summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJustin M. Forbes <jforbes@fedoraproject.org>2019-01-07 16:23:55 -0600
committerJustin M. Forbes <jforbes@fedoraproject.org>2019-01-07 16:23:55 -0600
commit8e8de459e7ba7b89043686df7deea554dd7eecb9 (patch)
tree335ed8db33fd3c598c79c24d6059f4e1c8af86f2
parentcc1db7f34788e8832189b25ed2cc2798435b06bf (diff)
downloadkernel-8e8de459e7ba7b89043686df7deea554dd7eecb9.tar.gz
kernel-8e8de459e7ba7b89043686df7deea554dd7eecb9.tar.xz
kernel-8e8de459e7ba7b89043686df7deea554dd7eecb9.zip
Forgot to remove dropped patches
-rw-r--r--Add-an-EFI-signature-blob-parser-and-key-loader.patch176
-rw-r--r--MODSIGN-Import-certificates-from-UEFI-Secure-Boot.patch246
-rw-r--r--MODSIGN-Support-not-importing-certs-from-db.patch88
3 files changed, 0 insertions, 510 deletions
diff --git a/Add-an-EFI-signature-blob-parser-and-key-loader.patch b/Add-an-EFI-signature-blob-parser-and-key-loader.patch
deleted file mode 100644
index 276eb708d..000000000
--- a/Add-an-EFI-signature-blob-parser-and-key-loader.patch
+++ /dev/null
@@ -1,176 +0,0 @@
-From 73e105771858bf39aeabcbcd2f7b002c24ac4bb0 Mon Sep 17 00:00:00 2001
-From: Dave Howells <dhowells@redhat.com>
-Date: Fri, 5 May 2017 08:21:58 +0100
-Subject: [PATCH] efi: Add an EFI signature blob parser
-
-Add a function to parse an EFI signature blob looking for elements of
-interest. A list is made up of a series of sublists, where all the
-elements in a sublist are of the same type, but sublists can be of
-different types.
-
-For each sublist encountered, the function pointed to by the
-get_handler_for_guid argument is called with the type specifier GUID and
-returns either a pointer to a function to handle elements of that type or
-NULL if the type is not of interest.
-
-If the sublist is of interest, each element is passed to the handler
-function in turn.
-
-Signed-off-by: David Howells <dhowells@redhat.com>
----
- certs/Kconfig | 8 ++++
- certs/Makefile | 1 +
- certs/efi_parser.c | 112 +++++++++++++++++++++++++++++++++++++++++++++
- 3 files changed, 121 insertions(+)
- create mode 100644 certs/efi_parser.c
-
-diff --git a/certs/Kconfig b/certs/Kconfig
-index c94e93d8bccf..650ffcb8db79 100644
---- a/certs/Kconfig
-+++ b/certs/Kconfig
-@@ -83,4 +83,12 @@ config SYSTEM_BLACKLIST_HASH_LIST
- wrapper to incorporate the list into the kernel. Each <hash> should
- be a string of hex digits.
-
-+config EFI_SIGNATURE_LIST_PARSER
-+ bool "EFI signature list parser"
-+ depends on EFI
-+ select X509_CERTIFICATE_PARSER
-+ help
-+ This option provides support for parsing EFI signature lists for
-+ X.509 certificates and turning them into keys.
-+
- endmenu
-diff --git a/certs/Makefile b/certs/Makefile
-index 5d0999b9e21b..7e5e179ac685 100644
---- a/certs/Makefile
-+++ b/certs/Makefile
-@@ -10,6 +10,7 @@ obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist_hashes.o
- else
- obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist_nohashes.o
- endif
-+obj-$(CONFIG_EFI_SIGNATURE_LIST_PARSER) += efi_parser.o
-
- ifeq ($(CONFIG_SYSTEM_TRUSTED_KEYRING),y)
-
-diff --git a/certs/efi_parser.c b/certs/efi_parser.c
-new file mode 100644
-index 000000000000..4e396f98f5c7
---- /dev/null
-+++ b/certs/efi_parser.c
-@@ -0,0 +1,112 @@
-+/* EFI signature/key/certificate list parser
-+ *
-+ * Copyright (C) 2012, 2016 Red Hat, Inc. All Rights Reserved.
-+ * Written by David Howells (dhowells@redhat.com)
-+ *
-+ * This program is free software; you can redistribute it and/or
-+ * modify it under the terms of the GNU General Public Licence
-+ * as published by the Free Software Foundation; either version
-+ * 2 of the Licence, or (at your option) any later version.
