diff options
| -rw-r--r-- | 0001-Make-get_cert_list-not-complain-about-cert-lists-tha.patch | 49 | ||||
| -rw-r--r-- | 0003-Make-get_cert_list-use-efi_status_to_str-to-print-er.patch | 8 | ||||
| -rw-r--r-- | Add-an-EFI-signature-blob-parser-and-key-loader.patch | 176 | ||||
| -rw-r--r-- | MODSIGN-Import-certificates-from-UEFI-Secure-Boot.patch | 246 | ||||
| -rw-r--r-- | MODSIGN-Support-not-importing-certs-from-db.patch | 88 | ||||
| -rw-r--r-- | configs/fedora/generic/x86/CONFIG_INTEGRITY_PLATFORM_KEYRING | 1 | ||||
| -rw-r--r-- | gitrev | 2 | ||||
| -rw-r--r-- | kernel-i686-debug.config | 2 | ||||
| -rw-r--r-- | kernel-i686.config | 2 | ||||
| -rw-r--r-- | kernel-x86_64-debug.config | 2 | ||||
| -rw-r--r-- | kernel-x86_64.config | 2 | ||||
| -rw-r--r-- | kernel.spec | 19 | ||||
| -rwxr-xr-x | scripts/create_headers_tarball.sh | 8 | ||||
| -rwxr-xr-x | scripts/generate-git-snapshot.sh | 2 | ||||
| -rw-r--r-- | scripts/kernel-version.sh | 2 | ||||
| -rw-r--r-- | sources | 1 |
16 files changed, 51 insertions, 559 deletions
diff --git a/0001-Make-get_cert_list-not-complain-about-cert-lists-tha.patch b/0001-Make-get_cert_list-not-complain-about-cert-lists-tha.patch index 6e8a2e039..34934a970 100644 --- a/0001-Make-get_cert_list-not-complain-about-cert-lists-tha.patch +++ b/0001-Make-get_cert_list-not-complain-about-cert-lists-tha.patch @@ -6,27 +6,27 @@ Subject: [PATCH 1/3] Make get_cert_list() not complain about cert lists that Signed-off-by: Peter Jones <pjones@redhat.com> --- - certs/load_uefi.c | 37 ++++++++++++++++++++++--------------- + security/integrity/platform_certs/load_uefi.c | 37 ++++++++++++++++++++++--------------- 1 file changed, 22 insertions(+), 15 deletions(-) -diff --git a/certs/load_uefi.c b/certs/load_uefi.c -index 3d884598601..9ef34c44fd1 100644 ---- a/certs/load_uefi.c -+++ b/certs/load_uefi.c -@@ -35,8 +35,8 @@ static __init bool uefi_check_ignore_db(void) +diff --git a/security/integrity/platform_certs/load_uefi.c b/security/integrity/platform_certs/load_uefi.c +index 81b19c52832b..e188f3ecbce3 100644 +--- a/security/integrity/platform_certs/load_uefi.c ++++ b/security/integrity/platform_certs/load_uefi.c +@@ -38,8 +38,8 @@ static __init bool uefi_check_ignore_db(void) /* * Get a certificate list blob from the named EFI variable. */ -static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid, - unsigned long *size) +static __init int get_cert_list(efi_char16_t *name, efi_guid_t *guid, -+ unsigned long *size, void **cert_list) ++ unsigned long *size , void **cert_list) { efi_status_t status; unsigned long lsize = 4; -@@ -44,26 +44,33 @@ static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid, +@@ -47,24 +47,31 @@ static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid, void *db; - + status = efi.get_variable(name, guid, NULL, &lsize, &tmpdb); + if (status == EFI_NOT_FOUND) { + *size = 0; @@ -39,14 +39,12 @@ index 3d884598601..9ef34c44fd1 100644 - return NULL; + return efi_status_to_err(status); } - + db = kmalloc(lsize, GFP_KERNEL); - if (!db) { - pr_err("Couldn't allocate memory for uefi cert list\n"); + if (!db) - return NULL; + return -ENOMEM; - } - + status = efi.get_variable(name, guid, NULL, &lsize, db); if (status != EFI_SUCCESS) { kfree(db); @@ -54,15 +52,15 @@ index 3d884598601..9ef34c44fd1 100644 - return NULL; + return efi_status_to_err(status); } - + *size = lsize; - return db; + *cert_list = db; + return 0; } - + /* -@@ -152,10 +159,10 @@ static int __init load_uefi_certs(void) +@@ -153,10 +160,10 @@ static int __init load_uefi_certs(void) * an error if we can't get them. */ if (!uefi_check_ignore_db()) { @@ -74,36 +72,33 @@ index 3d884598601..9ef34c44fd1 100644 - } else { + } else if (dbsize != 0) { rc = parse_efi_signature_list("UEFI:db", - db, dbsize, get_handler_for_db); + db, dbsize, get_handler_for_db); if (rc) -@@ -164,10 +171,10 @@ static int __init load_uefi_certs(void) +@@ -166,10 +173,10 @@ static int __init load_uefi_certs(void) } } - + - mok = get_cert_list(L"MokListRT", &mok_var, &moksize); - if (!mok) { + rc = get_cert_list(L"MokListRT", &mok_var, &moksize, &mok); + if (rc < 0) { - pr_info("MODSIGN: Couldn't get UEFI MokListRT\n"); + pr_info("Couldn't get UEFI MokListRT\n"); - } else { + } else if (moksize != 0) { rc = parse_efi_signature_list("UEFI:MokListRT", mok, moksize, get_handler_for_db); if (rc) -@@ -175,10 +182,10 @@ static int __init load_uefi_certs(void) +@@ -177,10 +184,10 @@ static int __init load_uefi_certs(void) kfree(mok); } - + - dbx = get_cert_list(L"dbx", &secure_var, &dbxsize); - if (!dbx) { + rc = get_cert_list(L"dbx", &secure_var, &dbxsize, &dbx); + if (rc < 0) { - pr_info("MODSIGN: Couldn't get UEFI dbx list\n"); + pr_info("Couldn't get UEFI dbx list\n"); - } else { + } else if (dbxsize != 0) { rc = parse_efi_signature_list("UEFI:dbx", dbx, dbxsize, get_handler_for_dbx); --- -2.15.0 - diff --git a/0003-Make-get_cert_list-use-efi_status_to_str-to-print-er.patch b/0003-Make-get_cert_list-use-efi_status_to_str-to-print-er.patch index abb313a29..ec107ba09 100644 --- a/0003-Make-get_cert_list-use-efi_status_to_str-to-print-er.patch +++ b/0003-Make-get_cert_list-use-efi_status_to_str-to-print-er.patch @@ -6,13 +6,13 @@ Subject: [PATCH 3/3] Make get_cert_list() use efi_status_to_str() to print Signed-off-by: Peter Jones <pjones@redhat.com> --- - certs/load_uefi.c | 6 ++++-- + security/integrity/platform_certs/load_uefi.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) -diff --git a/certs/load_uefi.c b/certs/load_uefi.c +diff --git a/security/integrity/platform_certs/load_uefi.c b/security/integrity/platform_certs/load_uefi.c index 9ef34c44fd1..13a2826715d 100644 ---- a/certs/load_uefi.c -+++ b/certs/load_uefi.c +--- a/security/integrity/platform_certs/load_uefi.c ++++ b/security/integrity/platform_certs/load_uefi.c @@ -51,7 +51,8 @@ static __init int get_cert_list(efi_char16_t *name, efi_guid_t *guid, } diff --git a/Add-an-EFI-signature-blob-parser-and-key-loader.patch b/Add-an-EFI-signature-blob-parser-and-key-loader.patch deleted file mode 100644 index 276eb708d..000000000 --- a/Add-an-EFI-signature-blob-parser-and-key-loader.patch +++ /dev/null @@ -1,176 +0,0 @@ -From 73e105771858bf39aeabcbcd2f7b002c24ac4bb0 Mon Sep 17 00:00:00 2001 -From: Dave Howells <dhowells@redhat.com> -Date: Fri, 5 May 2017 08:21:58 +0100 -Subject: [PATCH] efi: Add an EFI signature blob parser - -Add a function to parse an EFI signature blob looking for elements of -interest. A list is made up of a series of sublists, where all the -elements in a sublist are of the same type, but sublists can be of -different types. - -For each sublist encountered, the function pointed to by the -get_handler_for_guid argument is called with the type specifier GUID and -returns either a pointer to a function to handle elements of that type or -NULL if the type is not of interest. - -If the sublist is of interest, each element is passed to the handler -function in turn. - -Signed-off-by: David Howells <dhowells@redhat.com> ---- - certs/Kconfig | 8 ++++ - certs/Makefile | 1 + - certs/efi_parser.c | 112 +++++++++++++++++++++++++++++++++++++++++++++ - 3 files changed, 121 insertions(+) - create mode 100644 certs/efi_parser.c - -diff --git a/certs/Kconfig b/certs/Kconfig -index c94e93d8bccf..650ffcb8db79 