diff --git a/Add-an-EFI-signature-blob-parser-and-key-loader.patch b/Add-an-EFI-signature-blob-parser-and-key-loader.patch index 86a285581..3697a4b74 100644 --- a/Add-an-EFI-signature-blob-parser-and-key-loader.patch +++ b/Add-an-EFI-signature-blob-parser-and-key-loader.patch @@ -1,25 +1,26 @@ -From c279ba86f93cf6a75d078e2d0e3f59d4ba8a2dd0 Mon Sep 17 00:00:00 2001 +From e36a2d65e25fdf42b50aa5dc17583d7bfd09c4c4 Mon Sep 17 00:00:00 2001 From: Dave Howells Date: Tue, 23 Oct 2012 09:36:28 -0400 -Subject: [PATCH 16/20] Add an EFI signature blob parser and key loader. +Subject: [PATCH 5/9] Add an EFI signature blob parser and key loader. X.509 certificates are loaded into the specified keyring as asymmetric type keys. +[labbott@fedoraproject.org: Drop KEY_ALLOC_TRUSTED] Signed-off-by: David Howells --- crypto/asymmetric_keys/Kconfig | 8 +++ crypto/asymmetric_keys/Makefile | 1 + - crypto/asymmetric_keys/efi_parser.c | 109 ++++++++++++++++++++++++++++++++++++ + crypto/asymmetric_keys/efi_parser.c | 108 ++++++++++++++++++++++++++++++++++++ include/linux/efi.h | 4 ++ - 4 files changed, 122 insertions(+) + 4 files changed, 121 insertions(+) create mode 100644 crypto/asymmetric_keys/efi_parser.c diff --git a/crypto/asymmetric_keys/Kconfig b/crypto/asymmetric_keys/Kconfig -index 4870f28403f5..4a1b50d73b80 100644 +index e28e912000a7..94024e8aedaa 100644 --- a/crypto/asymmetric_keys/Kconfig +++ b/crypto/asymmetric_keys/Kconfig -@@ -67,4 +67,12 @@ config SIGNED_PE_FILE_VERIFICATION +@@ -60,4 +60,12 @@ config SIGNED_PE_FILE_VERIFICATION This option provides support for verifying the signature(s) on a signed PE binary. @@ -33,10 +34,11 @@ index 4870f28403f5..4a1b50d73b80 100644 + endif # ASYMMETRIC_KEY_TYPE diff --git a/crypto/asymmetric_keys/Makefile b/crypto/asymmetric_keys/Makefile -index cd1406f9b14a..d9db380bbe53 100644 +index 6516855bec18..c099fe15ed6d 100644 --- a/crypto/asymmetric_keys/Makefile +++ b/crypto/asymmetric_keys/Makefile -@@ -7,5 +7,6 @@ asymmetric_keys-y := asymmetric_type.o signature.o +@@ -10,6 +10,7 @@ asymmetric_keys-y := \ + signature.o obj-$(CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE) += public_key.o +obj-$(CONFIG_EFI_SIGNATURE_LIST_PARSER) += efi_parser.o @@ -45,10 +47,10 @@ index cd1406f9b14a..d9db380bbe53 100644 # X.509 Certificate handling diff --git a/crypto/asymmetric_keys/efi_parser.c b/crypto/asymmetric_keys/efi_parser.c new file mode 100644 -index 000000000000..424896a0b169 +index 000000000000..636feb18b733 --- /dev/null +++ b/crypto/asymmetric_keys/efi_parser.c -@@ -0,0 +1,109 @@ +@@ -0,0 +1,108 @@ +/* EFI signature/key/certificate list parser + * + * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved. @@ -139,8 +141,7 @@ index 000000000000..424896a0b169 + esize - sizeof(*elem), + (KEY_POS_ALL & ~KEY_POS_SETATTR) | + KEY_USR_VIEW, -+ KEY_ALLOC_NOT_IN_QUOTA | -+ KEY_ALLOC_TRUSTED); ++ KEY_ALLOC_NOT_IN_QUOTA); + + if (IS_ERR(key)) + pr_err("Problem loading in-kernel X.509 certificate (%ld)\n", @@ -159,10 +160,10 @@ index 000000000000..424896a0b169 + return 0; +} diff --git a/include/linux/efi.h b/include/linux/efi.h -index fac43c611614..414c3c3d988d 100644 +index 8c274b4ea8e6..ff1877145aa4 100644 --- a/include/linux/efi.h +++ b/include/linux/efi.h -@@ -941,6 +941,10 @@ extern bool efi_poweroff_required(void); +@@ -1044,6 +1044,10 @@ extern int efi_memattr_apply_permissions(struct mm_struct *mm, char * __init efi_md_typeattr_format(char *buf, size_t size, const efi_memory_desc_t *md); @@ -174,5 +175,5 @@ index fac43c611614..414c3c3d988d 100644 * efi_range_is_wc - check the WC bit on an address range * @start: starting kvirt address -- -2.4.3 +2.5.5 diff --git a/MODSIGN-Import-certificates-from-UEFI-Secure-Boot.patch b/MODSIGN-Import-certificates-from-UEFI-Secure-Boot.patch index 8a484b6d8..05be7a028 100644 --- a/MODSIGN-Import-certificates-from-UEFI-Secure-Boot.patch +++ b/MODSIGN-Import-certificates-from-UEFI-Secure-Boot.patch @@ -1,4 +1,4 @@ -From 2246a781c8dbb1207a0b0abbfae201f998c3954b Mon Sep 17 00:00:00 2001 +From ba2b209daf984514229626803472e0b055832345 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Fri, 26 Oct 2012 12:42:16 -0400 Subject: [PATCH] MODSIGN: Import certificates from UEFI Secure Boot @@ -18,18 +18,56 @@ signed with those from loading. Signed-off-by: Josh Boyer --- - include/linux/efi.h | 6 ++++ - init/Kconfig | 9 +++++ - kernel/Makefile | 3 ++ - kernel/modsign_uefi.c | 92 +++++++++++++++++++++++++++++++++++++++++++++++++++ - 4 files changed, 110 insertions(+) + certs/system_keyring.c | 13 ++++++ + include/keys/system_keyring.h | 1 + + include/linux/efi.h | 6 +++ + init/Kconfig | 9 ++++ + kernel/Makefile | 3 ++ + kernel/modsign_uefi.c | 99 +++++++++++++++++++++++++++++++++++++++++++ + 6 files changed, 131 insertions(+) create mode 100644 kernel/modsign_uefi.c +diff --git a/certs/system_keyring.c b/certs/system_keyring.c +index 787eeead2f57..4d9123ed5c07 100644 +--- a/certs/system_keyring.c ++++ b/certs/system_keyring.c +@@ -30,6 +30,19 @@ extern __initconst const u8 system_certificate_list[]; + extern __initconst const unsigned long system_certificate_list_size; + + /** ++ * get_system_keyring - Return a pointer to the system keyring ++ * ++ */ ++struct key *get_system_keyring(void) ++{ ++ struct key *system_keyring = NULL; ++ ++ system_keyring = builtin_trusted_keys; ++ return system_keyring; ++} ++EXPORT_SYMBOL_GPL(get_system_keyring); ++ ++/** + * restrict_link_to_builtin_trusted - Restrict keyring addition by built in CA + * + * Restrict the addition of keys into a keyring based on the key-to-be-added +diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h +index 5bc291a3d261..56ff5715ab67 100644 +--- a/include/keys/system_keyring.h ++++ b/include/keys/system_keyring.h +@@ -36,6 +36,7 @@ extern int restrict_link_by_builtin_and_secondary_trusted( + #ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING + extern struct key *system_blacklist_keyring; + #endif ++extern struct key *get_system_keyring(void); + + #ifdef