-+ */
-+
-+#define pr_fmt(fmt) "EFI: "fmt
-+#include <linux/module.h>
-+#include <linux/printk.h>
-+#include <linux/err.h>
-+#include <linux/efi.h>
-+
-+/**
-+ * parse_efi_signature_list - Parse an EFI signature list for certificates
-+ * @source: The source of the key
-+ * @data: The data blob to parse
-+ * @size: The size of the data blob
-+ * @get_handler_for_guid: Get the handler func for the sig type (or NULL)
-+ *
-+ * Parse an EFI signature list looking for elements of interest. A list is
-+ * made up of a series of sublists, where all the elements in a sublist are of
-+ * the same type, but sublists can be of different types.
-+ *
-+ * For each sublist encountered, the @get_handler_for_guid function is called
-+ * with the type specifier GUID and returns either a pointer to a function to
-+ * handle elements of that type or NULL if the type is not of interest.
-+ *
-+ * If the sublist is of interest, each element is passed to the handler
-+ * function in turn.
-+ *
-+ * Error EBADMSG is returned if the list doesn't parse correctly and 0 is
-+ * returned if the list was parsed correctly. No error can be returned from
-+ * the @get_handler_for_guid function or the element handler function it
-+ * returns.
-+ */
-+int __init parse_efi_signature_list(
-+ const char *source,
-+ const void *data, size_t size,
-+ efi_element_handler_t (*get_handler_for_guid)(const efi_guid_t *))
-+{
-+ efi_element_handler_t handler;
-+ unsigned offs = 0;
-+
-+ pr_devel("-->%s(,%zu)\n", __func__, size);
-+
-+ while (size > 0) {
-+ const efi_signature_data_t *elem;
-+ efi_signature_list_t list;
-+ size_t lsize, esize, hsize, elsize;
-+
-+ if (size < sizeof(list))
-+ return -EBADMSG;
-+
-+ memcpy(&list, data, sizeof(list));
-+ pr_devel("LIST[%04x] guid=%pUl ls=%x hs=%x ss=%x\n",
-+ offs,
-+ list.signature_type.b, list.signature_list_size,
-+ list.signature_header_size, list.signature_size);
-+
-+ lsize = list.signature_list_size;
-+ hsize = list.signature_header_size;
-+ esize = list.signature_size;
-+ elsize = lsize - sizeof(list) - hsize;
-+
-+ if (lsize > size) {
-+ pr_devel("<--%s() = -EBADMSG [overrun @%x]\n",
-+ __func__, offs);
-+ return -EBADMSG;
-+ }
-+
-+ if (lsize < sizeof(list) ||
-+ lsize - sizeof(list) < hsize ||
-+ esize < sizeof(*elem) ||
-+ elsize < esize ||
-+ elsize % esize != 0) {
-+ pr_devel("- bad size combo @%x\n", offs);
-+ return -EBADMSG;
-+ }
-+
-+ handler = get_handler_for_guid(&list.signature_type);
-+ if (!handler) {
-+ data += lsize;
-+ size -= lsize;
-+ offs += lsize;
-+ continue;
-+ }
-+
-+ data += sizeof(list) + hsize;
-+ size -= sizeof(list) + hsize;
-+ offs += sizeof(list) + hsize;
-+
-+ for (; elsize > 0; elsize -= esize) {
-+ elem = data;
-+
-+ pr_devel("ELEM[%04x]\n", offs);
-+ handler(source,
-+ &elem->signature_data,
-+ esize - sizeof(*elem));
-+
-+ data += esize;
-+ size -= esize;
-+ offs += esize;
-+ }
-+ }
-+
-+ return 0;
-+}
---
-2.20.1
-
diff --git a/MODSIGN-Import-certificates-from-UEFI-Secure-Boot.patch b/MODSIGN-Import-certificates-from-UEFI-Secure-Boot.patch
deleted file mode 100644
index 08195ff4e..000000000
--- a/MODSIGN-Import-certificates-from-UEFI-Secure-Boot.patch
+++ /dev/null
@@ -1,246 +0,0 @@
-From 90dc66270b02981b19a085c6a9184e3452b7b3e8 Mon Sep 17 00:00:00 2001
-From: Josh Boyer <jwboyer@fedoraproject.org>
-Date: Fri, 5 May 2017 08:21:59 +0100
-Subject: [PATCH 3/4] MODSIGN: Import certificates from UEFI Secure Boot
-
-Secure Boot stores a list of allowed certificates in the 'db' variable.
