[GIT PULL] Add EFI_CERT_X509_GUID support for dbx/mokx entries

[GIT PULL] Add EFI_CERT_X509_GUID support for dbx/mokx entries

[David Howells]

Hi Linus,

Here's a set of patches from Eric Snowberg[1] that add support for
EFI_CERT_X509_GUID entries in the dbx and mokx UEFI tables (such entries
cause matching certificates to be rejected).  These are currently ignored
and only the hash entries are made use of.  Additionally Eric included his
patches to allow such certificates to be preloaded.

These patches deal with CVE-2020-26541.

To quote Eric:

	This is the fifth patch series for adding support for
	EFI_CERT_X509_GUID entries [2].  It has been expanded to not only
	include dbx entries but also entries in the mokx.  Additionally my
	series to preload these certificate [3] has also been included.

	This series is based on v5.11-rc4.

Notes:

 (*) These patches fix a security loophole rather than actual fixing kernel
     breakage, so they could theoretically wait for the next merge window
     if you prefer.

 (*) Patch 3 adds the extract-cert target a second time.  I think make
     should just handle this, though it could be better to add a config
     option specifically for building that program (it's used by multiple
     options).

Changes:
 - Changed Jarkko's acks to his kernel.org address.

ver #3:
 - Rolled in changes from Eric to fix conditional building issues[7].

ver #2:
 - Rolled in a fix to the second patch to include certs/common.h in
   certs/common.c[6].

ver #1:
 - I've modified the first patch in the series to fix a configuration
   problem[4][5], to move the added functions to a more logical place
   within thefile and to add kerneldoc comments.

Link: https://lore.kernel.org/r/20210122181054.32635-1-eric.snowberg@oracle.com [1]
Link: https://patchwork.kernel.org/project/linux-security-module/patch/20200916004927.64276-1-eric.snowberg@oracle.com/ [2]
Link: https://lore.kernel.org/patchwork/cover/1315485/ [3]
Link: https://lore.kernel.org/r/bc2c24e3-ed68-2521-0bf4-a1f6be4a895d@infradead.org/ [4]
Link: https://lore.kernel.org/r/20210225125638.1841436-1-arnd@kernel.org/ [5]
Link: https://lore.kernel.org/r/EDA280F9-F72D-4181-93C7-CDBE95976FF7@oracle.com/ [6]
Link: https://lore.kernel.org/r/161428671215.677100.6372209948022011988.stgit@warthog.procyon.org.uk/ # v1
Link: https://lore.kernel.org/r/161433310139.902181.11787442834918634133.stgit@warthog.procyon.org.uk/ # v2
Link: https://lore.kernel.org/r/161529604216.163428.4905283330048991183.stgit@warthog.procyon.org.uk/ # v3
Link: https://lore.kernel.org/r/20210304175030.184131-1-eric.snowberg@oracle.com/ [7]

David
---
The following changes since commit 8f0bfc25c907f38e7f9dc498e8f43000d77327ef:

  watch_queue: rectify kernel-doc for init_watch() (2021-01-26 11:16:34 +0000)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git tags/keys-cve-2020-26541-v3

for you to fetch changes up to ebd9c2ae369a45bdd9f8615484db09be58fc242b:

  integrity: Load mokx variables into the blacklist keyring (2021-03-11 16:34:48 +0000)

----------------------------------------------------------------
Fix CVE-2020-26541

----------------------------------------------------------------
Eric Snowberg (4):
      certs: Add EFI_CERT_X509_GUID support for dbx entries
      certs: Move load_system_certificate_list to a common function
      certs: Add ability to preload revocation certs
      integrity: Load mokx variables into the blacklist keyring

 certs/Kconfig                                      | 17 ++++++
 certs/Makefile                                     | 21 ++++++-
 certs/blacklist.c                                  | 64 ++++++++++++++++++++++
 certs/blacklist.h                                  |  2 +
 certs/common.c                                     | 57 +++++++++++++++++++
 certs/common.h                                     |  9 +++
 certs/revocation_certificates.S                    | 21 +++++++
 certs/system_keyring.c                             | 55 +++----------------
 include/keys/system_keyring.h                      | 15 +++++
 scripts/Makefile                                   |  1 +
 .../integrity/platform_certs/keyring_handler.c     | 11 ++++
 security/integrity/platform_certs/load_uefi.c      | 20 ++++++-
 12 files changed, 242 insertions(+), 51 deletions(-)
 create mode 100644 certs/common.c
 create mode 100644 certs/common.h
 create mode 100644 certs/revocation_certificates.S

Re: [GIT PULL] Add EFI_CERT_X509_GUID support for dbx/mokx entries

[David Howells]

David Howells <dhowells@redhat.com> wrote:

