse %s signatures from EFI MOKvar config table: %d\n", + mokvar_name, rc); } /* Get MokListRT. It might not exist, so it isn't an error * if we can't get it. */ - mok = get_cert_list(L"MokListRT", &mok_var, &moksize); + mok = get_cert_list(efivar_name, &mok_var, &moksize); if (mok) { - rc = parse_efi_signature_list("UEFI:MokListRT", - mok, moksize, get_handler_for_db); + rc = parse_efi_signature_list(parse_efivar_name, + mok, moksize, get_handler_for_guid); kfree(mok); if (rc) - pr_err("Couldn't parse MokListRT signatures: %d\n", rc); + pr_err("Couldn't parse %s signatures: %d\n", mokvar_name, rc); return rc; } else - pr_info("Couldn't get UEFI MokListRT\n"); + pr_info("Couldn't get UEFI %s\n", mokvar_name); return 0; } 
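Review bot: the two comments inside the function body still name only MokListRT ("or the MokListRT entry is not found in it" and "Get MokListRT. It might not exist") although the same code now runs for MokListXRT when load_db is false; reword them to MokList(X)RT as the kerneldoc above was, or print mokvar_name in them, so the dbx path is not mistaken for dead code. The inline declaration `efi_element_handler_t (*get_handler_for_guid)(const efi_guid_t *) = get_handler_for_db;` plus four string variables reassigned in an `if (!load_db)` block is hard to audit; a small const struct per list (mokvar_name, efivar_name, the two parse names and the handler) selected once by load_db would keep the db and dbx configurations side by side. Note also that the MOKvar-table path returns as soon as parsing succeeds ("All done if that worked"), so a list present both in the config table and as an EFI variable is parsed only once, from the table; that is the intended precedence from the commit message, and a sentence in the kerneldoc saying so would stop readers from reporting the variable as "not loaded".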
@@ -242,8 +257,15 @@ static int __init load_uefi_certs(void) kfree(dbx); } + /* Load the MokListXRT certs */ + rc = load_moklist_certs(false); + if (rc) + pr_err("Couldn't parse mokx signatures: %d\n", rc); + /* Load the MokListRT certs */ - rc = load_moklist_certs(); + rc = load_moklist_certs(true); + if (rc) + pr_err("Couldn't parse mok signatures: %d\n", rc); return rc; }

From patchwork Tue Nov 30 11:04:12 2021
X-Patchwork-Submitter: Dimitri John Ledkov
X-Patchwork-Id: 1561562
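Review bot: in the load_uefi_certs() hunk, rc from load_moklist_certs(false) is overwritten by the following load_moklist_certs(true), so a failure to parse MokListXRT is logged but never reported to the caller and the function's return value reflects only the MokListRT load; since the revocation list is the reason for this series (CVE-2020-26541), keep the mokx result in its own variable and return the first non-zero one at the end rather than silently discarding it. The pr_err added here also repeats the "Couldn't parse %s signatures: %d" message that load_moklist_certs() already prints for the same failure, so each parse error shows up twice in dmesg; one of the two can go. Loading dbx before db matches the order stated in the commit message and is worth preserving in the comment, since a later reordering would be easy to miss in review.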
From: Dimitri John Ledkov
To: kernel-team@lists.ubuntu.com
Subject: [SRU][BIONIC][PATCH 12/16] UBUNTU: SAUCE: integrity: add informational messages when revoking certs
Date: Tue, 30 Nov 2021 11:04:12 +0000
Message-Id: <20211130110416.171269-13-dimitri.ledkov@canonical.com>
In-Reply-To: <20211130110416.171269-1-dimitri.ledkov@canonical.com>
References: <20211130110416.171269-1-dimitri.ledkov@canonical.com>

integrity_load_cert() prints messages of the source and cert details when adding certs as trusted. Mirror those messages in uefi_revocation_list_x509() when adding certs as revoked.

Sample dmesg with this change:

integrity: Platform Keyring initialized
integrity: Loading X.509 certificate: UEFI:db
integrity: Loaded X.509 cert 'Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a1bd4'
integrity: Revoking X.509 certificate: UEFI:MokListXRT (MOKvar table)
blacklist: Revoked X.509 cert 'Canonical Ltd. Secure Boot Signing: 61482aa2830d0ab2ad5af10b7250da9033ddcef0'
integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
integrity: Loaded X.509 cert 'Canonical Ltd. Master Certificate Authority: ad91990bc22ab1f517048c23b6655a268e345a63'

BugLink: https://bugs.launchpad.net/bugs/1928679
Signed-off-by: Dimitri John Ledkov
Acked-by: Krzysztof Kozlowski
Signed-off-by: Seth Forshee
(cherry picked from commit ba9fb788f89cb81c5ed836db2355a7a3b0f8c248)
(xnox: cherry-pick is from impish:linux SAUCE)
Signed-off-by: Dimitri John Ledkov
---
 certs/blacklist.c | 3 +++
 certs/load_uefi.c | 1 +
 2 files changed, 4 insertions(+)

diff --git a/certs/blacklist.c b/certs/blacklist.c
index 8f34077714..a97d50b9f0 100644
--- a/certs/blacklist.c
+++ b/certs/blacklist.c
@@ -166,6 +166,9 @@ int add_key_to_revocation_list(const char *data, size_t size) if (IS_ERR(key)) { pr_err("Problem with revocation key (%ld)\n", PTR_ERR(key)); return PTR_ERR(key); + } else { + pr_notice("Revoked X.509 cert '%s'\n", + key_ref_to_ptr(key)->description); } return 0;

diff --git a/certs/load_uefi.c b/certs/load_uefi.c
index a99e7563d0..9783e5978f 100644
--- a/certs/load_uefi.c
+++ b/certs/load_uefi.c
@@ -114,6 +114,7 @@ static __init void uefi_blacklist_binary(const char *source, static __init void uefi_revocation_list_x509(const char *source, const void *data, size_t len) { + pr_info("Revoking X.509 certificate: %s\n", source); add_key_to_revocation_list(data, len); }

From patchwork Tue Nov 30 11:04:13 2021
X-Patchwork-Submitter: Dimitri John Ledkov
X-Patchwork-Id: 1561567
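Review bot: in the certs/blacklist.c hunk, the `} else {` after `return PTR_ERR(key);` is redundant (checkpatch reports "else is not generally useful after a break or return"); drop the else and let `pr_notice("Revoked X.509 cert '%s'\n", key_ref_to_ptr(key)->description);` follow the if block, which keeps the existing early-return shape. Using pr_notice for the success message mirrors the "Loaded X.509 cert '%s'" line in load_certificate_list() (visible in patch 13), so trusted and revoked certificates are logged at the same level, as the commit message intends.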
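Review bot: in the certs/load_uefi.c hunk, "Revoking X.509 certificate: %s" is printed before add_key_to_revocation_list() runs and that function's int return is still discarded, so when the revocation fails dmesg shows "Revoking ..." followed only by the generic "Problem with revocation key" error from blacklist.c, with nothing tying the failure to its source; check the return value here and log the source in the failure path too, as that is exactly the case an operator investigating a missed revocation needs. The wording deliberately parallels "Loading X.509 certificate: %s", which makes both events easy to grep together in the sample dmesg.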
From: Dimitri John Ledkov
To: kernel-team@lists.ubuntu.com
Subject: [SRU][BIONIC][PATCH 13/16] UBUNTU: SAUCE: Dump stack when X.509 certificates cannot be loaded
Date: Tue, 30 Nov 2021 11:04:13 +0000
Message-Id: <20211130110416.171269-14-dimitri.ledkov@canonical.com>
In-Reply-To: <20211130110416.171269-1-dimitri.ledkov@canonical.com>
References: <20211130110416.171269-1-dimitri.ledkov@canonical.com>

From: Tim Gardner

BugLink: https://bugs.launchpad.net/bugs/1932029

Signed-off-by: Tim Gardner
(cherry picked from commit b5b4085dc5547a01593cd79dbf51bd9108f84e9f)
(xnox: cherry-pick is from impish:linux SAUCE)
Signed-off-by: Dimitri John Ledkov
---
 certs/common.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/certs/common.c b/certs/common.c
index 16a220887a..23af4fc392 100644
--- a/certs/common.c
+++ b/certs/common.c
@@ -41,6 +41,7 @@ int load_certificate_list(const u8 cert_list[], if (IS_ERR(key)) { pr_err("Problem loading in-kernel X.509 certificate (%ld)\n", PTR_ERR(key)); + WARN_ON_ONCE(1); } else { pr_notice("Loaded X.509 cert '%s'\n", key_ref_to_ptr(key)->description);

From patchwork Tue Nov 30 11:04:14 2021
X-Patchwork-Submitter: Dimitri John Ledkov
X-Patchwork-Id: 1561563
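Review bot: WARN_ON_ONCE(1) in the IS_ERR(key) branch turns a certificate that fails to load into a kernel warning with a backtrace at boot, and on a system booted with panic_on_warn that is a boot-time panic; the surrounding code treats the failure as non-fatal (it prints and carries on with the next certificate), so confirm that escalation is acceptable for an SRU, or use dump_stack() if the only goal is to see which caller of load_certificate_list() supplied the unparsable blob. The commit message carries nothing but the BugLink; one sentence on what the backtrace is meant to diagnose would help whoever first sees the warning. WARN_ONCE(1, ...) with the same text as the pr_err would also fold the two log lines into one.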
From: Dimitri John Ledkov
To: kernel-team@lists.ubuntu.com
Subject: [SRU][BIONIC][PATCH 14/16] UBUNTU: [Packaging] build canonical-revoked-certs.pem from branch/arch certs
Date: Tue, 30 Nov 2021 11:04:14 +0000
Message-Id: <20211130110416.171269-15-dimitri.ledkov@canonical.com>
In-Reply-To: <20211130110416.171269-1-dimitri.ledkov@canonical.com>
References: <20211130110416.171269-1-dimitri.ledkov@canonical.com>

BugLink: https://bugs.launchpad.net/bugs/1932029

Signed-off-by: Dimitri John Ledkov
Signed-off-by: Andrea Righi
(cherry picked from commit 3e44f229eef829ee3044651975512569824c4e5f)
(xnox: cherry-pick is from impish:linux)
Signed-off-by: Dimitri John Ledkov
---
 debian/rules | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/debian/rules b/debian/rules
index 73c0ee19a1..ca87ccf8f9 100755
--- a/debian/rules
+++ b/debian/rules
@@ -126,7 +126,7 @@ binary: binary-indep binary-arch build: build-arch build-indep -clean: debian/control debian/canonical-certs.pem +clean: debian/control debian/canonical-certs.pem debian/canonical-revoked-certs.pem dh_testdir dh_testroot dh_clean
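Review bot: making debian/canonical-revoked-certs.pem a prerequisite of `clean` mirrors the existing handling of debian/canonical-certs.pem, so the revoked bundle is rebuilt for every build rather than carried over stale from another branch or architecture; nothing wrong with the hunk itself, but whatever ignores and removes canonical-certs.pem from the tree should cover the new generated file as well, and that is not visible here.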
@@ -222,3 +222,15 @@ debian/canonical-certs.pem: $(wildcard $(DROOT)/certs/*-all.pem) $(wildcard $(DR fi; \ done; \ done >"$@" + +debian/canonical-revoked-certs.pem: $(wildcard $(DROOT)/revoked-certs/*-all.pem) $(wildcard $(DROOT)/revoked-certs/*-$(arch).pem) $(wildcard $(DEBIAN)/revoked-certs/*-all.pem) $(wildcard $(DEBIAN)/revoked-certs/*-$(arch).pem) + for cert in $(sort $(notdir $^)); \ + do \ + for dir in $(DEBIAN) $(DROOT); \ + do \ + if [ -f "$$dir/revoked-certs/$$cert" ]; then \ + cat "$$dir/revoked-certs/$$cert"; \ + break; \ + fi; \ + done; \ + done >"$@"

From patchwork Tue Nov 30 11:04:15 2021
X-Patchwork-Submitter: Dimitri John Ledkov
X-Patchwork-Id: 1561569
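Review bot: the new recipe is a verbatim copy of the canonical-certs.pem rule above it with `certs` replaced by `revoked-certs`; a pattern rule or a $(call) macro parameterised on the directory name would keep the two from drifting apart. Two behaviours deserve a comment in the rule: the prerequisites come from $(wildcard), so when no revoked-certs/*-all.pem or *-$(arch).pem exists for the branch the target has no prerequisites and the loop writes an empty file, which is valid (nothing revoked) but easy to mistake for a broken build; and the inner loop breaks on the first directory that has the file, so a branch-specific $(DEBIAN)/revoked-certs/<name> silently overrides a same-named $(DROOT)/revoked-certs/<name>. $(sort $(notdir $^)) also de-duplicates names, so a certificate present under both directories is emitted once, from $(DEBIAN).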
From: Dimitri John Ledkov
To: kernel-team@lists.ubuntu.com
Subject: [SRU][BIONIC][PATCH 15/16] UBUNTU: [Packaging] Revoke 2012 UEFI signing certificate as built-in
Date: Tue, 30 Nov 2021 11:04:15 +0000
Message-Id: <20211130110416.171269-16-dimitri.ledkov@canonical.com>
In-Reply-To: <20211130110416.171269-1-dimitri.ledkov@canonical.com>
References: <20211130110416.171269-1-dimitri.ledkov@canonical.com>

BugLink: https://bugs.launchpad.net/bugs/1932029

Signed-off-by: Dimitri John Ledkov
Signed-off-by: Andrea Righi
(cherry picked from commit 3f72ce72f0b51b6da2638cdded93bb32b9dad2ec)
(xnox: cherry-pick is from impish:linux)
Signed-off-by: Dimitri John Ledkov
---
 .../revoked-certs/canonical-uefi-2012-all.pem | 86 +++++++++++++++++++
 1 file changed, 86 insertions(+)
 create mode 100644 debian/revoked-certs/canonical-uefi-2012-all.pem
diff --git a/debian/revoked-certs/canonical-uefi-2012-all.pem b/debian/revoked-certs/canonical-uefi-2012-all.pem
new file mode 100644
index 0000000000..06c116eec5
--- /dev/null
+++ b/debian/revoked-certs/canonical-uefi-2012-all.pem
@@ -0,0 +1,86 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 1 (0x1) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C = GB, ST = Isle of Man, L = Douglas, O = Canonical Ltd., CN = Canonical Ltd. Master Certificate Authority + Validity + Not Before: Apr 12 11:39:08 2012 GMT + Not After : Apr 11 11:39:08 2042 GMT + Subject: C = GB, ST = Isle of Man, O = Canonical Ltd., OU = Secure Boot, CN = Canonical Ltd. Secure Boot Signing + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public-Key: (2048 bit) + Modulus: + 00:c9:5f:9b:62:8f:0b:b0:64:82:ac:be:c9:e2:62: + e3:4b:d2:9f:1e:8a:d5:61:1a:2b:5d:38:f4:b7:ce: + b9:9a:b8:43:b8:43:97:77:ab:4f:7f:0c:70:46:0b: + fc:7f:6d:c6:6d:ea:80:5e:01:d2:b7:66:1e:87:de: + 0d:6d:d0:41:97:a8:a5:af:0c:63:4f:f7:7c:c2:52: + cc:a0:31:a9:bb:89:5d:99:1e:46:6f:55:73:b9:76: + 69:ec:d7:c1:fc:21:d6:c6:07:e7:4f:bd:22:de:e4: + a8:5b:2d:db:95:34:19:97:d6:28:4b:21:4c:ca:bb: + 1d:79:a6:17:7f:5a:f9:67:e6:5c:78:45:3d:10:6d: + b0:17:59:26:11:c5:57:e3:7f:4e:82:ba:f6:2c:4e: + c8:37:4d:ff:85:15:84:47:e0:ed:3b:7c:7f:bc:af: + e9:01:05:a7:0c:6f:c3:e9:8d:a3:ce:be:a6:e3:cd: + 3c:b5:58:2c:9e:c2:03:1c:60:22:37:39:ff:41:02: + c1:29:a4:65:51:ff:33:34:aa:42:15:f9:95:78:fc: + 2d:f5:da:8a:85:7c:82:9d:fb:37:2c:6b:a5:a8:df: + 7c:55:0b:80:2e:3c:b0:63:e1:cd:38:48:89:e8:14: + 06:0b:82:bc:fd:d4:07:68:1b:0f:3e:d9:15:dd:94: + 11:1b + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:FALSE + X509v3 Extended Key Usage: + Code Signing, 1.3.6.1.4.1.311.10.3.6 + Netscape Comment: + OpenSSL Generated Certificate + X509v3 Subject Key Identifier: + 61:48:2A:A2:83:0D:0A:B2:AD:5A:F1:0B:72:50:DA:90:33:DD:CE:F0 + X509v3 Authority Key Identifier: + keyid:AD:91:99:0B:C2:2A:B1:F5:17:04:8C:23:B6:65:5A:26:8E:34:5A:63 + + Signature Algorithm: sha256WithRSAEncryption + 8f:8a:a1:06:1f:29:b7:0a:4a:d5:c5:fd:81:ab:25:ea:c0:7d: + e2:fc:6a:96:a0:79:93:67:ee:05:0e:25:12:25:e4:5a:f6:aa: + 
1a:f1:12:f3:05:8d:87:5e:f1:5a:5c:cb:8d:23:73:65:1d:15: + b9:de:22:6b:d6:49:67:c9:a3:c6:d7:62:4e:5c:b5:f9:03:83: + 40:81:dc:87:9c:3c:3f:1c:0d:51:9f:94:65:0a:84:48:67:e4: + a2:f8:a6:4a:f0:e7:cd:cd:bd:94:e3:09:d2:5d:2d:16:1b:05: + 15:0b:cb:44:b4:3e:61:42:22:c4:2a:5c:4e:c5:1d:a3:e2:e0: + 52:b2:eb:f4:8b:2b:dc:38:39:5d:fb:88:a1:56:65:5f:2b:4f: + 26:ff:06:78:10:12:eb:8c:5d:32:e3:c6:45:af:25:9b:a0:ff: + 8e:ef:47:09:a3:e9:8b:37:92:92:69:76:7e:34:3b:92:05:67: + 4e:b0:25:ed:bc:5e:5f:8f:b4:d6:ca:40:ff:e4:e2:31:23:0c: + 85:25:ae:0c:55:01:ec:e5:47:5e:df:5b:bc:14:33:e3:c6:f5: + 18:b6:d9:f7:dd:b3:b4:a1:31:d3:5a:5c:5d:7d:3e:bf:0a:e4: + e4:e8:b4:59:7d:3b:b4:8c:a3:1b:b5:20:a3:b9:3e:84:6f:8c: + 21:00:c3:39 +-----BEGIN CERTIFICATE----- +MIIEIDCCAwigAwIBAgIBATANBgkqhkiG9w0BAQsFADCBhDELMAkGA1UEBhMCR0Ix +FDASBgNVBAgMC0lzbGUgb2YgTWFuMRAwDgYDVQQHDAdEb3VnbGFzMRcwFQYDVQQK +DA5DYW5vbmljYWwgTHRkLjE0MDIGA1UEAwwrQ2Fub25pY2FsIEx0ZC4gTWFzdGVy +IENlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0xMjA0MTIxMTM5MDhaFw00MjA0MTEx +MTM5MDhaMH8xCzAJBgNVBAYTAkdCMRQwEgYDVQQIDAtJc2xlIG9mIE1hbjEXMBUG +A1UECgwOQ2Fub25pY2FsIEx0ZC4xFDASBgNVBAsMC1NlY3VyZSBCb290MSswKQYD +VQQDDCJDYW5vbmljYWwgTHRkLiBTZWN1cmUgQm9vdCBTaWduaW5nMIIBIjANBgkq +hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyV+bYo8LsGSCrL7J4mLjS9KfHorVYRor +XTj0t865mrhDuEOXd6tPfwxwRgv8f23GbeqAXgHSt2Yeh94NbdBBl6ilrwxjT/d8 +wlLMoDGpu4ldmR5Gb1VzuXZp7NfB/CHWxgfnT70i3uSoWy3blTQZl9YoSyFMyrsd +eaYXf1r5Z+ZceEU9EG2wF1kmEcVX439Ogrr2LE7IN03/hRWER+DtO3x/vK/pAQWn +DG/D6Y2jzr6m4808tVgsnsIDHGAiNzn/QQLBKaRlUf8zNKpCFfmVePwt9dqKhXyC +nfs3LGulqN98VQuALjywY+HNOEiJ6BQGC4K8/dQHaBsPPtkV3ZQRGwIDAQABo4Gg +MIGdMAwGA1UdEwEB/wQCMAAwHwYDVR0lBBgwFgYIKwYBBQUHAwMGCisGAQQBgjcK +AwYwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRl +MB0GA1UdDgQWBBRhSCqigw0Ksq1a8QtyUNqQM93O8DAfBgNVHSMEGDAWgBStkZkL +wiqx9RcEjCO2ZVomjjRaYzANBgkqhkiG9w0BAQsFAAOCAQEAj4qhBh8ptwpK1cX9 +gasl6sB94vxqlqB5k2fuBQ4lEiXkWvaqGvES8wWNh17xWlzLjSNzZR0Vud4ia9ZJ +Z8mjxtdiTly1+QODQIHch5w8PxwNUZ+UZQqESGfkovimSvDnzc29lOMJ0l0tFhsF 
+FQvLRLQ+YUIixCpcTsUdo+LgUrLr9Isr3Dg5XfuIoVZlXytPJv8GeBAS64xdMuPG +Ra8lm6D/ju9HCaPpizeSkml2fjQ7kgVnTrAl7bxeX4+01spA/+TiMSMMhSWuDFUB +7OVHXt9bvBQz48b1GLbZ992ztKEx01pcXX0+vwrk5Oi0WX07tIyjG7Ugo7k+hG+M +IQDDOQ== +-----END CERTIFICATE-----
From patchwork Tue Nov 30 11:04:16 2021 X-Patchwork-Submitter: Dimitri John Ledkov X-Patchwork-Id: 1561568 From: Dimitri John Ledkov To: kernel-team@lists.ubuntu.com Subject: [SRU][BIONIC][PATCH 16/16] UBUNTU: [Config] Configure CONFIG_SYSTEM_REVOCATION_KEYS with revoked keys Date: Tue, 30 Nov 2021 11:04:16 +0000 Message-Id: <20211130110416.171269-17-dimitri.ledkov@canonical.com> X-Mailer: git-send-email 2.32.0 In-Reply-To: <20211130110416.171269-1-dimitri.ledkov@canonical.com> References: <20211130110416.171269-1-dimitri.ledkov@canonical.com> BugLink: https://bugs.launchpad.net/bugs/1932029 Signed-off-by: Dimitri John Ledkov Signed-off-by: Andrea Righi (cherry picked from commit 741f622c4dbc162b82f8c9045f9c6c6446f57eb5) (xnox: cherry-pick is from impish:linux) Signed-off-by: Dimitri John Ledkov --- debian.master/config/annotations | 1 + debian.master/config/config.common.ubuntu | 2 ++ 2 files changed, 3 insertions(+) diff --git a/debian.master/config/annotations b/debian.master/config/annotations index 82756679de..ea240449df 100644 --- a/debian.master/config/annotations +++ b/debian.master/config/annotations
@@ -502,6 +502,7 @@ CONFIG_SYSTEM_TRUSTED_KEYRING policy<{'amd64': 'y', 'arm64': ' CONFIG_SYSTEM_TRUSTED_KEYS policy<{'amd64': '"debian/canonical-certs.pem"', 'arm64': '"debian/canonical-certs.pem"', 'armhf': '"debian/canonical-certs.pem"', 'i386': '"debian/canonical-certs.pem"', 'ppc64el': '"debian/canonical-certs.pem"', 's390x': '"debian/canonical-certs.pem"'}> CONFIG_SYSTEM_EXTRA_CERTIFICATE policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'ppc64el': 'y', 's390x': 'y'}> CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE policy<{'amd64': '4096', 'arm64': '4096', 'armhf': '4096', 'i386': '4096', 'ppc64el': '4096', 's390x': '4096'}> +CONFIG_SYSTEM_REVOCATION_KEYS policy<{'amd64': '"debian/canonical-revoked-certs.pem"', 'arm64': '"debian/canonical-revoked-certs.pem"', 'armhf': '"debian/canonical-revoked-certs.pem"', 'ppc64el': '"debian/canonical-revoked-certs.pem"', 's390x': '"debian/canonical-revoked-certs.pem"'}> CONFIG_SECONDARY_TRUSTED_KEYRING policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'ppc64el': 'y', 's390x': 'y'}> # Menu: Cryptographic API >> Hardware crypto devices diff --git a/debian.master/config/config.common.ubuntu b/debian.master/config/config.common.ubuntu index fba5bed968..57190d6316 100644 --- a/debian.master/config/config.common.ubuntu +++ b/debian.master/config/config.common.ubuntu @@ -9018,6 +9018,8 @@ CONFIG_SYSTEM_BLACKLIST_KEYRING=y CONFIG_SYSTEM_DATA_VERIFICATION=y CONFIG_SYSTEM_EXTRA_CERTIFICATE=y CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE=4096 +CONFIG_SYSTEM_REVOCATION_KEYS="debian/canonical-revoked-certs.pem" +CONFIG_SYSTEM_REVOCATION_LIST=y CONFIG_SYSTEM_TRUSTED_KEYRING=y CONFIG_SYSTEM_TRUSTED_KEYS="debian/canonical-certs.pem" CONFIG_SYSVIPC=y
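Review bot: In the debian.master/config/annotations hunk, the new CONFIG_SYSTEM_REVOCATION_KEYS policy dict has no 'i386' entry, while the neighbouring CONFIG_SYSTEM_TRUSTED_KEYS, CONFIG_SYSTEM_EXTRA_CERTIFICATE, CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE and CONFIG_SECONDARY_TRUSTED_KEYRING policies all list i386, and the config.common.ubuntu hunk sets the option for every architecture. Either add 'i386': '"debian/canonical-revoked-certs.pem"' to the policy so the annotation check enforces the revoked-keys file on i386 too, or state in the commit message why i386 is left out.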
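Review bot: In the debian.master/config/config.common.ubuntu hunk, CONFIG_SYSTEM_REVOCATION_LIST=y is turned on next to CONFIG_SYSTEM_REVOCATION_KEYS, but the annotations hunk only adds a policy for CONFIG_SYSTEM_REVOCATION_KEYS, so the second option is unenforced by the annotation check. Add a matching CONFIG_SYSTEM_REVOCATION_LIST policy<{'amd64': 'y', 'arm64': 'y', ...}> line in the annotations file, and mention in the commit message that CONFIG_SYSTEM_REVOCATION_LIST is being enabled, since the subject names only CONFIG_SYSTEM_REVOCATION_KEYS.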