--- /dev/null
+From 9ddc7622c50ee4afa7edfa64dc74ef2f73feabec Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Jan 2021 13:10:53 -0500
+Subject: certs: Add ability to preload revocation certs
+
+From: Eric Snowberg <eric.snowberg@oracle.com>
+
+[ Upstream commit d1f044103dad70c1cec0a8f3abdf00834fec8b98 ]
+
+Add a new Kconfig option called SYSTEM_REVOCATION_KEYS. If set,
+this option should be the filename of a PEM-formated file containing
+X.509 certificates to be included in the default blacklist keyring.
+
+DH Changes:
+ - Make the new Kconfig option depend on SYSTEM_REVOCATION_LIST.
+ - Fix SYSTEM_REVOCATION_KEYS=n, but CONFIG_SYSTEM_REVOCATION_LIST=y[1][2].
+ - Use CONFIG_SYSTEM_REVOCATION_LIST for extract-cert[3].
+ - Use CONFIG_SYSTEM_REVOCATION_LIST for revocation_certificates.o[3].
+
+Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
+Acked-by: Jarkko Sakkinen <jarkko@kernel.org>
+Signed-off-by: David Howells <dhowells@redhat.com>
+cc: Randy Dunlap <rdunlap@infradead.org>
+cc: keyrings@vger.kernel.org
+Link: https://lore.kernel.org/r/e1c15c74-82ce-3a69-44de-a33af9b320ea@infradead.org/ [1]
+Link: https://lore.kernel.org/r/20210303034418.106762-1-eric.snowberg@oracle.com/ [2]
+Link: https://lore.kernel.org/r/20210304175030.184131-1-eric.snowberg@oracle.com/ [3]
+Link: https://lore.kernel.org/r/20200930201508.35113-3-eric.snowberg@oracle.com/
+Link: https://lore.kernel.org/r/20210122181054.32635-4-eric.snowberg@oracle.com/ # v5
+Link: https://lore.kernel.org/r/161428673564.677100.4112098280028451629.stgit@warthog.procyon.org.uk/
+Link: https://lore.kernel.org/r/161433312452.902181.4146169951896577982.stgit@warthog.procyon.org.uk/ # v2
+Link: https://lore.kernel.org/r/161529606657.163428.3340689182456495390.stgit@warthog.procyon.org.uk/ # v3
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ certs/Kconfig | 8 ++++++++
+ certs/Makefile | 19 +++++++++++++++++--
+ certs/blacklist.c | 21 +++++++++++++++++++++
+ certs/revocation_certificates.S | 21 +++++++++++++++++++++
+ scripts/Makefile | 1 +
+ 5 files changed, 68 insertions(+), 2 deletions(-)
+ create mode 100644 certs/revocation_certificates.S
+
+diff --git a/certs/Kconfig b/certs/Kconfig
+index 76e469b56a77..ab88d2a7f3c7 100644
+--- a/certs/Kconfig
++++ b/certs/Kconfig
+@@ -92,4 +92,12 @@ config SYSTEM_REVOCATION_LIST
+ blacklist keyring and implements a hook whereby a PKCS#7 message can
+ be checked to see if it matches such a certificate.
+
++config SYSTEM_REVOCATION_KEYS
++ string "X.509 certificates to be preloaded into the system blacklist keyring"
++ depends on SYSTEM_REVOCATION_LIST
++ help
++ If set, this option should be the filename of a PEM-formatted file
++ containing X.509 certificates to be included in the default blacklist
++ keyring.
