Message ID | 20211130110416.171269-1-dimitri.ledkov@canonical.com |
---|---|
Headers | show |
Series | Support builtin revoked certificates and mokvar-table | expand |
Just missing your SOB on patches 5 and 6.
Acked-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
Acked-by: Tim Gardner <tim.gardner@canonical.com> What is the provenance of patches 5/6 ? They look like they came from a stable update in one of our repos. They are also missing your S-O-B. On 11/30/21 4:04 AM, Dimitri John Ledkov wrote: > BugLink: https://bugs.launchpad.net/bugs/1928679 > BugLink: https://bugs.launchpad.net/bugs/1932029 > > Same story as before, backport support for builtin revoked > certificates, add support loading revoked certificates from > mokvar-table. > > Some of the patches had to be adjusted during backport. For example, > instead of patching security/integrity/platform_certs/load_uefi.c > which does not exist in v4.15 kernel certs/load_uefi.c is. Some error > handling is done differently as well. For example, EFI status not > found is not handled when loading keys from variables. > > This series doesn't have any reverts, as the lockdown patchset is > mostly older without any major reorgs that didn't make upstream. It is > slightly larger than focal's one as support for EFI_CERT_X509_GUID did > not land via linux-stable updates. > > After this patch is applied, the RT boot testing & kernel built-in > final check will catch any kernels that do not have > CONFIG_SYSTEM_REVOCATION_KEYS set. In bionic, this may trip up raspi2, > snapdgaron, kvm flavours as they in theory can support UEFI, but are > not signed and may not enable all the lockdown and keyring > features. These flavours may need reverting 70de61082d ("UBUNTU: > [Packaging] Add system trusted and revocation keys final check") as > was done in Focal. Or enable all the keyrings and builtin revocation > keys. > > Focal patches already reviewed and applied: > > https://lists.ubuntu.com/archives/kernel-team/2021-October/124497.html > > The following changes since commit 8233475840ca94121170efeaa4f661c7029ac576: > > UBUNTU: Ubuntu-4.15.0-164.172 (2021-11-26 17:31:19 -0700) > > are available in the Git repository at: > > https://git.launchpad.net/~xnox/ubuntu/+source/linux/+git/bionic revocation-keys > > for you to fetch changes up to 750558eb34dd84c912dbe004aca41987665535d5: > > UBUNTU: [Config] Configure CONFIG_SYSTEM_REVOCATION_KEYS with revoked keys (2021-11-30 10:44:16 +0000) > > This pull request can also be reviewed on launchpad at: > > https://code.launchpad.net/~xnox/ubuntu/+source/linux/+git/bionic/+merge/412577 > > Ard Biesheuvel (2): > efi: mokvar-table: fix some issues in new code > efi: mokvar: add missing include of asm/early_ioremap.h > > Borislav Petkov (1): > efi/mokvar: Reserve the table only if it is in boot services data > > Dimitri John Ledkov (5): > UBUNTU: SAUCE: integrity: Load mokx certs from the EFI MOK config > table > UBUNTU: SAUCE: integrity: add informational messages when revoking > certs > UBUNTU: [Packaging] build canonical-revoked-certs.pem from branch/arch > certs > UBUNTU: [Packaging] Revoke 2012 UEFI signing certificate as built-in > UBUNTU: [Config] Configure CONFIG_SYSTEM_REVOCATION_KEYS with revoked > keys > > Eric Snowberg (3): > certs: Add EFI_CERT_X509_GUID support for dbx entries > certs: Move load_system_certificate_list to a common function > certs: Add ability to preload revocation certs > > Lenny Szubowicz (3): > efi: Support for MOK variable config table > integrity: Move import of MokListRT certs to a separate routine > integrity: Load certs from the EFI MOK config table > > Linus Torvalds (1): > certs: add 'x509_revocation_list' to gitignore > > Tim Gardner (1): > UBUNTU: SAUCE: Dump stack when X.509 