rpms/kernel
7
2
Fork 4
Code Issues Pull Requests Releases Activity

Add patch to support not importing certs from db

Browse Source
This commit is contained in:
Josh Boyer 2013-10-03 16:44:55 -04:00
parent bcab99f59b
commit 9d22d52e0c
2 changed files with 104 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
kernel.spec
View File

@ -2252,6 +2252,9 @@ fi
# ||----w | # ||----w |
# || || # || ||
%changelog %changelog
* Thu Oct 03 2013 Josh Boyer <jwboyer@fedoraproject.org>
- Add patch to support not importing certs from db
* Thu Oct 03 2013 Kyle McMartin <kyle@fedoraproject.org> * Thu Oct 03 2013 Kyle McMartin <kyle@fedoraproject.org>
- Add config-no-extra and disable with_extra on ARM and AArch64 to reduce - Add config-no-extra and disable with_extra on ARM and AArch64 to reduce
time building untestable code (because the hardware doesn't exist, or it time building untestable code (because the hardware doesn't exist, or it

117
modsign-uefi.patch
View File

@ -1,7 +1,7 @@
From 725d7e7fb9ca1065102e640cf8af606169e63075 Mon Sep 17 00:00:00 2001 From 0a5e59dd7a921f20d77b13aa4e01392086ddbd12 Mon Sep 17 00:00:00 2001
From: Dave Howells <dhowells@redhat.com> From: Dave Howells <dhowells@redhat.com>
Date: Tue, 23 Oct 2012 09:30:54 -0400 Date: Tue, 23 Oct 2012 09:30:54 -0400
Subject: [PATCH 1/4] Add EFI signature data types Subject: [PATCH 1/5] Add EFI signature data types
Add the data types that are used for containing hashes, keys and certificates Add the data types that are used for containing hashes, keys and certificates
for cryptographic verification. for cryptographic verification.
@ -53,10 +53,10 @@ index eed2202..1da1b3c 100644
1.8.3.1 1.8.3.1
From f204253a34b477c5d68df711326a694b58e51c76 Mon Sep 17 00:00:00 2001 From 8b75428a7e1813cd3bc225a959e63d67898e4808 Mon Sep 17 00:00:00 2001
From: Dave Howells <dhowells@redhat.com> From: Dave Howells <dhowells@redhat.com>
Date: Tue, 23 Oct 2012 09:36:28 -0400 Date: Tue, 23 Oct 2012 09:36:28 -0400
Subject: [PATCH 2/4] Add an EFI signature blob parser and key loader. Subject: [PATCH 2/5] Add an EFI signature blob parser and key loader.
X.509 certificates are loaded into the specified keyring as asymmetric type X.509 certificates are loaded into the specified keyring as asymmetric type
keys. keys.
@ -233,10 +233,10 @@ index 1da1b3c..42a1d25 100644
1.8.3.1 1.8.3.1
From cebc8870a8f0b97b2585a07d9957ead0f21cdc8a Mon Sep 17 00:00:00 2001 From 920108c0f9cc5854dd329a5dfc904e91d40a4b26 Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@fedoraproject.org> From: Josh Boyer <jwboyer@fedoraproject.org>
Date: Fri, 26 Oct 2012 12:36:24 -0400 Date: Fri, 26 Oct 2012 12:36:24 -0400
Subject: [PATCH 3/4] KEYS: Add a system blacklist keyring Subject: [PATCH 3/5] KEYS: Add a system blacklist keyring
This adds an additional keyring that is used to store certificates that This adds an additional keyring that is used to store certificates that
are blacklisted. This keyring is searched first when loading signed modules are blacklisted. This keyring is searched first when loading signed modules
@ -267,10 +267,10 @@ index 8dabc39..e466de1 100644
#endif /* _KEYS_SYSTEM_KEYRING_H */ #endif /* _KEYS_SYSTEM_KEYRING_H */
