Update a few secure boot patches

Add-an-EFI-signature-blob-parser-and-key-loader.patch

@@ -1,25 +1,26 @@
-From c279ba86f93cf6a75d078e2d0e3f59d4ba8a2dd0 Mon Sep 17 00:00:00 2001
+From e36a2d65e25fdf42b50aa5dc17583d7bfd09c4c4 Mon Sep 17 00:00:00 2001
 From: Dave Howells <dhowells@redhat.com>
 Date: Tue, 23 Oct 2012 09:36:28 -0400
-Subject: [PATCH 16/20] Add an EFI signature blob parser and key loader.
+Subject: [PATCH 5/9] Add an EFI signature blob parser and key loader.
 
 X.509 certificates are loaded into the specified keyring as asymmetric type
 keys.
 
+[labbott@fedoraproject.org: Drop KEY_ALLOC_TRUSTED]
 Signed-off-by: David Howells <dhowells@redhat.com>
 ---
  crypto/asymmetric_keys/Kconfig      |   8 +++
  crypto/asymmetric_keys/Makefile     |   1 +
- crypto/asymmetric_keys/efi_parser.c | 109 ++++++++++++++++++++++++++++++++++++
+ crypto/asymmetric_keys/efi_parser.c | 108 ++++++++++++++++++++++++++++++++++++
  include/linux/efi.h                 |   4 ++
- 4 files changed, 122 insertions(+)
+ 4 files changed, 121 insertions(+)
  create mode 100644 crypto/asymmetric_keys/efi_parser.c
 
 diff --git a/crypto/asymmetric_keys/Kconfig b/crypto/asymmetric_keys/Kconfig
-index 4870f28403f5..4a1b50d73b80 100644
+index e28e912000a7..94024e8aedaa 100644
 --- a/crypto/asymmetric_keys/Kconfig
 +++ b/crypto/asymmetric_keys/Kconfig
-@@ -67,4 +67,12 @@ config SIGNED_PE_FILE_VERIFICATION
+@@ -60,4 +60,12 @@ config SIGNED_PE_FILE_VERIFICATION
  	  This option provides support for verifying the signature(s) on a
  	  signed PE binary.
  
@@ -33,10 +34,11 @@ index 4870f28403f5..4a1b50d73b80 100644
 +
  endif # ASYMMETRIC_KEY_TYPE
 diff --git a/crypto/asymmetric_keys/Makefile b/crypto/asymmetric_keys/Makefile
-index cd1406f9b14a..d9db380bbe53 100644
+index 6516855bec18..c099fe15ed6d 100644
 --- a/crypto/asymmetric_keys/Makefile
 +++ b/crypto/asymmetric_keys/Makefile
-@@ -7,5 +7,6 @@ asymmetric_keys-y := asymmetric_type.o signature.o
+@@ -10,6 +10,7 @@ asymmetric_keys-y := \
+ 	signature.o
  
  obj-$(CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE) += public_key.o
 +obj-$(CONFIG_EFI_SIGNATURE_LIST_PARSER) += efi_parser.o
@@ -45,10 +47,10 @@ index cd1406f9b14a..d9db380bbe53 100644
  # X.509 Certificate handling
 diff --git a/crypto/asymmetric_keys/efi_parser.c b/crypto/asymmetric_keys/efi_parser.c
 new file mode 100644
-index 000000000000..424896a0b169
+index 000000000000..636feb18b733
 --- /dev/null
 +++ b/crypto/asymmetric_keys/efi_parser.c
-@@ -0,0 +1,109 @@
+@@ -0,0 +1,108 @@
 +/* EFI signature/key/certificate list parser
 + *
 + * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved.
@@ -139,8 +141,7 @@ index 000000000000..424896a0b169
 +				esize - sizeof(*elem),
 +				(KEY_POS_ALL & ~KEY_POS_SETATTR) |
 +				KEY_USR_VIEW,
-+				KEY_ALLOC_NOT_IN_QUOTA |
++				KEY_ALLOC_NOT_IN_QUOTA);
-+				KEY_ALLOC_TRUSTED);
 +
 +			if (IS_ERR(key))
 +				pr_err("Problem loading in-kernel X.509 certificate (%ld)\n",
@@ -159,10 +160,10 @@ index 000000000000..424896a0b169
 +	return 0;
 +}
 diff --git a/include/linux/efi.h b/include/linux/efi.h
-index fac43c611614..414c3c3d988d 100644
+index 8c274b4ea8e6..ff1877145aa4 100644
 --- a/include/linux/efi.h
 +++ b/include/linux/efi.h
-@@ -941,6 +941,10 @@ extern bool efi_poweroff_required(void);
+@@ -1044,6 +1044,10 @@ extern int efi_memattr_apply_permissions(struct mm_struct *mm,
  char * __init efi_md_typeattr_format(char *buf, size_t size,
  				     const efi_memory_desc_t *md);
  
