diff --git a/0001-Make-get_cert_list-not-complain-about-cert-lists-tha.patch b/0001-Make-get_cert_list-not-complain-about-cert-lists-tha.patch index 6e8a2e039..34934a970 100644 --- a/0001-Make-get_cert_list-not-complain-about-cert-lists-tha.patch +++ b/0001-Make-get_cert_list-not-complain-about-cert-lists-tha.patch @@ -6,27 +6,27 @@ Subject: [PATCH 1/3] Make get_cert_list() not complain about cert lists that Signed-off-by: Peter Jones --- - certs/load_uefi.c | 37 ++++++++++++++++++++++--------------- + security/integrity/platform_certs/load_uefi.c | 37 ++++++++++++++++++++++--------------- 1 file changed, 22 insertions(+), 15 deletions(-) -diff --git a/certs/load_uefi.c b/certs/load_uefi.c -index 3d884598601..9ef34c44fd1 100644 ---- a/certs/load_uefi.c -+++ b/certs/load_uefi.c -@@ -35,8 +35,8 @@ static __init bool uefi_check_ignore_db(void) +diff --git a/security/integrity/platform_certs/load_uefi.c b/security/integrity/platform_certs/load_uefi.c +index 81b19c52832b..e188f3ecbce3 100644 +--- a/security/integrity/platform_certs/load_uefi.c ++++ b/security/integrity/platform_certs/load_uefi.c +@@ -38,8 +38,8 @@ static __init bool uefi_check_ignore_db(void) /* * Get a certificate list blob from the named EFI variable. */ -static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid, - unsigned long *size) +static __init int get_cert_list(efi_char16_t *name, efi_guid_t *guid, -+ unsigned long *size, void **cert_list) ++ unsigned long *size , void **cert_list) { efi_status_t status; unsigned long lsize = 4; -@@ -44,26 +44,33 @@ static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid, +@@ -47,24 +47,31 @@ static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid, void *db; - + status = efi.get_variable(name, guid, NULL, &lsize, &tmpdb); + if (status == EFI_NOT_FOUND) { + *size = 0; 
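Review bot: The rebased signature on the new side, `++ unsigned long *size , void **cert_list)`, introduces a stray space before the comma that the original `unsigned long *size, void **cert_list)` did not have; checkpatch will flag it, so the line should stay `unsigned long *size, void **cert_list)`. Separately, the EFI_NOT_FOUND branch carried by this patch sets `*size = 0;` but, as far as the hunk shows, never assigns `*cert_list`, so the callers' later `kfree(mok)` / `kfree(dbx)` (visible in the following hunks) rely on those locals having been NULL-initialised in a declaration that is not in view; adding `*cert_list = NULL;` next to `*size = 0;` makes the "success with no data" contract explicit and removes that dependency. The rest of that branch and the remainder of get_cert_list() fall outside this hunk.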
@@ -39,14 +39,12 @@ index 3d884598601..9ef34c44fd1 100644 - return NULL; + return efi_status_to_err(status); } - + db = kmalloc(lsize, GFP_KERNEL); - if (!db) { - pr_err("Couldn't allocate memory for uefi cert list\n"); + if (!db) - return NULL; + return -ENOMEM; - } - + status = efi.get_variable(name, guid, NULL, &lsize, db); if (status != EFI_SUCCESS) { kfree(db); @@ -54,15 +52,15 @@ index 3d884598601..9ef34c44fd1 100644 - return NULL; + return efi_status_to_err(status); } - + *size = lsize; - return db; + *cert_list = db; + return 0; } - + /* -@@ -152,10 +159,10 @@ static int __init load_uefi_certs(void) +@@ -153,10 +160,10 @@ static int __init load_uefi_certs(void) * an error if we can't get them. */ if (!uefi_check_ignore_db()) { @@ -74,36 +72,33 @@ index 3d884598601..9ef34c44fd1 100644 - } else { + } else if (dbsize != 0) { rc = parse_efi_signature_list("UEFI:db", - db, dbsize, get_handler_for_db); + db, dbsize, get_handler_for_db); if (rc) -@@ -164,10 +171,10 @@ static int __init load_uefi_certs(void) +@@ -166,10 +173,10 @@ static int __init load_uefi_certs(void) } } - + - mok = get_cert_list(L"MokListRT", &mok_var, &moksize); - if (!mok) { + rc = get_cert_list(L"MokListRT", &mok_var, &moksize, &mok); + if (rc < 0) { - pr_info("MODSIGN: Couldn't get UEFI MokListRT\n"); + pr_info("Couldn't get UEFI MokListRT\n"); - } else { + } else if (moksize != 0) { rc = parse_efi_signature_list("UEFI:MokListRT", mok, moksize, get_handler_for_db); if (rc) -@@ -175,10 +182,10 @@ static int __init load_uefi_certs(void) +@@ -177,10 +184,10 @@ static int __init load_uefi_certs(void) kfree(mok); } - + - dbx = get_cert_list(L"dbx", &secure_var, &dbxsize); - if (!dbx) { + rc = get_cert_list(L"dbx", &secure_var, &dbxsize, &dbx); + if (rc < 0) { - pr_info("MODSIGN: Couldn't get UEFI dbx list\n"); + pr_info("Couldn't get UEFI dbx list\n"); - } else { + } else if (dbxsize != 0) { rc = parse_efi_signature_list("UEFI:dbx", dbx, dbxsize, get_handler_for_dbx); --- -2.15.0 - 
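Review bot: In the rebased load_uefi_certs() hunks, `rc = get_cert_list(L"MokListRT", &mok_var, &moksize, &mok);` followed by `if (rc < 0) { pr_info(...); } else if (moksize != 0) {` leaves a negative rc in place when the variable cannot be read, because the error path only logs and the `else if` that would overwrite rc is skipped; the db and dbx blocks have the same shape. If the tail of load_uefi_certs(), which is outside these hunks, returns rc, a list that was merely logged as unreadable would fail the whole loader, contradicting the patch's stated intent of not complaining about absent lists; if it returns a constant, the stale value is only misleading. Resetting it, e.g. `rc = 0;` after each pr_info(), or keeping the fetch result in a separate local, prevents the per-list error from leaking into the aggregate status. The body of load_uefi_certs() starts and ends outside these hunks, so the final return cannot be checked here.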
diff --git a/0003-Make-get_cert_list-use-efi_status_to_str-to-print-er.patch b/0003-Make-get_cert_list-use-efi_status_to_str-to-print-er.patch index abb313a29..ec107ba09 100644 --- a/0003-Make-get_cert_list-use-efi_status_to_str-to-print-er.patch +++ b/0003-Make-get_cert_list-use-efi_status_to_str-to-print-er.patch @@ -6,13 +6,13 @@ Subject: [PATCH 3/3] Make get_cert_list() use efi_status_to_str() to print Signed-off-by: Peter Jones --- - certs/load_uefi.c | 6 ++++-- + security/integrity/platform_certs/load_uefi.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) -diff --git a/certs/load_uefi.c b/certs/load_uefi.c +diff --git a/security/integrity/platform_certs/load_uefi.c b/security/integrity/platform_certs/load_uefi.c index 9ef34c44fd1..13a2826715d 100644 ---- a/certs/load_uefi.c -+++ b/certs/load_uefi.c +--- a/security/integrity/platform_certs/load_uefi.c ++++ b/security/integrity/platform_certs/load_uefi.c @@ -51,7 +51,8 @@ static __init int get_cert_list(efi_char16_t *name, efi_guid_t *guid, } diff --git a/configs/fedora/generic/x86/CONFIG_INTEGRITY_PLATFORM_KEYRING b/configs/fedora/generic/x86/CONFIG_INTEGRITY_PLATFORM_KEYRING new file mode 100644 index 000000000..a7b1b167b --- /dev/null +++ b/configs/fedora/generic/x86/CONFIG_INTEGRITY_PLATFORM_KEYRING @@ -0,0 +1 @@ +CONFIG_INTEGRITY_PLATFORM_KEYRING=y diff --git a/kernel-i686-debug.config b/kernel-i686-debug.config index 76db5502b..8f5ba86bd 100644 --- a/kernel-i686-debug.config +++ b/kernel-i686-debug.config @@ -2335,7 +2335,7 @@ CONFIG_INT3406_THERMAL=m CONFIG_INT340X_THERMAL=m CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y CONFIG_INTEGRITY_AUDIT=y -# CONFIG_INTEGRITY_PLATFORM_KEYRING is not set +CONFIG_INTEGRITY_PLATFORM_KEYRING=y CONFIG_INTEGRITY_SIGNATURE=y CONFIG_INTEGRITY=y CONFIG_INTEL_ATOMISP2_PM=m diff --git a/kernel-i686.config b/kernel-i686.config index 0cb061eb4..1d65fe70d 100644 --- a/kernel-i686.config +++ b/kernel-i686.config 
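Review bot: Setting `CONFIG_INTEGRITY_PLATFORM_KEYRING=y` (the new configs/fedora/generic/x86/CONFIG_INTEGRITY_PLATFORM_KEYRING file, mirrored in the kernel-*.config hunks) hands the UEFI db/dbx/MokListRT import to the upstream security/integrity/platform_certs code that the rebased patches now target, while the kernel.spec hunk drops the MODSIGN-Import-certificates-from-UEFI-Secure-Boot.patch and its two siblings. Presumably the upstream code places those certificates on the .platform keyring, which may not be the keyring the dropped patches fed, so whether module signature verification still sees MokListRT-enrolled keys after this change cannot be judged from this diff and is worth stating in the spec comment, which still reads `# bz 1497559 - Make kernel MODSIGN code not error on missing variables`. The option is only added under generic/x86 here, so any non-x86 UEFI configuration built from this spec would not pick it up.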
@@ -2317,7 +2317,7 @@ CONFIG_INT3406_THERMAL=m CONFIG_INT340X_THERMAL=m CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y CONFIG_INTEGRITY_AUDIT=y -# CONFIG_INTEGRITY_PLATFORM_KEYRING is not set +CONFIG_INTEGRITY_PLATFORM_KEYRING=y CONFIG_INTEGRITY_SIGNATURE=y CONFIG_INTEGRITY=y CONFIG_INTEL_ATOMISP2_PM=m diff --git a/kernel-x86_64-debug.config b/kernel-x86_64-debug.config index 5c4802c19..874f87271 100644 --- a/kernel-x86_64-debug.config +++ b/kernel-x86_64-debug.config @@ -2380,7 +2380,7 @@ CONFIG_INT3406_THERMAL=m CONFIG_INT340X_THERMAL=m CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y CONFIG_INTEGRITY_AUDIT=y -# CONFIG_INTEGRITY_PLATFORM_KEYRING is not set +CONFIG_INTEGRITY_PLATFORM_KEYRING=y CONFIG_INTEGRITY_SIGNATURE=y CONFIG_INTEGRITY=y CONFIG_INTEL_ATOMISP2_PM=m diff --git a/kernel-x86_64.config b/kernel-x86_64.config index 42ea7e2cb..eccb4dc9e 100644 --- a/kernel-x86_64.config +++ b/kernel-x86_64.config @@ -2362,7 +2362,7 @@ CONFIG_INT3406_THERMAL=m CONFIG_INT340X_THERMAL=m CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y CONFIG_INTEGRITY_AUDIT=y -# CONFIG_INTEGRITY_PLATFORM_KEYRING is not set +CONFIG_INTEGRITY_PLATFORM_KEYRING=y CONFIG_INTEGRITY_SIGNATURE=y CONFIG_INTEGRITY=y CONFIG_INTEL_ATOMISP2_PM=m diff --git a/kernel.spec b/kernel.spec index 649642aea..970713213 100644 --- a/kernel.spec +++ b/kernel.spec @@ -544,12 +544,6 @@ Patch201: efi-lockdown.patch Patch202: KEYS-Allow-unrestricted-boot-time-addition-of-keys-t.patch -Patch204: Add-an-EFI-signature-blob-parser-and-key-loader.patch - -Patch205: MODSIGN-Import-certificates-from-UEFI-Secure-Boot.patch - -Patch206: MODSIGN-Support-not-importing-certs-from-db.patch - # bz 1497559 - Make kernel MODSIGN code not error on missing variables Patch207: 0001-Make-get_cert_list-not-complain-about-cert-lists-tha.patch Patch208: 0002-Add-efi_status_to_str-and-rework-efi_status_to_err.patch 
@@ -1878,6 +1872,9 @@ fi # # %changelog +* Mon Jan 07 2019 Justin M. Forbes +- Updates for secure boot + * Mon Jan 07 2019 Laura Abbott - 5.0.0-0.rc1.git0.1 - Linux v5.0-rc1