From: Sasha Levin Date: Mon, 28 Jun 2021 13:48:43 +0000 (-0400) Subject: Fixes for 5.10 X-Git-Tag: v5.12.14~3 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a5153dbc345d2f81f9302c70f1448d49eb2ad345;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.10 Signed-off-by: Sasha Levin --- diff --git a/queue-5.10/certs-add-ability-to-preload-revocation-certs.patch b/queue-5.10/certs-add-ability-to-preload-revocation-certs.patch new file mode 100644 index 00000000000..1a64cec900a --- /dev/null +++ b/queue-5.10/certs-add-ability-to-preload-revocation-certs.patch @@ -0,0 +1,181 @@ +From 9ddc7622c50ee4afa7edfa64dc74ef2f73feabec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Jan 2021 13:10:53 -0500 +Subject: certs: Add ability to preload revocation certs + +From: Eric Snowberg + +[ Upstream commit d1f044103dad70c1cec0a8f3abdf00834fec8b98 ] + +Add a new Kconfig option called SYSTEM_REVOCATION_KEYS. If set, +this option should be the filename of a PEM-formated file containing +X.509 certificates to be included in the default blacklist keyring. + +DH Changes: + - Make the new Kconfig option depend on SYSTEM_REVOCATION_LIST. + - Fix SYSTEM_REVOCATION_KEYS=n, but CONFIG_SYSTEM_REVOCATION_LIST=y[1][2]. + - Use CONFIG_SYSTEM_REVOCATION_LIST for extract-cert[3]. + - Use CONFIG_SYSTEM_REVOCATION_LIST for revocation_certificates.o[3]. + +Signed-off-by: Eric Snowberg +Acked-by: Jarkko Sakkinen +Signed-off-by: David Howells +cc: Randy Dunlap +cc: keyrings@vger.kernel.org +Link: https://lore.kernel.org/r/e1c15c74-82ce-3a69-44de-a33af9b320ea@infradead.org/ [1] +Link: https://lore.kernel.org/r/20210303034418.106762-1-eric.snowberg@oracle.com/ [2] +Link: https://lore.kernel.org/r/20210304175030.184131-1-eric.snowberg@oracle.com/ [3] +Link: https://lore.kernel.org/r/20200930201508.35113-3-eric.snowberg@oracle.com/ +Link: https://lore.kernel.org/r/20210122181054.32635-4-eric.snowberg@oracle.com/ # v5 +Link: https://lore.kernel.org/r/161428673564.677100.4112098280028451629.stgit@warthog.procyon.org.uk/ +Link: https://lore.kernel.org/r/161433312452.902181.4146169951896577982.stgit@warthog.procyon.org.uk/ # v2 +Link: https://lore.kernel.org/r/161529606657.163428.3340689182456495390.stgit@warthog.procyon.org.uk/ # v3 +Signed-off-by: Sasha Levin +--- + certs/Kconfig | 8 ++++++++ + certs/Makefile | 19 +++++++++++++++++-- + certs/blacklist.c | 21 +++++++++++++++++++++ + certs/revocation_certificates.S | 21 +++++++++++++++++++++ + scripts/Makefile | 1 + + 5 files changed, 68 insertions(+), 2 deletions(-) + create mode 100644 certs/revocation_certificates.S + +diff --git a/certs/Kconfig b/certs/Kconfig +index 76e469b56a77..ab88d2a7f3c7 100644 +--- a/certs/Kconfig ++++ b/certs/Kconfig +@@ -92,4 +92,12 @@ config SYSTEM_REVOCATION_LIST + blacklist keyring and implements a hook whereby a PKCS#7 message can + be checked to see if it matches such a certificate. + ++config SYSTEM_REVOCATION_KEYS ++ string "X.509 certificates to be preloaded into the system blacklist keyring" ++ depends on SYSTEM_REVOCATION_LIST ++ help ++ If set, this option should be the filename of a PEM-formatted file ++ containing X.509 certificates to be included in the default