diff --git a/init/Kconfig b/init/Kconfig diff --git a/init/Kconfig b/init/Kconfig
index 9f3cfdc..547f617 100644 index 0ff5407..ba76e57 100644
--- a/init/Kconfig --- a/init/Kconfig
+++ b/init/Kconfig +++ b/init/Kconfig
@@ -1676,6 +1676,15 @@ config SYSTEM_TRUSTED_KEYRING @@ -1680,6 +1680,15 @@ config SYSTEM_TRUSTED_KEYRING
Keys in this keyring are used by module signature checking. Keys in this keyring are used by module signature checking.
@ -285,7 +285,7 @@ index 9f3cfdc..547f617 100644
+ +
menuconfig MODULES menuconfig MODULES
bool "Enable loadable module support" bool "Enable loadable module support"
help option modules
diff --git a/kernel/module_signing.c b/kernel/module_signing.c diff --git a/kernel/module_signing.c b/kernel/module_signing.c
index 0b6b870..0a29b40 100644 index 0b6b870..0a29b40 100644
--- a/kernel/module_signing.c --- a/kernel/module_signing.c
@ -310,7 +310,7 @@ index 0b6b870..0a29b40 100644
&key_type_asymmetric, id); &key_type_asymmetric, id);
if (IS_ERR(key)) if (IS_ERR(key))
diff --git a/kernel/system_keyring.c b/kernel/system_keyring.c diff --git a/kernel/system_keyring.c b/kernel/system_keyring.c
index 4ca7072..b19cc6e 100644 index 564dd93..389b50d 100644
--- a/kernel/system_keyring.c --- a/kernel/system_keyring.c
+++ b/kernel/system_keyring.c +++ b/kernel/system_keyring.c
@@ -20,6 +20,9 @@ @@ -20,6 +20,9 @@
@ -348,10 +348,10 @@ index 4ca7072..b19cc6e 100644
1.8.3.1 1.8.3.1
From aa4f39ac51f8b9f589c13766e5e32a5b7794ed68 Mon Sep 17 00:00:00 2001 From 69dca9998380c1931227a01205cdf23c34509753 Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@fedoraproject.org> From: Josh Boyer <jwboyer@fedoraproject.org>
Date: Fri, 26 Oct 2012 12:42:16 -0400 Date: Fri, 26 Oct 2012 12:42:16 -0400
Subject: [PATCH 4/4] MODSIGN: Import certificates from UEFI Secure Boot Subject: [PATCH 4/5] MODSIGN: Import certificates from UEFI Secure Boot
Secure Boot stores a list of allowed certificates in the 'db' variable. Secure Boot stores a list of allowed certificates in the 'db' variable.
This imports those certificates into the system trusted keyring. This This imports those certificates into the system trusted keyring. This
@ -393,10 +393,10 @@ index 42a1d25..d3e6036 100644
efi_guid_t guid; efi_guid_t guid;
u64 table; u64 table;
diff --git a/init/Kconfig b/init/Kconfig diff --git a/init/Kconfig b/init/Kconfig
index 547f617..8e943bf 100644 index ba76e57..b09cd98 100644
--- a/init/Kconfig --- a/init/Kconfig
+++ b/init/Kconfig +++ b/init/Kconfig
@@ -1794,6 +1794,15 @@ config MODULE_SIG_ALL @@ -1799,6 +1799,15 @@ config MODULE_SIG_ALL
comment "Do not forget to sign required modules with scripts/sign-file" comment "Do not forget to sign required modules with scripts/sign-file"
depends on MODULE_SIG_FORCE && !MODULE_SIG_ALL depends on MODULE_SIG_FORCE && !MODULE_SIG_ALL
@ -413,10 +413,10 @@ index 547f617..8e943bf 100644
prompt "Which hash algorithm should modules be signed with?" prompt "Which hash algorithm should modules be signed with?"
depends on MODULE_SIG depends on MODULE_SIG
diff --git a/kernel/Makefile b/kernel/Makefile diff --git a/kernel/Makefile b/kernel/Makefile
