From: James Bottomley <James.Bottomley@HansenPartnership.com> To: David Howells <firstname.lastname@example.org>, email@example.com Cc: firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, email@example.com Subject: Re: [PATCH] certs: Add EFI_CERT_X509_GUID support for dbx entries Date: Wed, 13 Jan 2021 15:56:39 -0800 [thread overview] Message-ID: <c33c8e3839a41e9654f41cc92c7231104931b1d7.camel@HansenPartnership.com> (raw) In-Reply-To: <firstname.lastname@example.org> On Wed, 2021-01-13 at 13:40 +0000, David Howells wrote: > Hi Linus, > > Are you willing to take this between merge windows - or does it need > to wait for the next merge window? It's not technically a bug fix to > the kernel, but it does have a CVE attached to it. > > Note that I've also updated Jarkko's address in his Reviewed-by since > his Intel address no longer works. Sorry, late to the party. I suppose I lost the argument that we shouldn't really be trusting any certs from db when shim is in operation because they're all EFI binary signing ones and will usually simply be the microsoft certificate and possibly an OEM platform one and we're usually pivoting the root of trust to the certificates in the MokList. However, if we are going to do this, we should also be blacklisting the certificates in MokListX which the OS sees through MokListXRT. Since MokListX is an essential piece of our revocation infrastructure it should have been mentioned in the CVE but wasn't for some reason. James
prev parent reply other threads:[~2021-01-14 0:00 UTC|newest] Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top 2021-01-13 13:40 David Howells 2021-01-13 19:23 ` David Howells 2021-01-13 23:56 ` James Bottomley [this message]
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=c33c8e3839a41e9654f41cc92c7231104931b1d7.camel@HansenPartnership.com \ --email@example.com \ --firstname.lastname@example.org \ --email@example.com \ --firstname.lastname@example.org \ --email@example.com \ --firstname.lastname@example.org \ --email@example.com \ --firstname.lastname@example.org \ --email@example.com \ --firstname.lastname@example.org \ --email@example.com \ --subject='Re: [PATCH] certs: Add EFI_CERT_X509_GUID support for dbx entries' \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: link
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.