@@ -174,5 +175,5 @@ index fac43c611614..414c3c3d988d 100644
   * efi_range_is_wc - check the WC bit on an address range
   * @start: starting kvirt address
 -- 
-2.4.3
+2.5.5
 

MODSIGN-Import-certificates-from-UEFI-Secure-Boot.patch

@@ -1,4 +1,4 @@
-From 2246a781c8dbb1207a0b0abbfae201f998c3954b Mon Sep 17 00:00:00 2001
+From ba2b209daf984514229626803472e0b055832345 Mon Sep 17 00:00:00 2001
 From: Josh Boyer <jwboyer@fedoraproject.org>
 Date: Fri, 26 Oct 2012 12:42:16 -0400
 Subject: [PATCH] MODSIGN: Import certificates from UEFI Secure Boot
@@ -18,18 +18,56 @@ signed with those from loading.
 
 Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
 ---
- include/linux/efi.h   |  6 ++++
+ certs/system_keyring.c        | 13 ++++++
- init/Kconfig          |  9 +++++
+ include/keys/system_keyring.h |  1 +
- kernel/Makefile       |  3 ++
+ include/linux/efi.h           |  6 +++
- kernel/modsign_uefi.c | 92 +++++++++++++++++++++++++++++++++++++++++++++++++++
+ init/Kconfig                  |  9 ++++
- 4 files changed, 110 insertions(+)
+ kernel/Makefile               |  3 ++
+ kernel/modsign_uefi.c         | 99 +++++++++++++++++++++++++++++++++++++++++++
+ 6 files changed, 131 insertions(+)
  create mode 100644 kernel/modsign_uefi.c
 
+diff --git a/certs/system_keyring.c b/certs/system_keyring.c
+index 787eeead2f57..4d9123ed5c07 100644
+--- a/certs/system_keyring.c
++++ b/certs/system_keyring.c
+@@ -30,6 +30,19 @@ extern __initconst const u8 system_certificate_list[];
+ extern __initconst const unsigned long system_certificate_list_size;
+ 
+ /**
++ * get_system_keyring - Return a pointer to the system keyring
++ *
++ */
++struct key *get_system_keyring(void)
++{
++	struct key *system_keyring = NULL;
++
++	system_keyring = builtin_trusted_keys;
++	return system_keyring;
++}
++EXPORT_SYMBOL_GPL(get_system_keyring);
++
++/**
+  * restrict_link_to_builtin_trusted - Restrict keyring addition by built in CA
+  *
+  * Restrict the addition of keys into a keyring based on the key-to-be-added
+diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h
+index 5bc291a3d261..56ff5715ab67 100644
+--- a/include/keys/system_keyring.h
++++ b/include/keys/system_keyring.h
+@@ -36,6 +36,7 @@ extern int restrict_link_by_builtin_and_secondary_trusted(
+ #ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING
+ extern struct key *system_blacklist_keyring;
+ #endif
++extern struct key *get_system_keyring(void);
+ 
+ #ifdef CONFIG_IMA_BLACKLIST_KEYRING
+ extern struct key *ima_blacklist_keyring;
 diff --git a/include/linux/efi.h b/include/linux/efi.h
-index 85ef051ac6fb..a042b2ece788 100644
+index ff1877145aa4..2483de19c719 100644
 --- a/include/linux/efi.h
 +++ b/include/linux/efi.h
-@@ -600,6 +600,12 @@ typedef struct {
+@@ -658,6 +658,12 @@ typedef struct {
  	u64 table;
  } efi_config_table_64_t;
  
