forked from rpms/kernel
Updates for secure boot
This commit is contained in:
Justin M. Forbes
parent
27b219978f
commit
cc1db7f347
@ -6,27 +6,27 @@ Subject: [PATCH 1/3] Make get_cert_list() not complain about cert lists that
|
||||
|
||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||
---
|
||||
certs/load_uefi.c | 37 ++++++++++++++++++++++---------------
|
||||
security/integrity/platform_certs/load_uefi.c | 37 ++++++++++++++++++++++---------------
|
||||
1 file changed, 22 insertions(+), 15 deletions(-)
|
||||
|
||||
diff --git a/certs/load_uefi.c b/certs/load_uefi.c
|
||||
index 3d884598601..9ef34c44fd1 100644
|
||||
--- a/certs/load_uefi.c
|
||||
+++ b/certs/load_uefi.c
|
||||
@@ -35,8 +35,8 @@ static __init bool uefi_check_ignore_db(void)
|
||||
diff --git a/security/integrity/platform_certs/load_uefi.c b/security/integrity/platform_certs/load_uefi.c
|
||||
index 81b19c52832b..e188f3ecbce3 100644
|
||||
--- a/security/integrity/platform_certs/load_uefi.c
|
||||
+++ b/security/integrity/platform_certs/load_uefi.c
|
||||
@@ -38,8 +38,8 @@ static __init bool uefi_check_ignore_db(void)
|
||||
/*
|
||||
* Get a certificate list blob from the named EFI variable.
|
||||
*/
|
||||
-static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid,
|
||||
- unsigned long *size)
|
||||
+static __init int get_cert_list(efi_char16_t *name, efi_guid_t *guid,
|
||||
+ unsigned long *size, void **cert_list)
|
||||
+ unsigned long *size , void **cert_list)
|
||||
{
|
||||
efi_status_t status;
|
||||
unsigned long lsize = 4;
|
||||
@@ -44,26 +44,33 @@ static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid,
|
||||
@@ -47,24 +47,31 @@ static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid,
|
||||
void *db;
|
||||
|
||||
|
||||
status = efi.get_variable(name, guid, NULL, &lsize, &tmpdb);
|
||||
+ if (status == EFI_NOT_FOUND) {
|
||||
+ *size = 0;
|
||||
@ -39,14 +39,12 @@ index 3d884598601..9ef34c44fd1 100644
|
||||
- return NULL;
|
||||
+ return efi_status_to_err(status);
|
||||
}
|
||||
|
||||
|
||||
db = kmalloc(lsize, GFP_KERNEL);
|
||||
if (!db) {
|
||||
pr_err("Couldn't allocate memory for uefi cert list\n");
|
||||
if (!db)
|
||||
- return NULL;
|
||||
+ return -ENOMEM;
|
||||
}
|
||||
|
||||
|
||||
status = efi.get_variable(name, guid, NULL, &lsize, db);
|
||||
if (status != EFI_SUCCESS) {
|
||||
kfree(db);
|
||||
@ -54,15 +52,15 @@ index 3d884598601..9ef34c44fd1 100644
|
||||
- return NULL;
|
||||
+ return efi_status_to_err(status);
|
||||
}
|
||||
|
||||
|
||||
*size = lsize;
|
||||
- return db;
|
||||
+ *cert_list = db;
|
||||
+ return 0;
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
@@ -152,10 +159,10 @@ static int __init load_uefi_certs(void)
|
||||
@@ -153,10 +160,10 @@ static int __init load_uefi_certs(void)
|
||||
* an error if we can't get them.
|
||||
*/
|
||||
if (!uefi_check_ignore_db()) {
|
||||
@ -74,36 +72,33 @@ index 3d884598601..9ef34c44fd1 100644
|
||||
- } else {
|
||||
+ } else if (dbsize != 0) {
|
||||
rc = parse_efi_signature_list("UEFI:db",
|
||||
db, dbsize, get_handler_for_db);
|
||||
db, dbsize, get_handler_for_db);
|
||||
if (rc)
|
||||
@@ -164,10 +171,10 @@ static int __init load_uefi_certs(void)
|
||||
@@ -166,10 +173,10 @@ static int __init load_uefi_certs(void)
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
- mok = get_cert_list(L"MokListRT", &mok_var, &moksize);
|
||||
- if (!mok) {
|
||||
+ rc = get_cert_list(L"MokListRT", &mok_var, &moksize, &mok);
|
||||
+ if (rc < 0) {
|
||||
pr_info("MODSIGN: Couldn't get UEFI MokListRT\n");
|
||||
pr_info("Couldn't get UEFI MokListRT\n");
|
||||
- } else {
|
||||
+ } else if (moksize != 0) {
|
||||
rc = parse_efi_signature_list("UEFI:MokListRT",
|
||||
mok, moksize, get_handler_for_db);
|
||||
if (rc)
|
||||
@@ -175,10 +182,10 @@ static int __init load_uefi_certs(void)
|
||||
@@ -177,10 +184,10 @@ static int __init load_uefi_certs(void)
