Fix up headers for db/MOK patches

* Set a correct, specific Origin header for each patch, instead of a repo URL and "cherry picked" message
* Add back Date header and Cc pseudo-headers for the second series
* Note which patches have been modified by Luca

parent 06cccfd2c3
commit d220ad4bb0
@ -1,9 +1,8 @@
Origin: git://git.kernel.org/pub/scm/linux/kernel/git/jforbes/linux.git
From fd416971ea1b441df3e1922c441d1ed66a4ca1d2 Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
Date: Fri, 5 May 2017 08:21:56 +0100
Subject: [PATCH 1/7] KEYS: Allow unrestricted boot-time addition of keys to
secondary keyring
Origin: https://git.kernel.org/pub/scm/linux/kernel/git/jforbes/linux.git/commit/?id=40db8fc497d010ae6cee6297c3882d3dc3d76d48

Allow keys to be added to the system secondary certificates keyring during
kernel initialisation in an unrestricted fashion. Such keys are implicitly
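Review bot: the new Origin value names the same commit id (40db8fc497d010ae6cee6297c3882d3dc3d76d48) that the dropped "(cherry picked from commit ...)" trailer carried, so provenance survives the header rewrite. As a style point, DEP-3 allows a category keyword in front of the URL, and `Origin: upstream, https://git.kernel.org/.../commit/?id=40db8fc497d0...` for the verbatim cherry-picks (with `backport,` for the files that needed rebasing) would say at a glance whether a file still matches the cited commit, which is exactly what the removed trailer used to imply.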
@ -13,8 +12,6 @@ This allows keys in the UEFI database to be added in secure boot mode for
the purposes of module signing.

Signed-off-by: David Howells <dhowells@redhat.com>
(cherry picked from commit 40db8fc497d010ae6cee6297c3882d3dc3d76d48
git://git.kernel.org/pub/scm/linux/kernel/git/jforbes/linux.git)
---
certs/internal.h | 18 ++++++++++++++++++
certs/system_keyring.c | 33 +++++++++++++++++++++++++++++++++

@ -1,6 +1,7 @@
Origin: https://lore.kernel.org/patchwork/cover/933178/
From: "Lee, Chun-Yi" <joeyli.kernel@gmail.com>
Date: Tue, 13 Mar 2018 18:37:59 +0800
Subject: [PATCH 1/5] MODSIGN: do not load mok when secure boot disabled
Origin: https://lore.kernel.org/patchwork/patch/933173/

The mok can not be trusted when the secure boot is disabled. Which
means that the kernel embedded certificate is the only trusted key.
@ -8,7 +9,11 @@ means that the kernel embedded certificate is the only trusted key.
Due to db/dbx are authenticated variables, they needs manufacturer's
KEK for update. So db/dbx are secure when secureboot disabled.

Cc: David Howells <dhowells@redhat.com>
Cc: Josh Boyer <jwboyer@fedoraproject.org>
Cc: James Bottomley <James.Bottomley@HansenPartnership.com>
Signed-off-by: "Lee, Chun-Yi" <jlee@suse.com>
[Rebased by Luca Boccassi]
---
certs/load_uefi.c | 26 +++++++++++++++-----------
1 file changed, 15 insertions(+), 11 deletions(-)

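Review bot: the `[Rebased by Luca Boccassi]` marker is placed after the author's Signed-off-by with nothing following it, so the file does not show who is accountable for the rebased version. The customary form for a modified patch is a bracketed note that says what actually changed (for example `[luca: rebased, adjusted context in certs/load_uefi.c]`) followed by the modifier's own Signed-off-by line; that keeps the chain of custody visible from the cited patchwork URL to the file in this tree. The same applies to the other three files in this commit that carry the marker.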
@ -1,11 +1,16 @@
Origin: https://lore.kernel.org/patchwork/cover/933178/
From: "Lee, Chun-Yi" <joeyli.kernel@gmail.com>
Date: Tue, 13 Mar 2018 18:38:01 +0800
Subject: [PATCH 2/4] MODSIGN: load blacklist from MOKx
Origin: https://lore.kernel.org/patchwork/patch/933177/

This patch adds the logic to load the blacklisted hash and
certificates from MOKx which is maintained by shim bootloader.

Cc: David Howells <dhowells@redhat.com>
Cc: Josh Boyer <jwboyer@fedoraproject.org>
Cc: James Bottomley <James.Bottomley@HansenPartnership.com>
Signed-off-by: "Lee, Chun-Yi" <jlee@suse.com>
[Rebased by Luca Boccassi]
---
certs/load_uefi.c | 16 +++++++++++++---
1 file changed, 13 insertions(+), 3 deletions(-)

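Review bot: the Subject lines in this series disagree on its length: the first file reads `[PATCH 1/5]` while this one and the two that follow read `[PATCH 2/4]`, `[PATCH 3/4]` and `[PATCH 4/4]`, all pointing at the same cover letter (patchwork cover 933178). Since the point of this commit is to make the headers accurate, it is worth checking against that cover letter whether the files come from different revisions of the series, and, if one patch of the set was deliberately not carried, saying so in the header so the gap does not look like an omission.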
@ -1,16 +1,13 @@
Origin: git://git.kernel.org/pub/scm/linux/kernel/git/jforbes/linux.git
From 31c5efef25006ae5fc1542e4705e863a98b624b6 Mon Sep 17 00:00:00 2001
From: Dave Howells <dhowells@redhat.com>
Date: Fri, 5 May 2017 08:21:58 +0100
Subject: [PATCH 2/7] efi: Add EFI signature data types
Origin: https://git.kernel.org/pub/scm/linux/kernel/git/jforbes/linux.git/commit/?id=446e0e29d7d53fe7786d33603df5a6682dd00c12

Add the data types that are used for containing hashes, keys and
certificates for cryptographic verification along with their corresponding
type GUIDs.

Signed-off-by: David Howells <dhowells@redhat.com>
(cherry picked from commit 446e0e29d7d53fe7786d33603df5a6682dd00c12
git://git.kernel.org/pub/scm/linux/kernel/git/jforbes/linux.git)
---
include/linux/efi.h | 25 +++++++++++++++++++++++++
1 file changed, 25 insertions(+)

@ -1,7 +1,8 @@
Origin: https://lore.kernel.org/patchwork/cover/933178/
From: "Lee, Chun-Yi" <joeyli.kernel@gmail.com>
Date: Tue, 13 Mar 2018 18:38:02 +0800
Subject: [PATCH 3/4] MODSIGN: checking the blacklisted hash before loading a
kernel module
Origin: https://lore.kernel.org/patchwork/patch/933175/

This patch adds the logic for checking the kernel module's hash
base on blacklist. The hash must be generated by sha256 and enrolled
@ -14,7 +15,11 @@ For example:
Whether the signature on ko file is stripped or not, the hash can be
compared by kernel.

Cc: David Howells <dhowells@redhat.com>
Cc: Josh Boyer <jwboyer@fedoraproject.org>
Cc: James Bottomley <James.Bottomley@HansenPartnership.com>
Signed-off-by: "Lee, Chun-Yi" <jlee@suse.com>
[Rebased by Luca Boccassi]
---
kernel/module_signing.c | 62 +++++++++++++++++++++++++++++++++++++++++++++++--
1 file changed, 60 insertions(+), 2 deletions(-)
@ -23,7 +28,7 @@ diff --git a/kernel/module_signing.c b/kernel/module_signing.c
index d3d6f95..d30ac74 100644
--- a/kernel/module_signing.c
+++ b/kernel/module_signing.c
@@ -11,9 +11,12 @@
@@ -11,9 +11,12 @@h

#include <linux/kernel.h>
#include <linux/errno.h>

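Review bot: one of the two variants of the inner hunk header in this file, `@@ -11,9 +11,12 @@h`, carries a stray `h` after the closing `@@`. `patch` and `git apply` treat whatever follows the second `@@` as function-context text, so the file still applies, but the character looks like an accidental keystroke rather than intended context; the header should read `@@ -11,9 +11,12 @@`, as the adjacent line does, so that the only change to this patch file is the pseudo-header work described in the commit message.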
@ -1,8 +1,7 @@
Origin: git://git.kernel.org/pub/scm/linux/kernel/git/jforbes/linux.git
From b0cea6fe6d97f4fa3ac2dbddd54b79d74045c670 Mon Sep 17 00:00:00 2001
From: Dave Howells <dhowells@redhat.com>
Date: Fri, 5 May 2017 08:21:58 +0100
Subject: [PATCH 3/7] efi: Add an EFI signature blob parser
Origin: https://git.kernel.org/pub/scm/linux/kernel/git/jforbes/linux.git/commit/?id=41a595bb0dc097c19ad377a0c32c993234aa2525

Add a function to parse an EFI signature blob looking for elements of
interest. A list is made up of a series of sublists, where all the
@ -18,8 +17,6 @@ If the sublist is of interest, each element is passed to the handler
function in turn.

Signed-off-by: David Howells <dhowells@redhat.com>
(cherry picked from commit 41a595bb0dc097c19ad377a0c32c993234aa2525
git://git.kernel.org/pub/scm/linux/kernel/git/jforbes/linux.git)
---
certs/Kconfig | 8 ++++
certs/Makefile | 1 +

@ -1,8 +1,7 @@
Origin: git://git.kernel.org/pub/scm/linux/kernel/git/jforbes/linux.git
From 3f74625c50a48b870c7312459d30701b6758b9a3 Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@fedoraproject.org>
Date: Fri, 5 May 2017 08:21:59 +0100
Subject: [PATCH 4/7] MODSIGN: Import certificates from UEFI Secure Boot
Origin: https://git.kernel.org/pub/scm/linux/kernel/git/jforbes/linux.git/commit/?id=7b7aae2efea13b5a7b80305856c28f235ea8b2fa

Secure Boot stores a list of allowed certificates in the 'db' variable.
This imports those certificates into the system trusted keyring. This
@ -21,8 +20,6 @@ This facility is enabled by setting CONFIG_LOAD_UEFI_KEYS.

Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
Signed-off-by: David Howells <dhowells@redhat.com>
(cherry picked from commit 7b7aae2efea13b5a7b80305856c28f235ea8b2fa
git://git.kernel.org/pub/scm/linux/kernel/git/jforbes/linux.git)
---
certs/Kconfig | 16 +++++
certs/Makefile | 4 ++

@ -1,6 +1,7 @@
Origin: https://lore.kernel.org/patchwork/cover/933178/
From: "Lee, Chun-Yi" <joeyli.kernel@gmail.com>
Date: Tue, 13 Mar 2018 18:38:03 +0800
Subject: [PATCH 4/4] MODSIGN: check the attributes of db and mok
Origin: https://lore.kernel.org/patchwork/patch/933176/

That's better for checking the attributes of db and mok variables
before loading certificates to kernel keyring.
@ -15,7 +16,11 @@ to forward the mok/mokx content to runtime. They must be runtime-volatile
variables. So kernel should checks that the attributes map did not set
EFI_VARIABLE_NON_VOLATILE bit before we trust it.

Cc: David Howells <dhowells@redhat.com>
Cc: Josh Boyer <jwboyer@fedoraproject.org>
Cc: James Bottomley <James.Bottomley@HansenPartnership.com>
Signed-off-by: "Lee, Chun-Yi" <jlee@suse.com>
[Rebased by Luca Boccassi]
---
certs/load_uefi.c | 35 +++++++++++++++++++++++------------
1 file changed, 23 insertions(+), 12 deletions(-)

@ -1,8 +1,7 @@
Origin: git://git.kernel.org/pub/scm/linux/kernel/git/jforbes/linux.git
From 7defba7cee1c8a882fef24cc9037faab9e546e01 Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@fedoraproject.org>
Date: Fri, 5 May 2017 08:21:59 +0100
Subject: [PATCH 5/7] MODSIGN: Allow the "db" UEFI variable to be suppressed
Origin: https://git.kernel.org/pub/scm/linux/kernel/git/jforbes/linux.git/commit/?id=b51ca4e4d6c0c8000789de31a1184a41ac611d33

If a user tells shim to not use the certs/hashes in the UEFI db variable
for verification purposes, shim will set a UEFI variable called
@ -11,8 +10,6 @@ variable if it is found.

Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
Signed-off-by: David Howells <dhowells@redhat.com>
(cherry picked from commit b51ca4e4d6c0c8000789de31a1184a41ac611d33
git://git.kernel.org/pub/scm/linux/kernel/git/jforbes/linux.git)
---
certs/load_uefi.c | 44 ++++++++++++++++++++++++++++++++++----------
1 file changed, 34 insertions(+), 10 deletions(-)

@ -1,13 +1,10 @@
Origin: git://git.kernel.org/pub/scm/linux/kernel/git/jforbes/linux.git
From 71be2cb73f4def7903c7fe49babe15c908220ac5 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Mon, 2 Oct 2017 18:25:29 -0400
Subject: [PATCH 6/7] Make get_cert_list() not complain about cert lists that
aren't present.
Origin: https://git.kernel.org/pub/scm/linux/kernel/git/jforbes/linux.git/commit/?id=0f4d5c7b49b45e7cf038bb769e33451b78a6445d

Signed-off-by: Peter Jones <pjones@redhat.com>
(cherry picked from commit 0f4d5c7b49b45e7cf038bb769e33451b78a6445d
git://git.kernel.org/pub/scm/linux/kernel/git/jforbes/linux.git)
---
certs/load_uefi.c | 37 ++++++++++++++++++++++---------------
1 file changed, 22 insertions(+), 15 deletions(-)

@ -1,13 +1,14 @@
Origin: git://git.kernel.org/pub/scm/linux/kernel/git/jforbes/linux.git
From 013d7c3f79a2f4df248f69daca9cbf2175788814 Mon Sep 17 00:00:00 2001
From: David Howells <dhowells@redhat.com>
Date: Thu, 3 Aug 2017 16:56:22 +0100
Subject: [PATCH 7/7] modsign: Use secondary trust keyring for module signing
From: Ke Wu <mikewu@google.com>
Date: Tue, 6 Nov 2018 15:21:30 -0800
Subject: modsign: use all trusted keys to verify module signature
Origin: https://git.kernel.org/linus/e84cd7ee630e44a2cc8ae49e85920a271b214cb3

Use secondary trust keyring for module signing as that's where the UEFI
keys get stashed.
Make mod_verify_sig to use all trusted keys. This allows keys in
secondary_trusted_keys to be used to verify PKCS#7 signature on a
kernel module.

Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Ke Wu <mikewu@google.com>
Signed-off-by: Jessica Yu <jeyu@kernel.org>
---
kernel/module_signing.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
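Review bot: the file's header and description switch from David Howells' `[PATCH 7/7] modsign: Use secondary trust keyring for module signing` (jforbes tree) to Ke Wu's upstream `modsign: use all trusted keys to verify module signature` with `Origin: https://git.kernel.org/linus/e84cd7ee630e44a2cc8ae49e85920a271b214cb3`, but nothing left in the file says that the upstream commit supersedes the earlier out-of-tree patch; a bracketed note in the style this commit uses elsewhere (something like `[Replaces the jforbes-tree "Use secondary trust keyring" patch]`) would keep that history readable without the old header. Separately, this Origin uses the short `https://git.kernel.org/linus/<sha>` form while the cherry-picked jforbes commits use the long cgit `commit/?id=<sha>` form; both resolve, but a single form across the series is easier to grep and to check by script.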
@ -25,6 +26,3 @@ index f2075ce8e4b3..6b9a926fd86b 100644
+ VERIFYING_MODULE_SIGNATURE,
NULL, NULL);
}
--
2.20.1