@@ -43,10 +81,10 @@ index 85ef051ac6fb..a042b2ece788 100644
  	efi_guid_t guid;
  	u32 table;
 diff --git a/init/Kconfig b/init/Kconfig
-index 02da9f1fd9df..90c73a0564b1 100644
+index e5449d5aeff9..5408c96f6604 100644
 --- a/init/Kconfig
 +++ b/init/Kconfig
-@@ -1924,6 +1924,15 @@ config MODULE_SIG_ALL
+@@ -1979,6 +1979,15 @@ config MODULE_SIG_ALL
  comment "Do not forget to sign required modules with scripts/sign-file"
  	depends on MODULE_SIG_FORCE && !MODULE_SIG_ALL
  
@@ -63,10 +101,10 @@ index 02da9f1fd9df..90c73a0564b1 100644
  	prompt "Which hash algorithm should modules be signed with?"
  	depends on MODULE_SIG
 diff --git a/kernel/Makefile b/kernel/Makefile
-index d4988410b410..55e886239e7e 100644
+index e2ec54e2b952..8dab549985d8 100644
 --- a/kernel/Makefile
 +++ b/kernel/Makefile
-@@ -47,6 +47,7 @@ endif
+@@ -57,6 +57,7 @@ endif
  obj-$(CONFIG_UID16) += uid16.o
  obj-$(CONFIG_MODULES) += module.o
  obj-$(CONFIG_MODULE_SIG) += module_signing.o
@@ -74,7 +112,7 @@ index d4988410b410..55e886239e7e 100644
  obj-$(CONFIG_KALLSYMS) += kallsyms.o
  obj-$(CONFIG_BSD_PROCESS_ACCT) += acct.o
  obj-$(CONFIG_KEXEC_CORE) += kexec_core.o
-@@ -103,6 +104,8 @@ obj-$(CONFIG_TORTURE_TEST) += torture.o
+@@ -113,6 +114,8 @@ obj-$(CONFIG_MEMBARRIER) += membarrier.o
  
  obj-$(CONFIG_HAS_IOMEM) += memremap.o
  
@@ -85,10 +123,10 @@ index d4988410b410..55e886239e7e 100644
  # config_data.h contains the same information as ikconfig.h but gzipped.
 diff --git a/kernel/modsign_uefi.c b/kernel/modsign_uefi.c
 new file mode 100644
-index 000000000000..94b0eb38a284
+index 000000000000..fe4a6f2bf10a
 --- /dev/null
 +++ b/kernel/modsign_uefi.c
-@@ -0,0 +1,92 @@
+@@ -0,0 +1,99 @@
 +#include <linux/kernel.h>
 +#include <linux/sched.h>
 +#include <linux/cred.h>
@@ -139,11 +177,18 @@ index 000000000000..94b0eb38a284
 +	void *db = NULL, *dbx = NULL, *mok = NULL;
 +	unsigned long dbsize = 0, dbxsize = 0, moksize = 0;
 +	int rc = 0;
++	struct key *keyring = NULL;
 +
 +	/* Check if SB is enabled and just return if not */
 +	if (!efi_enabled(EFI_SECURE_BOOT))
 +		return 0;
 +
++	keyring = get_system_keyring();
++	if (!keyring) {
++		pr_err("MODSIGN: Couldn't get system keyring\n");
++		return -EINVAL;
++	}
++
 +	/* Get db, MokListRT, and dbx.  They might not exist, so it isn't
 +	 * an error if we can't get them.
 +	 */
@@ -151,7 +196,7 @@ index 000000000000..94b0eb38a284
 +	if (!db) {
 +		pr_err("MODSIGN: Couldn't get UEFI db list\n");
 +	} else {
-+		rc = parse_efi_signature_list(db, dbsize, system_trusted_keyring);
++		rc = parse_efi_signature_list(db, dbsize, keyring);
 +		if (rc)
 +			pr_err("Couldn't parse db signatures: %d\n", rc);
 +		kfree(db);
@@ -161,7 +206,7 @@ index 000000000000..94b0eb38a284
 +	if (!mok) {
 +		pr_info("MODSIGN: Couldn't get UEFI MokListRT\n");
 +	} else {
-+		rc = parse_efi_signature_list(mok, moksize, system_trusted_keyring);
++		rc = parse_efi_signature_list(mok, moksize, keyring);
 +		if (rc)
 +			pr_err("Couldn't parse MokListRT signatures: %d\n", rc);
 +		kfree(mok);
@@ -182,5 +227,5 @@ index 000000000000..94b0eb38a284
 +}
 +late_initcall(load_uefi_certs);
 -- 
-2.4.3
+2.5.5
 