CONFIG_IMA_BLACKLIST_KEYRING + extern struct key *ima_blacklist_keyring; diff --git a/include/linux/efi.h b/include/linux/efi.h -index 85ef051ac6fb..a042b2ece788 100644 +index ff1877145aa4..2483de19c719 100644 --- a/include/linux/efi.h +++ b/include/linux/efi.h -@@ -600,6 +600,12 @@ typedef struct { +@@ -658,6 +658,12 @@ typedef struct { u64 table; } efi_config_table_64_t; @@ -43,10 +81,10 @@ index 85ef051ac6fb..a042b2ece788 100644 efi_guid_t guid; u32 table; diff --git a/init/Kconfig b/init/Kconfig -index 02da9f1fd9df..90c73a0564b1 100644 +index e5449d5aeff9..5408c96f6604 100644 --- a/init/Kconfig +++ b/init/Kconfig -@@ -1924,6 +1924,15 @@ config MODULE_SIG_ALL +@@ -1979,6 +1979,15 @@ config MODULE_SIG_ALL comment "Do not forget to sign required modules with scripts/sign-file" depends on MODULE_SIG_FORCE && !MODULE_SIG_ALL @@ -63,10 +101,10 @@ index 02da9f1fd9df..90c73a0564b1 100644 prompt "Which hash algorithm should modules be signed with?" depends on MODULE_SIG diff --git a/kernel/Makefile b/kernel/Makefile -index d4988410b410..55e886239e7e 100644 +index e2ec54e2b952..8dab549985d8 100644 --- a/kernel/Makefile +++ b/kernel/Makefile -@@ -47,6 +47,7 @@ endif +@@ -57,6 +57,7 @@ endif obj-$(CONFIG_UID16) += uid16.o obj-$(CONFIG_MODULES) += module.o obj-$(CONFIG_MODULE_SIG) += module_signing.o @@ -74,7 +112,7 @@ index d4988410b410..55e886239e7e 100644 obj-$(CONFIG_KALLSYMS) += kallsyms.o obj-$(CONFIG_BSD_PROCESS_ACCT) += acct.o obj-$(CONFIG_KEXEC_CORE) += kexec_core.o -@@ -103,6 +104,8 @@ obj-$(CONFIG_TORTURE_TEST) += torture.o +@@ -113,6 +114,8 @@ obj-$(CONFIG_MEMBARRIER) += membarrier.o obj-$(CONFIG_HAS_IOMEM) += memremap.o @@ -85,10 +123,10 @@ index d4988410b410..55e886239e7e 100644 # config_data.h contains the same information as ikconfig.h but gzipped. diff --git a/kernel/modsign_uefi.c b/kernel/modsign_uefi.c new file mode 100644 -index 000000000000..94b0eb38a284 +index 000000000000..fe4a6f2bf10a --- /dev/null +++ b/kernel/modsign_uefi.c -@@ -0,0 +1,92 @@ +@@ -0,0 +1,99 @@ +#include +#include +#include @@ -139,11 +177,18 @@ index 000000000000..94b0eb38a284 + void *db = NULL, *dbx = NULL, *mok = NULL; + unsigned long dbsize = 0, dbxsize = 0, moksize = 0; + int rc = 0; ++ struct key *keyring = NULL; + + /* Check if SB is enabled and just return if not */ + if (!efi_enabled(EFI_SECURE_BOOT)) + return 0; + ++ keyring = get_system_keyring(); ++ if (!keyring) { ++ pr_err("MODSIGN: Couldn't get system keyring\n"); ++ return -EINVAL; ++ } ++ + /* Get db, MokListRT, and dbx. They might not exist, so it isn't + * an error if we can't get them. + */ @@ -151,7 +196,7 @@ index 000000000000..94b0eb38a284 + if (!db) { + pr_err("MODSIGN: Couldn't get UEFI db list\n"); + } else { -+ rc = parse_efi_signature_list(db, dbsize, system_trusted_keyring); ++ rc = parse_efi_signature_list(db, dbsize, keyring); + if (rc) + pr_err("Couldn't parse db signatures: %d\n", rc); + kfree(db); @@ -161,7 +206,7 @@ index 000000000000..94b0eb38a284 + if (!mok) { + pr_info("MODSIGN: Couldn't get UEFI MokListRT\n"); + } else { -+ rc = parse_efi_signature_list(mok, moksize, system_trusted_keyring); ++ rc = parse_efi_signature_list(mok, moksize, keyring); + if (rc) + pr_err("Couldn't parse MokListRT signatures: %d\n", rc); + kfree(mok); @@ -182,5 +227,5 @@ index 000000000000..94b0eb38a284 +} +late_initcall(load_uefi_certs); -- -2.4.3 +2.5.5 diff --git a/MODSIGN-Support-not-importing-certs-from-db.patch b/MODSIGN-Support-not-importing-certs-from-db.patch index bb5ae2a2c..3339ce76e 100644 --- a/MODSIGN-Support-not-importing-certs-from-db.patch +++ b/MODSIGN-Support-not-importing-certs-from-db.patch @@ -1,7 +1,7 @@ -From d7c9efa4ab647d6ccb617f2504e79a398d56f7d4 Mon Sep 17 00:00:00 2001 +From 7ce860189df19a38176c1510f4e5615bf35495c1 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Thu, 3 Oct 2013 10:14:23 -0400 -Subject: [PATCH 19/20] MODSIGN: Support not importing certs from db +Subject: [PATCH 2/2] MODSIGN: Support not importing certs from db If a user tells shim to not use the certs/hashes in the UEFI db variable for verification purposes, shim will set a UEFI variable called MokIgnoreDB. @@ -14,7 +14,7 @@ Signed-off-by: Josh Boyer 1 file changed, 31 insertions(+), 9 deletions(-) diff --git a/kernel/modsign_uefi.c b/kernel/modsign_uefi.c -index 94b0eb38a284..ae28b974d49a 100644 +index 03f601a0052c..321c79a3b282 100644 --- a/kernel/modsign_uefi.c +++ b/kernel/modsign_uefi.c @@ -8,6 +8,23 @@ @@ -41,16 +41,18 @@ index 94b0eb38a284..ae28b974d49a 100644 static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid, unsigned long *size) { efi_status_t status; -@@ -47,23 +64,28 @@ static int __init load_uefi_certs(void) +@@ -47,7 +64,7 @@ static int __init load_uefi_certs(void) efi_guid_t mok_var = EFI_SHIM_LOCK_GUID; void *db = NULL, *dbx = NULL, *mok = NULL; unsigned long dbsize = 0, dbxsize = 0, moksize = 0; - int rc = 0; + int ignore_db, rc = 0; + struct key *keyring = NULL; /* Check if SB is enabled and just return if not */ - if (!efi_enabled(EFI_SECURE_BOOT)) - return 0; +@@ -60,17 +77,22 @@ static int __init load_uefi_certs(void) + return -EINVAL; + } + /* See if the user has setup Ignore DB mode */ + ignore_db = check_ignore_db(); @@ -62,7 +64,7 @@ index 94b0eb38a284..ae28b974d49a 100644 - if (!db) { - pr_err("MODSIGN: Couldn't get UEFI db list\n"); - } else { -- rc = parse_efi_signature_list(db, dbsize, system_trusted_keyring); +- rc = parse_efi_signature_list(db, dbsize, keyring); - if (rc) - pr_err("Couldn't parse db signatures: %d\n", rc); - kfree(db); @@ -71,7 +73,7 @@ index 94b0eb38a284..ae28b974d49a 100644 + if (!db) { + pr_err("MODSIGN: Couldn't get UEFI db list\n"); + } else { -+ rc = parse_efi_signature_list(db, dbsize, system_trusted_keyring); ++ rc = parse_efi_signature_list(db, dbsize, keyring); + if (rc) + pr_err("Couldn't parse db signatures: %d\n", rc); + kfree(db); @@ -80,5 +82,5 @@ index 94b0eb38a284..ae28b974d49a 100644 mok = get_cert_list(L"MokListRT", &mok_var, &moksize); -- -2.4.3 +2.5.5