From patchwork Fri Oct 1 15:44:16 2021
X-Patchwork-Submitter: Dimitri John Ledkov
X-Patchwork-Id: 1535382
From: Dimitri John Ledkov
To: kernel-team@lists.ubuntu.com
Subject: [SRU][FOCAL][PATCH 00/16] Support builtin revoked certificates and mokvar-table
Date: Fri, 1 Oct 2021 16:44:16 +0100
Message-Id: <20211001154432.20287-1-dimitri.ledkov@canonical.com>
X-Mailer: git-send-email 2.30.2
List-Id: Kernel team discussions

BugLink: https://bugs.launchpad.net/bugs/1928679
BugLink: https://bugs.launchpad.net/bugs/1932029

Same story as before: backport support for builtin revoked certificates, and add support for loading revoked certificates from the mokvar table.

Note: due to old lockdown patches and cherry-picks of fixes, the first commit partially reverts some changes to the internal function calls, to make them closer to what has ended up in vanilla upstream kernels.

Whilst the diff in security/integrity/platform_certs/load_uefi.c is large against focal, it is very small when compared with impish.

This SRU includes the mokvar table driver.

Note to crankers: when rebasing derivative kernels one must also adjust the config to enable CONFIG_SYSTEM_REVOCATION_KEYS. Without adjusting the config, boot testing will fail, as it will notice that support is available but not turned on.

Built with cbd for all arches and tested in a VM.

Most patches are cherry-picks from upstream, apart from the UBUNTU: ones, which are packaging or SAUCE patch cherry-picks from impish:linux.
Previous backports of this:

v5.13: https://lists.ubuntu.com/archives/kernel-team/2021-June/121362.html
v5.11: https://lists.ubuntu.com/archives/kernel-team/2021-August/122996.html
v5.10: https://lists.ubuntu.com/archives/kernel-team/2021-August/123470.html
v5.8:  https://lists.ubuntu.com/archives/kernel-team/2021-September/124336.html

By popular demand this is also available as a git branch / pull request and launchpad merge request:
https://code.launchpad.net/~xnox/ubuntu/+source/linux/+git/focal/+merge/409374

The following changes since commit a4a17166114e9aece92a2525226433d3c9c77f72:

  UBUNTU: upstream stable to v5.4.145 (2021-10-01 11:34:04 +0200)

are available in the Git repository at:

  https://git.launchpad.net/~xnox/ubuntu/+source/linux/+git/focal 5.4-revocation-certs

for you to fetch changes up to 1b21f2893dfddb55335bad4bc8d0eae3074a9753:

  UBUNTU: [Config] Configure CONFIG_SYSTEM_REVOCATION_KEYS with revoked keys (2021-10-01 16:11:49 +0100)

Ard Biesheuvel (2):
      efi: mokvar-table: fix some issues in new code
      efi: mokvar: add missing include of asm/early_ioremap.h

Borislav Petkov (1):
      efi/mokvar: Reserve the table only if it is in boot services data

Dimitri John Ledkov (6):
      Revert "UBUNTU: SAUCE: (lockdown) Make get_cert_list() not complain about cert lists that aren't present."
      UBUNTU: SAUCE: integrity: Load mokx certs from the EFI MOK config table
      UBUNTU: SAUCE: integrity: add informational messages when revoking certs
      UBUNTU: [Packaging] build canonical-revoked-certs.pem from branch/arch certs
      UBUNTU: [Packaging] Revoke 2012 UEFI signing certificate as built-in
      UBUNTU: [Config] Configure CONFIG_SYSTEM_REVOCATION_KEYS with revoked keys

Eric Snowberg (2):
      certs: Add ability to preload revocation certs
      integrity: Load mokx variables into the blacklist keyring

Lenny Szubowicz (3):
      efi: Support for MOK variable config table
      integrity: Move import of MokListRT certs to a separate routine
      integrity: Load certs from the EFI MOK config table

Linus Torvalds (1):
      certs: add 'x509_revocation_list' to gitignore

Tim Gardner (1):
      UBUNTU: SAUCE: Dump stack when X.509 certificates cannot be loaded

 arch/x86/kernel/setup.c                            |   1 +
 arch/x86/platform/efi/efi.c                        |   3 +
 certs/.gitignore                                   |   1 +
 certs/Kconfig                                      |   8 +
 certs/Makefile                                     |  19 +-
 certs/blacklist.c                                  |  24 ++
 certs/common.c                                     |   1 +
 certs/revocation_certificates.S                    |  21 +
 debian.master/config/annotations                   |   1 +
 debian.master/config/config.common.ubuntu          |   1 +
 .../revoked-certs/canonical-uefi-2012-all.pem      |  86 +++++
 debian/rules                                       |  14 +-
 drivers/firmware/efi/Makefile                      |   1 +
 drivers/firmware/efi/arm-init.c                    |   1 +
 drivers/firmware/efi/efi.c                         |   6 +
 drivers/firmware/efi/mokvar-table.c                | 362 ++++++++++++++++++
 include/linux/efi.h                                |  34 ++
 scripts/Makefile                                   |   1 +
 .../platform_certs/keyring_handler.c               |   1 +
 security/integrity/platform_certs/load_uefi.c      | 138 +++++--
 20 files changed, 684 insertions(+), 40 deletions(-)
 create mode 100644 certs/revocation_certificates.S
 create mode 100644 debian/revoked-certs/canonical-uefi-2012-all.pem
 create mode 100644 drivers/firmware/efi/mokvar-table.c

Acked-by: Tim Gardner
Acked-by: Stefan Bader
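Added example, written for this page and not code from the series above or from the kernel tree: the MokListXRT data that the mokvar-table driver hands to load_uefi.c is, like UEFI dbx, an array of EFI_SIGNATURE_LIST structures, and the kernel fills the .blacklist keyring by walking that array and routing each entry by its SignatureType GUID. The program below walks such a blob with the bounds checks a firmware-supplied buffer needs, counts X.509 and SHA-256 entries, and renders a hash the way uefi_blacklist_binary() in keyring_handler.c names it in the .blacklist keyring ("bin:" followed by lowercase hex). The sample blob is constructed inline; the struct and function names (esl_parse, esl_hash_desc, esl_build_sample) are mine, and the sysfs path in the usage note is the one the mokvar-table driver in this series exports when firmware provides the table.

```c
/* Walk an EFI_SIGNATURE_LIST blob (the format of UEFI dbx and of MokListXRT) and
 * classify its entries as the kernel does before filling .blacklist. Added example. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* EFI_CERT_X509_GUID and EFI_CERT_SHA256_GUID in UEFI on-disk byte order. */
static const uint8_t EFI_CERT_X509_GUID[16] = { 0xa1, 0x59, 0xc0, 0xa5, 0xe4, 0x94,
    0xa7, 0x4a, 0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72 };
static const uint8_t EFI_CERT_SHA256_GUID[16] = { 0x26, 0x16, 0xc4, 0xc1, 0x4c, 0x50,
    0x92, 0x40, 0xac, 0xa9, 0x41, 0xf9, 0x36, 0x93, 0x43, 0x28 };

struct esl_summary {
    unsigned lists, x509, sha256, unknown; /* headers walked; entries by type */
    uint8_t first_sha256[32];              /* first raw hash seen, if any */
};

static uint32_t le32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static void put_le32(uint8_t *p, uint32_t v) { p[0] = v; p[1] = v >> 8; p[2] = v >> 16; p[3] = v >> 24; }

/* A list is a 28-byte header (type GUID, SignatureListSize, SignatureHeaderSize,
 * SignatureSize), an optional header, then SignatureSize-byte entries of a 16-byte owner
 * GUID plus payload. Sizes come from firmware, so each is checked before use. 0 or -1. */
int esl_parse(const uint8_t *buf, size_t len, struct esl_summary *out)
{
    size_t off = 0, body, i;
    memset(out, 0, sizeof(*out));
    while (off < len) {
        const uint8_t *hdr = buf + off;
        uint32_t list_size, hdr_size, sig_size, is_x509, is_sha256;
        if (len - off < 28) return -1;
        list_size = le32(hdr + 16); hdr_size = le32(hdr + 20); sig_size = le32(hdr + 24);
        if (list_size < 28 || list_size > len - off || hdr_size > list_size - 28) return -1;
        body = list_size - 28 - hdr_size;
        if (sig_size <= 16 || body % sig_size != 0) return -1;
        is_x509 = !memcmp(hdr, EFI_CERT_X509_GUID, 16); is_sha256 = !memcmp(hdr, EFI_CERT_SHA256_GUID, 16);
        if (is_sha256 && sig_size != 16 + 32) return -1; /* exactly owner GUID + SHA-256 */
        for (i = 0; i < body / sig_size; i++) {
            const uint8_t *payload = hdr + 28 + hdr_size + i * sig_size + 16;
            if (is_x509)
                out->x509++;
            else if (!is_sha256)
                out->unknown++;
            else if (out->sha256++ == 0) /* keep the first hash for display */
                memcpy(out->first_sha256, payload, 32);
        }
        out->lists++; off += list_size;
    }
    return 0;
}

/* Description a revoked hash gets in the .blacklist keyring: "bin:" plus lowercase hex,
 * as uefi_blacklist_binary() in keyring_handler.c builds it. out must hold 69 bytes. */
void esl_hash_desc(const uint8_t hash[32], char *out)
{
    int i;
    memcpy(out, "bin:", 4);
    for (i = 0; i < 32; i++)
        sprintf(out + 4 + 2 * i, "%02x", hash[i]); /* the last call writes the NUL */
}

/* Emit a list header with no SignatureHeader for n entries of sig_size bytes each. */
static uint8_t *put_hdr(uint8_t *p, const uint8_t type[16], uint32_t n, uint32_t sig_size)
{
    memcpy(p, type, 16);
    put_le32(p + 16, 28 + n * sig_size); put_le32(p + 20, 0); put_le32(p + 24, sig_size);
    return p + 28;
}

/* Constructed sample, not captured from any firmware: a SHA-256 list holding two hashes,
 * then an X.509 list holding one placeholder blob. Returns bytes written, 0 if cap is small. */
size_t esl_build_sample(uint8_t *buf, size_t cap)
{
    static const uint8_t blob[10] = { 0x30, 0x08, 0x02, 0x01, 0x01, 0x02, 0x03, 0x01, 0x02, 0x03 };
    uint8_t *p; int i;
    if (cap < 178) return 0;
    p = put_hdr(buf, EFI_CERT_SHA256_GUID, 2, 16 + 32);
    memset(p, 0x11, 16);                             /* owner GUID, arbitrary */
    for (i = 0; i < 32; i++) p[16 + i] = (uint8_t)i; /* hash bytes 00 01 .. 1f */
    memset(p + 48, 0x22, 16); memset(p + 64, 0xaa, 32);
    p = put_hdr(p + 96, EFI_CERT_X509_GUID, 1, 16 + sizeof blob);
    memset(p, 0x33, 16); memcpy(p + 16, blob, sizeof blob);
    return (size_t)(p + 16 + sizeof blob - buf);
}

/* Parses the file named by argv[1] (e.g. MokListXRT), or the sample if none. */
int main(int argc, char **argv)
{
    static uint8_t buf[1 << 16];
    struct esl_summary s; char desc[69];
    FILE *f = argc > 1 ? fopen(argv[1], "rb") : NULL;
    size_t n = f ? fread(buf, 1, sizeof buf, f) : esl_build_sample(buf, sizeof buf);
    if (f) fclose(f); else if (argc > 1) { perror(argv[1]); return 1; }
    if (esl_parse(buf, n, &s) != 0) { fputs("malformed EFI_SIGNATURE_LIST\n", stderr); return 1; }
    printf("lists=%u x509=%u sha256=%u unknown=%u\n", s.lists, s.x509, s.sha256, s.unknown);
    if (s.sha256) { esl_hash_desc(s.first_sha256, desc); printf("first hash as .blacklist key: %s\n", desc); }
    return 0;
}
```

Build with cc -o esl esl.c and run it without arguments to parse the constructed sample, or as ./esl /sys/firmware/efi/mok-variables/MokListXRT on a kernel carrying this series (the file only exists when firmware published the MOK config table). To confirm an entry actually reached the kernel, compare the printed description with the .blacklist keyring, for example grep blacklist /proc/keys or keyctl list %:.blacklist as root; a revoked X.509 certificate loaded through CONFIG_SYSTEM_REVOCATION_KEYS or an X.509 mokx entry appears there as an asymmetric key rather than as a bin: hash, which is why only the hash form is rendered here. The config side of the crankers' note is a one-liner: grep CONFIG_SYSTEM_REVOCATION /boot/config-$(uname -r) must show the option set for the built-in revocation list to be compiled in at all.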