++
+ endmenu
+diff --git a/certs/Makefile b/certs/Makefile
+index f4b90bad8690..b6db52ebf0be 100644
+--- a/certs/Makefile
++++ b/certs/Makefile
+@@ -4,7 +4,8 @@
+ #
+
+ obj-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += system_keyring.o system_certificates.o common.o
+-obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist.o
++obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist.o common.o
++obj-$(CONFIG_SYSTEM_REVOCATION_LIST) += revocation_certificates.o
+ ifneq ($(CONFIG_SYSTEM_BLACKLIST_HASH_LIST),"")
+ obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist_hashes.o
+ else
+@@ -29,7 +30,7 @@ $(obj)/x509_certificate_list: scripts/extract-cert $(SYSTEM_TRUSTED_KEYS_SRCPREF
+ $(call if_changed,extract_certs,$(SYSTEM_TRUSTED_KEYS_SRCPREFIX)$(CONFIG_SYSTEM_TRUSTED_KEYS))
+ endif # CONFIG_SYSTEM_TRUSTED_KEYRING
+
+-clean-files := x509_certificate_list .x509.list
++clean-files := x509_certificate_list .x509.list x509_revocation_list
+
+ ifeq ($(CONFIG_MODULE_SIG),y)
+ ###############################################################################
+@@ -104,3 +105,17 @@ targets += signing_key.x509
+ $(obj)/signing_key.x509: scripts/extract-cert $(X509_DEP) FORCE
+ $(call if_changed,extract_certs,$(MODULE_SIG_KEY_SRCPREFIX)$(CONFIG_MODULE_SIG_KEY))
+ endif # CONFIG_MODULE_SIG
++
++ifeq ($(CONFIG_SYSTEM_REVOCATION_LIST),y)
++
++$(eval $(call config_filename,SYSTEM_REVOCATION_KEYS))
++
++$(obj)/revocation_certificates.o: $(obj)/x509_revocation_list
++
++quiet_cmd_extract_certs = EXTRACT_CERTS $(patsubst "%",%,$(2))
++ cmd_extract_certs = scripts/extract-cert $(2) $@
++
++targets += x509_revocation_list
++$(obj)/x509_revocation_list: scripts/extract-cert $(SYSTEM_REVOCATION_KEYS_SRCPREFIX)$(SYSTEM_REVOCATION_KEYS_FILENAME) FORCE
++ $(call if_changed,extract_certs,$(SYSTEM_REVOCATION_KEYS_SRCPREFIX)$(CONFIG_SYSTEM_REVOCATION_KEYS))
++endif
+diff --git a/certs/blacklist.c b/certs/blacklist.c
+index 59b2f106b294..c973de883cf0 100644
+--- a/certs/blacklist.c
++++ b/certs/blacklist.c
+@@ -16,9 +16,15 @@
+ #include <linux/seq_file.h>
+ #include <keys/system_keyring.h>
+ #include "blacklist.h"
++#include "common.h"
+
+ static struct key *blacklist_keyring;
+
++#ifdef CONFIG_SYSTEM_REVOCATION_LIST
++extern __initconst const u8 revocation_certificate_list[];
++extern __initconst const unsigned long revocation_certificate_list_size;
++#endif
++
+ /*
+ * The description must be a type prefix, a colon and then an even number of
+ * hex digits. The hash is kept in the description.
+@@ -220,3 +226,18 @@ static int __init blacklist_init(void)
+ * Must be initialised before we try and load the keys into the keyring.
+ */
+ device_initcall(blacklist_init);
++
++#ifdef CONFIG_SYSTEM_REVOCATION_LIST
++/*
++ * Load the compiled-in list of revocation X.509 certificates.
++ */
++static __init int load_revocation_certificate_list(void)
++{
++ if (revocation_certificate_list_size)
++ pr_notice("Loading compiled-in revocation X.509 certificates\n");
++
++ return load_certificate_list(revocation_certificate_list, revocation_certificate_list_size,
++ blacklist_keyring);
++}
++late_initcall(load_revocation_certificate_list);
++#endif
+diff --git a/certs/revocation_certificates.S b/certs/revocation_certificates.S
+new file mode 100644
+index 000000000000..f21aae8a8f0e
+--- /dev/null
++++ b/certs/revocation_certificates.S
+@@ -0,0 +1,21 @@
++/* SPDX-License-Identifier: GPL-2.0 */
++#include <linux/export.h>
++#include <linux/init.h>
++
++ __INITRODATA
++
++ .align 8
++ .globl revocation_certificate_list
++revocation_certificate_list:
++__revocation_list_start:
++ .incbin "certs/x509_revocation_list"
++__revocation_list_end:
++
++ .align 8
++ .globl revocation_certificate_list_size
++revocation_certificate_list_size:
++#ifdef CONFIG_64BIT
++ .quad __revocation_list_end - __revocation_list_start
++#else
++ .long __revocation_list_end - __revocation_list_start
++#endif
+diff --git a/scripts/Makefile b/scripts/Makefile
+index c36106bce80e..9adb6d247818 100644
+--- a/scripts/Makefile
++++ b/scripts/Makefile
+@@ -14,6 +14,7 @@ hostprogs-always-$(CONFIG_ASN1) += asn1_compiler
+ hostprogs-always-$(CONFIG_MODULE_SIG_FORMAT) += sign-file
+ hostprogs-always-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += extract-cert
+ hostprogs-always-$(CONFIG_SYSTEM_EXTRA_CERTIFICATE) += insert-sys-cert
++hostprogs-always-$(CONFIG_SYSTEM_REVOCATION_LIST) += extract-cert
+
+ HOSTCFLAGS_sorttable.o = -I$(srctree)/tools/include
+ HOSTCFLAGS_asn1_compiler.o = -I$(srctree)/include
+--
+2.30.2
+
--- /dev/null
+From af1e14eb85cb3be32c5fce850e9a04516cd709d9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Jan 2021 13:10:51 -0500
+Subject: certs: Add EFI_CERT_X509_GUID support for dbx entries
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Eric Snowberg <eric.snowberg@oracle.com>
+
+[ Upstream commit 56c5812623f95313f6a46fbf0beee7fa17c68bbf ]
+
+This fixes CVE-2020-26541.