blacklist ++ keyring. ++ + endmenu +diff --git a/certs/Makefile b/certs/Makefile +index f4b90bad8690..b6db52ebf0be 100644 +--- a/certs/Makefile ++++ b/certs/Makefile +@@ -4,7 +4,8 @@ + # + + obj-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += system_keyring.o system_certificates.o common.o +-obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist.o ++obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist.o common.o ++obj-$(CONFIG_SYSTEM_REVOCATION_LIST) += revocation_certificates.o + ifneq ($(CONFIG_SYSTEM_BLACKLIST_HASH_LIST),"") + obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist_hashes.o + else +@@ -29,7 +30,7 @@ $(obj)/x509_certificate_list: scripts/extract-cert $(SYSTEM_TRUSTED_KEYS_SRCPREF + $(call if_changed,extract_certs,$(SYSTEM_TRUSTED_KEYS_SRCPREFIX)$(CONFIG_SYSTEM_TRUSTED_KEYS)) + endif # CONFIG_SYSTEM_TRUSTED_KEYRING + +-clean-files := x509_certificate_list .x509.list ++clean-files := x509_certificate_list .x509.list x509_revocation_list + + ifeq ($(CONFIG_MODULE_SIG),y) + ############################################################################### +@@ -104,3 +105,17 @@ targets += signing_key.x509 + $(obj)/signing_key.x509: scripts/extract-cert $(X509_DEP) FORCE + $(call if_changed,extract_certs,$(MODULE_SIG_KEY_SRCPREFIX)$(CONFIG_MODULE_SIG_KEY)) + endif # CONFIG_MODULE_SIG ++ ++ifeq ($(CONFIG_SYSTEM_REVOCATION_LIST),y) ++ ++$(eval $(call config_filename,SYSTEM_REVOCATION_KEYS)) ++ ++$(obj)/revocation_certificates.o: $(obj)/x509_revocation_list ++ ++quiet_cmd_extract_certs = EXTRACT_CERTS $(patsubst "%",%,$(2)) ++ cmd_extract_certs = scripts/extract-cert $(2) $@ ++ ++targets += x509_revocation_list ++$(obj)/x509_revocation_list: scripts/extract-cert $(SYSTEM_REVOCATION_KEYS_SRCPREFIX)$(SYSTEM_REVOCATION_KEYS_FILENAME) FORCE ++ $(call if_changed,extract_certs,$(SYSTEM_REVOCATION_KEYS_SRCPREFIX)$(CONFIG_SYSTEM_REVOCATION_KEYS)) ++endif +diff --git a/certs/blacklist.c b/certs/blacklist.c +index 59b2f106b294..c973de883cf0 100644 +--- a/certs/blacklist.c ++++ b/certs/blacklist.c +@@ -16,9 +16,15 @@ + #include + #include + #include "blacklist.h" ++#include "common.h" + + static struct key *blacklist_keyring; + ++#ifdef CONFIG_SYSTEM_REVOCATION_LIST ++extern __initconst const u8 revocation_certificate_list[]; ++extern __initconst const unsigned long revocation_certificate_list_size; ++#endif ++ + /* + * The description must be a type prefix, a colon and then an even number of + * hex digits. The hash is kept in the description. +@@ -220,3 +226,18 @@ static int __init blacklist_init(void) + * Must be initialised before we try and load the keys into the keyring. + */ + device_initcall(blacklist_init); ++ ++#ifdef CONFIG_SYSTEM_REVOCATION_LIST ++/* ++ * Load the compiled-in list of revocation X.509 certificates. ++ */ ++static __init int load_revocation_certificate_list(void) ++{ ++ if (revocation_certificate_list_size) ++ pr_notice("Loading compiled-in revocation X.509 certificates\n"); ++ ++ return load_certificate_list(revocation_certificate_list, revocation_certificate_list_size, ++ blacklist_keyring); ++} ++late_initcall(load_revocation_certificate_list); ++#endif +diff --git