-This imports those certificates into the system trusted keyring. This
-allows for a third party signing certificate to be used in conjunction
-with signed modules. By importing the public certificate into the 'db'
-variable, a user can allow a module signed with that certificate to
-load. The shim UEFI bootloader has a similar certificate list stored
-in the 'MokListRT' variable. We import those as well.
-
-Secure Boot also maintains a list of disallowed certificates in the 'dbx'
-variable. We load those certificates into the newly introduced system
-blacklist keyring and forbid any module signed with those from loading and
-forbid the use within the kernel of any key with a matching hash.
-
-This facility is enabled by setting CONFIG_LOAD_UEFI_KEYS.
-
-Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
-Signed-off-by: David Howells <dhowells@redhat.com>
----
- certs/Kconfig | 16 ++++++
- certs/Makefile | 4 ++
- certs/load_uefi.c | 168 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
- 3 files changed, 188 insertions(+)
- create mode 100644 certs/load_uefi.c
-
-diff --git a/certs/Kconfig b/certs/Kconfig
-index 630ae09..edf9f75 100644
---- a/certs/Kconfig
-+++ b/certs/Kconfig
-@@ -90,4 +90,20 @@ config EFI_SIGNATURE_LIST_PARSER
- This option provides support for parsing EFI signature lists for
- X.509 certificates and turning them into keys.
-
-+config LOAD_UEFI_KEYS
-+ bool "Load certs and blacklist from UEFI db for module checking"
-+ depends on SYSTEM_BLACKLIST_KEYRING
-+ depends on SECONDARY_TRUSTED_KEYRING
-+ depends on EFI
-+ depends on EFI_SIGNATURE_LIST_PARSER
-+ help
-+ If the kernel is booted in secure boot mode, this option will cause
-+ the kernel to load the certificates from the UEFI db and MokListRT
-+ into the secondary trusted keyring. It will also load any X.509
-+ SHA256 hashes in the dbx list into the blacklist.
-+
-+ The effect of this is that, if the kernel is booted in secure boot
-+ mode, modules signed with UEFI-stored keys will be permitted to be
-+ loaded and keys that match the blacklist will be rejected.
-+
- endmenu
-diff --git a/certs/Makefile b/certs/Makefile
-index 738151a..a5e057a 100644
---- a/certs/Makefile
-+++ b/certs/Makefile
-@@ -11,6 +11,10 @@ obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist_nohashes.o
- endif
- obj-$(CONFIG_EFI_SIGNATURE_LIST_PARSER) += efi_parser.o
-
-+obj-$(CONFIG_LOAD_UEFI_KEYS) += load_uefi.o
-+$(obj)/load_uefi.o: KBUILD_CFLAGS += -fshort-wchar
-+
-+
- ifeq ($(CONFIG_SYSTEM_TRUSTED_KEYRING),y)
-
- $(eval $(call config_filename,SYSTEM_TRUSTED_KEYS))
-diff --git a/certs/load_uefi.c b/certs/load_uefi.c
-new file mode 100644
-index 0000000..b44e464
---- /dev/null
-+++ b/certs/load_uefi.c
-@@ -0,0 +1,168 @@
-+#include <linux/kernel.h>
-+#include <linux/sched.h>
-+#include <linux/cred.h>
-+#include <linux/err.h>
-+#include <linux/efi.h>
-+#include <linux/slab.h>
-+#include <keys/asymmetric-type.h>
-+#include <keys/system_keyring.h>
-+#include "internal.h"
-+
-+static __initdata efi_guid_t efi_cert_x509_guid = EFI_CERT_X509_GUID;
-+static __initdata efi_guid_t efi_cert_x509_sha256_guid = EFI_CERT_X509_SHA256_GUID;
-+static __initdata efi_guid_t efi_cert_sha256_guid = EFI_CERT_SHA256_GUID;
-+
-+/*
-+ * Get a certificate list blob from the named EFI variable.
-+ */
-+static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid,
-+ unsigned long *size)
-+{
-+ efi_status_t status;
-+ unsigned long lsize = 4;
-+ unsigned long tmpdb[4];
-+ void *db;
-+
-+ status = efi.get_variable(name, guid, NULL, &lsize, &tmpdb);
-+ if (status != EFI_BUFFER_TOO_SMALL) {
-+ pr_err("Couldn't get size: 0x%lx\n", status);
-+ return NULL;
-+ }
-+
-+ db = kmalloc(lsize, GFP_KERNEL);
-+ if (!db) {
-+ pr_err("Couldn't allocate memory for uefi cert list\n");
-+ return NULL;
-+ }
-+
-+ status = efi.get_variable(name, guid, NULL, &lsize, db);
-+ if (status != EFI_SUCCESS) {
-+ kfree(db);
-+ pr_err("Error reading db var: 0x%lx\n", status);
-+ return NULL;
-+ }
-+
-+ *size = lsize;
-+ return db;
-+}
-+
-+/*
-+ * Blacklist an X509 TBS hash.
