From: Eric Snowberg <eric.snowberg@oracle.com>
To: dhowells@redhat.com, dwmw2@infradead.org
Cc: masahiroy@kernel.org, michal.lkml@markovi.net,
keyrings@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-kbuild@vger.kernel.org, jarkko.sakkinen@linux.intel.com,
eric.snowberg@oracle.com
Subject: [PATCH 0/2] Preloaded revocation keys
Date: Wed, 30 Sep 2020 20:15:06 +0000 [thread overview]
Message-ID: <20200930201508.35113-1-eric.snowberg@oracle.com> (raw)
The Secure Boot Forbidden Signature Database, dbx, contains a list of
now revoked signatures and keys previously approved to boot with UEFI
Secure Boot enabled. Currently EFI_CERT_X509_SHA256_GUID and
EFI_CERT_SHA256_GUID can be preloaded (at build time) into the system
blacklist keyring.
Add the ability to also preload EFI_CERT_X509_GUID dbx entries.
This series can be applied on its own; however to use preloaded
revocation certificates, [1] should be applied first.
[1] https://www.spinics.net/lists/keyrings/msg08422.html
Eric Snowberg (2):
certs: Move load_system_certificate_list to a common function
certs: Add ability to preload revocation certs
certs/Kconfig | 8 +++++
certs/Makefile | 20 ++++++++++--
certs/blacklist.c | 17 ++++++++++
certs/common.c | 56 +++++++++++++++++++++++++++++++++
certs/common.h | 9 ++++++
certs/revocation_certificates.S | 21 +++++++++++++
certs/system_keyring.c | 49 ++---------------------------
scripts/Makefile | 1 +
8 files changed, 132 insertions(+), 49 deletions(-)
create mode 100644 certs/common.c
create mode 100644 certs/common.h
create mode 100644 certs/revocation_certificates.S
base-commit: 02de58b24d2e1b2cf947d57205bd2221d897193c
--
2.18.1
next reply other threads:[~2020-09-30 20:15 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-09-30 20:15 Eric Snowberg [this message]
2020-09-30 20:15 ` [PATCH 1/2] certs: Move load_system_certificate_list to a common function Eric Snowberg
2020-09-30 21:02 ` Jarkko Sakkinen
2020-09-30 21:15 ` Eric Snowberg
2020-09-30 21:49 ` Jarkko Sakkinen
2020-09-30 20:15 ` [PATCH 2/2] certs: Add ability to preload revocation certs Eric Snowberg
2020-09-30 20:56 ` Jarkko Sakkinen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200930201508.35113-1-eric.snowberg@oracle.com \
--to=eric.snowberg@oracle.com \
--cc=dhowells@redhat.com \
--cc=dwmw2@infradead.org \
--cc=jarkko.sakkinen@linux.intel.com \
--cc=keyrings@vger.kernel.org \
--cc=linux-kbuild@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=masahiroy@kernel.org \
--cc=michal.lkml@markovi.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).