[SRU,FOCAL,00/16] Support builtin revoked certificates and mokvar-table

Message ID 20211001154432.20287-1-dimitri.ledkov@canonical.com

Message

Dimitri John Ledkov Oct. 1, 2021, 3:44 p.m. UTC
BugLink: https://bugs.launchpad.net/bugs/1928679
BugLink: https://bugs.launchpad.net/bugs/1932029

Same story as before: backport support for builtin revoked
certificates, and add support for loading revoked certificates from
the mokvar-table.

Note that, due to old lockdown patches and cherry-picks of fixes, the
first commit partially reverts some changes to the internal function
calls to make them closer to what has ended up in vanilla upstream
kernels. Whilst the diff in
security/integrity/platform_certs/load_uefi.c is large against focal,
it is very small when compared with impish.

This SRU includes the mokvar table driver.

Note to crankers - when rebasing derivative kernels one must also
adjust the config to enable CONFIG_SYSTEM_REVOCATION_KEYS. Without
adjusting the config, boot testing will fail, as it will notice that
support is available but not turned on.

Built with cbd for all arches and tested in VM.

Most patches are cherry-picks from upstream, apart from the UBUNTU:
ones, which are packaging or SAUCE patch cherry-picks from impish:linux.

Previous backports of this:
v5.13: https://lists.ubuntu.com/archives/kernel-team/2021-June/121362.html
v5.11: https://lists.ubuntu.com/archives/kernel-team/2021-August/122996.html
v5.10: https://lists.ubuntu.com/archives/kernel-team/2021-August/123470.html
v5.8: https://lists.ubuntu.com/archives/kernel-team/2021-September/124336.html

By popular demand this is also available as a git branch / pull
request and launchpad merge request:

https://code.launchpad.net/~xnox/ubuntu/+source/linux/+git/focal/+merge/409374

The following changes since commit a4a17166114e9aece92a2525226433d3c9c77f72:

  UBUNTU: upstream stable to v5.4.145 (2021-10-01 11:34:04 +0200)

are available in the Git repository at:

  https://git.launchpad.net/~xnox/ubuntu/+source/linux/+git/focal 5.4-revocation-certs

for you to fetch changes up to 1b21f2893dfddb55335bad4bc8d0eae3074a9753:

  UBUNTU: [Config] Configure CONFIG_SYSTEM_REVOCATION_KEYS with revoked keys (2021-10-01 16:11:49 +0100)

Ard Biesheuvel (2):
  efi: mokvar-table: fix some issues in new code
  efi: mokvar: add missing include of asm/early_ioremap.h

Borislav Petkov (1):
  efi/mokvar: Reserve the table only if it is in boot services data

Dimitri John Ledkov (6):
  Revert "UBUNTU: SAUCE: (lockdown) Make get_cert_list() not complain
    about cert lists that aren't present."
  UBUNTU: SAUCE: integrity: Load mokx certs from the EFI MOK config
    table
  UBUNTU: SAUCE: integrity: add informational messages when revoking
    certs
  UBUNTU: [Packaging] build canonical-revoked-certs.pem from branch/arch
    certs
  UBUNTU: [Packaging] Revoke 2012 UEFI signing certificate as built-in
  UBUNTU: [Config] Configure CONFIG_SYSTEM_REVOCATION_KEYS with revoked
    keys

Eric Snowberg (2):
  certs: Add ability to preload revocation certs
  integrity: Load mokx variables into the blacklist keyring

Lenny Szubowicz (3):
  efi: Support for MOK variable config table
  integrity: Move import of MokListRT certs to a separate routine
  integrity: Load certs from the EFI MOK config table

Linus Torvalds (1):
  certs: add 'x509_revocation_list' to gitignore

Tim Gardner (1):
  UBUNTU: SAUCE: Dump stack when X.509 certificates cannot be loaded

 arch/x86/kernel/setup.c                       |   1 +
 arch/x86/platform/efi/efi.c                   |   3 +
 certs/.gitignore                              |   1 +
 certs/Kconfig                                 |   8 +
 certs/Makefile                                |  19 +-
 certs/blacklist.c                             |  24 ++
 certs/common.c                                |   1 +
 certs/revocation_certificates.S               |  21 +
 debian.master/config/annotations              |   1 +
 debian.master/config/config.common.ubuntu     |   1 +
 .../revoked-certs/canonical-uefi-2012-all.pem |  86 +++++
 debian/rules                                  |  14 +-
 drivers/firmware/efi/Makefile                 |   1 +
 drivers/firmware/efi/arm-init.c               |   1 +
 drivers/firmware/efi/efi.c                    |   6 +
 drivers/firmware/efi/mokvar-table.c           | 362 ++++++++++++++++++
 include/linux/efi.h                           |  34 ++
 scripts/Makefile                              |   1 +
 .../platform_certs/keyring_handler.c          |   1 +
 security/integrity/platform_certs/load_uefi.c | 138 +++++--
 20 files changed, 684 insertions(+), 40 deletions(-)
 create mode 100644 certs/revocation_certificates.S
 create mode 100644 debian/revoked-certs/canonical-uefi-2012-all.pem
 create mode 100644 drivers/firmware/efi/mokvar-table.c
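
The note to crankers above describes a config mistake that is only caught at boot-test time. As an added example (not part of this series, the Ubuntu kernel packaging, or any of the cherry-picked upstream commits), the POSIX shell check below classifies a kernel .config by the two Kconfig symbols the series introduces, CONFIG_SYSTEM_REVOCATION_LIST and CONFIG_SYSTEM_REVOCATION_KEYS, so the "support is available but not turned on" case can be caught before a build. The sample configs are constructed; the keys path in them, debian/canonical-revoked-certs.pem, is an assumption modelled on the file name the packaging patch builds, and the keyctl helper assumes keyutils is installed and that preloaded revocation certificates appear in the .blacklist keyring as keys of type asymmetric.

```shell
#!/bin/sh
# Added example, not code from the patch series or Ubuntu packaging.
# Classifies a kernel .config with respect to built-in revocation certs.
# The two symbols are the real Kconfig options added by
# "certs: Add ability to preload revocation certs":
#   CONFIG_SYSTEM_REVOCATION_LIST  bool,   enables loading into .blacklist
#   CONFIG_SYSTEM_REVOCATION_KEYS  string, PEM file of certs to preload
#
# Prints exactly one word; returns 0 only for "ok":
#   ok                   list enabled and a keys file configured
#   support-not-enabled  list enabled but KEYS empty (what boot testing flags)
#   not-supported        kernel has no revocation-list support at all
#   keys-without-list    KEYS set but LIST off: the keys would never be loaded
#   keys-file-missing    2nd arg (source tree) given and the PEM is absent
check_revocation_config() {
    cfg="$1"
    srctree="${2:-}"
    list=$(sed -n 's/^CONFIG_SYSTEM_REVOCATION_LIST=\(.*\)$/\1/p' "$cfg")
    keys=$(sed -n 's/^CONFIG_SYSTEM_REVOCATION_KEYS="\(.*\)"$/\1/p' "$cfg")

    if [ "$list" != "y" ]; then
        if [ -n "$keys" ]; then echo keys-without-list; else echo not-supported; fi
        return 1
    fi
    if [ -z "$keys" ]; then
        echo support-not-enabled
        return 1
    fi
    if [ -n "$srctree" ] && [ ! -f "$srctree/$keys" ]; then
        echo keys-file-missing
        return 1
    fi
    echo ok
    return 0
}

# On a running kernel: count the revocation certs actually present in the
# .blacklist keyring. Assumes keyutils is installed and that preloaded
# revocation certs are keys of type "asymmetric". Prints -1 without keyctl.
count_loaded_revocation_certs() {
    command -v keyctl >/dev/null 2>&1 || { printf '%s\n' -1; return 1; }
    keyctl show %:.blacklist 2>/dev/null | grep -c ' asymmetric: ' || true
}

# Constructed sample config fragments for the demonstration (not real
# Ubuntu configs). The keys path is an assumed value modelled on the PEM
# file name this series builds.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
printf '%s\n' 'CONFIG_SYSTEM_REVOCATION_LIST=y' \
    'CONFIG_SYSTEM_REVOCATION_KEYS="debian/canonical-revoked-certs.pem"' \
    > "$SAMPLE_DIR/crank-ok.config"
printf '%s\n' 'CONFIG_SYSTEM_REVOCATION_LIST=y' \
    'CONFIG_SYSTEM_REVOCATION_KEYS=""' \
    > "$SAMPLE_DIR/crank-forgot-config.config"
printf '%s\n' '# CONFIG_SYSTEM_REVOCATION_LIST is not set' \
    > "$SAMPLE_DIR/pre-backport.config"
printf '%s\n' '# CONFIG_SYSTEM_REVOCATION_LIST is not set' \
    'CONFIG_SYSTEM_REVOCATION_KEYS="debian/canonical-revoked-certs.pem"' \
    > "$SAMPLE_DIR/keys-but-no-list.config"

# Demonstration: gate each sample the way a boot test would, and show the
# source-tree variant that also verifies the PEM file exists.
for f in "$SAMPLE_DIR"/*.config; do
    if result=$(check_revocation_config "$f"); then
        printf '%-28s PASS (%s)\n' "$(basename "$f")" "$result"
    else
        printf '%-28s FAIL (%s)\n' "$(basename "$f")" "$result"
    fi
done
printf 'with source tree, PEM absent:  %s\n' \
    "$(check_revocation_config "$SAMPLE_DIR/crank-ok.config" "$SAMPLE_DIR")"
```

Run it against a real tree with `check_revocation_config debian.master/config/config.common.ubuntu .` after sourcing the file; the second argument makes the check fail if the configured PEM has not been generated in the tree, which is the other way a crank can pass the config step and still ship a kernel with no built-in revocations.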

Comments

Tim Gardner Oct. 4, 2021, 11:51 a.m. UTC | #1
Acked-by: Tim Gardner <tim.gardner@canonical.com>

This is a pretty well tested patch set by now.

On 10/1/21 9:44 AM, Dimitri John Ledkov wrote:
> [...]
Stefan Bader Oct. 4, 2021, 1:36 p.m. UTC | #2
On 01.10.21 17:44, Dimitri John Ledkov wrote:
> [...]

Just out of curiosity... why is the Focal set only 16 patches while the 5.8
backport was 18? The latter had a revert and re-apply while the new Focal set
has one Revert only. I am sure I am missing something...

I think the note to crankers would be best placed into a card (I think there is
one already which could get extended) which we can link into the individual cranks.

-Stefan
Dimitri John Ledkov Oct. 4, 2021, 2:15 p.m. UTC | #3
On Mon, Oct 4, 2021 at 2:36 PM Stefan Bader <stefan.bader@canonical.com> wrote:
>
> On 01.10.21 17:44, Dimitri John Ledkov wrote:
> > [...]
>
> Just out of curiosity... why is the Focal set only 16 patches while the 5.8
> backport was 18.. The latter had a revert and re-apply while the new Focal set
> has one Revert only. I am sure I miss something...
>

Each kernel series has a different number of patches, based on whether
or not stable series were alive when they got backported upstream,
whether the upstream backports included everything or not, and also
how the conflicts were resolved when applying stable update
cherry-picks. Hence so far every series backport has been of a
different length.

The mainline patches:
81f2023158 certs: add 'x509_revocation_list' to gitignore
ebd9c2ae36 integrity: Load mokx variables into the blacklist keyring
d1f044103d certs: Add ability to preload revocation certs
2565ca7f5e certs: Move load_system_certificate_list to a common function
56c5812623 certs: Add EFI_CERT_X509_GUID support for dbx entries

are needed to implement builtin & mokvar-table based revocations, and
yet only some of the above got backported via -stable trees to a
subset of series. When any of the above were missing via stable
series, I had to cherry-pick them.

Plus, the mokvar-table driver, which Ubuntu's shim requires (as
otherwise buggy EFI firmwares fail to mirror variables and let the
kernel access things), never made it back via stable trees, hence I
also had to backport it when not present:

af963802dd efi/mokvar: Reserve the table only if it is in boot services data
cc383a9e24 efi: mokvar: add missing include of asm/early_ioremap.h
b89114cd01 efi: mokvar-table: fix some issues in new code
58c909022a efi: Support for MOK variable config table

I think we are the only ones who care as much about all of these
backports, because out of all the distros we are the ones who have
been signing things the longest and have the most keys to revoke.
Meaning others are not affected by low EFI variable runtime space /
mirroring firmware bugs, hence all of these fixes are in mainline for
their future revocations.

> I think the note to crankers would be best placed into a card (think there is
> one already which could get extended) which we can link into the individual cranks.

Ack.
Stefan Bader Oct. 7, 2021, 7:49 a.m. UTC | #4
On 01.10.21 17:44, Dimitri John Ledkov wrote:
> [...]
Acked-by: Stefan Bader <stefan.bader@canonical.com>
Kelsey Skunberg Oct. 13, 2021, 11:43 p.m. UTC | #5
Applied to Focal master-next. Thank you! 

-Kelsey

On 2021-10-01 16:44:16 , Dimitri John Ledkov wrote:
> [...]