+
+The Secure Boot Forbidden Signature Database, dbx, contains a list of now
+revoked signatures and keys previously approved to boot with UEFI Secure
+Boot enabled. The dbx is capable of containing any number of
+EFI_CERT_X509_SHA256_GUID, EFI_CERT_SHA256_GUID, and EFI_CERT_X509_GUID
+entries.
+
+Currently when EFI_CERT_X509_GUID are contained in the dbx, the entries are
+skipped.
+
+Add support for EFI_CERT_X509_GUID dbx entries. When a EFI_CERT_X509_GUID
+is found, it is added as an asymmetrical key to the .blacklist keyring.
+Anytime the .platform keyring is used, the keys in the .blacklist keyring
+are referenced, if a matching key is found, the key will be rejected.
+
+[DH: Made the following changes:
+ - Added to have a config option to enable the facility. This allows a
+ Kconfig solution to make sure that pkcs7_validate_trust() is
+ enabled.[1][2]
+ - Moved the functions out from the middle of the blacklist functions.
+ - Added kerneldoc comments.]
+
+Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
+cc: Randy Dunlap <rdunlap@infradead.org>
+cc: Mickaël Salaün <mic@digikod.net>
+cc: Arnd Bergmann <arnd@kernel.org>
+cc: keyrings@vger.kernel.org
+Link: https://lore.kernel.org/r/20200901165143.10295-1-eric.snowberg@oracle.com/ # rfc
+Link: https://lore.kernel.org/r/20200909172736.73003-1-eric.snowberg@oracle.com/ # v2
+Link: https://lore.kernel.org/r/20200911182230.62266-1-eric.snowberg@oracle.com/ # v3
+Link: https://lore.kernel.org/r/20200916004927.64276-1-eric.snowberg@oracle.com/ # v4
+Link: https://lore.kernel.org/r/20210122181054.32635-2-eric.snowberg@oracle.com/ # v5
+Link: https://lore.kernel.org/r/161428672051.677100.11064981943343605138.stgit@warthog.procyon.org.uk/
+Link: https://lore.kernel.org/r/161433310942.902181.4901864302675874242.stgit@warthog.procyon.org.uk/ # v2
+Link: https://lore.kernel.org/r/161529605075.163428.14625520893961300757.stgit@warthog.procyon.org.uk/ # v3
+Link: https://lore.kernel.org/r/bc2c24e3-ed68-2521-0bf4-a1f6be4a895d@infradead.org/ [1]
+Link: https://lore.kernel.org/r/20210225125638.1841436-1-arnd@kernel.org/ [2]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ certs/Kconfig | 9 ++++
+ certs/blacklist.c | 43 +++++++++++++++++++
+ certs/blacklist.h | 2 +
+ certs/system_keyring.c | 6 +++
+ include/keys/system_keyring.h | 15 +++++++
+ .../platform_certs/keyring_handler.c | 11 +++++
+ 6 files changed, 86 insertions(+)
+
+diff --git a/certs/Kconfig b/certs/Kconfig
+index c94e93d8bccf..76e469b56a77 100644
+--- a/certs/Kconfig
++++ b/certs/Kconfig
+@@ -83,4 +83,13 @@ config SYSTEM_BLACKLIST_HASH_LIST
+ wrapper to incorporate the list into the kernel. Each <hash> should
+ be a string of hex digits.