index 1ff5e3b..f9b9998 100644 index 6313698..cb35a89 100644
--- a/kernel/Makefile --- a/kernel/Makefile
+++ b/kernel/Makefile +++ b/kernel/Makefile
@@ -56,6 +56,7 @@ obj-$(CONFIG_UID16) += uid16.o @@ -57,6 +57,7 @@ obj-$(CONFIG_UID16) += uid16.o
obj-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += system_keyring.o system_certificates.o obj-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += system_keyring.o system_certificates.o
obj-$(CONFIG_MODULES) += module.o obj-$(CONFIG_MODULES) += module.o
obj-$(CONFIG_MODULE_SIG) += module_signing.o obj-$(CONFIG_MODULE_SIG) += module_signing.o
@ -534,3 +534,88 @@ index 0000000..94b0eb3
-- --
1.8.3.1 1.8.3.1
From c8e6d256ddfa2182d5b011a4ab70f8c5c9b2b590 Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@fedoraproject.org>
Date: Thu, 3 Oct 2013 10:14:23 -0400
Subject: [PATCH 5/5] MODSIGN: Support not importing certs from db
If a user tells shim to not use the certs/hashes in the UEFI db variable
for verification purposes, shim will set a UEFI variable called MokIgnoreDB.
Have the uefi import code look for this and not import things from the db
variable.
Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
---
kernel/modsign_uefi.c | 40 +++++++++++++++++++++++++++++++---------
1 file changed, 31 insertions(+), 9 deletions(-)
diff --git a/kernel/modsign_uefi.c b/kernel/modsign_uefi.c
index 94b0eb3..ae28b97 100644
--- a/kernel/modsign_uefi.c
+++ b/kernel/modsign_uefi.c
@@ -8,6 +8,23 @@
#include <keys/system_keyring.h>
#include "module-internal.h"
+static __init int check_ignore_db(void)
+{
+ efi_status_t status;
+ unsigned int db = 0;
+ unsigned long size = sizeof(db);
+ efi_guid_t guid = EFI_SHIM_LOCK_GUID;
+
+ /* Check and see if the MokIgnoreDB variable exists. If that fails
+ * then we don't ignore DB. If it succeeds, we do.
+ */
+ status = efi.get_variable(L"MokIgnoreDB", &guid, NULL, &size, &db);
+ if (status != EFI_SUCCESS)
+ return 0;
+
+ return 1;
+}
+
static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid, unsigned long *size)
{
efi_status_t status;
@@ -47,23 +64,28 @@ static int __init load_uefi_certs(void)
efi_guid_t mok_var = EFI_SHIM_LOCK_GUID;
void *db = NULL, *dbx = NULL, *mok = NULL;
unsigned long dbsize = 0, dbxsize = 0, moksize = 0;
- int rc = 0;
+ int ignore_db, rc = 0;
/* Check if SB is enabled and just return if not */
if (!efi_enabled(EFI_SECURE_BOOT))
return 0;
+ /* See if the user has setup Ignore DB mode */
+ ignore_db = check_ignore_db();
+
/* Get db, MokListRT, and dbx. They might not exist, so it isn't
* an error if we can't get them.
*/
- db = get_cert_list(L"db", &secure_var, &dbsize);
- if (!db) {
- pr_err("MODSIGN: Couldn't get UEFI db list\n");
- } else {
- rc = parse_efi_signature_list(db, dbsize, system_trusted_keyring);
- if (rc)
- pr_err("Couldn't parse db signatures: %d\n", rc);
- kfree(db);
+ if (!ignore_db) {
+ db = get_cert_list(L"db", &secure_var, &dbsize);
+ if (!db) {
+ pr_err("MODSIGN: Couldn't get UEFI db list\n");
+ } else {
+ rc = parse_efi_signature_list(db, dbsize, system_trusted_keyring);
+ if (rc)
+ pr_err("Couldn't parse db signatures: %d\n", rc);
+ kfree(db);
+ }
}
mok = get_cert_list(L"MokListRT", &mok_var, &moksize);
--
1.8.3.1