MODSIGN-Support-not-importing-certs-from-db.patch

@@ -1,7 +1,7 @@
-From d7c9efa4ab647d6ccb617f2504e79a398d56f7d4 Mon Sep 17 00:00:00 2001
+From 7ce860189df19a38176c1510f4e5615bf35495c1 Mon Sep 17 00:00:00 2001
 From: Josh Boyer <jwboyer@fedoraproject.org>
 Date: Thu, 3 Oct 2013 10:14:23 -0400
-Subject: [PATCH 19/20] MODSIGN: Support not importing certs from db
+Subject: [PATCH 2/2] MODSIGN: Support not importing certs from db
 
 If a user tells shim to not use the certs/hashes in the UEFI db variable
 for verification purposes, shim will set a UEFI variable called MokIgnoreDB.
@@ -14,7 +14,7 @@ Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
  1 file changed, 31 insertions(+), 9 deletions(-)
 
 diff --git a/kernel/modsign_uefi.c b/kernel/modsign_uefi.c
-index 94b0eb38a284..ae28b974d49a 100644
+index 03f601a0052c..321c79a3b282 100644
 --- a/kernel/modsign_uefi.c
 +++ b/kernel/modsign_uefi.c
 @@ -8,6 +8,23 @@
@@ -41,16 +41,18 @@ index 94b0eb38a284..ae28b974d49a 100644
  static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid, unsigned long *size)
  {
  	efi_status_t status;
-@@ -47,23 +64,28 @@ static int __init load_uefi_certs(void)
+@@ -47,7 +64,7 @@ static int __init load_uefi_certs(void)
  	efi_guid_t mok_var = EFI_SHIM_LOCK_GUID;
  	void *db = NULL, *dbx = NULL, *mok = NULL;
  	unsigned long dbsize = 0, dbxsize = 0, moksize = 0;
 -	int rc = 0;
 +	int ignore_db, rc = 0;
+ 	struct key *keyring = NULL;
  
  	/* Check if SB is enabled and just return if not */
- 	if (!efi_enabled(EFI_SECURE_BOOT))
+@@ -60,17 +77,22 @@ static int __init load_uefi_certs(void)
- 		return 0;
+ 		return -EINVAL;
+ 	}
  
 +	/* See if the user has setup Ignore DB mode */
 +	ignore_db = check_ignore_db();
@@ -62,7 +64,7 @@ index 94b0eb38a284..ae28b974d49a 100644
 -	if (!db) {
 -		pr_err("MODSIGN: Couldn't get UEFI db list\n");
 -	} else {
--		rc = parse_efi_signature_list(db, dbsize, system_trusted_keyring);
+-		rc = parse_efi_signature_list(db, dbsize, keyring);
 -		if (rc)
 -			pr_err("Couldn't parse db signatures: %d\n", rc);
 -		kfree(db);
@@ -71,7 +73,7 @@ index 94b0eb38a284..ae28b974d49a 100644
 +		if (!db) {
 +			pr_err("MODSIGN: Couldn't get UEFI db list\n");
 +		} else {
-+			rc = parse_efi_signature_list(db, dbsize, system_trusted_keyring);
++			rc = parse_efi_signature_list(db, dbsize, keyring);
 +			if (rc)
 +				pr_err("Couldn't parse db signatures: %d\n", rc);
 +			kfree(db);
@@ -80,5 +82,5 @@ index 94b0eb38a284..ae28b974d49a 100644
  
  	mok = get_cert_list(L"MokListRT", &mok_var, &moksize);
 -- 
-2.4.3
+2.5.5