From 9d22d52e0c341a88c748e8a1fd24ab35ede3ea60 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Thu, 3 Oct 2013 16:44:55 -0400 Subject: [PATCH] Add patch to support not importing certs from db --- kernel.spec | 3 ++ modsign-uefi.patch | 117 ++++++++++++++++++++++++++++++++++++++------- 2 files changed, 104 insertions(+), 16 deletions(-) diff --git a/kernel.spec b/kernel.spec index 6c3aab456..db62f5696 100644 --- a/kernel.spec +++ b/kernel.spec @@ -2252,6 +2252,9 @@ fi # ||----w | # || || %changelog +* Thu Oct 03 2013 Josh Boyer +- Add patch to support not importing certs from db + * Thu Oct 03 2013 Kyle McMartin - Add config-no-extra and disable with_extra on ARM and AArch64 to reduce time building untestable code (because the hardware doesn't exist, or it diff --git a/modsign-uefi.patch b/modsign-uefi.patch index 4002500ce..17009c196 100644 --- a/modsign-uefi.patch +++ b/modsign-uefi.patch @@ -1,7 +1,7 @@ -From 725d7e7fb9ca1065102e640cf8af606169e63075 Mon Sep 17 00:00:00 2001 +From 0a5e59dd7a921f20d77b13aa4e01392086ddbd12 Mon Sep 17 00:00:00 2001 From: Dave Howells Date: Tue, 23 Oct 2012 09:30:54 -0400 -Subject: [PATCH 1/4] Add EFI signature data types +Subject: [PATCH 1/5] Add EFI signature data types Add the data types that are used for containing hashes, keys and certificates for cryptographic verification. @@ -53,10 +53,10 @@ index eed2202..1da1b3c 100644 1.8.3.1 -From f204253a34b477c5d68df711326a694b58e51c76 Mon Sep 17 00:00:00 2001 +From 8b75428a7e1813cd3bc225a959e63d67898e4808 Mon Sep 17 00:00:00 2001 From: Dave Howells Date: Tue, 23 Oct 2012 09:36:28 -0400 -Subject: [PATCH 2/4] Add an EFI signature blob parser and key loader. +Subject: [PATCH 2/5] Add an EFI signature blob parser and key loader. X.509 certificates are loaded into the specified keyring as asymmetric type keys. 
@@ -233,10 +233,10 @@ index 1da1b3c..42a1d25 100644 1.8.3.1 -From cebc8870a8f0b97b2585a07d9957ead0f21cdc8a Mon Sep 17 00:00:00 2001 +From 920108c0f9cc5854dd329a5dfc904e91d40a4b26 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Fri, 26 Oct 2012 12:36:24 -0400 -Subject: [PATCH 3/4] KEYS: Add a system blacklist keyring +Subject: [PATCH 3/5] KEYS: Add a system blacklist keyring This adds an additional keyring that is used to store certificates that are blacklisted. This keyring is searched first when loading signed modules @@ -267,10 +267,10 @@ index 8dabc39..e466de1 100644 #endif /* _KEYS_SYSTEM_KEYRING_H */ diff --git a/init/Kconfig b/init/Kconfig -index 9f3cfdc..547f617 100644 +index 0ff5407..ba76e57 100644 --- a/init/Kconfig +++ b/init/Kconfig -@@ -1676,6 +1676,15 @@ config SYSTEM_TRUSTED_KEYRING +@@ -1680,6 +1680,15 @@ config SYSTEM_TRUSTED_KEYRING Keys in this keyring are used by module signature checking. @@ -285,7 +285,7 @@ index 9f3cfdc..547f617 100644 + menuconfig MODULES bool "Enable loadable module support" - help + option modules diff --git a/kernel/module_signing.c b/kernel/module_signing.c index 0b6b870..0a29b40 100644 --- a/kernel/module_signing.c @@ -310,7 +310,7 @@ index 0b6b870..0a29b40 100644 &key_type_asymmetric, id); if (IS_ERR(key)) diff --git a/kernel/system_keyring.c b/kernel/system_keyring.c -index 4ca7072..b19cc6e 100644 +index 564dd93..389b50d 100644 --- a/kernel/system_keyring.c +++ b/kernel/system_keyring.c @@ -20,6 +20,9 @@ @@ -348,10 +348,10 @@ index 4ca7072..b19cc6e 100644 1.8.3.1 -From aa4f39ac51f8b9f589c13766e5e32a5b7794ed68 Mon Sep 17 00:00:00 2001 +From 69dca9998380c1931227a01205cdf23c34509753 Mon Sep 17 00:00:00 2001 
From: Josh Boyer Date: Fri, 26 Oct 2012 12:42:16 -0400 -Subject: [PATCH 4/4] MODSIGN: Import certificates from UEFI Secure Boot +Subject: [PATCH 4/5] MODSIGN: Import certificates from UEFI Secure Boot Secure Boot stores a list of allowed certificates in the 'db' variable. This imports those certificates into the system trusted keyring. This @@ -393,10 +393,10 @@ index 42a1d25..d3e6036 100644 efi_guid_t guid; u64 table; diff --git a/init/Kconfig b/init/Kconfig -index 547f617..8e943bf 100644 +index ba76e57..b09cd98 100644 --- a/init/Kconfig +++ b/init/Kconfig -@@ -1794,6 +1794,15 @@ config MODULE_SIG_ALL +@@ -1799,6 +1799,15 @@ config MODULE_SIG_ALL comment "Do not forget to sign required modules with scripts/sign-file" depends on MODULE_SIG_FORCE && !MODULE_SIG_ALL @@ -413,10 +413,10 @@ index 547f617..8e943bf 100644 prompt "Which hash algorithm should modules be signed with?" depends on MODULE_SIG diff --git a/kernel/Makefile b/kernel/Makefile -index 1ff5e3b..f9b9998 100644 +index 6313698..cb35a89 100644 --- a/kernel/Makefile +++ b/kernel/Makefile -@@ -56,6 +56,7 @@ obj-$(CONFIG_UID16) += uid16.o +@@ -57,6 +57,7 @@ obj-$(CONFIG_UID16) += uid16.o obj-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += system_keyring.o system_certificates.o obj-$(CONFIG_MODULES) += module.o obj-$(CONFIG_MODULE_SIG) += module_signing.o 
@@ -534,3 +534,88 @@ index 0000000..94b0eb3 -- 1.8.3.1 + +From c8e6d256ddfa2182d5b011a4ab70f8c5c9b2b590 Mon Sep 17 00:00:00 2001 +From: Josh Boyer +Date: Thu, 3 Oct 2013 10:14:23 -0400 +Subject: [PATCH 5/5] MODSIGN: Support not importing certs from db + +If a user tells shim to not use the certs/hashes in the UEFI db variable +for verification purposes, shim will set a UEFI variable called MokIgnoreDB. +Have the uefi import code look for this and not import things from the db +variable. + +Signed-off-by: Josh Boyer +--- + kernel/modsign_uefi.c | 40 +++++++++++++++++++++++++++++++--------- + 1 file changed, 31 insertions(+), 9 deletions(-) + +diff --git a/kernel/modsign_uefi.c b/kernel/modsign_uefi.c +index 94b0eb3..ae28b97 100644 +--- a/kernel/modsign_uefi.c ++++ b/kernel/modsign_uefi.c +@@ -8,6 +8,23 @@ + #include + #include "module-internal.h" + ++static __init int check_ignore_db(void) ++{ ++ efi_status_t status; ++ unsigned int db = 0; ++ unsigned long size = sizeof(db); ++ efi_guid_t guid = EFI_SHIM_LOCK_GUID; ++ ++ /* Check and see if the MokIgnoreDB variable exists. If that fails ++ * then we don't ignore DB. If it succeeds, we do. ++ */ ++ status = efi.get_variable(L"MokIgnoreDB", &guid, NULL, &size, &db); ++ if (status != EFI_SUCCESS) ++ return 0; ++ ++ return 1; ++} ++ + static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid, unsigned long *size) + { + efi_status_t status; +@@ -47,23 +64,28 @@ static int __init load_uefi_certs(void) + efi_guid_t mok_var = EFI_SHIM_LOCK_GUID; + void *db = NULL, *dbx = NULL, *mok = NULL; + unsigned long dbsize = 0, dbxsize = 0, moksize = 0; +- int rc = 0; ++ int ignore_db, rc = 0; + + /* Check if SB is enabled and just return if not */ + if (!efi_enabled(EFI_SECURE_BOOT)) + return 0; + ++ /* See if the user has setup Ignore DB mode */ ++ ignore_db = check_ignore_db(); ++ + /* Get db, MokListRT, and dbx. They might not exist, so it isn't + * an error if we can't get them. 
+ */
+- db = get_cert_list(L"db", &secure_var, &dbsize);
+- if (!db) {
+- pr_err("MODSIGN: Couldn't get UEFI db list\n");
+- } else {
+- rc = parse_efi_signature_list(db, dbsize, system_trusted_keyring);
+- if (rc)
+- pr_err("Couldn't parse db signatures: %d\n", rc);
+- kfree(db);
++ if (!ignore_db) {
++ db = get_cert_list(L"db", &secure_var, &dbsize);
++ if (!db) {
++ pr_err("MODSIGN: Couldn't get UEFI db list\n");
++ } else {
++ rc = parse_efi_signature_list(db, dbsize, system_trusted_keyring);
++ if (rc)
++ pr_err("Couldn't parse db signatures: %d\n", rc);
++ kfree(db);
++ }
+ }
+
+ mok = get_cert_list(L"MokListRT", &mok_var, &moksize);
+--
+1.8.3.1
+
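Review bot: check_ignore_db() in the first inner hunk treats "ignore db" as get_variable() returning EFI_SUCCESS into a 4-byte buffer (size = sizeof(db), db an unsigned int), so a MokIgnoreDB variable larger than that fails with EFI_BUFFER_TOO_SMALL and the code silently falls back to importing db, the opposite of what the user told shim. Since the value read into db is never examined, presence is the only signal that matters; test for it with `if (status != EFI_SUCCESS && status != EFI_BUFFER_TOO_SMALL) return 0;` and make that explicit in the comment, e.g. `/* Only the variable's existence matters; its contents are ignored. */`. It would also be worth passing an attributes pointer instead of NULL and rejecting a copy with EFI_VARIABLE_NON_VOLATILE set, on the assumption that shim exports MokIgnoreDB only for the current boot and a persisted copy was written by something else — confirm against shim before relying on that. The failure direction here is benign from a trust standpoint: honouring a spurious MokIgnoreDB only shrinks the set of keys loaded into system_trusted_keyring (db-signed modules stop loading), it cannot add trust. load_uefi_certs() continues past the end of the hunk.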