authorJustin M. Forbes <jforbes@fedoraproject.org>2017-05-04 16:04:12 -0500
committerJustin M. Forbes <jforbes@fedoraproject.org>2017-05-04 16:04:12 -0500
commitb88f18484ea4501304fcc597456eb789d884871a (patch)
treebe68415f1b1b46a4e80fbc409062abcea055a6a2
parent05e55297ee7dac97581503cd45f381a6f994717a (diff)
Temp fix for blacklist rework until I figure out how I want to fix for upstream
-rw-r--r--MODSIGN-Import-certificates-from-UEFI-Secure-Boot.patch43
-rw-r--r--MODSIGN-Support-not-importing-certs-from-db.patch2
2 files changed, 39 insertions, 6 deletions
diff --git a/MODSIGN-Import-certificates-from-UEFI-Secure-Boot.patch b/MODSIGN-Import-certificates-from-UEFI-Secure-Boot.patch
index e5b531215..5ff792c3c 100644
--- a/MODSIGN-Import-certificates-from-UEFI-Secure-Boot.patch
+++ b/MODSIGN-Import-certificates-from-UEFI-Secure-Boot.patch
@@ -51,17 +51,36 @@ index 787eeead2f57..4d9123ed5c07 100644
*
* Restrict the addition of keys into a keyring based on the key-to-be-added
diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h
-index 5bc291a3d261..56ff5715ab67 100644
+index 359c2f9..e7160a6 100644
--- a/include/keys/system_keyring.h
+++ b/include/keys/system_keyring.h
-@@ -36,6 +36,7 @@ extern int restrict_link_by_builtin_and_secondary_trusted(
+@@ -39,14 +39,26 @@ extern int restrict_link_by_builtin_and_secondary_trusted(
+ extern int mark_hash_blacklisted(const char *hash);
+ extern int is_hash_blacklisted(const u8 *hash, size_t hash_len,
+ const char *type);
++extern struct key *blacklist_keyring;
++
++static inline struct key *get_blacklist_keyring(void)
++{
++ return blacklist_keyring;
++}
+ #else
+ static inline int is_hash_blacklisted(const u8 *hash, size_t hash_len,
+ const char *type)
+ {
return 0;
}
++static inline struct key *get_blacklist_keyring(void)
++{
++ return NULL;
++}
#endif
+
+extern struct key *get_system_keyring(void);
-
++
#ifdef CONFIG_IMA_BLACKLIST_KEYRING
extern struct key *ima_blacklist_keyring;
+
diff --git a/init/Kconfig b/init/Kconfig
index 461ad575a608..93646fd7b1c8 100644
--- a/init/Kconfig
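Review bot: The new `++extern struct key *blacklist_keyring;` line exposes the blacklist keyring pointer as a writable global, so any kernel code can now rebind it directly rather than read it through the new get_blacklist_keyring() accessor; the matching removal of `static` is in the certs/blacklist.c hunk appended further down in this file. Keeping the variable static and defining the accessor out of line next to it, `struct key *get_blacklist_keyring(void) { return blacklist_keyring; }`, with only the prototype in the header, gives the same read access with less exposure, and it mirrors how `extern struct key *get_system_keyring(void);` is declared a few lines later. Both inline definitions are also undocumented; a comment above them such as `/* Returns the system blacklist keyring, or NULL when it is not built in. */` would tell callers to expect NULL from the `#else` branch. The `#ifdef` that opens this block is outside the hunk.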
@@ -108,7 +127,7 @@ new file mode 100644
index 000000000000..fe4a6f2bf10a
--- /dev/null
+++ b/kernel/modsign_uefi.c
-@@ -0,0 +1,99 @@
+@@ -0,0 +1,101 @@
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/cred.h>
@@ -160,6 +179,7 @@ index 000000000000..fe4a6f2bf10a
+ unsigned long dbsize = 0, dbxsize = 0, moksize = 0;
+ int rc = 0;
+ struct key *keyring = NULL;
++ struct key *blacklist = NULL;
+
+ /* Check if SB is enabled and just return if not */
+ if (!efi_enabled(EFI_SECURE_BOOT))
@@ -194,12 +214,13 @@ index 000000000000..fe4a6f2bf10a
+ kfree(mok);
+ }
+
++ blacklist = get_blacklist_keyring();
+ dbx = get_cert_list(L"dbx", &secure_var, &dbxsize);
+ if (!dbx) {
+ pr_info("MODSIGN: Couldn't get UEFI dbx list\n");
+ } else {
+ rc = parse_efi_signature_list(dbx, dbxsize,
-+ system_blacklist_keyring);
++ blacklist);
+ if (rc)
+ pr_err("Couldn't parse dbx signatures: %d\n", rc);
+ kfree(dbx);
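Review bot: `blacklist` is handed to parse_efi_signature_list() at the `++ blacklist);` line without a NULL check, yet the get_blacklist_keyring() added in the `#else` branch of system_keyring.h returns NULL, so in that configuration the dbx entries would be parsed into a NULL keyring; whether parse_efi_signature_list() tolerates a NULL keyring is not visible here. Bail out before fetching dbx when there is no keyring, e.g. `if (!blacklist) {` / `pr_info("MODSIGN: no blacklist keyring, skipping UEFI dbx\n");` / `return rc; }` (assuming nothing else follows the dbx block; the rest of load_uefi_certs is outside the hunk). Fetching the keyring after the db/mok processing is fine, but doing the check before `get_cert_list(L"dbx", ...)` avoids allocating a list that is then never used.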
@@ -210,4 +231,16 @@ index 000000000000..fe4a6f2bf10a
+late_initcall(load_uefi_certs);
--
2.9.3
+diff --git a/certs/blacklist.c b/certs/blacklist.c
+index 3eddce0..bd9324c 100644
+--- a/certs/blacklist.c
++++ b/certs/blacklist.c
+@@ -21,7 +21,7 @@
+ #include <keys/system_keyring.h>
+ #include "blacklist.h"
+
+-static struct key *blacklist_keyring;
++struct key *blacklist_keyring;
+ /*
+ * The description must be a type prefix, a colon and then an even number of
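Review bot: The new certs/blacklist.c diff is appended after the `--` / `2.9.3` format-patch signature lines rather than before them, so the patch file no longer reads as a single format-patch output and tooling or readers that treat `-- ` as the end of the patch may overlook this hunk; the patch's own diffstat header, outside this hunk, presumably does not mention certs/blacklist.c either. Moving the new file diff above the `--` line, or regenerating the patch with the change folded in, keeps the file consistent. Dropping `static` here only works because blacklist.c includes keys/system_keyring.h (visible at the top of the hunk), so the extern declaration and the definition match.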
diff --git a/MODSIGN-Support-not-importing-certs-from-db.patch b/MODSIGN-Support-not-importing-certs-from-db.patch
index d7087b5e7..07626b2d3 100644
--- a/MODSIGN-Support-not-importing-certs-from-db.patch
+++ b/MODSIGN-Support-not-importing-certs-from-db.patch
@@ -48,8 +48,8 @@ index fe4a6f2bf10a..a41da14b1ffd 100644
- int rc = 0;
+ int ignore_db, rc = 0;
struct key *keyring = NULL;
+ struct key *blacklist = NULL;
- /* Check if SB is enabled and just return if not */
@@ -60,17 +77,22 @@ static int __init load_uefi_certs(void)
return -EINVAL;
}