+
++config SYSTEM_REVOCATION_LIST
++ bool "Provide system-wide ring of revocation certificates"
++ depends on SYSTEM_BLACKLIST_KEYRING
++ depends on PKCS7_MESSAGE_PARSER=y
++ help
++ If set, this allows revocation certificates to be stored in the
++ blacklist keyring and implements a hook whereby a PKCS#7 message can
++ be checked to see if it matches such a certificate.
++
+ endmenu
+diff --git a/certs/blacklist.c b/certs/blacklist.c
+index f1c434b04b5e..59b2f106b294 100644
+--- a/certs/blacklist.c
++++ b/certs/blacklist.c
+@@ -144,6 +144,49 @@ int is_binary_blacklisted(const u8 *hash, size_t hash_len)
+ }
+ EXPORT_SYMBOL_GPL(is_binary_blacklisted);
+
++#ifdef CONFIG_SYSTEM_REVOCATION_LIST
++/**
++ * add_key_to_revocation_list - Add a revocation certificate to the blacklist
++ * @data: The data blob containing the certificate
++ * @size: The size of data blob
++ */
++int add_key_to_revocation_list(const char *data, size_t size)
++{
++ key_ref_t key;
++
++ key = key_create_or_update(make_key_ref(blacklist_keyring, true),
++ "asymmetric",
++ NULL,
++ data,
++ size,
++ ((KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_VIEW),
++ KEY_ALLOC_NOT_IN_QUOTA | KEY_ALLOC_BUILT_IN);
++
++ if (IS_ERR(key)) {
++ pr_err("Problem with revocation key (%ld)\n", PTR_ERR(key));
++ return PTR_ERR(key);
++ }
++
++ return 0;
++}
++
++/**
++ * is_key_on_revocation_list - Determine if the key for a PKCS#7 message is revoked
++ * @pkcs7: The PKCS#7 message to check
++ */
++int is_key_on_revocation_list(struct pkcs7_message *pkcs7)
++{
++ int ret;
++
++ ret = pkcs7_validate_trust(pkcs7, blacklist_keyring);
++
++ if (ret == 0)
++ return -EKEYREJECTED;
++
++ return -ENOKEY;
++}
++#endif
++
+ /*
+ * Initialise the blacklist
+ */
+diff --git a/certs/blacklist.h b/certs/blacklist.h
+index 1efd6fa0dc60..51b320cf8574 100644
+--- a/certs/blacklist.h
++++ b/certs/blacklist.h
+@@ -1,3 +1,5 @@
+ #include <linux/kernel.h>
++#include <linux/errno.h>
++#include <crypto/pkcs7.h>
+
+ extern const char __initconst *const blacklist_hashes[];
+diff --git a/certs/system_keyring.c b/certs/system_keyring.c
+index 798291177186..cc165b359ea3 100644
+--- a/certs/system_keyring.c
++++ b/certs/system_keyring.c
+@@ -241,6 +241,12 @@ int verify_pkcs7_message_sig(const void *data, size_t len,
+ pr_devel("PKCS#7 platform keyring is not available\n");
+ goto error;
+ }
++
++ ret = is_key_on_revocation_list(pkcs7);
++ if (ret != -ENOKEY) {
++ pr_devel("PKCS#7 platform key is on revocation list\n");
++ goto error;
++ }
+ }
+ ret = pkcs7_validate_trust(pkcs7, trusted_keys);
+ if (ret < 0) {
+diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h
+index fb8b07daa9d1..875e002a4180 100644
+--- a/include/keys/system_keyring.h
++++ b/include/keys/system_keyring.h
+@@ -31,6 +31,7 @@ extern int restrict_link_by_builtin_and_secondary_trusted(
+ #define restrict_link_by_builtin_and_secondary_trusted restrict_link_by_builtin_trusted
+ #endif
+
++extern struct pkcs7_message *pkcs7;
+ #ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING
+ extern int mark_hash_blacklisted(const char *hash);
+ extern int is_hash_blacklisted(const u8 *hash, size_t hash_len,
+@@ -49,6 +50,20 @@ static inline int is_binary_blacklisted(const u8 *hash, size_t hash_len)
+ }
+ #endif
+
++#ifdef CONFIG_SYSTEM_REVOCATION_LIST
++extern int add_key_to_revocation_list(const char *data, size_t size);
++extern int is_key_on_revocation_list(struct pkcs7_message *pkcs7);
++#else
++static inline int add_key_to_revocation_list(const char *data, size_t size)
++{
++ return 0;
++}
++static inline int is_key_on_revocation_list(struct pkcs7_message *pkcs7)
++{
++ return -ENOKEY;
++}
++#endif
++
+ #ifdef CONFIG_IMA_BLACKLIST_KEYRING
+ extern struct key *ima_blacklist_keyring;
+
+diff --git a/security/integrity/platform_certs/keyring_handler.c b/security/integrity/platform_certs/keyring_handler.c
+index c5ba695c10e3..5604bd57c990 100644
+--- a/security/integrity/platform_certs/keyring_handler.c
++++ b/security/integrity/platform_certs/keyring_handler.c
+@@ -55,6 +55,15 @@ static __init void uefi_blacklist_binary(const char *source,
+ uefi_blacklist_hash(source, data, len, "bin:", 4);
+ }
+
++/*
++ * Add an X509 cert to the revocation list.