certificates cannot be loaded > > arch/x86/kernel/setup.c | 1 + > certs/.gitignore | 1 + > certs/Kconfig | 17 + > certs/Makefile | 21 +- > certs/blacklist.c | 67 ++++ > certs/blacklist.h | 2 + > certs/common.c | 58 +++ > certs/common.h | 9 + > certs/load_uefi.c | 109 +++++- > certs/revocation_certificates.S | 21 + > certs/system_keyring.c | 57 +-- > debian.master/config/annotations | 1 + > debian.master/config/config.common.ubuntu | 2 + > .../revoked-certs/canonical-uefi-2012-all.pem | 86 +++++ > debian/rules | 14 +- > drivers/firmware/efi/Makefile | 1 + > drivers/firmware/efi/arm-init.c | 1 + > drivers/firmware/efi/efi.c | 9 + > drivers/firmware/efi/mokvar-table.c | 362 ++++++++++++++++++ > include/keys/system_keyring.h | 15 + > include/linux/efi.h | 34 ++ > scripts/Makefile | 1 + > 22 files changed, 824 insertions(+), 65 deletions(-) > create mode 100644 certs/common.c > create mode 100644 certs/common.h > create mode 100644 certs/revocation_certificates.S > create mode 100644 debian/revoked-certs/canonical-uefi-2012-all.pem > create mode 100644 drivers/firmware/efi/mokvar-table.c >
On Tue, 30 Nov 2021, 13:17 Tim Gardner, <tim.gardner@canonical.com> wrote: > Acked-by: Tim Gardner <tim.gardner@canonical.com> > > What is the provenance of patches 5/6 ? They look like they came from a > stable update in one of our repos. They are also missing your S-O-B. > Yes, sorry about my missing S-O-B. The provenance of those patches is that without them kernel does not load asymmetric keys from dbx or moklistx. In 2019/2020 an attempt was made to revoke all grubs and kernels signed by the 2012 key by publishing said key in uefi.org dbx and in Ubuntu shim. This preventing booting vulnerable grubs and kernels, but did not prevent kexec from fixed kernels to 2012 signed ones. In order for us to be able to revoke signing keys out of band in the future kernels must learn to load assymetric keys from dbx and moklistx into blacklist keyring. These patches are present in focal+ kernels. On 11/30/21 4:04 AM, Dimitri John Ledkov wrote: > > BugLink: https://bugs.launchpad.net/bugs/1928679 > > BugLink: https://bugs.launchpad.net/bugs/1932029 > > > > Same story as before, backport support for builtin revoked > > certificates, add support loading revoked certificates from > > mokvar-table. > > > > Some of the patches had to be adjusted during backport. For example, > > instead of patching security/integrity/platform_certs/load_uefi.c > > which does not exist in v4.15 kernel certs/load_uefi.c is. Some error > > handling is done differently as well. For example, EFI status not > > found is not handled when loading keys from variables. > > > > This series doesn't have any reverts, as the lockdown patchset is > > mostly older without any major reorgs that didn't make upstream. It is > > slightly larger than focal's one as support for EFI_CERT_X509_GUID did > > not land via linux-stable updates. > > > > After this patch is applied, the RT boot testing & kernel built-in > > final check will catch any kernels that do not have > > CONFIG_SYSTEM_REVOCATION_KEYS set. In bionic, this may trip up raspi2, > > snapdgaron, kvm flavours as they in theory can support UEFI, but are > > not signed and may not enable all the lockdown and keyring > > features. These flavours may need reverting 70de61082d ("UBUNTU: > > [Packaging] Add system trusted and revocation keys final check") as > > was done in Focal. Or enable all the keyrings and builtin revocation > > keys. > > > > Focal patches already reviewed and applied: > > > > > https://lists.ubuntu.com/archives/kernel-team/2021-October/124497.html > > > > The following changes since commit > 8233475840ca94121170efeaa4f661c7029ac576: > > > > UBUNTU: Ubuntu-4.15.0-164.172 (2021-11-26 17:31:19 -0700) > > > > are available in the Git repository at: > > > > https://git.launchpad.net/~xnox/ubuntu/+source/linux/+git/bionic > revocation-keys > > > > for you to fetch changes up to 750558eb34dd84c912dbe004aca41987665535d5: > > > > UBUNTU: [Config] Configure CONFIG_SYSTEM_REVOCATION_KEYS with revoked > keys (2021-11-30 10:44:16 +0000) > > > > This pull request can also be reviewed on launchpad at: > > > > > https://code.launchpad.net/~xnox/ubuntu/+source/linux/+git/bionic/+merge/412577 > > > > Ard Biesheuvel (2): > > efi: mokvar-table: fix some issues in new code > > efi: mokvar: add missing include of asm/early_ioremap.h > > > > Borislav Petkov (1): > > efi/mokvar: Reserve the table only if it is in boot services data > > > > Dimitri John Ledkov (5): > > UBUNTU: SAUCE: integrity: Load mokx certs from the EFI MOK config > > table > > UBUNTU: SAUCE: integrity: add informational messages when revoking > > certs > > UBUNTU: [Packaging] build canonical-revoked-certs.pem from branch/arch > > certs > > UBUNTU: [Packaging] Revoke 2012 UEFI signing certificate as built-in > > UBUNTU: [Config] Configure CONFIG_SYSTEM_REVOCATION_KEYS with revoked > > keys > > > > Eric Snowberg (3): > > certs: Add EFI_CERT_X509_GUID support for dbx entries > > certs: Move load_system_certificate_list to a common function > > certs: Add ability to preload revocation certs > > > > Lenny Szubowicz (3): > > efi: Support for MOK variable config table > > integrity: Move import of MokListRT certs to a separate routine > > integrity: Load certs from the EFI MOK config table > > > > Linus Torvalds (1): > > certs: add 'x509_revocation_list' to gitignore > > > > Tim Gardner (1): > > UBUNTU: SAUCE: Dump stack when X.509 certificates cannot be loaded > > > > arch/x86/kernel/setup.c | 1 + > > certs/.gitignore | 1 + > > certs/Kconfig | 17 + > > certs/Makefile | 21 +- > > certs/blacklist.c | 67 ++++ > > certs/blacklist.h | 2 + > > certs/common.c | 58 +++ > > certs/common.h | 9 + > > certs/load_uefi.c | 109 +++++- > > certs/revocation_certificates.S | 21 + > > certs/system_keyring.c | 57 +-- > > debian.master/config/annotations | 1 + > > debian.master/config/config.common.ubuntu | 2 + > > .../revoked-certs/canonical-uefi-2012-all.pem | 86 +++++ > > debian/rules | 14 +- > > drivers/firmware/efi/Makefile | 1 + > > drivers/firmware/efi/arm-init.c | 1 + > > drivers/firmware/efi/efi.c | 9 + > > drivers/firmware/efi/mokvar-table.c | 362 ++++++++++++++++++ > > include/keys/system_keyring.h | 15 + > > include/linux/efi.h | 34 ++ > > scripts/Makefile | 1 + > > 22 files changed, 824 insertions(+), 65 deletions(-) > > create mode 100644 certs/common.c > > create mode 100644 certs/common.h > > create mode 100644 certs/revocation_certificates.S > > create mode 100644 debian/revoked-certs/canonical-uefi-2012-all.pem > > create mode 100644 drivers/firmware/efi/mokvar-table.c > > > > -- > ----------- > Tim Gardner > Canonical, Inc >
On 30.11.21 12:04, Dimitri John Ledkov wrote: > BugLink: https://bugs.launchpad.net/bugs/1928679 > BugLink: https://bugs.launchpad.net/bugs/1932029 > > Same story as before, backport support for builtin revoked > certificates, add support loading revoked certificates from > mokvar-table. > > Some of the patches had to be adjusted during backport. For example, > instead of patching security/integrity/platform_certs/load_uefi.c > which does not exist in v4.15 kernel certs/load_uefi.c is. Some error > handling is done differently as well. For example, EFI status not > found is not handled when loading keys from variables. > > This series doesn't have any reverts, as the lockdown patchset is > mostly older without any major reorgs that didn't make upstream. It is > slightly larger than focal's one as support for EFI_CERT_X509_GUID