a/certs/revocation_certificates.S b/certs/revocation_certificates.S +new file mode 100644 +index 000000000000..f21aae8a8f0e +--- /dev/null ++++ b/certs/revocation_certificates.S +@@ -0,0 +1,21 @@ ++/* SPDX-License-Identifier: GPL-2.0 */ ++#include ++#include ++ ++ __INITRODATA ++ ++ .align 8 ++ .globl revocation_certificate_list ++revocation_certificate_list: ++__revocation_list_start: ++ .incbin "certs/x509_revocation_list" ++__revocation_list_end: ++ ++ .align 8 ++ .globl revocation_certificate_list_size ++revocation_certificate_list_size: ++#ifdef CONFIG_64BIT ++ .quad __revocation_list_end - __revocation_list_start ++#else ++ .long __revocation_list_end - __revocation_list_start ++#endif +diff --git a/scripts/Makefile b/scripts/Makefile +index c36106bce80e..9adb6d247818 100644 +--- a/scripts/Makefile ++++ b/scripts/Makefile +@@ -14,6 +14,7 @@ hostprogs-always-$(CONFIG_ASN1) += asn1_compiler + hostprogs-always-$(CONFIG_MODULE_SIG_FORMAT) += sign-file + hostprogs-always-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += extract-cert + hostprogs-always-$(CONFIG_SYSTEM_EXTRA_CERTIFICATE) += insert-sys-cert ++hostprogs-always-$(CONFIG_SYSTEM_REVOCATION_LIST) += extract-cert + + HOSTCFLAGS_sorttable.o = -I$(srctree)/tools/include + HOSTCFLAGS_asn1_compiler.o = -I$(srctree)/include +-- +2.30.2 + diff --git a/queue-5.10/certs-add-efi_cert_x509_guid-support-for-dbx-entries.patch b/queue-5.10/certs-add-efi_cert_x509_guid-support-for-dbx-entries.patch new file mode 100644 index 00000000000..30e5f3c8c8f --- /dev/null +++ b/queue-5.10/certs-add-efi_cert_x509_guid-support-for-dbx-entries.patch @@ -0,0 +1,225 @@ +From af1e14eb85cb3be32c5fce850e9a04516cd709d9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Jan 2021 13:10:51 -0500 +Subject: certs: Add EFI_CERT_X509_GUID support for dbx entries +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Eric Snowberg + +[ Upstream commit 56c5812623f95313f6a46fbf0beee7fa17c68bbf ] + +This fixes CVE-2020-26541. + +The Secure Boot Forbidden Signature Database, dbx, contains a list of now +revoked signatures and keys previously approved to boot with UEFI Secure +Boot enabled. The dbx is capable of containing any number of +EFI_CERT_X509_SHA256_GUID, EFI_CERT_SHA256_GUID, and EFI_CERT_X509_GUID +entries. + +Currently when EFI_CERT_X509_GUID are contained in the dbx, the entries are +skipped. + +Add support for EFI_CERT_X509_GUID dbx entries. When a EFI_CERT_X509_GUID +is found, it is added as an asymmetrical key to the .blacklist keyring. +Anytime the .platform keyring is used, the keys in the .blacklist keyring +are referenced, if a matching key is found, the key will be rejected. + +[DH: Made the following changes: + - Added to have a config option to enable the facility. This allows a + Kconfig solution to make sure that pkcs7_validate_trust() is + enabled.