From 8e8de459e7ba7b89043686df7deea554dd7eecb9 Mon Sep 17 00:00:00 2001 From: "Justin M. Forbes" Date: Mon, 7 Jan 2019 16:23:55 -0600 Subject: Forgot to remove dropped patches --- ...-EFI-signature-blob-parser-and-key-loader.patch | 176 --------------- ...Import-certificates-from-UEFI-Secure-Boot.patch | 246 --------------------- MODSIGN-Support-not-importing-certs-from-db.patch | 88 -------- 3 files changed, 510 deletions(-) delete mode 100644 Add-an-EFI-signature-blob-parser-and-key-loader.patch delete mode 100644 MODSIGN-Import-certificates-from-UEFI-Secure-Boot.patch delete mode 100644 MODSIGN-Support-not-importing-certs-from-db.patch diff --git a/Add-an-EFI-signature-blob-parser-and-key-loader.patch b/Add-an-EFI-signature-blob-parser-and-key-loader.patch deleted file mode 100644 index 276eb708d..000000000 --- a/Add-an-EFI-signature-blob-parser-and-key-loader.patch +++ /dev/null @@ -1,176 +0,0 @@ -From 73e105771858bf39aeabcbcd2f7b002c24ac4bb0 Mon Sep 17 00:00:00 2001 -From: Dave Howells -Date: Fri, 5 May 2017 08:21:58 +0100 -Subject: [PATCH] efi: Add an EFI signature blob parser - -Add a function to parse an EFI signature blob looking for elements of -interest. A list is made up of a series of sublists, where all the -elements in a sublist are of the same type, but sublists can be of -different types. - -For each sublist encountered, the function pointed to by the -get_handler_for_guid argument is called with the type specifier GUID and -returns either a pointer to a function to handle elements of that type or -NULL if the type is not of interest. - -If the sublist is of interest, each element is passed to the handler -function in turn. - -Signed-off-by: David Howells ---- - certs/Kconfig | 8 ++++ - certs/Makefile | 1 + - certs/efi_parser.c | 112 +++++++++++++++++++++++++++++++++++++++++++++ - 3 files changed, 121 insertions(+) - create mode 100644 certs/efi_parser.c - -diff --git a/certs/Kconfig b/certs/Kconfig -index c94e93d8bccf..650ffcb8db79 100644 ---- a/certs/Kconfig -+++ b/certs/Kconfig -@@ -83,4 +83,12 @@ config SYSTEM_BLACKLIST_HASH_LIST - wrapper to incorporate the list into the kernel. Each should - be a string of hex digits. - -+config EFI_SIGNATURE_LIST_PARSER -+ bool "EFI signature list parser" -+ depends on EFI -+ select X509_CERTIFICATE_PARSER -+ help -+ This option provides support for parsing EFI signature lists for -+ X.509 certificates and turning them into keys. -+ - endmenu -diff --git a/certs/Makefile b/certs/Makefile -index 5d0999b9e21b..7e5e179ac685 100644 ---- a/certs/Makefile -+++ b/certs/Makefile -@@ -10,6 +10,7 @@ obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist_hashes.o - else - obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist_nohashes.o - endif -+obj-$(CONFIG_EFI_SIGNATURE_LIST_PARSER) += efi_parser.o - - ifeq ($(CONFIG_SYSTEM_TRUSTED_KEYRING),y) - -diff --git a/certs/efi_parser.c b/certs/efi_parser.c -new file mode 100644 -index 000000000000..4e396f98f5c7 ---- /dev/null -+++ b/certs/efi_parser.c -@@ -0,0 +1,112 @@ -+/* EFI signature/key/certificate list parser -+ * -+ * Copyright (C) 2012, 2016 Red Hat, Inc. All Rights Reserved. -+ * Written by David Howells (dhowells@redhat.com) -+ * -+ * This program is free software; you can redistribute it and/or -+ * modify it under the terms of the GNU General Public Licence -+ * as published by the Free Software Foundation; either