++ */
++static __init void uefi_revocation_list_x509(const char *source,
++ const void *data, size_t len)
++{
++ add_key_to_revocation_list(data, len);
++}
++
+ /*
+ * Return the appropriate handler for particular signature list types found in
+ * the UEFI db and MokListRT tables.
+@@ -76,5 +85,7 @@ __init efi_element_handler_t get_handler_for_dbx(const efi_guid_t *sig_type)
+ return uefi_blacklist_x509_tbs;
+ if (efi_guidcmp(*sig_type, efi_cert_sha256_guid) == 0)
+ return uefi_blacklist_binary;
++ if (efi_guidcmp(*sig_type, efi_cert_x509_guid) == 0)
++ return uefi_revocation_list_x509;
+ return 0;
+ }
+--
+2.30.2
+
--- /dev/null
+From 33b3585127b774a81e7b82a221bf0422283f9978 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Jan 2021 13:10:52 -0500
+Subject: certs: Move load_system_certificate_list to a common function
+
+From: Eric Snowberg <eric.snowberg@oracle.com>
+
+[ Upstream commit 2565ca7f5ec1a98d51eea8860c4ab923f1ca2c85 ]
+
+Move functionality within load_system_certificate_list to a common
+function, so it can be reused in the future.
+
+DH Changes:
+ - Added inclusion of common.h to common.c (Eric [1]).
+
+Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
+Acked-by: Jarkko Sakkinen <jarkko@kernel.org>
+Signed-off-by: David Howells <dhowells@redhat.com>
+cc: keyrings@vger.kernel.org
+Link: https://lore.kernel.org/r/EDA280F9-F72D-4181-93C7-CDBE95976FF7@oracle.com/ [1]
+Link: https://lore.kernel.org/r/20200930201508.35113-2-eric.snowberg@oracle.com/
+Link: https://lore.kernel.org/r/20210122181054.32635-3-eric.snowberg@oracle.com/ # v5
+Link: https://lore.kernel.org/r/161428672825.677100.7545516389752262918.stgit@warthog.procyon.org.uk/
+Link: https://lore.kernel.org/r/161433311696.902181.3599366124784670368.stgit@warthog.procyon.org.uk/ # v2
+Link: https://lore.kernel.org/r/161529605850.163428.7786675680201528556.stgit@warthog.procyon.org.uk/ # v3
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ certs/Makefile | 2 +-
+ certs/common.c | 57 ++++++++++++++++++++++++++++++++++++++++++
+ certs/common.h | 9 +++++++
+ certs/system_keyring.c | 49 +++---------------------------------
+ 4 files changed, 70 insertions(+), 47 deletions(-)
+ create mode 100644 certs/common.c
+ create mode 100644 certs/common.h
+
+diff --git a/certs/Makefile b/certs/Makefile
+index f4c25b67aad9..f4b90bad8690 100644
+--- a/certs/Makefile
++++ b/certs/Makefile
+@@ -3,7 +3,7 @@
+ # Makefile for the linux kernel signature checking certificates.
+ #
+
+-obj-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += system_keyring.o system_certificates.o
++obj-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += system_keyring.o system_certificates.o common.o
+ obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist.o
+ ifneq ($(CONFIG_SYSTEM_BLACKLIST_HASH_LIST),"")
+ obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist_hashes.o
+diff --git a/certs/common.c b/certs/common.c
+new file mode 100644
+index 000000000000..16a220887a53
+--- /dev/null
++++ b/certs/common.c
+@@ -0,0 +1,57 @@
++// SPDX-License-Identifier: GPL-2.0-or-later
++
++#include <linux/kernel.h>
++#include <linux/key.h>
++#include "common.h"
++
++int load_certificate_list(const u8 cert_list[],
++ const unsigned long list_size,
++ const struct key *keyring)
++{
++ key_ref_t key;
++ const u8 *p, *end;
++ size_t plen;
++
++ p = cert_list;
++ end = p + list_size;
++ while (p < end) {
++ /* Each cert begins with an ASN.1 SEQUENCE tag and must be more
++ * than 256 bytes in size.