[1][2] + - Moved the functions out from the middle of the blacklist functions. + - Added kerneldoc comments.] + +Signed-off-by: Eric Snowberg +Signed-off-by: David Howells +Reviewed-by: Jarkko Sakkinen +cc: Randy Dunlap +cc: Mickaël Salaün +cc: Arnd Bergmann +cc: keyrings@vger.kernel.org +Link: https://lore.kernel.org/r/20200901165143.10295-1-eric.snowberg@oracle.com/ # rfc +Link: https://lore.kernel.org/r/20200909172736.73003-1-eric.snowberg@oracle.com/ # v2 +Link: https://lore.kernel.org/r/20200911182230.62266-1-eric.snowberg@oracle.com/ # v3 +Link: https://lore.kernel.org/r/20200916004927.64276-1-eric.snowberg@oracle.com/ # v4 +Link: https://lore.kernel.org/r/20210122181054.32635-2-eric.snowberg@oracle.com/ # v5 +Link: https://lore.kernel.org/r/161428672051.677100.11064981943343605138.stgit@warthog.procyon.org.uk/ +Link: https://lore.kernel.org/r/161433310942.902181.4901864302675874242.stgit@warthog.procyon.org.uk/ # v2 +Link: https://lore.kernel.org/r/161529605075.163428.14625520893961300757.stgit@warthog.procyon.org.uk/ # v3 +Link: https://lore.kernel.org/r/bc2c24e3-ed68-2521-0bf4-a1f6be4a895d@infradead.org/ [1] +Link: https://lore.kernel.org/r/20210225125638.1841436-1-arnd@kernel.org/ [2] +Signed-off-by: Sasha Levin +--- + certs/Kconfig | 9 ++++ + certs/blacklist.c | 43 +++++++++++++++++++ + certs/blacklist.h | 2 + + certs/system_keyring.c | 6 +++ + include/keys/system_keyring.h | 15 +++++++ + .../platform_certs/keyring_handler.c | 11 +++++ + 6 files changed, 86 insertions(+) + +diff --git a/certs/Kconfig b/certs/Kconfig +index c94e93d8bccf..76e469b56a77 100644 +--- a/certs/Kconfig ++++ b/certs/Kconfig +@@ -83,4 +83,13 @@ config SYSTEM_BLACKLIST_HASH_LIST + wrapper to incorporate the list into the kernel. Each should + be a string of hex digits. + ++config SYSTEM_REVOCATION_LIST ++ bool "Provide system-wide ring of revocation certificates" ++ depends on SYSTEM_BLACKLIST_KEYRING ++ depends on PKCS7_MESSAGE_PARSER=y ++ help ++ If set, this allows revocation certificates to be stored in the ++ blacklist keyring and implements a hook whereby a PKCS#7 message can ++ be checked to see if it matches such a certificate. ++ + endmenu +diff --git a/certs/blacklist.c b/certs/blacklist.c +index f1c434b04b5e..59b2f106b294 100644 +--- a/certs/blacklist.c ++++ b/certs/blacklist.c +@@ -144,6 +144,49 @@ int is_binary_blacklisted(const u8 *hash, size_t hash_len) + } + EXPORT_SYMBOL_GPL(is_binary_blacklisted); + ++#ifdef CONFIG_SYSTEM_REVOCATION_LIST ++/** ++ * add_key_to_revocation_list - Add a revocation certificate to the blacklist ++ * @data: The data blob containing the certificate ++ * @size: The size of data blob ++ */ ++int add_key_to_revocation_list(const char *data, size_t size) ++{ ++ key_ref_t key; ++ ++ key = key_create_or_update(make_key_ref(blacklist_keyring, true), ++ "asymmetric", ++ NULL, ++ data, ++ size, ++ ((KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_VIEW), ++ KEY_ALLOC_NOT_IN_QUOTA | KEY_ALLOC_BUILT_IN); ++ ++ if (IS_ERR(key)) { ++ pr_err("Problem with revocation key (%ld)\n", PTR_ERR(key)); ++ return PTR_ERR(key); ++ } ++ ++ return 0; ++} ++ ++/** ++ * is_key_on_revocation_list - Determine if the key for a PKCS#7 message is revoked ++ * @pkcs7: The PKCS#7 message to check ++ */ ++int is_key_on_revocation_list(struct pkcs7_message *pkcs7) ++{ ++ int ret; ++ ++ ret = pkcs7_validate_trust(pkcs7, blacklist_keyring); ++ ++ if (ret == 0) ++ return -EKEYREJECTED; ++ ++ return -ENOKEY; ++} ++#endif ++ + /* + * Initialise the blacklist + */ +diff --git a/certs/blacklist.h b/certs/blacklist.h +index 1efd6fa0dc60..51b320cf8574 100644 +--- a/certs/blacklist.h ++++ b/certs/blacklist.h +@@ -1,3 +1,5 @@ + #include ++#include ++#include + + extern const char __initconst *const blacklist_hashes[]; +diff --git a/certs/system_keyring.c b/certs/system_keyring.c +index 798291177186..cc165b359ea3 100644 +--- a/certs/system_keyring.c ++++ b/certs/system_keyring.c +@@ -241,6 +241,12 @@ int verify_pkcs7_message_sig(const void *data, size_t len, + pr_devel("PKCS#7 platform keyring is not available\n"); + goto error; + } ++ ++ ret = is_key_on_revocation_list(pkcs7); ++ if (ret != -ENOKEY) { ++ pr_devel("PKCS#7 platform key is on revocation list\n"); ++ goto error; ++ } + } + ret = pkcs7_validate_trust(pkcs7, trusted_keys); + if (ret < 0) { +diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h +index fb8b07daa9d1..875e002a4180 100644 +--- a/include/keys/system_keyring.h ++++ b/include/keys/system_keyring.h +@@ -31,6 +31,7 @@ extern int restrict_link_by_builtin_and_secondary_trusted( + #define restrict_link_by_builtin_and_secondary_trusted restrict_link_by_builtin_trusted + #endif + ++extern struct pkcs7_message *pkcs7; + #ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING + extern int mark_hash_blacklisted(const char *hash); + extern int is_hash_blacklisted(const u8 *hash, size_t hash_len, +@@ -49,6 +50,20 @@ static inline int is_binary_blacklisted(const u8 *hash, size_t hash_len) + } + #endif + ++#ifdef CONFIG_SYSTEM_REVOCATION_LIST ++extern int add_key_to_revocation_list(const char *data, size_t size); ++extern int is_key_on_revocation_list(struct pkcs7_message *pkcs7); ++#else ++static inline int add_key_to_revocation_list(const char *data, size_t size) ++{ ++ return 0; ++} ++static inline int is_key_on_revocation_list(struct pkcs7_message *pkcs7) ++{ ++ return -ENOKEY; ++} ++#endif ++ + #ifdef CONFIG_IMA_BLACKLIST_KEYRING + extern struct key *ima_blacklist_keyring; + +diff --git a/security/integrity/platform_certs/keyring_handler.c b/security/integrity/platform_certs/keyring_handler.c +index c5ba695c10e3..5604bd57c990 100644 +--- a/security/integrity/platform_certs/keyring_handler.c ++++ b/security/integrity/platform_certs/keyring_handler.c +@@ -55,6 +55,15 @@ static __init void uefi_blacklist_binary(const char *source, + uefi_blacklist_hash(source, data, len, "bin:", 4); + } + ++/* ++ * Add an X509 cert to the revocation list. ++ */ ++static __init void uefi_revocation_list_x509(const char *source, ++ const void *data, size_t len) ++{ ++ add_key_to_revocation_list(data, len); ++} ++ + /* + * Return the appropriate handler for particular signature list types found in + * the UEFI db and MokListRT tables. +@@ -76,5 +85,7 @@ __init efi_element_handler_t get_handler_for_dbx(const efi_guid_t *sig_type) + return uefi_blacklist_x509_tbs; + if (efi_guidcmp(*sig_type, efi_cert_sha256_guid) == 0) + return uefi_blacklist_binary; ++ if (efi_guidcmp(*sig_type, efi_cert_x509_guid) == 0) ++ return uefi_revocation_list_x509; + return 0; + } +-- +2.30.2 + diff --git a/queue-5.10/certs-move-load_system_certificate_list-to-a-common-.patch b/queue-5.10/certs-move-load_system_certificate_list-to-a-common-.patch