Fix up headers for db/MOK patches
* Set a correct, specific Origin header for each patch, instead of a repo URL and "cherry picked" message
* Add back Date header and Cc pseudo-headers for the second series
* Note which patches have been modified by Luca
parent 06cccfd2c3
commit d220ad4bb0
@ -1,9 +1,8 @@
|
||||||
Origin: git://git.kernel.org/pub/scm/linux/kernel/git/jforbes/linux.git
|
|
||||||
From fd416971ea1b441df3e1922c441d1ed66a4ca1d2 Mon Sep 17 00:00:00 2001
|
|
||||||
From: David Howells <dhowells@redhat.com>
|
From: David Howells <dhowells@redhat.com>
|
||||||
Date: Fri, 5 May 2017 08:21:56 +0100
|
Date: Fri, 5 May 2017 08:21:56 +0100
|
||||||
Subject: [PATCH 1/7] KEYS: Allow unrestricted boot-time addition of keys to
|
Subject: [PATCH 1/7] KEYS: Allow unrestricted boot-time addition of keys to
|
||||||
secondary keyring
|
secondary keyring
|
||||||
|
Origin: https://git.kernel.org/pub/scm/linux/kernel/git/jforbes/linux.git/commit/?id=40db8fc497d010ae6cee6297c3882d3dc3d76d48
|
||||||
|
|
||||||
Allow keys to be added to the system secondary certificates keyring during
|
Allow keys to be added to the system secondary certificates keyring during
|
||||||
kernel initialisation in an unrestricted fashion. Such keys are implicitly
|
kernel initialisation in an unrestricted fashion. Such keys are implicitly
|
||||||
|
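Review bot: the new `Origin:` line in this hunk is a bare URL with no DEP-3 category keyword; since the jforbes tree is a distribution tree rather than mainline, `Origin: vendor, https://git.kernel.org/pub/scm/linux/kernel/git/jforbes/linux.git/commit/?id=40db8fc497d010ae6cee6297c3882d3dc3d76d48` would tell a reader at a glance that this is not an upstream commit. Dropping the `From fd416971ea1b441df3e1922c441d1ed66a4ca1d2 Mon Sep 17 00:00:00 2001` line is fine for `git am`, but it leaves the Origin header as the only record of the source commit, so keep the full 40-character id there as done here.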
@ -13,8 +12,6 @@ This allows keys in the UEFI database to be added in secure boot mode for
|
||||||
the purposes of module signing.
|
the purposes of module signing.
|
||||||
|
|
||||||
Signed-off-by: David Howells <dhowells@redhat.com>
|
Signed-off-by: David Howells <dhowells@redhat.com>
|
||||||
(cherry picked from commit 40db8fc497d010ae6cee6297c3882d3dc3d76d48
|
|
||||||
git://git.kernel.org/pub/scm/linux/kernel/git/jforbes/linux.git)
|
|
||||||
---
|
---
|
||||||
certs/internal.h | 18 ++++++++++++++++++
|
certs/internal.h | 18 ++++++++++++++++++
|
||||||
certs/system_keyring.c | 33 +++++++++++++++++++++++++++++++++
|
certs/system_keyring.c | 33 +++++++++++++++++++++++++++++++++
|
||||||
|
|
|
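Review bot: removing the two-line `(cherry picked from commit 40db8fc497d010ae6cee6297c3882d3dc3d76d48 git://...)` trailer is consistent with the new Origin header carrying the same commit id, but the trailer also recorded that the patch was taken verbatim rather than adapted; if any of these first-series patches needed conflict resolution when applied, say so in the description the way the `[Rebased by Luca Boccassi]` lines do for the second series.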
@ -1,6 +1,7 @@
|
||||||
Origin: https://lore.kernel.org/patchwork/cover/933178/
|
|
||||||
From: "Lee, Chun-Yi" <joeyli.kernel@gmail.com>
|
From: "Lee, Chun-Yi" <joeyli.kernel@gmail.com>
|
||||||
|
Date: Tue, 13 Mar 2018 18:37:59 +0800
|
||||||
Subject: [PATCH 1/5] MODSIGN: do not load mok when secure boot disabled
|
Subject: [PATCH 1/5] MODSIGN: do not load mok when secure boot disabled
|
||||||
|
Origin: https://lore.kernel.org/patchwork/patch/933173/
|
||||||
|
|
||||||
The mok can not be trusted when the secure boot is disabled. Which
|
The mok can not be trusted when the secure boot is disabled. Which
|
||||||
means that the kernel embedded certificate is the only trusted key.
|
means that the kernel embedded certificate is the only trusted key.
|
||||||
|
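Review bot: the per-patch `Origin: https://lore.kernel.org/patchwork/patch/933173/` added here is a patchwork id tied to one patchwork instance; the Message-Id form `https://lore.kernel.org/r/<Message-Id>` survives archive moves, so prefer it where the Message-Id is known. While the headers are being touched, the Subject in this file still reads `[PATCH 1/5]` whereas the later patches of the same series are numbered `2/4`, `3/4` and `4/4`, so the series numbering should be made consistent in the same pass.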
@ -8,7 +9,11 @@ means that the kernel embedded certificate is the only trusted key.
|
||||||
Due to db/dbx are authenticated variables, they needs manufacturer's
|
Due to db/dbx are authenticated variables, they needs manufacturer's
|
||||||
KEK for update. So db/dbx are secure when secureboot disabled.
|
KEK for update. So db/dbx are secure when secureboot disabled.
|
||||||
|
|
||||||
|
Cc: David Howells <dhowells@redhat.com>
|
||||||
|
Cc: Josh Boyer <jwboyer@fedoraproject.org>
|
||||||
|
Cc: James Bottomley <James.Bottomley@HansenPartnership.com>
|
||||||
Signed-off-by: "Lee, Chun-Yi" <jlee@suse.com>
|
Signed-off-by: "Lee, Chun-Yi" <jlee@suse.com>
|
||||||
|
[Rebased by Luca Boccassi]
|
||||||
---
|
---
|
||||||
certs/load_uefi.c | 26 +++++++++++++++-----------
|
certs/load_uefi.c | 26 +++++++++++++++-----------
|
||||||
1 file changed, 15 insertions(+), 11 deletions(-)
|
1 file changed, 15 insertions(+), 11 deletions(-)
|
||||||
|
|
|
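Review bot: the `[Rebased by Luca Boccassi]` line is placed before the `---` separator, so it survives `git am` as part of the commit message, which is the right spot; it would be more useful if it named what changed during the rebase (which hunks of `certs/load_uefi.c` had to be adjusted), since the diffstat `26 +++++++++++++-----------` below it is otherwise indistinguishable from the original submission.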
@ -1,11 +1,16 @@
|
||||||
Origin: https://lore.kernel.org/patchwork/cover/933178/
|
|
||||||
From: "Lee, Chun-Yi" <joeyli.kernel@gmail.com>
|
From: "Lee, Chun-Yi" <joeyli.kernel@gmail.com>
|
||||||
|
Date: Tue, 13 Mar 2018 18:38:01 +0800
|
||||||
Subject: [PATCH 2/4] MODSIGN: load blacklist from MOKx
|
Subject: [PATCH 2/4] MODSIGN: load blacklist from MOKx
|
||||||
|
Origin: https://lore.kernel.org/patchwork/patch/933177/
|
||||||
|
|
||||||
This patch adds the logic to load the blacklisted hash and
|
This patch adds the logic to load the blacklisted hash and
|
||||||
certificates from MOKx which is maintained by shim bootloader.
|
certificates from MOKx which is maintained by shim bootloader.
|
||||||
|
|
||||||
|
Cc: David Howells <dhowells@redhat.com>
|
||||||
|
Cc: Josh Boyer <jwboyer@fedoraproject.org>
|
||||||
|
Cc: James Bottomley <James.Bottomley@HansenPartnership.com>
|
||||||
Signed-off-by: "Lee, Chun-Yi" <jlee@suse.com>
|
Signed-off-by: "Lee, Chun-Yi" <jlee@suse.com>
|
||||||
|
[Rebased by Luca Boccassi]
|
||||||
---
|
---
|
||||||
certs/load_uefi.c | 16 +++++++++++++---
|
certs/load_uefi.c | 16 +++++++++++++---
|
||||||
1 file changed, 13 insertions(+), 3 deletions(-)
|
1 file changed, 13 insertions(+), 3 deletions(-)
|
||||||
|
|
|
@ -1,16 +1,13 @@
|
||||||
Origin: git://git.kernel.org/pub/scm/linux/kernel/git/jforbes/linux.git
|
|
||||||
From 31c5efef25006ae5fc1542e4705e863a98b624b6 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Dave Howells <dhowells@redhat.com>
|
From: Dave Howells <dhowells@redhat.com>
|
||||||
Date: Fri, 5 May 2017 08:21:58 +0100
|
Date: Fri, 5 May 2017 08:21:58 +0100
|
||||||
Subject: [PATCH 2/7] efi: Add EFI signature data types
|
Subject: [PATCH 2/7] efi: Add EFI signature data types
|
||||||
|
Origin: https://git.kernel.org/pub/scm/linux/kernel/git/jforbes/linux.git/commit/?id=446e0e29d7d53fe7786d33603df5a6682dd00c12
|
||||||
|
|
||||||
Add the data types that are used for containing hashes, keys and
|
Add the data types that are used for containing hashes, keys and
|
||||||
certificates for cryptographic verification along with their corresponding
|
certificates for cryptographic verification along with their corresponding
|
||||||
type GUIDs.
|
type GUIDs.
|
||||||
|
|
||||||
Signed-off-by: David Howells <dhowells@redhat.com>
|
Signed-off-by: David Howells <dhowells@redhat.com>
|
||||||
(cherry picked from commit 446e0e29d7d53fe7786d33603df5a6682dd00c12
|
|
||||||
git://git.kernel.org/pub/scm/linux/kernel/git/jforbes/linux.git)
|
|
||||||
---
|
---
|
||||||
include/linux/efi.h | 25 +++++++++++++++++++++++++
|
include/linux/efi.h | 25 +++++++++++++++++++++++++
|
||||||
1 file changed, 25 insertions(+)
|
1 file changed, 25 insertions(+)
|
||||||
|
|
|
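Review bot: the `From: Dave Howells <dhowells@redhat.com>` line is left as is while the Signed-off-by in the same file reads `David Howells`; since this hunk is already rewriting the headers, aligning the author name with the Signed-off-by avoids `git am` recording a differently spelled author for this one patch than for `[PATCH 1/7]`.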
@ -1,7 +1,8 @@
|
||||||
Origin: https://lore.kernel.org/patchwork/cover/933178/
|
|
||||||
From: "Lee, Chun-Yi" <joeyli.kernel@gmail.com>
|
From: "Lee, Chun-Yi" <joeyli.kernel@gmail.com>
|
||||||
|
Date: Tue, 13 Mar 2018 18:38:02 +0800
|
||||||
Subject: [PATCH 3/4] MODSIGN: checking the blacklisted hash before loading a
|
Subject: [PATCH 3/4] MODSIGN: checking the blacklisted hash before loading a
|
||||||
kernel module
|
kernel module
|
||||||
|
Origin: https://lore.kernel.org/patchwork/patch/933175/
|
||||||
|
|
||||||
This patch adds the logic for checking the kernel module's hash
|
This patch adds the logic for checking the kernel module's hash
|
||||||
base on blacklist. The hash must be generated by sha256 and enrolled
|
base on blacklist. The hash must be generated by sha256 and enrolled
|
||||||
|
@ -14,7 +15,11 @@ For example:
|
||||||
Whether the signature on ko file is stripped or not, the hash can be
|
Whether the signature on ko file is stripped or not, the hash can be
|
||||||
compared by kernel.
|
compared by kernel.
|
||||||
|
|
||||||
|
Cc: David Howells <dhowells@redhat.com>
|
||||||
|
Cc: Josh Boyer <jwboyer@fedoraproject.org>
|
||||||
|
Cc: James Bottomley <James.Bottomley@HansenPartnership.com>
|
||||||
Signed-off-by: "Lee, Chun-Yi" <jlee@suse.com>
|
Signed-off-by: "Lee, Chun-Yi" <jlee@suse.com>
|
||||||
|
[Rebased by Luca Boccassi]
|
||||||
---
|
---
|
||||||
kernel/module_signing.c | 62 +++++++++++++++++++++++++++++++++++++++++++++++--
|
kernel/module_signing.c | 62 +++++++++++++++++++++++++++++++++++++++++++++++--
|
||||||
1 file changed, 60 insertions(+), 2 deletions(-)
|
1 file changed, 60 insertions(+), 2 deletions(-)
|
||||||
|
@ -23,7 +28,7 @@ diff --git a/kernel/module_signing.c b/kernel/module_signing.c
|
||||||
index d3d6f95..d30ac74 100644
|
index d3d6f95..d30ac74 100644
|
||||||
--- a/kernel/module_signing.c
|
--- a/kernel/module_signing.c
|
||||||
+++ b/kernel/module_signing.c
|
+++ b/kernel/module_signing.c
|
||||||
@@ -11,9 +11,12 @@
|
@@ -11,9 +11,12 @@h
|
||||||
|
|
||||||
#include <linux/kernel.h>
|
#include <linux/kernel.h>
|
||||||
#include <linux/errno.h>
|
#include <linux/errno.h>
|
||||||
|
|
|
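Review bot: the line `@@ -11,9 +11,12 @@h` has a stray `h` appended to the hunk header of the embedded `kernel/module_signing.c` diff, almost certainly an editing slip, since the rest of this hunk only renumbers the patch header. GNU patch and `git apply` treat text after the closing `@@` as function context and ignore it, so the patch still applies, but the character should be removed.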
@ -1,8 +1,7 @@
|
||||||
Origin: git://git.kernel.org/pub/scm/linux/kernel/git/jforbes/linux.git
|
|
||||||
From b0cea6fe6d97f4fa3ac2dbddd54b79d74045c670 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Dave Howells <dhowells@redhat.com>
|
From: Dave Howells <dhowells@redhat.com>
|
||||||
Date: Fri, 5 May 2017 08:21:58 +0100
|
Date: Fri, 5 May 2017 08:21:58 +0100
|
||||||
Subject: [PATCH 3/7] efi: Add an EFI signature blob parser
|
Subject: [PATCH 3/7] efi: Add an EFI signature blob parser
|
||||||
|
Origin: https://git.kernel.org/pub/scm/linux/kernel/git/jforbes/linux.git/commit/?id=41a595bb0dc097c19ad377a0c32c993234aa2525
|
||||||
|
|
||||||
Add a function to parse an EFI signature blob looking for elements of
|
Add a function to parse an EFI signature blob looking for elements of
|
||||||
interest. A list is made up of a series of sublists, where all the
|
interest. A list is made up of a series of sublists, where all the
|
||||||
|
@ -18,8 +17,6 @@ If the sublist is of interest, each element is passed to the handler
|
||||||
function in turn.
|
function in turn.
|
||||||
|
|
||||||
Signed-off-by: David Howells <dhowells@redhat.com>
|
Signed-off-by: David Howells <dhowells@redhat.com>
|
||||||
(cherry picked from commit 41a595bb0dc097c19ad377a0c32c993234aa2525
|
|
||||||
git://git.kernel.org/pub/scm/linux/kernel/git/jforbes/linux.git)
|
|
||||||
---
|
---
|
||||||
certs/Kconfig | 8 ++++
|
certs/Kconfig | 8 ++++
|
||||||
certs/Makefile | 1 +
|
certs/Makefile | 1 +
|
||||||
|
|
|
@ -1,8 +1,7 @@
|
||||||
Origin: git://git.kernel.org/pub/scm/linux/kernel/git/jforbes/linux.git
|
|
||||||
From 3f74625c50a48b870c7312459d30701b6758b9a3 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Josh Boyer <jwboyer@fedoraproject.org>
|
From: Josh Boyer <jwboyer@fedoraproject.org>
|
||||||
Date: Fri, 5 May 2017 08:21:59 +0100
|
Date: Fri, 5 May 2017 08:21:59 +0100
|
||||||
Subject: [PATCH 4/7] MODSIGN: Import certificates from UEFI Secure Boot
|
Subject: [PATCH 4/7] MODSIGN: Import certificates from UEFI Secure Boot
|
||||||
|
Origin: https://git.kernel.org/pub/scm/linux/kernel/git/jforbes/linux.git/commit/?id=7b7aae2efea13b5a7b80305856c28f235ea8b2fa
|
||||||
|
|
||||||
Secure Boot stores a list of allowed certificates in the 'db' variable.
|
Secure Boot stores a list of allowed certificates in the 'db' variable.
|
||||||
This imports those certificates into the system trusted keyring. This
|
This imports those certificates into the system trusted keyring. This
|
||||||
|
@ -21,8 +20,6 @@ This facility is enabled by setting CONFIG_LOAD_UEFI_KEYS.
|
||||||
|
|
||||||
Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
|
Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
|
||||||
Signed-off-by: David Howells <dhowells@redhat.com>
|
Signed-off-by: David Howells <dhowells@redhat.com>
|
||||||
(cherry picked from commit 7b7aae2efea13b5a7b80305856c28f235ea8b2fa
|
|
||||||
git://git.kernel.org/pub/scm/linux/kernel/git/jforbes/linux.git)
|
|
||||||
---
|
---
|
||||||
certs/Kconfig | 16 +++++
|
certs/Kconfig | 16 +++++
|
||||||
certs/Makefile | 4 ++
|
certs/Makefile | 4 ++
|
||||||
|
|
|
@ -1,6 +1,7 @@
|
||||||
Origin: https://lore.kernel.org/patchwork/cover/933178/
|
|
||||||
From: "Lee, Chun-Yi" <joeyli.kernel@gmail.com>
|
From: "Lee, Chun-Yi" <joeyli.kernel@gmail.com>
|
||||||
|
Date: Tue, 13 Mar 2018 18:38:03 +0800
|
||||||
Subject: [PATCH 4/4] MODSIGN: check the attributes of db and mok
|
Subject: [PATCH 4/4] MODSIGN: check the attributes of db and mok
|
||||||
|
Origin: https://lore.kernel.org/patchwork/patch/933176/
|
||||||
|
|
||||||
That's better for checking the attributes of db and mok variables
|
That's better for checking the attributes of db and mok variables
|
||||||
before loading certificates to kernel keyring.
|
before loading certificates to kernel keyring.
|
||||||
|
@ -15,7 +16,11 @@ to forward the mok/mokx content to runtime. They must be runtime-volatile
|
||||||
variables. So kernel should checks that the attributes map did not set
|
variables. So kernel should checks that the attributes map did not set
|
||||||
EFI_VARIABLE_NON_VOLATILE bit before we trust it.
|
EFI_VARIABLE_NON_VOLATILE bit before we trust it.
|
||||||
|
|
||||||
|
Cc: David Howells <dhowells@redhat.com>
|
||||||
|
Cc: Josh Boyer <jwboyer@fedoraproject.org>
|
||||||
|
Cc: James Bottomley <James.Bottomley@HansenPartnership.com>
|
||||||
Signed-off-by: "Lee, Chun-Yi" <jlee@suse.com>
|
Signed-off-by: "Lee, Chun-Yi" <jlee@suse.com>
|
||||||
|
[Rebased by Luca Boccassi]
|
||||||
---
|
---
|
||||||
certs/load_uefi.c | 35 +++++++++++++++++++++++------------
|
certs/load_uefi.c | 35 +++++++++++++++++++++++------------
|
||||||
1 file changed, 23 insertions(+), 12 deletions(-)
|
1 file changed, 23 insertions(+), 12 deletions(-)
|
||||||
|
|
|
@ -1,8 +1,7 @@
|
||||||
Origin: git://git.kernel.org/pub/scm/linux/kernel/git/jforbes/linux.git
|
|
||||||
From 7defba7cee1c8a882fef24cc9037faab9e546e01 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Josh Boyer <jwboyer@fedoraproject.org>
|
From: Josh Boyer <jwboyer@fedoraproject.org>
|
||||||
Date: Fri, 5 May 2017 08:21:59 +0100
|
Date: Fri, 5 May 2017 08:21:59 +0100
|
||||||
Subject: [PATCH 5/7] MODSIGN: Allow the "db" UEFI variable to be suppressed
|
Subject: [PATCH 5/7] MODSIGN: Allow the "db" UEFI variable to be suppressed
|
||||||
|
Origin: https://git.kernel.org/pub/scm/linux/kernel/git/jforbes/linux.git/commit/?id=b51ca4e4d6c0c8000789de31a1184a41ac611d33
|
||||||
|
|
||||||
If a user tells shim to not use the certs/hashes in the UEFI db variable
|
If a user tells shim to not use the certs/hashes in the UEFI db variable
|
||||||
for verification purposes, shim will set a UEFI variable called
|
for verification purposes, shim will set a UEFI variable called
|
||||||
|
@ -11,8 +10,6 @@ variable if it is found.
|
||||||
|
|
||||||
Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
|
Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
|
||||||
Signed-off-by: David Howells <dhowells@redhat.com>
|
Signed-off-by: David Howells <dhowells@redhat.com>
|
||||||
(cherry picked from commit b51ca4e4d6c0c8000789de31a1184a41ac611d33
|
|
||||||
git://git.kernel.org/pub/scm/linux/kernel/git/jforbes/linux.git)
|
|
||||||
---
|
---
|
||||||
certs/load_uefi.c | 44 ++++++++++++++++++++++++++++++++++----------
|
certs/load_uefi.c | 44 ++++++++++++++++++++++++++++++++++----------
|
||||||
1 file changed, 34 insertions(+), 10 deletions(-)
|
1 file changed, 34 insertions(+), 10 deletions(-)
|
||||||
|
|
|
@ -1,13 +1,10 @@
|
||||||
Origin: git://git.kernel.org/pub/scm/linux/kernel/git/jforbes/linux.git
|
|
||||||
From 71be2cb73f4def7903c7fe49babe15c908220ac5 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Peter Jones <pjones@redhat.com>
|
From: Peter Jones <pjones@redhat.com>
|
||||||
Date: Mon, 2 Oct 2017 18:25:29 -0400
|
Date: Mon, 2 Oct 2017 18:25:29 -0400
|
||||||
Subject: [PATCH 6/7] Make get_cert_list() not complain about cert lists that
|
Subject: [PATCH 6/7] Make get_cert_list() not complain about cert lists that
|
||||||
aren't present.
|
aren't present.
|
||||||
|
Origin: https://git.kernel.org/pub/scm/linux/kernel/git/jforbes/linux.git/commit/?id=0f4d5c7b49b45e7cf038bb769e33451b78a6445d
|
||||||
|
|
||||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||||
(cherry picked from commit 0f4d5c7b49b45e7cf038bb769e33451b78a6445d
|
|
||||||
git://git.kernel.org/pub/scm/linux/kernel/git/jforbes/linux.git)
|
|
||||||
---
|
---
|
||||||
certs/load_uefi.c | 37 ++++++++++++++++++++++---------------
|
certs/load_uefi.c | 37 ++++++++++++++++++++++---------------
|
||||||
1 file changed, 22 insertions(+), 15 deletions(-)
|
1 file changed, 22 insertions(+), 15 deletions(-)
|
||||||
|
|
|
@ -1,13 +1,14 @@
|
||||||
Origin: git://git.kernel.org/pub/scm/linux/kernel/git/jforbes/linux.git
|
From: Ke Wu <mikewu@google.com>
|
||||||
From 013d7c3f79a2f4df248f69daca9cbf2175788814 Mon Sep 17 00:00:00 2001
|
Date: Tue, 6 Nov 2018 15:21:30 -0800
|
||||||
From: David Howells <dhowells@redhat.com>
|
Subject: modsign: use all trusted keys to verify module signature
|
||||||
Date: Thu, 3 Aug 2017 16:56:22 +0100
|
Origin: https://git.kernel.org/linus/e84cd7ee630e44a2cc8ae49e85920a271b214cb3
|
||||||
Subject: [PATCH 7/7] modsign: Use secondary trust keyring for module signing
|
|
||||||
|
|
||||||
Use secondary trust keyring for module signing as that's where the UEFI
|
Make mod_verify_sig to use all trusted keys. This allows keys in
|
||||||
keys get stashed.
|
secondary_trusted_keys to be used to verify PKCS#7 signature on a
|
||||||
|
kernel module.
|
||||||
|
|
||||||
Signed-off-by: David Howells <dhowells@redhat.com>
|
Signed-off-by: Ke Wu <mikewu@google.com>
|
||||||
|
Signed-off-by: Jessica Yu <jeyu@kernel.org>
|
||||||
---
|
---
|
||||||
kernel/module_signing.c | 3 ++-
|
kernel/module_signing.c | 3 ++-
|
||||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||||
|
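Review bot: this hunk does more than fix headers: it replaces `[PATCH 7/7] modsign: Use secondary trust keyring for module signing` by David Howells with the mainline commit `modsign: use all trusted keys to verify module signature` by Ke Wu (`Origin: https://git.kernel.org/linus/e84cd7ee630e44a2cc8ae49e85920a271b214cb3`), changing author, date, subject, description and Signed-off-by lines. The commit message bullets should record that the seventh patch was re-attributed to the upstream commit it corresponds to, and the unchanged diffstat `kernel/module_signing.c | 3 ++-` should be checked against that upstream commit so the Origin does not claim an identical change when the body differs. Also, this Origin uses the `git.kernel.org/linus/<sha>` short form while the other patches use the `commit/?id=` form; pick one style for the series.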
@ -25,6 +26,3 @@ index f2075ce8e4b3..6b9a926fd86b 100644
|
||||||
+ VERIFYING_MODULE_SIGNATURE,
|
+ VERIFYING_MODULE_SIGNATURE,
|
||||||
NULL, NULL);
|
NULL, NULL);
|
||||||
}
|
}
|
||||||
--
|
|
||||||
2.20.1
|
|
||||||
|
|
||||||
|
|