diff --git a/debian/patches/features/all/db-mok-keyring/0001-KEYS-Allow-unrestricted-boot-time-addition-of-keys-t.patch b/debian/patches/features/all/db-mok-keyring/0001-KEYS-Allow-unrestricted-boot-time-addition-of-keys-t.patch index 69ffb5c04..43493454d 100644 --- a/debian/patches/features/all/db-mok-keyring/0001-KEYS-Allow-unrestricted-boot-time-addition-of-keys-t.patch +++ b/debian/patches/features/all/db-mok-keyring/0001-KEYS-Allow-unrestricted-boot-time-addition-of-keys-t.patch @@ -1,9 +1,8 @@ -Origin: git://git.kernel.org/pub/scm/linux/kernel/git/jforbes/linux.git -From fd416971ea1b441df3e1922c441d1ed66a4ca1d2 Mon Sep 17 00:00:00 2001 From: David Howells Date: Fri, 5 May 2017 08:21:56 +0100 Subject: [PATCH 1/7] KEYS: Allow unrestricted boot-time addition of keys to secondary keyring +Origin: https://git.kernel.org/pub/scm/linux/kernel/git/jforbes/linux.git/commit/?id=40db8fc497d010ae6cee6297c3882d3dc3d76d48 Allow keys to be added to the system secondary certificates keyring during kernel initialisation in an unrestricted fashion. Such keys are implicitly @@ -13,8 +12,6 @@ This allows keys in the UEFI database to be added in secure boot mode for the purposes of module signing. Signed-off-by: David Howells -(cherry picked from commit 40db8fc497d010ae6cee6297c3882d3dc3d76d48 - git://git.kernel.org/pub/scm/linux/kernel/git/jforbes/linux.git) --- certs/internal.h | 18 ++++++++++++++++++ certs/system_keyring.c | 33 +++++++++++++++++++++++++++++++++ diff --git a/debian/patches/features/all/db-mok-keyring/0001-MODSIGN-do-not-load-mok-when-secure-boot-disabled.patch b/debian/patches/features/all/db-mok-keyring/0001-MODSIGN-do-not-load-mok-when-secure-boot-disabled.patch index d7d7fa96b..bfe9935c3 100644 --- a/debian/patches/features/all/db-mok-keyring/0001-MODSIGN-do-not-load-mok-when-secure-boot-disabled.patch +++ b/debian/patches/features/all/db-mok-keyring/0001-MODSIGN-do-not-load-mok-when-secure-boot-disabled.patch 
@@ -1,6 +1,7 @@ -Origin: https://lore.kernel.org/patchwork/cover/933178/ From: "Lee, Chun-Yi" +Date: Tue, 13 Mar 2018 18:37:59 +0800 Subject: [PATCH 1/5] MODSIGN: do not load mok when secure boot disabled +Origin: https://lore.kernel.org/patchwork/patch/933173/ The mok can not be trusted when the secure boot is disabled. Which means that the kernel embedded certificate is the only trusted key. @@ -8,7 +9,11 @@ means that the kernel embedded certificate is the only trusted key. Due to db/dbx are authenticated variables, they needs manufacturer's KEK for update. So db/dbx are secure when secureboot disabled. +Cc: David Howells +Cc: Josh Boyer +Cc: James Bottomley Signed-off-by: "Lee, Chun-Yi" +[Rebased by Luca Boccassi] --- certs/load_uefi.c | 26 +++++++++++++++----------- 1 file changed, 15 insertions(+), 11 deletions(-) diff --git a/debian/patches/features/all/db-mok-keyring/0002-MODSIGN-load-blacklist-from-MOKx.patch b/debian/patches/features/all/db-mok-keyring/0002-MODSIGN-load-blacklist-from-MOKx.patch index 490c44103..9edb217cc 100644 --- a/debian/patches/features/all/db-mok-keyring/0002-MODSIGN-load-blacklist-from-MOKx.patch +++ b/debian/patches/features/all/db-mok-keyring/0002-MODSIGN-load-blacklist-from-MOKx.patch @@ -1,11 +1,16 @@ -Origin: https://lore.kernel.org/patchwork/cover/933178/ From: "Lee, Chun-Yi" +Date: Tue, 13 Mar 2018 18:38:01 +0800 Subject: [PATCH 2/4] MODSIGN: load blacklist from MOKx +Origin: https://lore.kernel.org/patchwork/patch/933177/ This patch adds the logic to load the blacklisted hash and certificates from MOKx which is maintained by shim bootloader. +Cc: David Howells +Cc: Josh Boyer +Cc: James Bottomley Signed-off-by: "Lee, Chun-Yi" +[Rebased by Luca Boccassi] --- certs/load_uefi.c | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) 
diff --git a/debian/patches/features/all/db-mok-keyring/0002-efi-Add-EFI-signature-data-types.patch b/debian/patches/features/all/db-mok-keyring/0002-efi-Add-EFI-signature-data-types.patch index 9138398fe..9506ecff0 100644 --- a/debian/patches/features/all/db-mok-keyring/0002-efi-Add-EFI-signature-data-types.patch +++ b/debian/patches/features/all/db-mok-keyring/0002-efi-Add-EFI-signature-data-types.patch @@ -1,16 +1,13 @@ -Origin: git://git.kernel.org/pub/scm/linux/kernel/git/jforbes/linux.git -From 31c5efef25006ae5fc1542e4705e863a98b624b6 Mon Sep 17 00:00:00 2001 From: Dave Howells Date: Fri, 5 May 2017 08:21:58 +0100 Subject: [PATCH 2/7] efi: Add EFI signature data types +Origin: https://git.kernel.org/pub/scm/linux/kernel/git/jforbes/linux.git/commit/?id=446e0e29d7d53fe7786d33603df5a6682dd00c12 Add the data types that are used for containing hashes, keys and certificates for cryptographic verification along with their corresponding type GUIDs. Signed-off-by: David Howells -(cherry picked from commit 446e0e29d7d53fe7786d33603df5a6682dd00c12 - git://git.kernel.org/pub/scm/linux/kernel/git/jforbes/linux.git) --- include/linux/efi.h | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/debian/patches/features/all/db-mok-keyring/0003-MODSIGN-checking-the-blacklisted-hash-before-loading-a-kernel-module.patch b/debian/patches/features/all/db-mok-keyring/0003-MODSIGN-checking-the-blacklisted-hash-before-loading-a-kernel-module.patch index 757e8edd4..8d2e8b78d 100644 --- a/debian/patches/features/all/db-mok-keyring/0003-MODSIGN-checking-the-blacklisted-hash-before-loading-a-kernel-module.patch +++ b/debian/patches/features/all/db-mok-keyring/0003-MODSIGN-checking-the-blacklisted-hash-before-loading-a-kernel-module.patch @@ -1,7 +1,8 @@ -Origin: https://lore.kernel.org/patchwork/cover/933178/ 
From: "Lee, Chun-Yi" +Date: Tue, 13 Mar 2018 18:38:02 +0800 Subject: [PATCH 3/4] MODSIGN: checking the blacklisted hash before loading a kernel module +Origin: https://lore.kernel.org/patchwork/patch/933175/ This patch adds the logic for checking the kernel module's hash base on blacklist. The hash must be generated by sha256 and enrolled @@ -14,7 +15,11 @@ For example: Whether the signature on ko file is stripped or not, the hash can be compared by kernel. +Cc: David Howells +Cc: Josh Boyer +Cc: James Bottomley Signed-off-by: "Lee, Chun-Yi" +[Rebased by Luca Boccassi] --- kernel/module_signing.c | 62 +++++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 60 insertions(+), 2 deletions(-) @@ -23,7 +28,7 @@ diff --git a/kernel/module_signing.c b/kernel/module_signing.c index d3d6f95..d30ac74 100644 --- a/kernel/module_signing.c +++ b/kernel/module_signing.c -@@ -11,9 +11,12 @@ +@@ -11,9 +11,12 @@h #include #include diff --git a/debian/patches/features/all/db-mok-keyring/0003-efi-Add-an-EFI-signature-blob-parser.patch b/debian/patches/features/all/db-mok-keyring/0003-efi-Add-an-EFI-signature-blob-parser.patch index 152c907c7..bc420e0f0 100644 --- a/debian/patches/features/all/db-mok-keyring/0003-efi-Add-an-EFI-signature-blob-parser.patch +++ b/debian/patches/features/all/db-mok-keyring/0003-efi-Add-an-EFI-signature-blob-parser.patch @@ -1,8 +1,7 @@ -Origin: git://git.kernel.org/pub/scm/linux/kernel/git/jforbes/linux.git -From b0cea6fe6d97f4fa3ac2dbddd54b79d74045c670 Mon Sep 17 00:00:00 2001 From: Dave Howells Date: Fri, 5 May 2017 08:21:58 +0100 Subject: [PATCH 3/7] efi: Add an EFI signature blob parser +Origin: https://git.kernel.org/pub/scm/linux/kernel/git/jforbes/linux.git/commit/?id=41a595bb0dc097c19ad377a0c32c993234aa2525 Add a function to parse an EFI signature blob looking for elements of interest. A list is made up of a series of sublists, where all the 
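Review bot: The rebased nested hunk header in 0003-MODSIGN-checking-the-blacklisted-hash-before-loading-a-kernel-module.patch now reads `@@ -11,9 +11,12 @@h`, and that trailing `h` is the only difference between the removed line `@@ -11,9 +11,12 @@` and the added one in the `@@ -23,7 +28,7 @@` hunk. It looks like a stray keystroke from the rebase rather than an intended edit; text after the closing `@@` is informational context that patch tools ignore, so the patch should still apply, but it is misleading to anyone reading the series and should be reverted to `@@ -11,9 +11,12 @@`. The nested patch body continues outside this hunk, so whether the other hunk headers were touched cannot be seen here.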
@@ -18,8 +17,6 @@ If the sublist is of interest, each element is passed to the handler function in turn. Signed-off-by: David Howells -(cherry picked from commit 41a595bb0dc097c19ad377a0c32c993234aa2525 - git://git.kernel.org/pub/scm/linux/kernel/git/jforbes/linux.git) --- certs/Kconfig | 8 ++++ certs/Makefile | 1 + diff --git a/debian/patches/features/all/db-mok-keyring/0004-MODSIGN-Import-certificates-from-UEFI-Secure-Boot.patch b/debian/patches/features/all/db-mok-keyring/0004-MODSIGN-Import-certificates-from-UEFI-Secure-Boot.patch index c6628a592..50577d738 100644 --- a/debian/patches/features/all/db-mok-keyring/0004-MODSIGN-Import-certificates-from-UEFI-Secure-Boot.patch +++ b/debian/patches/features/all/db-mok-keyring/0004-MODSIGN-Import-certificates-from-UEFI-Secure-Boot.patch @@ -1,8 +1,7 @@ -Origin: git://git.kernel.org/pub/scm/linux/kernel/git/jforbes/linux.git -From 3f74625c50a48b870c7312459d30701b6758b9a3 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Fri, 5 May 2017 08:21:59 +0100 Subject: [PATCH 4/7] MODSIGN: Import certificates from UEFI Secure Boot +Origin: https://git.kernel.org/pub/scm/linux/kernel/git/jforbes/linux.git/commit/?id=7b7aae2efea13b5a7b80305856c28f235ea8b2fa Secure Boot stores a list of allowed certificates in the 'db' variable. This imports those certificates into the system trusted keyring. This @@ -21,8 +20,6 @@ This facility is enabled by setting CONFIG_LOAD_UEFI_KEYS. Signed-off-by: Josh Boyer Signed-off-by: David Howells -(cherry picked from commit 7b7aae2efea13b5a7b80305856c28f235ea8b2fa - git://git.kernel.org/pub/scm/linux/kernel/git/jforbes/linux.git) --- certs/Kconfig | 16 +++++ certs/Makefile | 4 ++ diff --git a/debian/patches/features/all/db-mok-keyring/0004-MODSIGN-check-the-attributes-of-db-and-mok.patch b/debian/patches/features/all/db-mok-keyring/0004-MODSIGN-check-the-attributes-of-db-and-mok.patch index 24857e236..7127cabaa 100644 
--- a/debian/patches/features/all/db-mok-keyring/0004-MODSIGN-check-the-attributes-of-db-and-mok.patch +++ b/debian/patches/features/all/db-mok-keyring/0004-MODSIGN-check-the-attributes-of-db-and-mok.patch @@ -1,6 +1,7 @@ -Origin: https://lore.kernel.org/patchwork/cover/933178/ From: "Lee, Chun-Yi" +Date: Tue, 13 Mar 2018 18:38:03 +0800 Subject: [PATCH 4/4] MODSIGN: check the attributes of db and mok +Origin: https://lore.kernel.org/patchwork/patch/933176/ That's better for checking the attributes of db and mok variables before loading certificates to kernel keyring. @@ -15,7 +16,11 @@ to forward the mok/mokx content to runtime. They must be runtime-volatile variables. So kernel should checks that the attributes map did not set EFI_VARIABLE_NON_VOLATILE bit before we trust it. +Cc: David Howells +Cc: Josh Boyer +Cc: James Bottomley Signed-off-by: "Lee, Chun-Yi" +[Rebased by Luca Boccassi] --- certs/load_uefi.c | 35 +++++++++++++++++++++++------------ 1 file changed, 23 insertions(+), 12 deletions(-) diff --git a/debian/patches/features/all/db-mok-keyring/0005-MODSIGN-Allow-the-db-UEFI-variable-to-be-suppressed.patch b/debian/patches/features/all/db-mok-keyring/0005-MODSIGN-Allow-the-db-UEFI-variable-to-be-suppressed.patch index 5224bbc77..395cb48bd 100644 --- a/debian/patches/features/all/db-mok-keyring/0005-MODSIGN-Allow-the-db-UEFI-variable-to-be-suppressed.patch +++ b/debian/patches/features/all/db-mok-keyring/0005-MODSIGN-Allow-the-db-UEFI-variable-to-be-suppressed.patch @@ -1,8 +1,7 @@ -Origin: git://git.kernel.org/pub/scm/linux/kernel/git/jforbes/linux.git -From 7defba7cee1c8a882fef24cc9037faab9e546e01 Mon Sep 17 00:00:00 2001 
From: Josh Boyer Date: Fri, 5 May 2017 08:21:59 +0100 Subject: [PATCH 5/7] MODSIGN: Allow the "db" UEFI variable to be suppressed +Origin: https://git.kernel.org/pub/scm/linux/kernel/git/jforbes/linux.git/commit/?id=b51ca4e4d6c0c8000789de31a1184a41ac611d33 If a user tells shim to not use the certs/hashes in the UEFI db variable for verification purposes, shim will set a UEFI variable called @@ -11,8 +10,6 @@ variable if it is found. Signed-off-by: Josh Boyer Signed-off-by: David Howells -(cherry picked from commit b51ca4e4d6c0c8000789de31a1184a41ac611d33 - git://git.kernel.org/pub/scm/linux/kernel/git/jforbes/linux.git) --- certs/load_uefi.c | 44 ++++++++++++++++++++++++++++++++++---------- 1 file changed, 34 insertions(+), 10 deletions(-) diff --git a/debian/patches/features/all/db-mok-keyring/0006-Make-get_cert_list-not-complain-about-cert-lists-tha.patch b/debian/patches/features/all/db-mok-keyring/0006-Make-get_cert_list-not-complain-about-cert-lists-tha.patch index 420e1304e..a22387656 100644 --- a/debian/patches/features/all/db-mok-keyring/0006-Make-get_cert_list-not-complain-about-cert-lists-tha.patch +++ b/debian/patches/features/all/db-mok-keyring/0006-Make-get_cert_list-not-complain-about-cert-lists-tha.patch @@ -1,13 +1,10 @@ -Origin: git://git.kernel.org/pub/scm/linux/kernel/git/jforbes/linux.git -From 71be2cb73f4def7903c7fe49babe15c908220ac5 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Mon, 2 Oct 2017 18:25:29 -0400 Subject: [PATCH 6/7] Make get_cert_list() not complain about cert lists that aren't present. +Origin: https://git.kernel.org/pub/scm/linux/kernel/git/jforbes/linux.git/commit/?id=0f4d5c7b49b45e7cf038bb769e33451b78a6445d Signed-off-by: Peter Jones -(cherry picked from commit 0f4d5c7b49b45e7cf038bb769e33451b78a6445d - git://git.kernel.org/pub/scm/linux/kernel/git/jforbes/linux.git) --- certs/load_uefi.c | 37 ++++++++++++++++++++++--------------- 1 file changed, 22 insertions(+), 15 deletions(-) 
diff --git a/debian/patches/features/all/db-mok-keyring/0007-modsign-Use-secondary-trust-keyring-for-module-signi.patch b/debian/patches/features/all/db-mok-keyring/0007-modsign-Use-secondary-trust-keyring-for-module-signi.patch index 998fbf84a..d0d59fe8c 100644 --- a/debian/patches/features/all/db-mok-keyring/0007-modsign-Use-secondary-trust-keyring-for-module-signi.patch +++ b/debian/patches/features/all/db-mok-keyring/0007-modsign-Use-secondary-trust-keyring-for-module-signi.patch @@ -1,13 +1,14 @@ -Origin: git://git.kernel.org/pub/scm/linux/kernel/git/jforbes/linux.git -From 013d7c3f79a2f4df248f69daca9cbf2175788814 Mon Sep 17 00:00:00 2001 -From: David Howells -Date: Thu, 3 Aug 2017 16:56:22 +0100 -Subject: [PATCH 7/7] modsign: Use secondary trust keyring for module signing +From: Ke Wu +Date: Tue, 6 Nov 2018 15:21:30 -0800 +Subject: modsign: use all trusted keys to verify module signature +Origin: https://git.kernel.org/linus/e84cd7ee630e44a2cc8ae49e85920a271b214cb3 -Use secondary trust keyring for module signing as that's where the UEFI -keys get stashed. +Make mod_verify_sig to use all trusted keys. This allows keys in +secondary_trusted_keys to be used to verify PKCS#7 signature on a +kernel module. -Signed-off-by: David Howells +Signed-off-by: Ke Wu +Signed-off-by: Jessica Yu --- kernel/module_signing.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) @@ -25,6 +26,3 @@ index f2075ce8e4b3..6b9a926fd86b 100644 + VERIFYING_MODULE_SIGNATURE, NULL, NULL); } --- -2.20.1 -
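Review bot: The header block of 0007-modsign-Use-secondary-trust-keyring-for-module-signi.patch is swapped for the metadata of a different upstream commit (From: Ke Wu, Origin e84cd7ee630e44a2cc8ae49e85920a271b214cb3, Subject "modsign: use all trusted keys to verify module signature"), while the file name still carries the old "Use-secondary-trust-keyring" subject and the diffstat context `kernel/module_signing.c | 3 ++-` plus the code line visible in the second hunk are unchanged. Since the attribution (From and both Signed-off-by lines) now names different people for a diff body that this commit does not touch, it is worth confirming that the patch body is byte-for-byte what the cited upstream commit produces and not the earlier David Howells version, and renaming the file to match the new Subject so the series stays readable. Also, this Origin uses the short `https://git.kernel.org/linus/<id>` form whereas every other patch in this commit uses the `.../jforbes/linux.git/commit/?id=<id>` form; either works, but one style across the series would be cleaner.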