author | Justin M. Forbes <jforbes@fedoraproject.org> | 2017-05-04 16:04:12 -0500 |
committer | Justin M. Forbes <jforbes@fedoraproject.org> | 2017-05-04 16:04:12 -0500 |
commit | b88f18484ea4501304fcc597456eb789d884871a (patch) | |
tree | be68415f1b1b46a4e80fbc409062abcea055a6a2 | |
parent | 05e55297ee7dac97581503cd45f381a6f994717a (diff) | |
Temp fix for blacklist rework until I figure out how I want to fix for upstream
-rw-r--r-- | MODSIGN-Import-certificates-from-UEFI-Secure-Boot.patch | 43 | ||||
-rw-r--r-- | MODSIGN-Support-not-importing-certs-from-db.patch | 2 |
2 files changed, 39 insertions, 6 deletions
diff --git a/MODSIGN-Import-certificates-from-UEFI-Secure-Boot.patch b/MODSIGN-Import-certificates-from-UEFI-Secure-Boot.patch
index e5b531215..5ff792c3c 100644
--- a/MODSIGN-Import-certificates-from-UEFI-Secure-Boot.patch
+++ b/MODSIGN-Import-certificates-from-UEFI-Secure-Boot.patch
@@ -51,17 +51,36 @@ index 787eeead2f57..4d9123ed5c07 100644
* * Restrict the addition of keys into a keyring based on the key-to-be-added
diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h
-index 5bc291a3d261..56ff5715ab67 100644
+index 359c2f9..e7160a6 100644
--- a/include/keys/system_keyring.h
+++ b/include/keys/system_keyring.h
-@@ -36,6 +36,7 @@ extern int restrict_link_by_builtin_and_secondary_trusted(
+@@ -39,14 +39,26 @@ extern int restrict_link_by_builtin_and_secondary_trusted(
+ extern int mark_hash_blacklisted(const char *hash);
+ extern int is_hash_blacklisted(const u8 *hash, size_t hash_len,
+ const char *type);
++extern struct key *blacklist_keyring;
++
++static inline struct key *get_blacklist_keyring(void)
++{
++ return blacklist_keyring;
++}
+ #else
+ static inline int is_hash_blacklisted(const u8 *hash, size_t hash_len,
+ const char *type)
+ { return 0; }
++static inline struct key *get_blacklist_keyring(void)
++{
++ return NULL;
++}
#endif
+
+extern struct key *get_system_keyring(void);
-
++
#ifdef CONFIG_IMA_BLACKLIST_KEYRING
extern struct key *ima_blacklist_keyring;
+
diff --git a/init/Kconfig b/init/Kconfig
index 461ad575a608..93646fd7b1c8 100644
--- a/init/Kconfig
@@ -108,7 +127,7 @@ new file mode 100644
index 000000000000..fe4a6f2bf10a
--- /dev/null
+++ b/kernel/modsign_uefi.c
-@@ -0,0 +1,99 @@
+@@ -0,0 +1,101 @@
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/cred.h>
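Review bot: The new `extern struct key *blacklist_keyring;` in include/keys/system_keyring.h publishes the blacklist keyring pointer as a writable global, so any kernel code can now overwrite it or link keys into it directly instead of only reading it through `get_blacklist_keyring()`. Keeping the variable file-local and declaring only an out-of-line accessor, `extern struct key *get_blacklist_keyring(void);`, gives load_uefi_certs() the same access without widening what can be modified. The `#else` variant returns NULL, so every caller must be prepared for a missing keyring; a comment on the first declaration such as `/* NULL when the system blacklist keyring is not configured - callers must check */` would make that contract visible. The `#ifdef` guarding the first branch lies above this hunk, so the exact config symbol (presumably CONFIG_SYSTEM_BLACKLIST_KEYRING, given the functions declared alongside it) is inferred rather than visible.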
@@ -160,6 +179,7 @@ index 000000000000..fe4a6f2bf10a
+ unsigned long dbsize = 0, dbxsize = 0, moksize = 0;
+ int rc = 0;
+ struct key *keyring = NULL;
++ struct key *blacklist = NULL;
+
+ /* Check if SB is enabled and just return if not */
+ if (!efi_enabled(EFI_SECURE_BOOT))
@@ -194,12 +214,13 @@ index 000000000000..fe4a6f2bf10a
+ kfree(mok);
+ }
+
++ blacklist = get_blacklist_keyring();
+ dbx = get_cert_list(L"dbx", &secure_var, &dbxsize);
+ if (!dbx) {
+ pr_info("MODSIGN: Couldn't get UEFI dbx list\n");
+ } else {
+ rc = parse_efi_signature_list(dbx, dbxsize,
-+ system_blacklist_keyring);
++ blacklist);
+ if (rc)
+ pr_err("Couldn't parse dbx signatures: %d\n", rc);
+ kfree(dbx);
@@ -210,4 +231,16 @@ index 000000000000..fe4a6f2bf10a
+late_initcall(load_uefi_certs);
-- 2.9.3
+diff --git a/certs/blacklist.c b/certs/blacklist.c
+index 3eddce0..bd9324c 100644
+--- a/certs/blacklist.c
++++ b/certs/blacklist.c
+@@ -21,7 +21,7 @@
+ #include <keys/system_keyring.h>
+ #include "blacklist.h"
+
+-static struct key *blacklist_keyring;
++struct key *blacklist_keyring;
+ /*
+ * The description must be a type prefix, a colon and then an even number of
diff --git a/MODSIGN-Support-not-importing-certs-from-db.patch b/MODSIGN-Support-not-importing-certs-from-db.patch
index d7087b5e7..07626b2d3 100644
--- a/MODSIGN-Support-not-importing-certs-from-db.patch
+++ b/MODSIGN-Support-not-importing-certs-from-db.patch
@@ -48,8 +48,8 @@ index fe4a6f2bf10a..a41da14b1ffd 100644
- int rc = 0;
+ int ignore_db, rc = 0;
struct key *keyring = NULL;
+ struct key *blacklist = NULL;
- /* Check if SB is enabled and just return if not */
@@ -60,17 +77,22 @@ static int __init load_uefi_certs(void)
return -EINVAL;
} |
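Review bot: `blacklist` may be NULL at `rc = parse_efi_signature_list(dbx, dbxsize, blacklist);` — the header's `#else` `get_blacklist_keyring()` returns NULL when the blacklist keyring is not configured — and nothing in this hunk checks it, so in that build the firmware's dbx revocation list is either rejected inside the parser or handed to it as a NULL keyring while db and MOK certificates are still imported. That is a quiet loss of revocation enforcement, which is the security-relevant outcome an administrator needs to see in the log. I would guard the fetch: `if (!blacklist) pr_warn("MODSIGN: no system blacklist keyring, UEFI dbx revocations not enforced\n");` followed by `dbx = blacklist ? get_cert_list(L"dbx", &secure_var, &dbxsize) : NULL;`, which reuses the existing `if (!dbx)` path (its "Couldn't get UEFI dbx list" message then fires redundantly and could be made conditional on `blacklist`). Whether parse_efi_signature_list() tolerates a NULL keyring is not visible here, and load_uefi_certs() begins and ends outside this hunk.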
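Review bot: Dropping `static` from `blacklist_keyring` in certs/blacklist.c gives the keyring pointer external linkage for every translation unit, although the only new consumer visible in this commit needs read access. Defining the accessor next to the variable, `struct key *get_blacklist_keyring(void) { return blacklist_keyring; }`, with a plain `extern` prototype in the header, keeps the pointer private to blacklist.c and exposes only a read path. This blacklist.c section is also appended after the patch's `-- ` / `2.9.3` signature trailer; whether every applier accepts a section placed after the signature delimiter depends on the tool, so regenerating the patch with `git format-patch` so the trailer stays last removes that doubt. The surrounding definitions in blacklist.c are outside this hunk.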