++ */
++ if (end - p < 4)
++ goto dodgy_cert;
++ if (p[0] != 0x30 &&
++ p[1] != 0x82)
++ goto dodgy_cert;
++ plen = (p[2] << 8) | p[3];
++ plen += 4;
++ if (plen > end - p)
++ goto dodgy_cert;
++
++ key = key_create_or_update(make_key_ref(keyring, 1),
++ "asymmetric",
++ NULL,
++ p,
++ plen,
++ ((KEY_POS_ALL & ~KEY_POS_SETATTR) |
++ KEY_USR_VIEW | KEY_USR_READ),
++ KEY_ALLOC_NOT_IN_QUOTA |
++ KEY_ALLOC_BUILT_IN |
++ KEY_ALLOC_BYPASS_RESTRICTION);
++ if (IS_ERR(key)) {
++ pr_err("Problem loading in-kernel X.509 certificate (%ld)\n",
++ PTR_ERR(key));
++ } else {
++ pr_notice("Loaded X.509 cert '%s'\n",
++ key_ref_to_ptr(key)->description);
++ key_ref_put(key);
++ }
++ p += plen;
++ }
++
++ return 0;
++
++dodgy_cert:
++ pr_err("Problem parsing in-kernel X.509 certificate list\n");
++ return 0;
++}
+diff --git a/certs/common.h b/certs/common.h
+new file mode 100644
+index 000000000000..abdb5795936b
+--- /dev/null
++++ b/certs/common.h
+@@ -0,0 +1,9 @@
++/* SPDX-License-Identifier: GPL-2.0-or-later */
++
++#ifndef _CERT_COMMON_H
++#define _CERT_COMMON_H
++
++int load_certificate_list(const u8 cert_list[], const unsigned long list_size,
++ const struct key *keyring);
++
++#endif
+diff --git a/certs/system_keyring.c b/certs/system_keyring.c
+index cc165b359ea3..a44a8915c94c 100644
+--- a/certs/system_keyring.c
++++ b/certs/system_keyring.c
+@@ -15,6 +15,7 @@
+ #include <keys/asymmetric-type.h>
+ #include <keys/system_keyring.h>
+ #include <crypto/pkcs7.h>
++#include "common.h"
+
+ static struct key *builtin_trusted_keys;
+ #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
+@@ -136,54 +137,10 @@ device_initcall(system_trusted_keyring_init);
+ */
+ static __init int load_system_certificate_list(void)
+ {
+- key_ref_t key;
+- const u8 *p, *end;
+- size_t plen;
+-
+ pr_notice("Loading compiled-in X.509 certificates\n");
+
+- p = system_certificate_list;
+- end = p + system_certificate_list_size;
+- while (p < end) {
+- /* Each cert begins with an ASN.1 SEQUENCE tag and must be more
+- * than 256 bytes in size.
+- */
+- if (end - p < 4)
+- goto dodgy_cert;
+- if (p[0] != 0x30 &&
+- p[1] != 0x82)
+- goto dodgy_cert;
+- plen = (p[2] << 8) | p[3];
+- plen += 4;
+- if (plen > end - p)
+- goto dodgy_cert;
+-
+- key = key_create_or_update(make_key_ref(builtin_trusted_keys, 1),
+- "asymmetric",
+- NULL,
+- p,
+- plen,
+- ((KEY_POS_ALL & ~KEY_POS_SETATTR) |
+- KEY_USR_VIEW | KEY_USR_READ),
+- KEY_ALLOC_NOT_IN_QUOTA |
+- KEY_ALLOC_BUILT_IN |
+- KEY_ALLOC_BYPASS_RESTRICTION);
+- if (IS_ERR(key)) {
+- pr_err("Problem loading in-kernel X.509 certificate (%ld)\n",
+- PTR_ERR(key));
+- } else {
+- pr_notice("Loaded X.509 cert '%s'\n",
+- key_ref_to_ptr(key)->description);
+- key_ref_put(key);
+- }
+- p += plen;
+- }
+-
+- return 0;
+-
+-dodgy_cert:
+- pr_err("Problem parsing in-kernel X.509 certificate list\n");
+- return 0;
++ return load_certificate_list(system_certificate_list, system_certificate_list_size,
++ builtin_trusted_keys);
+ }
+ late_initcall(load_system_certificate_list);
+
+--
+2.30.2
+
--- /dev/null
+From 8c622c8bf1e2a72439e18508dbfc3809584d056d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Jan 2021 13:10:54 -0500
+Subject: integrity: Load mokx variables into the blacklist keyring
+
+From: Eric Snowberg <eric.snowberg@oracle.com>
+
+[ Upstream commit ebd9c2ae369a45bdd9f8615484db09be58fc242b ]
+
+During boot the Secure Boot Forbidden Signature Database, dbx,
+is loaded into the blacklist keyring. Systems booted with shim
+have an equivalent Forbidden Signature Database called mokx.