> This set of patches from Eric Snowberg that add support for
> EFI_CERT_X509_GUID entries in the dbx and mokx UEFI tables (such entries
> cause matching certificates to be rejected).  These are currently ignored
> and only the hash entries are made use of.
> 
> These patches fix CVE-2020-26541.
> 
> To quote Eric:
> 
> 	This is the fifth patch series for adding support for
> 	EFI_CERT_X509_GUID entries [1].  It has been expanded to not only
> 	include dbx entries but also entries in the mokx.  Additionally my
> 	series to preload these certificate [2] has also been included.
> 
> 	This series is based on v5.11-rc4.
> 
> 	[1] https://patchwork.kernel.org/project/linux-security-module/patch/20200916004927.64276-1-eric.snowberg@oracle.com/
> 	[2] https://lore.kernel.org/patchwork/cover/1315485/
> 
> Note that this is based on top of the collected minor fixes I sent you a
> preceding pull request for.  If you would rather this was not based on my
> keys-misc branch, but was instead based on your tree directly, I can rebase
> it.  Note that there would be very minor conflict between the two branches,
> but I think git merge should be able to handle it automatically.

Please drop this request for now.  It turns out there's a broken dependency
in there:

	https://lore.kernel.org/keyrings/20210217165058.1336155-1-eric.snowberg@oracle.com/

I'll look at folding that in, but I'm not sure Eric's solution is the right
one.  I suspect there needs to be something in Kconfig somewhere.

David

Re: [GIT PULL] Add EFI_CERT_X509_GUID support for dbx/mokx entries

[David Howells]

David Howells <dhowells@redhat.com> wrote:

> This set of patches from Eric Snowberg that add support for
> EFI_CERT_X509_GUID entries in the dbx and mokx UEFI tables (such entries
> cause matching certificates to be rejected).  These are currently ignored
> and only the hash entries are made use of.

This is aimed at the next merge window.

David

[GIT PULL] Add EFI_CERT_X509_GUID support for dbx/mokx entries

[David Howells]

Hi Linus,

This set of patches from Eric Snowberg that add support for
EFI_CERT_X509_GUID entries in the dbx and mokx UEFI tables (such entries
cause matching certificates to be rejected).  These are currently ignored
and only the hash entries are made use of.

These patches fix CVE-2020-26541.

To quote Eric:

	This is the fifth patch series for adding support for
	EFI_CERT_X509_GUID entries [1].  It has been expanded to not only
	include dbx entries but also entries in the mokx.  Additionally my
	series to preload these certificate [2] has also been included.

	This series is based on v5.11-rc4.

	[1] https://patchwork.kernel.org/project/linux-security-module/patch/20200916004927.64276-1-eric.snowberg@oracle.com/
	[2] https://lore.kernel.org/patchwork/cover/1315485/

Note that this is based on top of the collected minor fixes I sent you a
preceding pull request for.  If you would rather this was not based on my
keys-misc branch, but was instead based on your tree directly, I can rebase
it.  Note that there would be very minor conflict between the two branches,
but I think git merge should be able to handle it automatically.

David
---
The following changes since commit 8f0bfc25c907f38e7f9dc498e8f43000d77327ef:

  watch_queue: rectify kernel-doc for init_watch() (2021-01-26 11:16:34 +0000)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git tags/keys-cve-2020-26541

for you to fetch changes up to 0b641da796d30d00f3b055e7a94ce9426107428a:

  integrity: Load mokx variables into the blacklist keyring (2021-02-03 15:39:04 +0000)

----------------------------------------------------------------
Fix CVE-2020-26541

----------------------------------------------------------------
Eric Snowberg (4):
      certs: Add EFI_CERT_X509_GUID support for dbx entries
      certs: Move load_system_certificate_list to a common function
      certs: Add ability to preload revocation certs
      integrity: Load mokx variables into the blacklist keyring

 certs/Kconfig                                      |  8 ++++
 certs/Makefile                                     | 20 ++++++--
 certs/blacklist.c                                  | 49 +++++++++++++++++++
 certs/blacklist.h                                  | 12 +++++
 certs/common.c                                     | 56 ++++++++++++++++++++++
 certs/common.h                                     |  9 ++++
 certs/revocation_certificates.S                    | 21 ++++++++
 certs/system_keyring.c                             | 55 ++++-----------------
 include/keys/system_keyring.h                      | 11 +++++
 scripts/Makefile                                   |  1 +
 .../integrity/platform_certs/keyring_handler.c     | 11 +++++
 security/integrity/platform_certs/load_uefi.c      | 20 +++++++-
 12 files changed, 222 insertions(+), 51 deletions(-)
 create mode 100644 certs/common.c
 create mode 100644 certs/common.h
 create mode 100644 certs/revocation_certificates.S