100644 ---- a/certs/Kconfig -+++ b/certs/Kconfig -@@ -83,4 +83,12 @@ config SYSTEM_BLACKLIST_HASH_LIST - wrapper to incorporate the list into the kernel. Each <hash> should - be a string of hex digits. - -+config EFI_SIGNATURE_LIST_PARSER -+ bool "EFI signature list parser" -+ depends on EFI -+ select X509_CERTIFICATE_PARSER -+ help -+ This option provides support for parsing EFI signature lists for -+ X.509 certificates and turning them into keys. -+ - endmenu -diff --git a/certs/Makefile b/certs/Makefile -index 5d0999b9e21b..7e5e179ac685 100644 ---- a/certs/Makefile -+++ b/certs/Makefile -@@ -10,6 +10,7 @@ obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist_hashes.o - else - obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist_nohashes.o - endif -+obj-$(CONFIG_EFI_SIGNATURE_LIST_PARSER) += efi_parser.o - - ifeq ($(CONFIG_SYSTEM_TRUSTED_KEYRING),y) - -diff --git a/certs/efi_parser.c b/certs/efi_parser.c -new file mode 100644 -index 000000000000..4e396f98f5c7 ---- /dev/null -+++ b/certs/efi_parser.c -@@ -0,0 +1,112 @@ -+/* EFI signature/key/certificate list parser -+ * -+ * Copyright (C) 2012, 2016 Red Hat, Inc. All Rights Reserved. -+ * Written by David Howells (dhowells@redhat.com) -+ * -+ * This program is free software; you can redistribute it and/or -+ * modify it under the terms of the GNU General Public Licence -+ * as published by the Free Software Foundation; either version -+ * 2 of the Licence, or (at your option) any later version. -+ */ -+ -+#define pr_fmt(fmt) "EFI: "fmt -+#include <linux/module.h> -+#include <linux/printk.h> -+#include <linux/err.h> -+#include <linux/efi.h> -+ -+/** -+ * parse_efi_signature_list - Parse an EFI signature list for certificates -+ * @source: The source of the key -+ * @data: The data blob to parse -+ * @size: The size of the data blob -+ * @get_handler_for_guid: Get the handler func for the sig type (or NULL) -+ * -+ * Parse an EFI signature list looking for elements of interest. A list is -+ * made up of a series of sublists, where all the elements in a sublist are of -+ * the same type, but sublists can be of different types. -+ * -+ * For each sublist encountered, the @get_handler_for_guid function is called -+ * with the type specifier GUID and returns either a pointer to a function to -+ * handle elements of that type or NULL if the type is not of interest. -+ * -+ * If the sublist is of interest, each element is passed to the handler -+ * function in turn. -+ * -+ * Error EBADMSG is returned if the list doesn't parse correctly and 0 is -+ * returned if the list was parsed correctly. No error can be returned from -+ * the @get_handler_for_guid function or the element handler function it -+ * returns. -+ */ -+int __init parse_efi_signature_list( -+ const char *source, -+ const void *data, size_t size, -+ efi_element_handler_t (*get_handler_for_guid)(const efi_guid_t *)) -+{ -+ efi_element_handler_t handler; -+ unsigned offs = 0; -+ -+ pr_devel("-->%s(,%zu)\n", __func__, size); -+ -+ while (size > 0) { -+ const efi_signature_data_t *elem; -+ efi_signature_list_t list; -+ size_t lsize, esize, hsize, elsize; -+ -+ if (size < sizeof(list)) -+ return -EBADMSG; -+ -+ memcpy(&list, data, sizeof(list)); -+ pr_devel("LIST[%04x] guid=%pUl ls=%x hs=%x ss=%x\n", -+ offs, -+ list.signature_type.b, list.signature_list_size, -+ list.signature_header_size, list.signature_size); -+ -+ lsize = list.signature_list_size; -+ hsize = list.signature_header_size; -+ esize = list.signature_size; -+ elsize = lsize - sizeof(list) - hsize; -+ -+ if (lsize > size) { -+ pr_devel("<--%s() = -EBADMSG [overrun @%x]\n", -+ __func__, offs); -+ return -EBADMSG; -+ } -+ -+ if (lsize < sizeof(list) || -+ lsize - sizeof(list) < hsize || -+ esize < sizeof(*elem) || -+ elsize < esize || -+ elsize % esize != 0) { -+ pr_devel("- bad size combo @%x\n", offs); -+ return -EBADMSG; -+ } -+ -+ handler = get_handler_for_guid(&list.signature_type); -+ if (!handler) { -+ data += lsize; -+ size -= lsize; -+ offs += lsize; -+ continue; -+ } -+ -+ data += sizeof(list) + hsize; -+ size -= sizeof(list) + hsize; -+ offs += sizeof(list) + hsize; -+ -+ for (; elsize > 0; elsize -= esize) { -+ elem = data; -+ -+ pr_devel("ELEM[%04x]\n", offs); -+ handler(source, -+ &elem->signature_data, -+ esize - sizeof(*elem)); -+ -+ data += esize; -+ size -= esize; -+ offs += esize; -+ } -+ } -+ -+ return 0; -+} --- -2.20.1 - diff --git a/MODSIGN-Import-certificates-from-UEFI-Secure-Boot.patch b/MODSIGN-Import-certificates-from-UEFI-Secure-Boot.patch deleted file mode 100644 index 08195ff4e..000000000 --- a/MODSIGN-Import-certificates-from-UEFI-Secure-Boot.patch +++ /dev/null @@ -1,246 +0,0 @@ -From 90dc66270b02981b19a085c6a9184e3452b7b3e8 Mon Sep 17 00:00:00 2001 -From: Josh Boyer <jwboyer@fedoraproject.org> -Date: Fri, 5 May 2017 08:21:59 +0100 -Subject: [PATCH 3/4] MODSIGN: Import certificates from UEFI Secure Boot - -Secure Boot stores a list of allowed certificates in the 'db' variable. -This imports those certificates into the system trusted keyring. This -allows for a third party signing certificate to be used in conjunction -with signed modules. By importing the public certificate into the 'db' -variable, a user can allow a module signed with that certificate to -load. The shim UEFI bootloader has a similar certificate list stored -in the 'MokListRT' variable. We import those as well. - -Secure Boot also maintains a list of disallowed certificates in the 'dbx' -variable. We load those certificates into the newly introduced system -blacklist keyring and forbid any module signed with those from loading and -forbid the use within the kernel of any key with a matching hash. - -This facility is enabled by setting CONFIG_LOAD_UEFI_KEYS. - -Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org> -Signed-off-by: David Howells <dhowells@redhat.com> ---- - certs/Kconfig | 16 ++++++ - certs/Makefile | 4 ++ - certs/load_uefi.c | 168 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ - 3 files changed, 188 insertions(+) - create mode 100644 certs/load_uefi.c - -diff --git a/certs/Kconfig b/certs/Kconfig -index 630ae09..edf9f75 100644 ---- a/certs/Kconfig -+++ b/certs/Kconfig -@@ -90,4 +90,20 @@ config EFI_SIGNATURE_LIST_PARSER - This option provides support for parsing EFI signature lists for - X.509 certificates and turning them into keys. - -+config LOAD_UEFI_KEYS -+ bool "Load certs and blacklist from UEFI db for module checking" -+ depends on SYSTEM_BLACKLIST_KEYRING -+ depends on SECONDARY_TRUSTED_KEYRING -+ depends on EFI -+ depends on EFI_SIGNATURE_LIST_PARSER -+ help -+ If the kernel is booted in secure boot mode, this option will cause -+ the kernel to load the certificates from the UEFI db and MokListRT -+ into the secondary trusted keyring. It will also load any X.509 -+ SHA256 hashes in the dbx list into the blacklist. -+ -+ The effect of this is that, if the kernel is booted in secure boot -+ mode, modules signed with UEFI-stored keys will be permitted to be -+ loaded and keys that match the blacklist will be rejected. -+ - endmenu -diff --git a/certs/Makefile b/certs/Makefile -index 738151a..a5e057a 100644 ---- a/certs/Makefile -+++ b/certs/Makefile -@@ -11,6 +11,10 @@ obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist_nohashes.o - endif - obj-$(CONFIG_EFI_SIGNATURE_LIST_PARSER) += efi_parser.o - -+obj-$(CONFIG_LOAD_UEFI_KEYS) += load_uefi.o -+$(obj)/load_uefi.o: KBUILD_CFLAGS += -fshort-wchar -+ -+ - ifeq ($(CONFIG_SYSTEM_TRUSTED_KEYRING),y) - - $(eval $(call config_filename,SYSTEM_TRUSTED_KEYS)) -diff --git a/certs/load_uefi.c b/certs/load_uefi.c -new file mode 100644 -index 0000000..b44e464 ---- /dev/null -+++ b/certs/load_uefi.c -@@ -0,0 +1,168 @@ -+#include <linux/kernel.h> -+#include <linux/sched.h> -+#include <linux/cred.h> -+#include <linux/err.h> -+#include <linux/efi.h> -+#include <linux/slab.h> -+#include <keys/asymmetric-type.h> -+#include <keys/system_keyring.h> -+#include "internal.h" -+ -+static __initdata efi_guid_t efi_cert_x509_guid = EFI_CERT_X509_GUID; -+static __initdata efi_guid_t efi_cert_x509_sha256_guid = EFI_CERT_X509_SHA256_GUID; -+static __initdata efi_guid_t efi_cert_sha256_guid = EFI_CERT_SHA256_GUID; -+ -+/* -+ * Get a certificate list blob from the named EFI variable. -+ */ -+static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid, -+ unsigned long *size) -+{ -+ efi_status_t status; -+ unsigned long lsize = 4; -+ unsigned long tmpdb[4]; -+ void *db; -+ -+ status = efi.get_variable(name, guid, NULL, &lsize, &tmpdb); -+ if (status != EFI_BUFFER_TOO_SMALL) { -+ pr_err("Couldn't get size: 0x%lx\n", status); -+ return NULL; -+ } -+ -+ db = kmalloc(lsize, GFP_KERNEL); -+ if (!db) { -+ pr_err("Couldn't allocate memory for uefi cert list\n"); -+ return NULL; -+ } -+ -+ status = efi.get_variable(name, guid, NULL, &lsize, db); -+ if (status != EFI_SUCCESS) { -+ kfree(db); -+ pr_err("Error reading db var: 0x%lx\n", status); -+ return NULL; -+ } -+ -+ *size = lsize; -+ return db; -+} -+ -+/* -+ * Blacklist an X509 TBS hash. -+ */ -+static __init void uefi_blacklist_x509_tbs(const char *source, -+ const void *data, size_t len) -+{ -+ char *hash, *p; -+ -+ hash = kmalloc(4 + len * 2 + 1, GFP_KERNEL); -+ if (!hash) -+ return; -+ p = memcpy(hash, "tbs:", 4); -+ p += 4; -+ bin2hex(p, data, len); -+ p += len * 2; -+ *p = 0; -+ -+ mark_hash_blacklisted(hash); -+ kfree(hash); -+} -+ -+/* -+ * Blacklist the hash of an executable. -+ */ -+static __init void uefi_blacklist_binary(const char *source, -+ const void *data, size_t len) -+{ -+ char *hash, *p; -+ -+ hash = kmalloc(4 + len * 2 + 1, GFP_KERNEL); -+ if (!hash) -+ return; -+ p = memcpy(hash, "bin:", 4); -+ p += 4; -+ bin2hex(p, data, len); -+ p += len * 2; -+ *p = 0; -+ -+ mark_hash_blacklisted(hash); -+ kfree(hash); -+} -+ -+/* -+ * Return the appropriate handler for particular signature list types found in -+ * the UEFI db and MokListRT tables. -+ */ -+static __init efi_element_handler_t get_handler_for_db(const efi_guid_t *sig_type) -+{ -+ if (efi_guidcmp(*sig_type, efi_cert_x509_guid) == 0) -+ return add_trusted_secondary_key; -+ return 0; -+} -+ -+/* -+ * Return the appropriate handler for particular signature list types found in -+ * the UEFI dbx and MokListXRT tables. -+ */ -+static __init efi_element_handler_t get_handler_for_dbx(const efi_guid_t *sig_type) -+{ -+ if (efi_guidcmp(*sig_type, efi_cert_x509_sha256_guid) == 0) -+ return uefi_blacklist_x509_tbs; -+ if (efi_guidcmp(*sig_type, efi_cert_sha256_guid) == 0) -+ return uefi_blacklist_binary; -+ return 0; -+} -+ -+/* -+ * Load the certs contained in the UEFI databases -+ */ -+static int __init load_uefi_certs(void) -+{ -+ efi_guid_t secure_var = EFI_IMAGE_SECURITY_DATABASE_GUID; -+ efi_guid_t mok_var = EFI_SHIM_LOCK_GUID; -+ void *db = NULL, *dbx = NULL, *mok = NULL; -+ unsigned long dbsize = 0, dbxsize = 0, moksize = 0; -+ int rc = 0; -+ -+ if (!efi.get_variable) -+ return false; -+ -+ /* Get db, MokListRT, and dbx. They might not exist, so it isn't -+ * an error if we can't get them. -+ */ -+ db = get_cert_list(L"db", &secure_var, &dbsize); -+ if (!db) { -+ pr_err("MODSIGN: Couldn't get UEFI db list\n"); -+ } else { -+ rc = parse_efi_signature_list("UEFI:db", -+ db, dbsize, get_handler_for_db); -+ if (rc) -+ pr_err("Couldn't parse db signatures: %d\n", rc); -+ kfree(db); -+ } -+ -+ mok = get_cert_list(L"MokListRT", &mok_var, &moksize); -+ if (!mok) { -+ pr_info("MODSIGN: Couldn't get UEFI MokListRT\n"); -+ } else { -+ rc = parse_efi_signature_list("UEFI:MokListRT", -+ mok, moksize, get_handler_for_db); -+ if (rc) -+ pr_err("Couldn't parse MokListRT signatures: %d\n", rc); -+ kfree(mok); -+ } -+ -+ dbx = get_cert_list(L"dbx", &secure_var, &dbxsize); -+ if (!dbx) { -+ pr_info("MODSIGN: Couldn't get UEFI dbx list\n"); -+ } else { -+ rc = parse_efi_signature_list("UEFI:dbx", -+ dbx, dbxsize, -+ get_handler_for_dbx); -+ if (rc) -+ pr_err("Couldn't parse dbx signatures: %d\n", rc); -+ kfree(dbx); -+ } -+ -+ return rc; -+} -+late_initcall(load_uefi_certs); --- -2.9.3 - diff --git a/MODSIGN-Support-not-importing-certs-from-db.patch b/MODSIGN-Support-not-importing-certs-from-db.patch deleted file mode 100644 index 13fecd2f2..000000000 --- a/MODSIGN-Support-not-importing-certs-from-db.patch +++ /dev/null @@ -1,88 +0,0 @@ -From 9f1958a0cc911e1f79b2733ee5029dbd819ff328 Mon Sep 17 00:00:00 2001 -From: Josh Boyer <jwboyer@fedoraproject.org> -Date: Fri, 5 May 2017 08:21:59 +0100 -Subject: [PATCH 4/4] MODSIGN: Allow the "db" UEFI variable to be suppressed - -If a user tells shim to not use the certs/hashes in the UEFI db variable -for verification purposes, shim will set a UEFI variable called -MokIgnoreDB. Have the uefi import code look for this and ignore the db -variable if it is found. - -Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org> -Signed-off-by: David Howells <dhowells@redhat.com> ---- - certs/load_uefi.c | 44 ++++++++++++++++++++++++++++++++++---------- - 1 file changed, 34 insertions(+), 10 deletions(-) - -diff --git a/certs/load_uefi.c b/certs/load_uefi.c -index b44e464..3d88459 100644 ---- a/certs/load_uefi.c -+++ b/certs/load_uefi.c -@@ -13,6 +13,26 @@ static __initdata efi_guid_t efi_cert_x509_sha256_guid = EFI_CERT_X509_SHA256_GU - static __initdata efi_guid_t efi_cert_sha256_guid = EFI_CERT_SHA256_GUID; - - /* -+ * Look to see if a UEFI variable called MokIgnoreDB exists and return true if -+ * it does. -+ * -+ * This UEFI variable is set by the shim if a user tells the shim to not use -+ * the certs/hashes in the UEFI db variable for verification purposes. If it -+ * is set, we should ignore the db variable also and the true return indicates -+ * this. -+ */ -+static __init bool uefi_check_ignore_db(void) -+{ -+ efi_status_t status; -+ unsigned int db = 0; -+ unsigned long size = sizeof(db); -+ efi_guid_t guid = EFI_SHIM_LOCK_GUID; -+ -+ status = efi.get_variable(L"MokIgnoreDB", &guid, NULL, &size, &db); -+ return status == EFI_SUCCESS; -+} -+ -+/* - * Get a certificate list blob from the named EFI variable. - */ - static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid, -@@ -113,7 +133,9 @@ static __init efi_element_handler_t get_handler_for_dbx(const efi_guid_t *sig_ty - } - - /* -- * Load the certs contained in the UEFI databases -+ * Load the certs contained in the UEFI databases into the secondary trusted -+ * keyring and the UEFI blacklisted X.509 cert SHA256 hashes into the blacklist -+ * keyring. - */ - static int __init load_uefi_certs(void) - { -@@ -129,15 +151,17 @@ static int __init load_uefi_certs(void) - /* Get