new file mode 100644 index 00000000000..3ac4bf0daa2 --- /dev/null +++ b/queue-5.10/certs-move-load_system_certificate_list-to-a-common-.patch @@ -0,0 +1,198 @@ +From 33b3585127b774a81e7b82a221bf0422283f9978 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Jan 2021 13:10:52 -0500 +Subject: certs: Move load_system_certificate_list to a common function + +From: Eric Snowberg + +[ Upstream commit 2565ca7f5ec1a98d51eea8860c4ab923f1ca2c85 ] + +Move functionality within load_system_certificate_list to a common +function, so it can be reused in the future. + +DH Changes: + - Added inclusion of common.h to common.c (Eric [1]). + +Signed-off-by: Eric Snowberg +Acked-by: Jarkko Sakkinen +Signed-off-by: David Howells +cc: keyrings@vger.kernel.org +Link: https://lore.kernel.org/r/EDA280F9-F72D-4181-93C7-CDBE95976FF7@oracle.com/ [1] +Link: https://lore.kernel.org/r/20200930201508.35113-2-eric.snowberg@oracle.com/ +Link: https://lore.kernel.org/r/20210122181054.32635-3-eric.snowberg@oracle.com/ # v5 +Link: https://lore.kernel.org/r/161428672825.677100.7545516389752262918.stgit@warthog.procyon.org.uk/ +Link: https://lore.kernel.org/r/161433311696.902181.3599366124784670368.stgit@warthog.procyon.org.uk/ # v2 +Link: https://lore.kernel.org/r/161529605850.163428.7786675680201528556.stgit@warthog.procyon.org.uk/ # v3 +Signed-off-by: Sasha Levin +--- + certs/Makefile | 2 +- + certs/common.c | 57 ++++++++++++++++++++++++++++++++++++++++++ + certs/common.h | 9 +++++++ + certs/system_keyring.c | 49 +++--------------------------------- + 4 files changed, 70 insertions(+), 47 deletions(-) + create mode 100644 certs/common.c + create mode 100644 certs/common.h + +diff --git a/certs/Makefile b/certs/Makefile +index f4c25b67aad9..f4b90bad8690 100644 +--- a/certs/Makefile ++++ b/certs/Makefile +@@ -3,7 +3,7 @@ + # Makefile for the linux kernel signature checking certificates. + # + +-obj-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += system_keyring.o system_certificates.o ++obj-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += system_keyring.o system_certificates.o common.o + obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist.o + ifneq ($(CONFIG_SYSTEM_BLACKLIST_HASH_LIST),"") + obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist_hashes.o +diff --git a/certs/common.c b/certs/common.c +new file mode 100644 +index 000000000000..16a220887a53 +--- /dev/null ++++ b/certs/common.c +@@ -0,0 +1,57 @@ ++// SPDX-License-Identifier: GPL-2.0-or-later ++ ++#include ++#include ++#include "common.h" ++ ++int load_certificate_list(const u8 cert_list[], ++ const unsigned long list_size, ++ const struct key *keyring) ++{ ++ key_ref_t key; ++ const u8 *p, *end; ++ size_t plen; ++ ++ p = cert_list; ++ end = p + list_size; ++ while (p < end) { ++ /* Each cert begins with an ASN.1 SEQUENCE tag and must be more ++ * than 256 bytes in size. ++ */ ++ if (end - p < 4) ++ goto dodgy_cert; ++ if (p[0] != 0x30 && ++ p[1] != 0x82) ++ goto dodgy_cert; ++ plen = (p[2] << 8) | p[3]; ++ plen += 4; ++ if (plen > end - p) ++ goto dodgy_cert; ++ ++ key = key_create_or_update(make_key_ref(keyring, 1), ++ "asymmetric", ++ NULL, ++ p, ++ plen, ++ ((KEY_POS_ALL & ~KEY_POS_SETATTR) | ++ KEY_USR_VIEW | KEY_USR_READ), ++ KEY_ALLOC_NOT_IN_QUOTA | ++ KEY_ALLOC_BUILT_IN | ++ KEY_ALLOC_BYPASS_RESTRICTION); ++ if (IS_ERR(key)) { ++ pr_err("Problem loading in-kernel X.509 certificate (%ld)\n", ++ PTR_ERR(key)); ++ } else { ++ pr_notice("Loaded X.509 cert '%s'\n", ++ key_ref_to_ptr(key)->description); ++ key_ref_put(key); ++ } ++ p += plen; ++ } ++ ++ return 0; ++ ++dodgy_cert: ++ pr_err("Problem parsing in-kernel X.509 certificate list\n"); ++ return 0; ++} +diff --git a/certs/common.h b/certs/common.h +new file mode 100644 +index 000000000000..abdb5795936b +--- /dev/null ++++ b/certs/common.h +@@ -0,0 +1,9 @@ ++/* SPDX-License-Identifier: GPL-2.0-or-later */ ++ ++#ifndef _CERT_COMMON_H ++#define _CERT_COMMON_H ++ ++int load_certificate_list(const u8 cert_list[], const unsigned long list_size, ++ const struct key *keyring); ++ ++#endif +diff --git a/certs/system_keyring.c b/certs/system_keyring.c +index cc165b359ea3..a44a8915c94c 100644 +--- a/certs/system_keyring.c ++++ b/certs/system_keyring.c +@@ -15,6 +15,7 @@ + #include + #include + #include ++#include "common.h" + + static struct key *builtin_trusted_keys; + #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING +@@ -136,54 +137,10 @@ device_initcall(system_trusted_keyring_init); + */ + static __init int load_system_certificate_list(void) + { +- key_ref_t key; +- const u8 *p, *end; +- size_t plen; +- + pr_notice("Loading compiled-in X.509 certificates\n"); + +- p = system_certificate_list; +- end = p + system_certificate_list_size; +- while (p < end) { +- /* Each cert begins with an ASN.1 SEQUENCE tag and must be more +- * than 256 bytes in size. +- */ +- if (end - p < 4) +- goto dodgy_cert; +- if (p[0] != 0x30 && +- p[1] != 0x82) +- goto dodgy_cert; +- plen = (p[2] << 8) | p[3]; +- plen += 4; +- if (plen > end - p) +- goto dodgy_cert; +- +- key = key_create_or_update(make_key_ref(builtin_trusted_keys, 1), +- "asymmetric", +- NULL, +- p, +- plen, +- ((KEY_POS_ALL & ~KEY_POS_SETATTR) | +- KEY_USR_VIEW | KEY_USR_READ), +- KEY_ALLOC_NOT_IN_QUOTA | +- KEY_ALLOC_BUILT_IN | +- KEY_ALLOC_BYPASS_RESTRICTION); +- if (IS_ERR(key)) { +- pr_err("Problem loading in-kernel X.509 certificate (%ld)\n", +- PTR_ERR(key)); +- } else { +- pr_notice("Loaded X.509 cert '%s'\n", +- key_ref_to_ptr(key)->description); +- key_ref_put(key); +- } +- p += plen; +- } +- +- return 0; +- +-dodgy_cert: +- pr_err("Problem parsing in-kernel X.509 certificate list\n"); +- return 0; ++ return load_certificate_list(system_certificate_list, system_certificate_list_size, ++ builtin_trusted_keys); + } + late_initcall(load_system_certificate_list); + +-- +2.30.2 + diff --git a/queue-5.10/integrity-load-mokx-variables-into-the-blacklist-key.patch b/queue-5.10/integrity-load-mokx-variables-into-the-blacklist-key.patch new file mode 100644 index 00000000000..5688e6d04ca --- /dev/null +++ b/queue-5.10/integrity-load-mokx-variables-into-the-blacklist-key.patch @@ -0,0 +1,73 @@ +From 8c622c8bf1e2a72439e18508dbfc3809584d056d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Jan 2021 13:10:54 -0500 +Subject: integrity: Load mokx variables into the