-+ */
-+static __init void uefi_blacklist_x509_tbs(const char *source,
-+ const void *data, size_t len)
-+{
-+ char *hash, *p;
-+
-+ hash = kmalloc(4 + len * 2 + 1, GFP_KERNEL);
-+ if (!hash)
-+ return;
-+ p = memcpy(hash, "tbs:", 4);
-+ p += 4;
-+ bin2hex(p, data, len);
-+ p += len * 2;
-+ *p = 0;
-+
-+ mark_hash_blacklisted(hash);
-+ kfree(hash);
-+}
-+
-+/*
-+ * Blacklist the hash of an executable.
-+ */
-+static __init void uefi_blacklist_binary(const char *source,
-+ const void *data, size_t len)
-+{
-+ char *hash, *p;
-+
-+ hash = kmalloc(4 + len * 2 + 1, GFP_KERNEL);
-+ if (!hash)
-+ return;
-+ p = memcpy(hash, "bin:", 4);
-+ p += 4;
-+ bin2hex(p, data, len);
-+ p += len * 2;
-+ *p = 0;
-+
-+ mark_hash_blacklisted(hash);
-+ kfree(hash);
-+}
-+
-+/*
-+ * Return the appropriate handler for particular signature list types found in
-+ * the UEFI db and MokListRT tables.
-+ */
-+static __init efi_element_handler_t get_handler_for_db(const efi_guid_t *sig_type)
-+{
-+ if (efi_guidcmp(*sig_type, efi_cert_x509_guid) == 0)
-+ return add_trusted_secondary_key;
-+ return 0;
-+}
-+
-+/*
-+ * Return the appropriate handler for particular signature list types found in
-+ * the UEFI dbx and MokListXRT tables.
-+ */
-+static __init efi_element_handler_t get_handler_for_dbx(const efi_guid_t *sig_type)
-+{
-+ if (efi_guidcmp(*sig_type, efi_cert_x509_sha256_guid) == 0)
-+ return uefi_blacklist_x509_tbs;
-+ if (efi_guidcmp(*sig_type, efi_cert_sha256_guid) == 0)
-+ return uefi_blacklist_binary;
-+ return 0;
-+}
-+
-+/*
-+ * Load the certs contained in the UEFI databases
-+ */
-+static int __init load_uefi_certs(void)
-+{
-+ efi_guid_t secure_var = EFI_IMAGE_SECURITY_DATABASE_GUID;
-+ efi_guid_t mok_var = EFI_SHIM_LOCK_GUID;
-+ void *db = NULL, *dbx = NULL, *mok = NULL;
-+ unsigned long dbsize = 0, dbxsize = 0, moksize = 0;
-+ int rc = 0;
-+
-+ if (!efi.get_variable)
-+ return false;
-+
-+ /* Get db, MokListRT, and dbx. They might not exist, so it isn't
-+ * an error if we can't get them.