version -+ * 2 of the Licence, or (at your option) any later version. -+ */ -+ -+#define pr_fmt(fmt) "EFI: "fmt -+#include -+#include -+#include -+#include -+ -+/** -+ * parse_efi_signature_list - Parse an EFI signature list for certificates -+ * @source: The source of the key -+ * @data: The data blob to parse -+ * @size: The size of the data blob -+ * @get_handler_for_guid: Get the handler func for the sig type (or NULL) -+ * -+ * Parse an EFI signature list looking for elements of interest. A list is -+ * made up of a series of sublists, where all the elements in a sublist are of -+ * the same type, but sublists can be of different types. -+ * -+ * For each sublist encountered, the @get_handler_for_guid function is called -+ * with the type specifier GUID and returns either a pointer to a function to -+ * handle elements of that type or NULL if the type is not of interest. -+ * -+ * If the sublist is of interest, each element is passed to the handler -+ * function in turn. -+ * -+ * Error EBADMSG is returned if the list doesn't parse correctly and 0 is -+ * returned if the list was parsed correctly. No error can be returned from -+ * the @get_handler_for_guid function or the element handler function it -+ * returns. -+ */ -+int __init parse_efi_signature_list( -+ const char *source, -+ const void *data, size_t size, -+ efi_element_handler_t (*get_handler_for_guid)(const efi_guid_t *)) -+{ -+ efi_element_handler_t handler; -+ unsigned offs = 0; -+ -+ pr_devel("-->%s(,%zu)\n", __func__, size); -+ -+ while (size > 0) { -+ const efi_signature_data_t *elem; -+ efi_signature_list_t list; -+ size_t lsize, esize, hsize, elsize; -+ -+ if (size < sizeof(list)) -+ return -EBADMSG; -+ -+ memcpy(&list, data, sizeof(list)); -+ pr_devel("LIST[%04x] guid=%pUl ls=%x hs=%x ss=%x\n", -+ offs, -+ list.signature_type.b, list.signature_list_size, -+ list.signature_header_size, list.signature_size); -+ -+ lsize = list.signature_list_size; -+ hsize = list.signature_header_size; -+ esize = list.signature_size; -+ elsize = lsize - sizeof(list) - hsize; -+ -+ if (lsize > size) { -+ pr_devel("<--%s() = -EBADMSG [overrun @%x]\n", -+ __func__, offs); -+ return -EBADMSG; -+ } -+ -+ if (lsize < sizeof(list) || -+ lsize - sizeof(list) < hsize || -+ esize < sizeof(*elem) || -+ elsize < esize || -+ elsize % esize != 0) { -+ pr_devel("- bad size combo @%x\n", offs); -+ return -EBADMSG; -+ } -+ -+ handler = get_handler_for_guid(&list.signature_type); -+ if (!handler) { -+ data += lsize; -+ size -= lsize; -+ offs += lsize; -+ continue; -+ } -+ -+ data += sizeof(list) + hsize; -+ size -= sizeof(list) + hsize; -+ offs += sizeof(list) + hsize; -+ -+ for (; elsize > 0; elsize -= esize) { -+ elem = data; -+ -+ pr_devel("ELEM[%04x]\n", offs); -+ handler(source, -+ &elem->signature_data, -+ esize - sizeof(*elem)); -+ -+ data += esize; -+ size -= esize; -+ offs += esize; -+ } -+ } -+ -+ return 0; -+} --- -2.20.1 - diff --git a/MODSIGN-Import-certificates-from-UEFI-Secure-Boot.patch b/MODSIGN-Import-certificates-from-UEFI-Secure-Boot.patch deleted file mode 100644 index 08195ff4e..000000000 --- a/MODSIGN-Import-certificates-from-UEFI-Secure-Boot.patch +++ /dev/null @@ -1,246 +0,0 @@ -From 90dc66270b02981b19a085c6a9184e3452b7b3e8 Mon Sep 17 00:00:00 2001 -From: Josh Boyer -Date: Fri, 5 May 2017 08:21:59 +0100 -Subject: [PATCH 3/4] MODSIGN: Import certificates from UEFI