blacklist keyring + +From: Eric Snowberg + +[ Upstream commit ebd9c2ae369a45bdd9f8615484db09be58fc242b ] + +During boot the Secure Boot Forbidden Signature Database, dbx, +is loaded into the blacklist keyring. Systems booted with shim +have an equivalent Forbidden Signature Database called mokx. +Currently mokx is only used by shim and grub, the contents are +ignored by the kernel. + +Add the ability to load mokx into the blacklist keyring during boot. + +Signed-off-by: Eric Snowberg +Suggested-by: James Bottomley +Signed-off-by: David Howells +Reviewed-by: Jarkko Sakkinen +cc: keyrings@vger.kernel.org +Link: https://lore.kernel.org/r/c33c8e3839a41e9654f41cc92c7231104931b1d7.camel@HansenPartnership.com/ +Link: https://lore.kernel.org/r/20210122181054.32635-5-eric.snowberg@oracle.com/ # v5 +Link: https://lore.kernel.org/r/161428674320.677100.12637282414018170743.stgit@warthog.procyon.org.uk/ +Link: https://lore.kernel.org/r/161433313205.902181.2502803393898221637.stgit@warthog.procyon.org.uk/ # v2 +Link: https://lore.kernel.org/r/161529607422.163428.13530426573612578854.stgit@warthog.procyon.org.uk/ # v3 +Signed-off-by: Sasha Levin +--- + security/integrity/platform_certs/load_uefi.c | 20 +++++++++++++++++-- + 1 file changed, 18 insertions(+), 2 deletions(-) + +diff --git a/security/integrity/platform_certs/load_uefi.c b/security/integrity/platform_certs/load_uefi.c +index ee4b4c666854..f290f78c3f30 100644 +--- a/security/integrity/platform_certs/load_uefi.c ++++ b/security/integrity/platform_certs/load_uefi.c +@@ -132,8 +132,9 @@ static int __init load_moklist_certs(void) + static int __init load_uefi_certs(void) + { + efi_guid_t secure_var = EFI_IMAGE_SECURITY_DATABASE_GUID; +- void *db = NULL, *dbx = NULL; +- unsigned long dbsize = 0, dbxsize = 0; ++ efi_guid_t mok_var = EFI_SHIM_LOCK_GUID; ++ void *db = NULL, *dbx = NULL, *mokx = NULL; ++ unsigned long dbsize = 0, dbxsize = 0, mokxsize = 0; + efi_status_t status; + int rc = 0; + +@@ -175,6 +176,21 @@ static int __init load_uefi_certs(void) + kfree(dbx); + } + ++ mokx = get_cert_list(L"MokListXRT", &mok_var, &mokxsize, &status); ++ if (!mokx) { ++ if (status == EFI_NOT_FOUND) ++ pr_debug("mokx variable wasn't found\n"); ++ else ++ pr_info("Couldn't get mokx list\n"); ++ } else { ++ rc = parse_efi_signature_list("UEFI:MokListXRT", ++ mokx, mokxsize, ++ get_handler_for_dbx); ++ if (rc) ++ pr_err("Couldn't parse mokx signatures %d\n", rc); ++ kfree(mokx); ++ } ++ + /* Load the MokListRT certs */ + rc = load_moklist_certs(); + +-- +2.30.2 + diff --git a/queue-5.10/series b/queue-5.10/series index 0b328bce239..77970221c15 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -94,3 +94,7 @@ kvm-svm-call-sev-guest-decommission-if-asid-binding-fails.patch swiotlb-manipulate-orig_addr-when-tlb_addr-has-offset.patch netfs-fix-test-for-whether-we-can-skip-read-when-writing-beyond-eof.patch revert-drm-add-a-locked-version-of-drm_is_current_master.patch +certs-add-efi_cert_x509_guid-support-for-dbx-entries.patch +certs-move-load_system_certificate_list-to-a-common-.patch +certs-add-ability-to-preload-revocation-certs.patch +integrity-load-mokx-variables-into-the-blacklist-key.patch