db, MokListRT, and dbx. They might not exist, so it isn't - * an error if we can't get them. - */ -- db = get_cert_list(L"db", &secure_var, &dbsize); -- if (!db) { -- pr_err("MODSIGN: Couldn't get UEFI db list\n"); -- } else { -- rc = parse_efi_signature_list("UEFI:db", -- db, dbsize, get_handler_for_db); -- if (rc) -- pr_err("Couldn't parse db signatures: %d\n", rc); -- kfree(db); -+ if (!uefi_check_ignore_db()) { -+ db = get_cert_list(L"db", &secure_var, &dbsize); -+ if (!db) { -+ pr_err("MODSIGN: Couldn't get UEFI db list\n"); -+ } else { -+ rc = parse_efi_signature_list("UEFI:db", -+ db, dbsize, get_handler_for_db); -+ if (rc) -+ pr_err("Couldn't parse db signatures: %d\n", rc); -+ kfree(db); -+ } - } - - mok = get_cert_list(L"MokListRT", &mok_var, &moksize); --- -2.9.3 - diff --git a/configs/fedora/generic/x86/CONFIG_INTEGRITY_PLATFORM_KEYRING b/configs/fedora/generic/x86/CONFIG_INTEGRITY_PLATFORM_KEYRING new file mode 100644 index 000000000..a7b1b167b --- /dev/null +++ b/configs/fedora/generic/x86/CONFIG_INTEGRITY_PLATFORM_KEYRING @@ -0,0 +1 @@ +CONFIG_INTEGRITY_PLATFORM_KEYRING=y @@ -1 +1 @@ -96d4f267e40f9509e8a66e2b39e8b95655617693 +7b55851367136b1efd84d98fea81ba57a98304cf diff --git a/kernel-i686-debug.config b/kernel-i686-debug.config index 76db5502b..8f5ba86bd 100644 --- a/kernel-i686-debug.config +++ b/kernel-i686-debug.config @@ -2335,7 +2335,7 @@ CONFIG_INT3406_THERMAL=m CONFIG_INT340X_THERMAL=m CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y CONFIG_INTEGRITY_AUDIT=y -# CONFIG_INTEGRITY_PLATFORM_KEYRING is not set +CONFIG_INTEGRITY_PLATFORM_KEYRING=y CONFIG_INTEGRITY_SIGNATURE=y CONFIG_INTEGRITY=y CONFIG_INTEL_ATOMISP2_PM=m diff --git a/kernel-i686.config b/kernel-i686.config index 0cb061eb4..1d65fe70d 100644 --- a/kernel-i686.config +++ b/kernel-i686.config @@ -2317,7 +2317,7 @@ CONFIG_INT3406_THERMAL=m CONFIG_INT340X_THERMAL=m CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y CONFIG_INTEGRITY_AUDIT=y -# CONFIG_INTEGRITY_PLATFORM_KEYRING is not set +CONFIG_INTEGRITY_PLATFORM_KEYRING=y CONFIG_INTEGRITY_SIGNATURE=y CONFIG_INTEGRITY=y CONFIG_INTEL_ATOMISP2_PM=m diff --git a/kernel-x86_64-debug.config b/kernel-x86_64-debug.config index 5c4802c19..874f87271 100644 --- a/kernel-x86_64-debug.config +++ b/kernel-x86_64-debug.config @@ -2380,7 +2380,7 @@ CONFIG_INT3406_THERMAL=m CONFIG_INT340X_THERMAL=m CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y CONFIG_INTEGRITY_AUDIT=y -# CONFIG_INTEGRITY_PLATFORM_KEYRING is not set +CONFIG_INTEGRITY_PLATFORM_KEYRING=y CONFIG_INTEGRITY_SIGNATURE=y CONFIG_INTEGRITY=y CONFIG_INTEL_ATOMISP2_PM=m diff --git a/kernel-x86_64.config b/kernel-x86_64.config index 42ea7e2cb..eccb4dc9e 100644 --- a/kernel-x86_64.config +++ b/kernel-x86_64.config @@ -2362,7 +2362,7 @@ CONFIG_INT3406_THERMAL=m CONFIG_INT340X_THERMAL=m CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y CONFIG_INTEGRITY_AUDIT=y -# CONFIG_INTEGRITY_PLATFORM_KEYRING is not set +CONFIG_INTEGRITY_PLATFORM_KEYRING=y CONFIG_INTEGRITY_SIGNATURE=y CONFIG_INTEGRITY=y CONFIG_INTEL_ATOMISP2_PM=m diff --git a/kernel.spec b/kernel.spec index 7f7199cca..df8f37005 100644 --- a/kernel.spec +++ b/kernel.spec @@ -79,7 +79,7 @@ Summary: The Linux kernel # The rc snapshot level %global rcrev 1 # The git snapshot level -%define gitrev 0 +%define gitrev 1 # Set rpm version accordingly %define rpmversion 5.