From: David Howells <dhowells@redhat.com>
To: torvalds@linux-foundation.org
Cc: dhowells@redhat.com, "Jarkko Sakkinen" <jarkko@kernel.org>,
"Eric Snowberg" <eric.snowberg@oracle.com>,
"Mickaël Salaün" <mic@linux.microsoft.com>,
"James Bottomley" <James.Bottomley@HansenPartnership.com>,
keyrings@vger.kernel.org, linux-security-module@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: [GIT PULL] Add EFI_CERT_X509_GUID support for dbx/mokx entries
Date: Thu, 11 Mar 2021 17:05:06 +0000 [thread overview]
Message-ID: <1884195.1615482306@warthog.procyon.org.uk> (raw)
Hi Linus,
Here's a set of patches from Eric Snowberg[1] that add support for
EFI_CERT_X509_GUID entries in the dbx and mokx UEFI tables (such entries
cause matching certificates to be rejected). These are currently ignored
and only the hash entries are made use of. Additionally Eric included his
patches to allow such certificates to be preloaded.
These patches deal with CVE-2020-26541.
To quote Eric:
This is the fifth patch series for adding support for
EFI_CERT_X509_GUID entries [2]. It has been expanded to not only
include dbx entries but also entries in the mokx. Additionally my
series to preload these certificate [3] has also been included.
This series is based on v5.11-rc4.
Notes:
(*) These patches fix a security loophole rather than actual fixing kernel
breakage, so they could theoretically wait for the next merge window
if you prefer.
(*) Patch 3 adds the extract-cert target a second time. I think make
should just handle this, though it could be better to add a config
option specifically for building that program (it's used by multiple
options).
Changes:
- Changed Jarkko's acks to his kernel.org address.
ver #3:
- Rolled in changes from Eric to fix conditional building issues[7].
ver #2:
- Rolled in a fix to the second patch to include certs/common.h in
certs/common.c[6].
ver #1:
- I've modified the first patch in the series to fix a configuration
problem[4][5], to move the added functions to a more logical place
within thefile and to add kerneldoc comments.
Link: https://lore.kernel.org/r/20210122181054.32635-1-eric.snowberg@oracle.com [1]
Link: https://patchwork.kernel.org/project/linux-security-module/patch/20200916004927.64276-1-eric.snowberg@oracle.com/ [2]
Link: https://lore.kernel.org/patchwork/cover/1315485/ [3]
Link: https://lore.kernel.org/r/bc2c24e3-ed68-2521-0bf4-a1f6be4a895d@infradead.org/ [4]
Link: https://lore.kernel.org/r/20210225125638.1841436-1-arnd@kernel.org/ [5]
Link: https://lore.kernel.org/r/EDA280F9-F72D-4181-93C7-CDBE95976FF7@oracle.com/ [6]
Link: https://lore.kernel.org/r/161428671215.677100.6372209948022011988.stgit@warthog.procyon.org.uk/ # v1
Link: https://lore.kernel.org/r/161433310139.902181.11787442834918634133.stgit@warthog.procyon.org.uk/ # v2
Link: https://lore.kernel.org/r/161529604216.163428.4905283330048991183.stgit@warthog.procyon.org.uk/ # v3
Link: https://lore.kernel.org/r/20210304175030.184131-1-eric.snowberg@oracle.com/ [7]
David
---
The following changes since commit 8f0bfc25c907f38e7f9dc498e8f43000d77327ef:
watch_queue: rectify kernel-doc for init_watch() (2021-01-26 11:16:34 +0000)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git tags/keys-cve-2020-26541-v3
for you to fetch changes up to ebd9c2ae369a45bdd9f8615484db09be58fc242b:
integrity: Load mokx variables into the blacklist keyring (2021-03-11 16:34:48 +0000)
----------------------------------------------------------------
Fix CVE-2020-26541
----------------------------------------------------------------
Eric Snowberg (4):
certs: Add EFI_CERT_X509_GUID support for dbx entries
certs: Move load_system_certificate_list to a common function
certs: Add ability to preload revocation certs
integrity: Load mokx variables into the blacklist keyring
certs/Kconfig | 17 ++++++
certs/Makefile | 21 ++++++-
certs/blacklist.c | 64 ++++++++++++++++++++++
certs/blacklist.h | 2 +
certs/common.c | 57 +++++++++++++++++++
certs/common.h | 9 +++
certs/revocation_certificates.S | 21 +++++++
certs/system_keyring.c | 55 +++----------------
include/keys/system_keyring.h | 15 +++++
scripts/Makefile | 1 +
.../integrity/platform_certs/keyring_handler.c | 11 ++++
security/integrity/platform_certs/load_uefi.c | 20 ++++++-
12 files changed, 242 insertions(+), 51 deletions(-)
create mode 100644 certs/common.c
create mode 100644 certs/common.h
create mode 100644 certs/revocation_certificates.S
next reply other threads:[~2021-03-11 17:05 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-03-11 17:05 David Howells [this message]
-- strict thread matches above, loose matches on Subject: below --
2021-02-10 15:13 [GIT PULL] Add EFI_CERT_X509_GUID support for dbx/mokx entries David Howells
2021-02-10 15:17 ` David Howells
2021-02-23 17:44 ` David Howells
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1884195.1615482306@warthog.procyon.org.uk \
--to=dhowells@redhat.com \
--cc=James.Bottomley@HansenPartnership.com \
--cc=eric.snowberg@oracle.com \
--cc=jarkko@kernel.org \
--cc=keyrings@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mic@linux.microsoft.com \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).