|
||||
kfree(mok);
|
||||
}
|
||||
|
||||
|
||||
- dbx = get_cert_list(L"dbx", &secure_var, &dbxsize);
|
||||
- if (!dbx) {
|
||||
+ rc = get_cert_list(L"dbx", &secure_var, &dbxsize, &dbx);
|
||||
+ if (rc < 0) {
|
||||
pr_info("MODSIGN: Couldn't get UEFI dbx list\n");
|
||||
pr_info("Couldn't get UEFI dbx list\n");
|
||||
- } else {
|
||||
+ } else if (dbxsize != 0) {
|
||||
rc = parse_efi_signature_list("UEFI:dbx",
|
||||
dbx, dbxsize,
|
||||
get_handler_for_dbx);
|
||||
--
|
||||
2.15.0
|
||||
|
||||
|
||||
@ -6,13 +6,13 @@ Subject: [PATCH 3/3] Make get_cert_list() use efi_status_to_str() to print
|
||||
|
||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||
---
|
||||
certs/load_uefi.c | 6 ++++--
|
||||
security/integrity/platform_certs/load_uefi.c | 6 ++++--
|
||||
1 file changed, 4 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/certs/load_uefi.c b/certs/load_uefi.c
|
||||
diff --git a/security/integrity/platform_certs/load_uefi.c b/security/integrity/platform_certs/load_uefi.c
|
||||
index 9ef34c44fd1..13a2826715d 100644
|
||||
--- a/certs/load_uefi.c
|
||||
+++ b/certs/load_uefi.c
|
||||
--- a/security/integrity/platform_certs/load_uefi.c
|
||||
+++ b/security/integrity/platform_certs/load_uefi.c
|
||||
@@ -51,7 +51,8 @@ static __init int get_cert_list(efi_char16_t *name, efi_guid_t *guid,
|
||||
}
|
||||
|
||||
|
||||
@ -0,0 +1 @@
|
||||
CONFIG_INTEGRITY_PLATFORM_KEYRING=y
|
||||
@ -2335,7 +2335,7 @@ CONFIG_INT3406_THERMAL=m
|
||||
CONFIG_INT340X_THERMAL=m
|
||||
CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
|
||||
CONFIG_INTEGRITY_AUDIT=y
|
||||
# CONFIG_INTEGRITY_PLATFORM_KEYRING is not set
|
||||
CONFIG_INTEGRITY_PLATFORM_KEYRING=y
|
||||
CONFIG_INTEGRITY_SIGNATURE=y
|
||||
CONFIG_INTEGRITY=y
|
||||
CONFIG_INTEL_ATOMISP2_PM=m
|
||||
|
||||
@ -2317,7 +2317,7 @@ CONFIG_INT3406_THERMAL=m
|
||||
CONFIG_INT340X_THERMAL=m
|
||||
CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
|
||||
CONFIG_INTEGRITY_AUDIT=y
|
||||
# CONFIG_INTEGRITY_PLATFORM_KEYRING is not set
|
||||
CONFIG_INTEGRITY_PLATFORM_KEYRING=y
|
||||
CONFIG_INTEGRITY_SIGNATURE=y
|
||||
CONFIG_INTEGRITY=y
|
||||
CONFIG_INTEL_ATOMISP2_PM=m
|
||||
|
||||
@ -2380,7 +2380,7 @@ CONFIG_INT3406_THERMAL=m
|
||||
CONFIG_INT340X_THERMAL=m
|
||||
CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
|
||||
CONFIG_INTEGRITY_AUDIT=y
|
||||
# CONFIG_INTEGRITY_PLATFORM_KEYRING is not set
|
||||
CONFIG_INTEGRITY_PLATFORM_KEYRING=y
|
||||
CONFIG_INTEGRITY_SIGNATURE=y
|
||||
CONFIG_INTEGRITY=y
|
||||
CONFIG_INTEL_ATOMISP2_PM=m
|
||||
|
||||
@ -2362,7 +2362,7 @@ CONFIG_INT3406_THERMAL=m
|
||||
CONFIG_INT340X_THERMAL=m
|
||||
CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
|
||||
CONFIG_INTEGRITY_AUDIT=y
|
||||
# CONFIG_INTEGRITY_PLATFORM_KEYRING is not set
|
||||
CONFIG_INTEGRITY_PLATFORM_KEYRING=y
|
||||
CONFIG_INTEGRITY_SIGNATURE=y
|
||||
CONFIG_INTEGRITY=y
|
||||
CONFIG_INTEL_ATOMISP2_PM=m
|
||||
|
||||
@ -544,12 +544,6 @@ Patch201: efi-lockdown.patch
|
||||
|
||||
Patch202: KEYS-Allow-unrestricted-boot-time-addition-of-keys-t.patch
|
||||
|
||||
Patch204: Add-an-EFI-signature-blob-parser-and-key-loader.patch
|
||||
|
||||
Patch205: MODSIGN-Import-certificates-from-UEFI-Secure-Boot.patch
|
||||
|
||||
Patch206: MODSIGN-Support-not-importing-certs-from-db.patch
|
||||
|
||||
# bz 1497559 - Make kernel MODSIGN code not error on missing variables
|
||||
Patch207: 0001-Make-get_cert_list-not-complain-about-cert-lists-tha.patch
|
||||
Patch208: 0002-Add-efi_status_to_str-and-rework-efi_status_to_err.patch
|
||||
@ -1878,6 +1872,9 @@ fi
|
||||
#
|
||||
#
|
||||
%changelog
|
||||
* Mon Jan 07 2019 Justin M. Forbes <jforbes@fedoraproject.org>
|
||||
- Updates for secure boot
|
||||
|
||||
* Mon Jan 07 2019 Laura Abbott <labbott@redhat.com> - 5.0.0-0.rc1.git0.1
|
||||
- Linux v5.0-rc1
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user