%{upstream_sublevel}.0 %endif @@ -132,7 +132,7 @@ Summary: The Linux kernel # Set debugbuildsenabled to 1 for production (build separate debug kernels) # and 0 for rawhide (all kernels are debug kernels). # See also 'make debug' and 'make release'. -%define debugbuildsenabled 1 +%define debugbuildsenabled 0 # Kernel headers are being split out into a separate package %if 0%{?fedora} @@ -561,12 +561,6 @@ Patch201: efi-lockdown.patch Patch202: KEYS-Allow-unrestricted-boot-time-addition-of-keys-t.patch -Patch204: Add-an-EFI-signature-blob-parser-and-key-loader.patch - -Patch205: MODSIGN-Import-certificates-from-UEFI-Secure-Boot.patch - -Patch206: MODSIGN-Support-not-importing-certs-from-db.patch - # bz 1497559 - Make kernel MODSIGN code not error on missing variables Patch207: 0001-Make-get_cert_list-not-complain-about-cert-lists-tha.patch Patch208: 0002-Add-efi_status_to_str-and-rework-efi_status_to_err.patch @@ -1898,6 +1892,15 @@ fi # # %changelog +* Tue Jan 08 2019 Laura Abbott <labbott@redhat.com> - 5.0.0-0.rc1.git1.1 +- Linux v5.0-rc1-2-g7b5585136713 + +* Tue Jan 08 2019 Laura Abbott <labbott@redhat.com> +- Reenable debugging options. + +* Mon Jan 07 2019 Justin M. Forbes <jforbes@fedoraproject.org> +- Updates for secure boot + * Mon Jan 07 2019 Laura Abbott <labbott@redhat.com> - 5.0.0-0.rc1.git0.1 - Linux v5.0-rc1 diff --git a/scripts/create_headers_tarball.sh b/scripts/create_headers_tarball.sh index 9d43548df..cb57db634 100755 --- a/scripts/create_headers_tarball.sh +++ b/scripts/create_headers_tarball.sh @@ -19,7 +19,7 @@ if [ ! -f $PKGLOC/kernel-headers.spec ]; then fi # Kernel version information taken from kernel.spec and change to prepared sources directory -MAJORVER='4' +MAJORVER='5' RELEASED=`grep "%global released_kernel" kernel.spec| cut -d ' ' -f 3` BASERELEASE=`cat kernel.spec | grep "%global baserelease" | cut -d ' ' -f 3` BASE=`grep "%define base_sublevel" kernel.spec| cut -d ' ' -f 3` @@ -27,8 +27,10 @@ STABLE=`grep "%define stable_update" kernel.spec| cut -d ' ' -f 3` RC=`grep "%global rcrev" kernel.spec| cut -d ' ' -f 3` GITREV=`grep "%define gitrev" kernel.spec| cut -d ' ' -f 3` if [ $RELEASED -eq 0 ]; then - cd kernel-$MAJORVER.$BASE.fc?? - NEWBASE=$(($BASE+1)) + #cd kernel-$MAJORVER.$BASE.fc?? + cd kernel-5.0-rc$RC.fc?? + #NEWBASE=$(($BASE+1)) + NEWBASE=0 KVER=$MAJORVER.$NEWBASE.0-0.rc$RC.git$GITREV.$BASERELEASE cd linux-$MAJORVER.$NEWBASE.0-0.rc$RC.git$GITREV.$BASERELEASE.fc*/ else diff --git a/scripts/generate-git-snapshot.sh b/scripts/generate-git-snapshot.sh index 242200ef6..2ad6a5f06 100755 --- a/scripts/generate-git-snapshot.sh +++ b/scripts/generate-git-snapshot.sh @@ -20,7 +20,7 @@ VER=$(grep patch sources | head -n1 | awk '{ print $2 }' | sed s/patch-// | sed if [ -z "$VER" ] ; then - VER=$(grep linux sources | head -1 | awk '{ print $2 }' | sed s/linux-// | sed s/.tar.xz// | sed s/[\(\)]//g) + VER=$(grep linux sources | head -1 | awk '{ print $2 }' | sed s/linux-// | sed s/.tar.gz// | sed s/[\(\)]//g) fi OLDGIT=$(grep gitrev kernel.spec | head -n1 | sed s/%define\ gitrev\ //) diff --git a/scripts/kernel-version.sh b/scripts/kernel-version.sh index e2ec93a5a..0de4c10d9 100644 --- a/scripts/kernel-version.sh +++ b/scripts/kernel-version.sh @@ -2,7 +2,7 @@ VER=$(grep patch sources | head -n1 | awk '{ print $2 }' | sed s/patch-// | sed if [ -z "$VER" ] ; then - VER=$(grep linux sources | head -1 | awk '{ print $2 }' | sed s/linux-// | sed s/.tar.xz// | tr -d "()") + VER=$(grep linux sources | head -1 | awk '{ print $2 }' | sed s/linux-// | sed s/.tar.gz// | tr -d "()") fi @@ -1 +1,2 @@ SHA512 (linux-5.0-rc1.tar.gz) = acad161b8cd164c2ee63f7bf937655b1618a357be3cf0afa90b987f4697005987bed1a911228d1f77a188f2c008041fe1ac7e5055797abcaf3d8b4a92aef8552 +SHA512 (patch-5.0-rc1-git1.xz) = 6eb757c4b3a249d4c0fbf5cef99f41ecf6c85ab02b41c0515916fc9955185a8d9efcd97d1e99f6fac6ef84c3899a61098b2789a8aceafb354e601313420a3c79 |