Secure Boot - -Secure Boot stores a list of allowed certificates in the 'db' variable. -This imports those certificates into the system trusted keyring. This -allows for a third party signing certificate to be used in conjunction -with signed modules. By importing the public certificate into the 'db' -variable, a user can allow a module signed with that certificate to -load. The shim UEFI bootloader has a similar certificate list stored -in the 'MokListRT' variable. We import those as well. - -Secure Boot also maintains a list of disallowed certificates in the 'dbx' -variable. We load those certificates into the newly introduced system -blacklist keyring and forbid any module signed with those from loading and -forbid the use within the kernel of any key with a matching hash. - -This facility is enabled by setting CONFIG_LOAD_UEFI_KEYS. - -Signed-off-by: Josh Boyer -Signed-off-by: David Howells ---- - certs/Kconfig | 16 ++++++ - certs/Makefile | 4 ++ - certs/load_uefi.c | 168 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ - 3 files changed, 188 insertions(+) - create mode 100644 certs/load_uefi.c - -diff --git a/certs/Kconfig b/certs/Kconfig -index 630ae09..edf9f75 100644 ---- a/certs/Kconfig -+++ b/certs/Kconfig -@@ -90,4 +90,20 @@ config EFI_SIGNATURE_LIST_PARSER - This option provides support for parsing EFI signature lists for - X.509 certificates and turning them into keys. - -+config LOAD_UEFI_KEYS -+ bool "Load certs and blacklist from UEFI db for module checking" -+ depends on SYSTEM_BLACKLIST_KEYRING -+ depends on SECONDARY_TRUSTED_KEYRING -+ depends on EFI -+ depends on EFI_SIGNATURE_LIST_PARSER -+ help -+ If the kernel is booted in secure boot mode, this option will cause -+ the kernel to load the certificates from the UEFI db and MokListRT -+ into the secondary trusted keyring. It will also load any X.509 -+ SHA256 hashes in the dbx list into the blacklist. -+ -+ The effect of this is that, if the kernel is booted in secure boot -+ mode, modules signed with UEFI-stored keys will be permitted to be -+ loaded and keys that match the blacklist will be rejected. -+ - endmenu -diff --git a/certs/Makefile b/certs/Makefile -index 738151a..a5e057a 100644 ---- a/certs/Makefile -+++ b/certs/Makefile -@@ -11,6 +11,10 @@ obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist_nohashes.o - endif - obj-$(CONFIG_EFI_SIGNATURE_LIST_PARSER) += efi_parser.o - -+obj-$(CONFIG_LOAD_UEFI_KEYS) += load_uefi.o -+$(obj)/load_uefi.o: KBUILD_CFLAGS += -fshort-wchar -+ -+ - ifeq ($(CONFIG_SYSTEM_TRUSTED_KEYRING),y) - - $(eval $(call config_filename,SYSTEM_TRUSTED_KEYS)) -diff --git a/certs/load_uefi.c b/certs/load_uefi.c -new file mode 100644 -index 0000000..b44e464 ---- /dev/null -+++ b/certs/load_uefi.c -@@ -0,0 +1,168 @@ -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include "internal.h" -+ -+static __initdata efi_guid_t efi_cert_x509_guid = EFI_CERT_X509_GUID; -+static __initdata efi_guid_t efi_cert_x509_sha256_guid = EFI_CERT_X509_SHA256_GUID; -+static __initdata efi_guid_t efi_cert_sha256_guid = EFI_CERT_SHA256_GUID; -+ -+/* -+ * Get a certificate list blob from the named EFI variable. -+ */ -+static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid, -+ unsigned long *size) -+{ -+ efi_status_t status; -+ unsigned long lsize = 4; -+ unsigned long tmpdb[4]; -+ void *db; -+ -+ status = efi.get_variable(name, guid, NULL, &lsize, &tmpdb); -+ if (status != EFI_BUFFER_TOO_SMALL) { -+ pr_err("Couldn't get size: 0x%lx\n", status); -+ return NULL; -+ } -+ -+ db = kmalloc(lsize, GFP_KERNEL); -+ if (!db) { -+ pr_err("Couldn't allocate memory for uefi cert list\n"); -+ return NULL; -+ } -+ -+ status = efi.get_variable(name, guid, NULL, &lsize, db); -+ if (status != EFI_SUCCESS) { -+ kfree(db); -+ pr_err("Error reading db var: 0x%lx\n", status); -+ return NULL; -+ } -+ -+ *size = lsize; -+ return db; -+} -+ -+/* -+ * Blacklist an X509 TBS hash. -+ */ -+static __init void uefi_blacklist_x509_tbs(const char *source, -+ const void *data, size_t len) -+{ -+ char *hash, *p; -+ -+ hash = kmalloc(4 + len * 2 + 1, GFP_KERNEL); -+ if (!hash) -+ return; -+ p = memcpy(hash, "tbs:", 4); -+ p += 4; -+ bin2hex(p, data, len); -+ p += len * 2; -+ *p = 0; -+ -+ mark_hash_blacklisted(hash); -+ kfree(hash); -+} -+ -+/* -+ * Blacklist the hash of an executable. -+ */ -+static __init void uefi_blacklist_binary(const char *source, -+ const void *data, size_t len) -+{ -+ char *hash, *p; -+ -+ hash = kmalloc(4 + len * 2 + 1, GFP_KERNEL); -+ if (!hash) -+ return; -+ p = memcpy(hash, "bin:", 4); -+ p += 4; -+ bin2hex(p, data, len); -+ p += len * 2; -+ *p = 0; -+ -+ mark_hash_blacklisted(hash); -+ kfree(hash); -+} -+ -+/* -+ * Return the appropriate handler for particular signature list types found in -+ * the UEFI db and MokListRT tables. -+ */ -+static __init efi_element_handler_t get_handler_for_db(const efi_guid_t *sig_type) -+{ -+ if (efi_guidcmp(*sig_type, efi_cert_x509_guid) == 0) -+ return add_trusted_secondary_key; -+ return 0; -+} -+ -+/* -+ * Return the appropriate handler for particular signature list types found in -+ * the UEFI dbx and MokListXRT tables. -+ */ -+static __init efi_element_handler_t get_handler_for_dbx(const efi_guid_t *sig_type) -+{ -+ if (efi_guidcmp(*sig_type, efi_cert_x509_sha256_guid) == 0) -+ return uefi_blacklist_x509_tbs; -+ if (efi_guidcmp(*sig_type, efi_cert_sha256_guid) == 0) -+ return uefi_blacklist_binary; -+ return 0; -+} -+ -+/* -+ * Load the certs contained in the UEFI databases -+ */ -+static int __init load_uefi_certs(void) -+{ -+ efi_guid_t secure_var = EFI_IMAGE_SECURITY_DATABASE_GUID; -+ efi_guid_t mok_var = EFI_SHIM_LOCK_GUID; -+ void *db = NULL, *dbx = NULL, *mok = NULL; -+ unsigned long dbsize = 0, dbxsize = 0, moksize = 0; -+ int rc = 0; -+ -+ if (!efi.get_variable) -+ return false; -+ -+ /* Get db, MokListRT, and dbx. They might not exist, so it isn't -+ * an error if we can't get them. -+ */ -+ db = get_cert_list(L"db", &secure_var, &dbsize); -+ if (!db) { -+ pr_err("MODSIGN: Couldn't get UEFI db list\n"); -+ } else { -+ rc = parse_efi_signature_list("UEFI:db", -+ db, dbsize, get_handler_for_db); -+ if (rc) -+ pr_err("Couldn't parse db signatures: %d\n", rc); -+ kfree(db); -+ } -+ -+ mok = get_cert_list(L"MokListRT", &mok_var, &moksize); -+ if (!mok) { -+ pr_info("MODSIGN: Couldn't get UEFI MokListRT\n"); -+ } else { -+ rc = parse_efi_signature_list("UEFI:MokListRT", -+ mok, moksize, get_handler_for_db); -+ if (rc) -+ pr_err("Couldn't parse MokListRT signatures: %d\n", rc); -+ kfree(mok); -+ } -+ -+ dbx = get_cert_list(L"dbx", &secure_var, &dbxsize); -+ if (!dbx) { -+ pr_info("MODSIGN: Couldn't get UEFI dbx list\n"); -+ } else { -+ rc = parse_efi_signature_list("UEFI:dbx", -+ dbx, dbxsize, -+ get_handler_for_dbx); -+ if (rc) -+ pr_err("Couldn't parse dbx signatures: %d\n", rc); -+ kfree(dbx); -+ } -+ -+ return rc; -+} -+late_initcall(load_uefi_certs); --- -2.9.3 - diff --git a/MODSIGN-Support-not-importing-certs-from-db.patch b/MODSIGN-Support-not-importing-certs-from-db.patch deleted file mode 100644 index 13fecd2f2..000000000 --- a/MODSIGN-Support-not-importing-certs-from-db.patch +++ /dev/null @@ -1,88 +0,0 @@ -From 9f1958a0cc911e1f79b2733ee5029dbd819ff328 Mon Sep 17 00:00:00 2001 -From: Josh Boyer -Date: Fri, 5 May 2017 08:21:59 +0100 -Subject: [PATCH 4/4] MODSIGN: Allow the "db" UEFI variable to be suppressed - -If a user tells shim to not use the certs/hashes in the UEFI db variable -for verification purposes, shim will set a UEFI variable called -MokIgnoreDB. Have the uefi import code look for this and ignore the db -variable if it is found. - -Signed-off-by: Josh Boyer -Signed-off-by: David Howells ---- - certs/load_uefi.c | 44 ++++++++++++++++++++++++++++++++++---------- - 1 file changed, 34 insertions(+), 10 deletions(-) - -diff --git a/certs/load_uefi.c b/certs/load_uefi.c -index b44e464..3d88459 100644 ---- a/certs/load_uefi.c -+++ b/certs/load_uefi.c -@@ -13,6 +13,26 @@ static __initdata efi_guid_t efi_cert_x509_sha256_guid = EFI_CERT_X509_SHA256_GU - static __initdata efi_guid_t efi_cert_sha256_guid = EFI_CERT_SHA256_GUID; - - /* -+ * Look to see if a UEFI variable called MokIgnoreDB exists and return true if -+ * it does. -+ * -+ * This UEFI variable is set by the shim if a user tells the shim to not use -+ * the certs/hashes in the UEFI db variable for verification purposes. If it -+ * is set, we should ignore the db variable also and the true return indicates -+ * this. -+ */ -+static __init bool uefi_check_ignore_db(void) -+{ -+ efi_status_t status; -+ unsigned int db = 0; -+ unsigned long size = sizeof(db); -+ efi_guid_t guid = EFI_SHIM_LOCK_GUID; -+ -+ status = efi.get_variable(L"MokIgnoreDB", &guid, NULL, &size, &db); -+ return status == EFI_SUCCESS; -+} -+ -+/* - * Get a certificate list blob from the named EFI variable. - */ - static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid, -@@ -113,7 +133,9 @@ static __init efi_element_handler_t get_handler_for_dbx(const efi_guid_t *sig_ty - } - - /* -- * Load the certs contained in the UEFI databases -+ * Load the certs contained in the UEFI databases into the secondary trusted -+ * keyring and the UEFI blacklisted X.509 cert SHA256 hashes into the blacklist -+ * keyring. - */ - static int __init load_uefi_certs(void) - { -@@ -129,15 +151,17 @@ static int __init load_uefi_certs(void) - /* Get db, MokListRT, and dbx. They might not exist, so it isn't - * an error if we can't get them. - */ -- db = get_cert_list(L"db", &secure_var, &dbsize); -- if (!db) { -- pr_err("MODSIGN: Couldn't get UEFI db list\n"); -- } else { -- rc = parse_efi_signature_list("UEFI:db", -- db, dbsize, get_handler_for_db); -- if (rc) -- pr_err("Couldn't parse db signatures: %d\n", rc); -- kfree(db); -+ if (!uefi_check_ignore_db()) { -+ db = get_cert_list(L"db", &secure_var, &dbsize); -+ if (!db) { -+ pr_err("MODSIGN: Couldn't get UEFI db list\n"); -+ } else { -+ rc = parse_efi_signature_list("UEFI:db", -+ db, dbsize, get_handler_for_db); -+ if (rc) -+ pr_err("Couldn't parse db signatures: %d\n", rc); -+ kfree(db); -+ } - } - - mok = get_cert_list(L"MokListRT", &mok_var, &moksize); --- -2.9.3 - -- cgit