From patchwork Tue Nov 30 11:04:00 2021
X-Patchwork-Submitter: Dimitri John Ledkov
X-Patchwork-Id: 1561557
From: Dimitri John Ledkov
To: kernel-team@lists.ubuntu.com
Subject: [SRU][BIONIC][PATCH 00/16] Support builtin revoked certificates and mokvar-table
Date: Tue, 30 Nov 2021 11:04:00 +0000
Message-Id: <20211130110416.171269-1-dimitri.ledkov@canonical.com>

BugLink: https://bugs.launchpad.net/bugs/1928679
BugLink: https://bugs.launchpad.net/bugs/1932029

Same story as before: backport support for builtin revoked certificates, and add support for loading revoked certificates from the mokvar-table.

Some of the patches had to be adjusted during backport. For example, instead of patching security/integrity/platform_certs/load_uefi.c, which does not exist in the v4.15 kernel, certs/load_uefi.c is patched. Some error handling is done differently as well. For example, EFI status "not found" is not handled when loading keys from variables.

This series doesn't have any reverts, as the lockdown patchset is mostly older, without any major reorgs that didn't make upstream. It is slightly larger than Focal's, as support for EFI_CERT_X509_GUID did not land via linux-stable updates.

After this patch is applied, the RT boot testing & kernel built-in final check will catch any kernels that do not have CONFIG_SYSTEM_REVOCATION_KEYS set. In Bionic, this may trip up the raspi2, snapdragon and kvm flavours, as they in theory can support UEFI, but are not signed and may not enable all the lockdown and keyring features. These flavours may need reverting 70de61082d ("UBUNTU: [Packaging] Add system trusted and revocation keys final check") as was done in Focal, or enabling all the keyrings and builtin revocation keys.
Focal patches already reviewed and applied:
https://lists.ubuntu.com/archives/kernel-team/2021-October/124497.html

The following changes since commit 8233475840ca94121170efeaa4f661c7029ac576:

  UBUNTU: Ubuntu-4.15.0-164.172 (2021-11-26 17:31:19 -0700)

are available in the Git repository at:

  https://git.launchpad.net/~xnox/ubuntu/+source/linux/+git/bionic revocation-keys

for you to fetch changes up to 750558eb34dd84c912dbe004aca41987665535d5:

  UBUNTU: [Config] Configure CONFIG_SYSTEM_REVOCATION_KEYS with revoked keys (2021-11-30 10:44:16 +0000)

This pull request can also be reviewed on launchpad at:
https://code.launchpad.net/~xnox/ubuntu/+source/linux/+git/bionic/+merge/412577

Ard Biesheuvel (2):
      efi: mokvar-table: fix some issues in new code
      efi: mokvar: add missing include of asm/early_ioremap.h

Borislav Petkov (1):
      efi/mokvar: Reserve the table only if it is in boot services data

Dimitri John Ledkov (5):
      UBUNTU: SAUCE: integrity: Load mokx certs from the EFI MOK config table
      UBUNTU: SAUCE: integrity: add informational messages when revoking certs
      UBUNTU: [Packaging] build canonical-revoked-certs.pem from branch/arch certs
      UBUNTU: [Packaging] Revoke 2012 UEFI signing certificate as built-in
      UBUNTU: [Config] Configure CONFIG_SYSTEM_REVOCATION_KEYS with revoked keys

Eric Snowberg (3):
      certs: Add EFI_CERT_X509_GUID support for dbx entries
      certs: Move load_system_certificate_list to a common function
      certs: Add ability to preload revocation certs

Lenny Szubowicz (3):
      efi: Support for MOK variable config table
      integrity: Move import of MokListRT certs to a separate routine
      integrity: Load certs from the EFI MOK config table

Linus Torvalds (1):
      certs: add 'x509_revocation_list' to gitignore

Tim Gardner (1):
      UBUNTU: SAUCE: Dump stack when X.509 certificates cannot be loaded

 arch/x86/kernel/setup.c                       |   1 +
 certs/.gitignore                              |   1 +
 certs/Kconfig                                 |  17 +
 certs/Makefile                                |  21 +-
 certs/blacklist.c                             |  67 ++++
 certs/blacklist.h                             |   2 +
 certs/common.c                                |  58 +++
 certs/common.h                                |   9 +
 certs/load_uefi.c                             | 109 +++++-
 certs/revocation_certificates.S               |  21 +
 certs/system_keyring.c                        |  57 +--
 debian.master/config/annotations              |   1 +
 debian.master/config/config.common.ubuntu     |   2 +
 .../revoked-certs/canonical-uefi-2012-all.pem |  86 +++++
 debian/rules                                  |  14 +-
 drivers/firmware/efi/Makefile                 |   1 +
 drivers/firmware/efi/arm-init.c               |   1 +
 drivers/firmware/efi/efi.c                    |   9 +
 drivers/firmware/efi/mokvar-table.c           | 362 ++++++++++++++++++
 include/keys/system_keyring.h                 |  15 +
 include/linux/efi.h                           |  34 ++
 scripts/Makefile                              |   1 +
 22 files changed, 824 insertions(+), 65 deletions(-)
 create mode 100644 certs/common.c
 create mode 100644 certs/common.h
 create mode 100644 certs/revocation_certificates.S
 create mode 100644 debian/revoked-certs/canonical-uefi-2012-all.pem
 create mode 100644 drivers/firmware/efi/mokvar-table.c

Acked-by: Thadeu Lima de Souza Cascardo
Acked-by: Tim Gardner
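The dbx and MokListXRT payloads that this series teaches the 4.15 kernel to consume are chains of EFI_SIGNATURE_LIST structures, and the security-relevant part of consuming them is the size validation, since the data comes from firmware-writable storage. The following is an added, user-space example written for this page; it is not code from the series or from the kernel. It parses that format with the same dispatch the series describes (EFI_CERT_X509_GUID entries revoke a certificate, EFI_CERT_SHA256_GUID entries blacklist a binary hash), refuses lists whose size fields overrun the buffer, and builds a constructed sample blob (two hashes, one fake five-byte DER certificate) to run against. The function and struct names and the sample data are assumptions made for the demo.

```c
/* Added example, not code from this series or the kernel.  Parses a chain
 * of EFI_SIGNATURE_LISTs (the dbx / MokListXRT format) with bounds checks.
 * Sample blob and fake DER payload are constructed for the demo. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ESL_HDR    28u   /* sizeof(EFI_SIGNATURE_LIST) fixed header        */
#define OWNER_GUID 16u   /* EFI_SIGNATURE_DATA.SignatureOwner preceding data */

/* GUIDs in on-disk (mixed-endian) byte order. */
static const uint8_t EFI_CERT_X509_GUID[16] = {
    0xa1,0x59,0xc0,0xa5, 0xe4,0x94, 0xa7,0x4a,
    0x87,0xb5,0xab,0x15,0x5c,0x2b,0xf0,0x72 };
static const uint8_t EFI_CERT_SHA256_GUID[16] = {
    0x26,0x16,0xc4,0xc1, 0x4c,0x50, 0x92,0x40,
    0xac,0xa9,0x41,0xf9,0x36,0x93,0x43,0x28 };

struct revocations {
    unsigned x509;     /* certificates that would go on the blacklist keyring */
    unsigned sha256;   /* binary hashes that would be blacklisted            */
    unsigned skipped;  /* entries of unknown type or wrong payload size      */
};

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void put32(uint8_t *p, uint32_t v)
{
    p[0] = v; p[1] = v >> 8; p[2] = v >> 16; p[3] = v >> 24;
}

/* Classify one EFI_SIGNATURE_DATA payload.  A SHA256 entry must carry exactly
 * 32 bytes; an X.509 entry carries DER, of which only the SEQUENCE tag is
 * sanity-checked here. */
static void revoke_entry(const uint8_t *type, const uint8_t *data,
                         size_t len, struct revocations *r)
{
    if (!memcmp(type, EFI_CERT_X509_GUID, 16) && len > 2 && data[0] == 0x30)
        r->x509++;
    else if (!memcmp(type, EFI_CERT_SHA256_GUID, 16) && len == 32)
        r->sha256++;
    else
        r->skipped++;
}

/* Walk a chain of EFI_SIGNATURE_LISTs.  Returns 0 on success, -1 on the first
 * malformed list; counts accumulated before the error stay in *r.  Every size
 * field is checked against the bytes remaining before it is used, so a hostile
 * dbx or MokListXRT cannot drive reads past the end of the buffer. */
int parse_efi_signature_lists(const uint8_t *buf, size_t size,
                              struct revocations *r)
{
    while (size > 0) {
        if (size < ESL_HDR)
            return -1;
        const uint8_t *type = buf;
        uint32_t lsize = le32(buf + 16);   /* SignatureListSize   */
        uint32_t hsize = le32(buf + 20);   /* SignatureHeaderSize */
        uint32_t esize = le32(buf + 24);   /* SignatureSize       */

        if (lsize < ESL_HDR || lsize > size)
            return -1;
        if (hsize > lsize - ESL_HDR)
            return -1;
        size_t body = lsize - ESL_HDR - hsize;
        if (esize <= OWNER_GUID || body % esize != 0)
            return -1;

        const uint8_t *e = buf + ESL_HDR + hsize;
        for (size_t off = 0; off < body; off += esize)
            revoke_entry(type, e + off + OWNER_GUID, esize - OWNER_GUID, r);

        buf += lsize;
        size -= lsize;
    }
    return 0;
}

/* Constructed sample: one SHA256 list holding two hashes, then one X.509 list
 * holding a single fake 5-byte DER SEQUENCE.  Returns bytes written (173). */
size_t build_sample_blob(uint8_t *out, size_t cap)
{
    static const uint8_t fake_der[5] = { 0x30, 0x03, 0x02, 0x01, 0x01 };
    const uint32_t sha_esize = OWNER_GUID + 32;
    const uint32_t sha_lsize = ESL_HDR + 2 * sha_esize;
    const uint32_t x509_esize = OWNER_GUID + sizeof fake_der;
    const uint32_t x509_lsize = ESL_HDR + x509_esize;
    if (cap < sha_lsize + x509_lsize)
        return 0;
    memset(out, 0, sha_lsize + x509_lsize);   /* zero owner GUIDs/headers */
    uint8_t *p = out;
    memcpy(p, EFI_CERT_SHA256_GUID, 16);
    put32(p + 16, sha_lsize); put32(p + 20, 0); put32(p + 24, sha_esize);
    memset(p + ESL_HDR + OWNER_GUID, 0xaa, 32);              /* hash #1 */
    memset(p + ESL_HDR + sha_esize + OWNER_GUID, 0xbb, 32);  /* hash #2 */
    p += sha_lsize;
    memcpy(p, EFI_CERT_X509_GUID, 16);
    put32(p + 16, x509_lsize); put32(p + 20, 0); put32(p + 24, x509_esize);
    memcpy(p + ESL_HDR + OWNER_GUID, fake_der, sizeof fake_der);
    return sha_lsize + x509_lsize;
}

int main(void)
{
    uint8_t blob[256];
    size_t n = build_sample_blob(blob, sizeof blob);
    struct revocations r = {0}, t = {0};
    int rc = parse_efi_signature_lists(blob, n, &r);
    printf("rc=%d x509=%u sha256=%u skipped=%u\n", rc, r.x509, r.sha256, r.skipped);
    /* Drop one byte: the second list now claims more than remains. */
    printf("truncated rc=%d (sha256 kept=%u)\n",
           parse_efi_signature_lists(blob, n - 1, &t), t.sha256);
    return 0;
}
```

The order of the checks matters: `lsize` is validated against the remaining size before `hsize` and `esize` are trusted, and `esize` must exceed the owner GUID so the modulo can never divide by zero or yield zero-length payloads. The truncated run shows the failure mode a practitioner cares about: the two hashes from the intact first list are still counted, but the overrunning list is rejected rather than read past the buffer.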