+Currently mokx is only used by shim and grub, the contents are
+ignored by the kernel.
+
+Add the ability to load mokx into the blacklist keyring during boot.
+
+Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
+Suggested-by: James Bottomley <James.Bottomley@HansenPartnership.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
+cc: keyrings@vger.kernel.org
+Link: https://lore.kernel.org/r/c33c8e3839a41e9654f41cc92c7231104931b1d7.camel@HansenPartnership.com/
+Link: https://lore.kernel.org/r/20210122181054.32635-5-eric.snowberg@oracle.com/ # v5
+Link: https://lore.kernel.org/r/161428674320.677100.12637282414018170743.stgit@warthog.procyon.org.uk/
+Link: https://lore.kernel.org/r/161433313205.902181.2502803393898221637.stgit@warthog.procyon.org.uk/ # v2
+Link: https://lore.kernel.org/r/161529607422.163428.13530426573612578854.stgit@warthog.procyon.org.uk/ # v3
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ security/integrity/platform_certs/load_uefi.c | 20 +++++++++++++++++--
+ 1 file changed, 18 insertions(+), 2 deletions(-)
+
+diff --git a/security/integrity/platform_certs/load_uefi.c b/security/integrity/platform_certs/load_uefi.c
+index ee4b4c666854..f290f78c3f30 100644
+--- a/security/integrity/platform_certs/load_uefi.c
++++ b/security/integrity/platform_certs/load_uefi.c
+@@ -132,8 +132,9 @@ static int __init load_moklist_certs(void)
+ static int __init load_uefi_certs(void)
+ {
+ efi_guid_t secure_var = EFI_IMAGE_SECURITY_DATABASE_GUID;
+- void *db = NULL, *dbx = NULL;
+- unsigned long dbsize = 0, dbxsize = 0;
++ efi_guid_t mok_var = EFI_SHIM_LOCK_GUID;
++ void *db = NULL, *dbx = NULL, *mokx = NULL;
++ unsigned long dbsize = 0, dbxsize = 0, mokxsize = 0;
+ efi_status_t status;
+ int rc = 0;
+
+@@ -175,6 +176,21 @@ static int __init load_uefi_certs(void)
+ kfree(dbx);
+ }
+
++ mokx = get_cert_list(L"MokListXRT", &mok_var, &mokxsize, &status);
++ if (!mokx) {
++ if (status == EFI_NOT_FOUND)
++ pr_debug("mokx variable wasn't found\n");
++ else
++ pr_info("Couldn't get mokx list\n");
++ } else {
++ rc = parse_efi_signature_list("UEFI:MokListXRT",
++ mokx, mokxsize,
++ get_handler_for_dbx);
++ if (rc)
++ pr_err("Couldn't parse mokx signatures %d\n", rc);
++ kfree(mokx);
++ }
++
+ /* Load the MokListRT certs */
+ rc = load_moklist_certs();
+
+--
+2.30.2
+
swiotlb-manipulate-orig_addr-when-tlb_addr-has-offset.patch
netfs-fix-test-for-whether-we-can-skip-read-when-writing-beyond-eof.patch
revert-drm-add-a-locked-version-of-drm_is_current_master.patch
+certs-add-efi_cert_x509_guid-support-for-dbx-entries.patch
+certs-move-load_system_certificate_list-to-a-common-.patch
+certs-add-ability-to-preload-revocation-certs.patch
+integrity-load-mokx-variables-into-the-blacklist-key.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