-+ */
-+ db = get_cert_list(L"db", &secure_var, &dbsize);
-+ if (!db) {
-+ pr_err("MODSIGN: Couldn't get UEFI db list\n");
-+ } else {
-+ rc = parse_efi_signature_list("UEFI:db",
-+ db, dbsize, get_handler_for_db);
-+ if (rc)
-+ pr_err("Couldn't parse db signatures: %d\n", rc);
-+ kfree(db);
-+ }
-+
-+ mok = get_cert_list(L"MokListRT", &mok_var, &moksize);
-+ if (!mok) {
-+ pr_info("MODSIGN: Couldn't get UEFI MokListRT\n");
-+ } else {
-+ rc = parse_efi_signature_list("UEFI:MokListRT",
-+ mok, moksize, get_handler_for_db);
-+ if (rc)
-+ pr_err("Couldn't parse MokListRT signatures: %d\n", rc);
-+ kfree(mok);
-+ }
-+
-+ dbx = get_cert_list(L"dbx", &secure_var, &dbxsize);
-+ if (!dbx) {
-+ pr_info("MODSIGN: Couldn't get UEFI dbx list\n");
-+ } else {
-+ rc = parse_efi_signature_list("UEFI:dbx",
-+ dbx, dbxsize,
-+ get_handler_for_dbx);
-+ if (rc)
-+ pr_err("Couldn't parse dbx signatures: %d\n", rc);
-+ kfree(dbx);
-+ }
-+
-+ return rc;
-+}
-+late_initcall(load_uefi_certs);
---
-2.9.3
-
diff --git a/MODSIGN-Support-not-importing-certs-from-db.patch b/MODSIGN-Support-not-importing-certs-from-db.patch
deleted file mode 100644
index 13fecd2f2..000000000
--- a/MODSIGN-Support-not-importing-certs-from-db.patch
+++ /dev/null
@@ -1,88 +0,0 @@
-From 9f1958a0cc911e1f79b2733ee5029dbd819ff328 Mon Sep 17 00:00:00 2001
-From: Josh Boyer <jwboyer@fedoraproject.org>
-Date: Fri, 5 May 2017 08:21:59 +0100
-Subject: [PATCH 4/4] MODSIGN: Allow the "db" UEFI variable to be suppressed
-
-If a user tells shim to not use the certs/hashes in the UEFI db variable
-for verification purposes, shim will set a UEFI variable called
-MokIgnoreDB. Have the uefi import code look for this and ignore the db
-variable if it is found.
-
-Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
-Signed-off-by: David Howells <dhowells@redhat.com>
----
- certs/load_uefi.c | 44 ++++++++++++++++++++++++++++++++++----------
- 1 file changed, 34 insertions(+), 10 deletions(-)
-
-diff --git a/certs/load_uefi.c b/certs/load_uefi.c
-index b44e464..3d88459 100644
---- a/certs/load_uefi.c
-+++ b/certs/load_uefi.c
-@@ -13,6 +13,26 @@ static __initdata efi_guid_t efi_cert_x509_sha256_guid = EFI_CERT_X509_SHA256_GU
- static __initdata efi_guid_t efi_cert_sha256_guid = EFI_CERT_SHA256_GUID;
-
- /*
-+ * Look to see if a UEFI variable called MokIgnoreDB exists and return true if
-+ * it does.
-+ *
-+ * This UEFI variable is set by the shim if a user tells the shim to not use
-+ * the certs/hashes in the UEFI db variable for verification purposes. If it
-+ * is set, we should ignore the db variable also and the true return indicates
-+ * this.
-+ */
-+static __init bool uefi_check_ignore_db(void)
-+{
-+ efi_status_t status;
-+ unsigned int db = 0;
-+ unsigned long size = sizeof(db);
-+ efi_guid_t guid = EFI_SHIM_LOCK_GUID;
-+
-+ status = efi.get_variable(L"MokIgnoreDB", &guid, NULL, &size, &db);
-+ return status == EFI_SUCCESS;
-+}
-+
-+/*
- * Get a certificate list blob from the named EFI variable.
- */
- static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid,
-@@ -113,7 +133,9 @@ static __init efi_element_handler_t get_handler_for_dbx(const efi_guid_t *sig_ty
- }
-
- /*
-- * Load the certs contained in the UEFI databases
-+ * Load the certs contained in the UEFI databases into the secondary trusted
-+ * keyring and the UEFI blacklisted X.509 cert SHA256 hashes into the blacklist
-+ * keyring.
- */
- static int __init load_uefi_certs(void)
- {
-@@ -129,15 +151,17 @@ static int __init load_uefi_certs(void)
- /* Get db, MokListRT, and dbx. They might not exist, so it isn't
- * an error if we can't get them.
- */
-- db = get_cert_list(L"db", &secure_var, &dbsize);
-- if (!db) {
-- pr_err("MODSIGN: Couldn't get UEFI db list\n");
-- } else {
-- rc = parse_efi_signature_list("UEFI:db",
-- db, dbsize, get_handler_for_db);
-- if (rc)
-- pr_err("Couldn't parse db signatures: %d\n", rc);
-- kfree(db);
-+ if (!uefi_check_ignore_db()) {
-+ db = get_cert_list(L"db", &secure_var, &dbsize);
-+ if (!db) {
-+ pr_err("MODSIGN: Couldn't get UEFI db list\n");
-+ } else {
-+ rc = parse_efi_signature_list("UEFI:db",
-+ db, dbsize, get_handler_for_db);
-+ if (rc)
-+ pr_err("Couldn't parse db signatures: %d\n", rc);
-+ kfree(db);
-+ }
- }
-
- mok = get_cert_list(L"MokListRT", &mok_var, &moksize);
---
-2.9.3
-