did > not land via linux-stable updates. > > After this patch is applied, the RT boot testing & kernel built-in > final check will catch any kernels that do not have > CONFIG_SYSTEM_REVOCATION_KEYS set. In bionic, this may trip up raspi2, > snapdgaron, kvm flavours as they in theory can support UEFI, but are > not signed and may not enable all the lockdown and keyring > features. These flavours may need reverting 70de61082d ("UBUNTU: > [Packaging] Add system trusted and revocation keys final check") as > was done in Focal. Or enable all the keyrings and builtin revocation > keys. > > Focal patches already reviewed and applied: > > https://lists.ubuntu.com/archives/kernel-team/2021-October/124497.html > > The following changes since commit 8233475840ca94121170efeaa4f661c7029ac576: > > UBUNTU: Ubuntu-4.15.0-164.172 (2021-11-26 17:31:19 -0700) > > are available in the Git repository at: > > https://git.launchpad.net/~xnox/ubuntu/+source/linux/+git/bionic revocation-keys > > for you to fetch changes up to 750558eb34dd84c912dbe004aca41987665535d5: > > UBUNTU: [Config] Configure CONFIG_SYSTEM_REVOCATION_KEYS with revoked keys (2021-11-30 10:44:16 +0000) > > This pull request can also be reviewed on launchpad at: > > https://code.launchpad.net/~xnox/ubuntu/+source/linux/+git/bionic/+merge/412577 > > Ard Biesheuvel (2): > efi: mokvar-table: fix some issues in new code > efi: mokvar: add missing include of asm/early_ioremap.h > > Borislav Petkov (1): > efi/mokvar: Reserve the table only if it is in boot services data > > Dimitri John Ledkov (5): > UBUNTU: SAUCE: integrity: Load mokx certs from the EFI MOK config > table > UBUNTU: SAUCE: integrity: add informational messages when revoking > certs > UBUNTU: [Packaging] build canonical-revoked-certs.pem from branch/arch > certs > UBUNTU: [Packaging] Revoke 2012 UEFI signing certificate as built-in > UBUNTU: [Config] Configure CONFIG_SYSTEM_REVOCATION_KEYS with revoked > keys > > Eric Snowberg (3): > certs: Add EFI_CERT_X509_GUID support for dbx entries > certs: Move load_system_certificate_list to a common function > certs: Add ability to preload revocation certs > > Lenny Szubowicz (3): > efi: Support for MOK variable config table > integrity: Move import of MokListRT certs to a separate routine > integrity: Load certs from the EFI MOK config table > > Linus Torvalds (1): > certs: add 'x509_revocation_list' to gitignore > > Tim Gardner (1): > UBUNTU: SAUCE: Dump stack when X.509 certificates cannot be loaded > > arch/x86/kernel/setup.c | 1 + > certs/.gitignore | 1 + > certs/Kconfig | 17 + > certs/Makefile | 21 +- > certs/blacklist.c | 67 ++++ > certs/blacklist.h | 2 + > certs/common.c | 58 +++ > certs/common.h | 9 + > certs/load_uefi.c | 109 +++++- > certs/revocation_certificates.S | 21 + > certs/system_keyring.c | 57 +-- > debian.master/config/annotations | 1 + > debian.master/config/config.common.ubuntu | 2 + > .../revoked-certs/canonical-uefi-2012-all.pem | 86 +++++ > debian/rules | 14 +- > drivers/firmware/efi/Makefile | 1 + > drivers/firmware/efi/arm-init.c | 1 + > drivers/firmware/efi/efi.c | 9 + > drivers/firmware/efi/mokvar-table.c | 362 ++++++++++++++++++ > include/keys/system_keyring.h | 15 + > include/linux/efi.h | 34 ++ > scripts/Makefile | 1 + > 22 files changed, 824 insertions(+), 65 deletions(-) > create mode 100644 certs/common.c > create mode 100644 certs/common.h > create mode 100644 certs/revocation_certificates.S > create mode 100644 debian/revoked-certs/canonical-uefi-2012-all.pem > create mode 100644 drivers/firmware/efi/mokvar-table.c > Patches 5 and 6 come from focal:linux, so I have added the "cherry picked from ..." line and Dimitri's SOB. I have also replaced the BugLink by LP#1932029. Applied to bionic:linux. Thanks, Kleber