Update a few secure boot patches
parent
f339ce1dad
commit
72eed1ed89
|
@ -1,25 +1,26 @@
|
|||
From c279ba86f93cf6a75d078e2d0e3f59d4ba8a2dd0 Mon Sep 17 00:00:00 2001
|
||||
From e36a2d65e25fdf42b50aa5dc17583d7bfd09c4c4 Mon Sep 17 00:00:00 2001
|
||||
From: Dave Howells <dhowells@redhat.com>
|
||||
Date: Tue, 23 Oct 2012 09:36:28 -0400
|
||||
Subject: [PATCH 16/20] Add an EFI signature blob parser and key loader.
|
||||
Subject: [PATCH 5/9] Add an EFI signature blob parser and key loader.
|
||||
|
||||
X.509 certificates are loaded into the specified keyring as asymmetric type
|
||||
keys.
|
||||
|
||||
[labbott@fedoraproject.org: Drop KEY_ALLOC_TRUSTED]
|
||||
Signed-off-by: David Howells <dhowells@redhat.com>
|
||||
---
|
||||
crypto/asymmetric_keys/Kconfig | 8 +++
|
||||
crypto/asymmetric_keys/Makefile | 1 +
|
||||
crypto/asymmetric_keys/efi_parser.c | 109 ++++++++++++++++++++++++++++++++++++
|
||||
crypto/asymmetric_keys/efi_parser.c | 108 ++++++++++++++++++++++++++++++++++++
|
||||
include/linux/efi.h | 4 ++
|
||||
4 files changed, 122 insertions(+)
|
||||
4 files changed, 121 insertions(+)
|
||||
create mode 100644 crypto/asymmetric_keys/efi_parser.c
|
||||
|
||||
diff --git a/crypto/asymmetric_keys/Kconfig b/crypto/asymmetric_keys/Kconfig
|
||||
index 4870f28403f5..4a1b50d73b80 100644
|
||||
index e28e912000a7..94024e8aedaa 100644
|
||||
--- a/crypto/asymmetric_keys/Kconfig
|
||||
+++ b/crypto/asymmetric_keys/Kconfig
|
||||
@@ -67,4 +67,12 @@ config SIGNED_PE_FILE_VERIFICATION
|
||||
@@ -60,4 +60,12 @@ config SIGNED_PE_FILE_VERIFICATION
|
||||
This option provides support for verifying the signature(s) on a
|
||||
signed PE binary.
|
||||
|
||||
|
@ -33,10 +34,11 @@ index 4870f28403f5..4a1b50d73b80 100644
|
|||
+
|
||||
endif # ASYMMETRIC_KEY_TYPE
|
||||
diff --git a/crypto/asymmetric_keys/Makefile b/crypto/asymmetric_keys/Makefile
|
||||
index cd1406f9b14a..d9db380bbe53 100644
|
||||
index 6516855bec18..c099fe15ed6d 100644
|
||||
--- a/crypto/asymmetric_keys/Makefile
|
||||
+++ b/crypto/asymmetric_keys/Makefile
|
||||
@@ -7,5 +7,6 @@ asymmetric_keys-y := asymmetric_type.o signature.o
|
||||
@@ -10,6 +10,7 @@ asymmetric_keys-y := \
|
||||
signature.o
|
||||
|
||||
obj-$(CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE) += public_key.o
|
||||
+obj-$(CONFIG_EFI_SIGNATURE_LIST_PARSER) += efi_parser.o
|
||||
|
@ -45,10 +47,10 @@ index cd1406f9b14a..d9db380bbe53 100644
|
|||
# X.509 Certificate handling
|
||||
diff --git a/crypto/asymmetric_keys/efi_parser.c b/crypto/asymmetric_keys/efi_parser.c
|
||||
new file mode 100644
|
||||
index 000000000000..424896a0b169
|
||||
index 000000000000..636feb18b733
|
||||
--- /dev/null
|
||||
+++ b/crypto/asymmetric_keys/efi_parser.c
|
||||
@@ -0,0 +1,109 @@
|
||||
@@ -0,0 +1,108 @@
|
||||
+/* EFI signature/key/certificate list parser
|
||||
+ *
|
||||
+ * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.
|
||||
|
@ -139,8 +141,7 @@ index 000000000000..424896a0b169
|
|||
+ esize - sizeof(*elem),
|
||||
+ (KEY_POS_ALL & ~KEY_POS_SETATTR) |
|
||||
+ KEY_USR_VIEW,
|
||||
+ KEY_ALLOC_NOT_IN_QUOTA |
|
||||
+ KEY_ALLOC_TRUSTED);
|
||||
+ KEY_ALLOC_NOT_IN_QUOTA);
|
||||
+
|
||||
+ if (IS_ERR(key))
|
||||
+ pr_err("Problem loading in-kernel X.509 certificate (%ld)\n",
|
||||
|
@ -159,10 +160,10 @@ index 000000000000..424896a0b169
|
|||
+ return 0;
|
||||
+}
|
||||
diff --git a/include/linux/efi.h b/include/linux/efi.h
|
||||
index fac43c611614..414c3c3d988d 100644
|
||||
index 8c274b4ea8e6..ff1877145aa4 100644
|
||||
--- a/include/linux/efi.h
|
||||
+++ b/include/linux/efi.h
|
||||
@@ -941,6 +941,10 @@ extern bool efi_poweroff_required(void);
|
||||
@@ -1044,6 +1044,10 @@ extern int efi_memattr_apply_permissions(struct mm_struct *mm,
|
||||
char * __init efi_md_typeattr_format(char *buf, size_t size,
|
||||
const efi_memory_desc_t *md);
|
||||
|
||||
|
@ -174,5 +175,5 @@ index fac43c611614..414c3c3d988d 100644
|
|||
* efi_range_is_wc - check the WC bit on an address range
|
||||
* @start: starting kvirt address
|
||||
--
|
||||
2.4.3
|
||||
2.5.5
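Review bot: The `key_create_or_update()` call in efi_parser.c now ends with `KEY_ALLOC_NOT_IN_QUOTA);` and nothing in the visible lines says what decides whether a certificate from the EFI list is trusted once `KEY_ALLOC_TRUSTED` is gone. Presumably acceptance now rests on the destination keyring's link restriction, which is not shown here, so a certificate that does not chain to an already trusted key may be refused. Because the `IS_ERR(key)` branch only calls `pr_err` and the function ends with `return 0;`, the caller would not see such a refusal. I would state the intent next to the flags, for example `/* No KEY_ALLOC_TRUSTED: the keyring's restrict_link hook decides whether this cert is accepted */`, and confirm that this is the behaviour wanted for db and MokListRT entries. The enclosing function starts outside the displayed hunk.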
|
||||
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
From 2246a781c8dbb1207a0b0abbfae201f998c3954b Mon Sep 17 00:00:00 2001
|
||||
From ba2b209daf984514229626803472e0b055832345 Mon Sep 17 00:00:00 2001
|
||||
From: Josh Boyer <jwboyer@fedoraproject.org>
|
||||
Date: Fri, 26 Oct 2012 12:42:16 -0400
|
||||
Subject: [PATCH] MODSIGN: Import certificates from UEFI Secure Boot
|
||||
|
@ -18,18 +18,56 @@ signed with those from loading.
|
|||
|
||||
Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
|
||||
---
|
||||
include/linux/efi.h | 6 ++++
|
||||
init/Kconfig | 9 +++++
|
||||
kernel/Makefile | 3 ++
|
||||
kernel/modsign_uefi.c | 92 +++++++++++++++++++++++++++++++++++++++++++++++++++
|
||||
4 files changed, 110 insertions(+)
|
||||
certs/system_keyring.c | 13 ++++++
|
||||
include/keys/system_keyring.h | 1 +
|
||||
include/linux/efi.h | 6 +++
|
||||
init/Kconfig | 9 ++++
|
||||
kernel/Makefile | 3 ++
|
||||
kernel/modsign_uefi.c | 99 +++++++++++++++++++++++++++++++++++++++++++
|
||||
6 files changed, 131 insertions(+)
|
||||
create mode 100644 kernel/modsign_uefi.c
|
||||
|
||||
diff --git a/certs/system_keyring.c b/certs/system_keyring.c
|
||||
index 787eeead2f57..4d9123ed5c07 100644
|
||||
--- a/certs/system_keyring.c
|
||||
+++ b/certs/system_keyring.c
|
||||
@@ -30,6 +30,19 @@ extern __initconst const u8 system_certificate_list[];
|
||||
extern __initconst const unsigned long system_certificate_list_size;
|
||||
|
||||
/**
|
||||
+ * get_system_keyring - Return a pointer to the system keyring
|
||||
+ *
|
||||
+ */
|
||||
+struct key *get_system_keyring(void)
|
||||
+{
|
||||
+ struct key *system_keyring = NULL;
|
||||
+
|
||||
+ system_keyring = builtin_trusted_keys;
|
||||
+ return system_keyring;
|
||||
+}
|
||||
+EXPORT_SYMBOL_GPL(get_system_keyring);
|
||||
+
|
||||
+/**
|
||||
* restrict_link_to_builtin_trusted - Restrict keyring addition by built in CA
|
||||
*
|
||||
* Restrict the addition of keys into a keyring based on the key-to-be-added
|
||||
diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h
|
||||
index 5bc291a3d261..56ff5715ab67 100644
|
||||
--- a/include/keys/system_keyring.h
|
||||
+++ b/include/keys/system_keyring.h
|
||||
@@ -36,6 +36,7 @@ extern int restrict_link_by_builtin_and_secondary_trusted(
|
||||
#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING
|
||||
extern struct key *system_blacklist_keyring;
|
||||
#endif
|
||||
+extern struct key *get_system_keyring(void);
|
||||
|
||||
#ifdef CONFIG_IMA_BLACKLIST_KEYRING
|
||||
extern struct key *ima_blacklist_keyring;
|
||||
diff --git a/include/linux/efi.h b/include/linux/efi.h
|
||||
index 85ef051ac6fb..a042b2ece788 100644
|
||||
index ff1877145aa4..2483de19c719 100644
|
||||
--- a/include/linux/efi.h
|
||||
+++ b/include/linux/efi.h
|
||||
@@ -600,6 +600,12 @@ typedef struct {
|
||||
@@ -658,6 +658,12 @@ typedef struct {
|
||||
u64 table;
|
||||
} efi_config_table_64_t;
|
||||
|
||||
|
@ -43,10 +81,10 @@ index 85ef051ac6fb..a042b2ece788 100644
|
|||
efi_guid_t guid;
|
||||
u32 table;
|
||||
diff --git a/init/Kconfig b/init/Kconfig
|
||||
index 02da9f1fd9df..90c73a0564b1 100644
|
||||
index e5449d5aeff9..5408c96f6604 100644
|
||||
--- a/init/Kconfig
|
||||
+++ b/init/Kconfig
|
||||
@@ -1924,6 +1924,15 @@ config MODULE_SIG_ALL
|
||||
@@ -1979,6 +1979,15 @@ config MODULE_SIG_ALL
|
||||
comment "Do not forget to sign required modules with scripts/sign-file"
|
||||
depends on MODULE_SIG_FORCE && !MODULE_SIG_ALL
|
||||
|
||||
|
@ -63,10 +101,10 @@ index 02da9f1fd9df..90c73a0564b1 100644
|
|||
prompt "Which hash algorithm should modules be signed with?"
|
||||
depends on MODULE_SIG
|
||||
diff --git a/kernel/Makefile b/kernel/Makefile
|
||||
index d4988410b410..55e886239e7e 100644
|
||||
index e2ec54e2b952..8dab549985d8 100644
|
||||
--- a/kernel/Makefile
|
||||
+++ b/kernel/Makefile
|
||||
@@ -47,6 +47,7 @@ endif
|
||||
@@ -57,6 +57,7 @@ endif
|
||||
obj-$(CONFIG_UID16) += uid16.o
|
||||
obj-$(CONFIG_MODULES) += module.o
|
||||
obj-$(CONFIG_MODULE_SIG) += module_signing.o
|
||||
|
@ -74,7 +112,7 @@ index d4988410b410..55e886239e7e 100644
|
|||
obj-$(CONFIG_KALLSYMS) += kallsyms.o
|
||||
obj-$(CONFIG_BSD_PROCESS_ACCT) += acct.o
|
||||
obj-$(CONFIG_KEXEC_CORE) += kexec_core.o
|
||||
@@ -103,6 +104,8 @@ obj-$(CONFIG_TORTURE_TEST) += torture.o
|
||||
@@ -113,6 +114,8 @@ obj-$(CONFIG_MEMBARRIER) += membarrier.o
|
||||
|
||||
obj-$(CONFIG_HAS_IOMEM) += memremap.o
|
||||
|
||||
|
@ -85,10 +123,10 @@ index d4988410b410..55e886239e7e 100644
|
|||
# config_data.h contains the same information as ikconfig.h but gzipped.
|
||||
diff --git a/kernel/modsign_uefi.c b/kernel/modsign_uefi.c
|
||||
new file mode 100644
|
||||
index 000000000000..94b0eb38a284
|
||||
index 000000000000..fe4a6f2bf10a
|
||||
--- /dev/null
|
||||
+++ b/kernel/modsign_uefi.c
|
||||
@@ -0,0 +1,92 @@
|
||||
@@ -0,0 +1,99 @@
|
||||
+#include <linux/kernel.h>
|
||||
+#include <linux/sched.h>
|
||||
+#include <linux/cred.h>
|
||||
|
@ -139,11 +177,18 @@ index 000000000000..94b0eb38a284
|
|||
+ void *db = NULL, *dbx = NULL, *mok = NULL;
|
||||
+ unsigned long dbsize = 0, dbxsize = 0, moksize = 0;
|
||||
+ int rc = 0;
|
||||
+ struct key *keyring = NULL;
|
||||
+
|
||||
+ /* Check if SB is enabled and just return if not */
|
||||
+ if (!efi_enabled(EFI_SECURE_BOOT))
|
||||
+ return 0;
|
||||
+
|
||||
+ keyring = get_system_keyring();
|
||||
+ if (!keyring) {
|
||||
+ pr_err("MODSIGN: Couldn't get system keyring\n");
|
||||
+ return -EINVAL;
|
||||
+ }
|
||||
+
|
||||
+ /* Get db, MokListRT, and dbx. They might not exist, so it isn't
|
||||
+ * an error if we can't get them.
|
||||
+ */
|
||||
|
@ -151,7 +196,7 @@ index 000000000000..94b0eb38a284
|
|||
+ if (!db) {
|
||||
+ pr_err("MODSIGN: Couldn't get UEFI db list\n");
|
||||
+ } else {
|
||||
+ rc = parse_efi_signature_list(db, dbsize, system_trusted_keyring);
|
||||
+ rc = parse_efi_signature_list(db, dbsize, keyring);
|
||||
+ if (rc)
|
||||
+ pr_err("Couldn't parse db signatures: %d\n", rc);
|
||||
+ kfree(db);
|
||||
|
@ -161,7 +206,7 @@ index 000000000000..94b0eb38a284
|
|||
+ if (!mok) {
|
||||
+ pr_info("MODSIGN: Couldn't get UEFI MokListRT\n");
|
||||
+ } else {
|
||||
+ rc = parse_efi_signature_list(mok, moksize, system_trusted_keyring);
|
||||
+ rc = parse_efi_signature_list(mok, moksize, keyring);
|
||||
+ if (rc)
|
||||
+ pr_err("Couldn't parse MokListRT signatures: %d\n", rc);
|
||||
+ kfree(mok);
|
||||
|
@ -182,5 +227,5 @@ index 000000000000..94b0eb38a284
|
|||
+}
|
||||
+late_initcall(load_uefi_certs);
|
||||
--
|
||||
2.4.3
|
||||
2.5.5
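Review bot: `EXPORT_SYMBOL_GPL(get_system_keyring);` in certs/system_keyring.c makes the `builtin_trusted_keys` pointer available to any GPL module, while the only caller visible in this patch is `load_uefi_certs`, registered with `late_initcall` in kernel/modsign_uefi.c. If that file is always built in (the kernel/Makefile line is not visible here), the export can be dropped so that the keyring anchoring module-signature trust is reachable only from built-in code. The body can be just `return builtin_trusted_keys;`, since the NULL-initialised local `system_keyring` adds nothing. The kernel-doc block is empty below its title line; it should say that the returned keyring is the built-in trust root and that anything linked into it becomes trusted for module verification.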
|
||||
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
From d7c9efa4ab647d6ccb617f2504e79a398d56f7d4 Mon Sep 17 00:00:00 2001
|
||||
From 7ce860189df19a38176c1510f4e5615bf35495c1 Mon Sep 17 00:00:00 2001
|
||||
From: Josh Boyer <jwboyer@fedoraproject.org>
|
||||
Date: Thu, 3 Oct 2013 10:14:23 -0400
|
||||
Subject: [PATCH 19/20] MODSIGN: Support not importing certs from db
|
||||
Subject: [PATCH 2/2] MODSIGN: Support not importing certs from db
|
||||
|
||||
If a user tells shim to not use the certs/hashes in the UEFI db variable
|
||||
for verification purposes, shim will set a UEFI variable called MokIgnoreDB.
|
||||
|
@ -14,7 +14,7 @@ Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
|
|||
1 file changed, 31 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/kernel/modsign_uefi.c b/kernel/modsign_uefi.c
|
||||
index 94b0eb38a284..ae28b974d49a 100644
|
||||
index 03f601a0052c..321c79a3b282 100644
|
||||
--- a/kernel/modsign_uefi.c
|
||||
+++ b/kernel/modsign_uefi.c
|
||||
@@ -8,6 +8,23 @@
|
||||
|
@ -41,16 +41,18 @@ index 94b0eb38a284..ae28b974d49a 100644
|
|||
static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid, unsigned long *size)
|
||||
{
|
||||
efi_status_t status;
|
||||
@@ -47,23 +64,28 @@ static int __init load_uefi_certs(void)
|
||||
@@ -47,7 +64,7 @@ static int __init load_uefi_certs(void)
|
||||
efi_guid_t mok_var = EFI_SHIM_LOCK_GUID;
|
||||
void *db = NULL, *dbx = NULL, *mok = NULL;
|
||||
unsigned long dbsize = 0, dbxsize = 0, moksize = 0;
|
||||
- int rc = 0;
|
||||
+ int ignore_db, rc = 0;
|
||||
struct key *keyring = NULL;
|
||||
|
||||
/* Check if SB is enabled and just return if not */
|
||||
if (!efi_enabled(EFI_SECURE_BOOT))
|
||||
return 0;
|
||||
@@ -60,17 +77,22 @@ static int __init load_uefi_certs(void)
|
||||
return -EINVAL;
|
||||
}
|
||||
|
||||
+ /* See if the user has setup Ignore DB mode */
|
||||
+ ignore_db = check_ignore_db();
|
||||
|
@ -62,7 +64,7 @@ index 94b0eb38a284..ae28b974d49a 100644
|
|||
- if (!db) {
|
||||
- pr_err("MODSIGN: Couldn't get UEFI db list\n");
|
||||
- } else {
|
||||
- rc = parse_efi_signature_list(db, dbsize, system_trusted_keyring);
|
||||
- rc = parse_efi_signature_list(db, dbsize, keyring);
|
||||
- if (rc)
|
||||
- pr_err("Couldn't parse db signatures: %d\n", rc);
|
||||
- kfree(db);
|
||||
|
@ -71,7 +73,7 @@ index 94b0eb38a284..ae28b974d49a 100644
|
|||
+ if (!db) {
|
||||
+ pr_err("MODSIGN: Couldn't get UEFI db list\n");
|
||||
+ } else {
|
||||
+ rc = parse_efi_signature_list(db, dbsize, system_trusted_keyring);
|
||||
+ rc = parse_efi_signature_list(db, dbsize, keyring);
|
||||
+ if (rc)
|
||||
+ pr_err("Couldn't parse db signatures: %d\n", rc);
|
||||
+ kfree(db);
|
||||
|
@ -80,5 +82,5 @@ index 94b0eb38a284..ae28b974d49a 100644
|
|||
|
||||
mok = get_cert_list(L"MokListRT", &mok_var, &moksize);
|
||||
--
|
||||
2.4.3
|
||||
2.5.5
|
||||
|
||||
|
|