mirrors
/
linux-stable
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
1
0
Fork 0
Code Issues Releases Wiki Activity
linux-stable/include
History
Eric Snowberg 56c5812623 certs: Add EFI_CERT_X509_GUID support for dbx entries 
This fixes CVE-2020-26541.

The Secure Boot Forbidden Signature Database, dbx, contains a list of now
revoked signatures and keys previously approved to boot with UEFI Secure
Boot enabled.  The dbx is capable of containing any number of
EFI_CERT_X509_SHA256_GUID, EFI_CERT_SHA256_GUID, and EFI_CERT_X509_GUID
entries.

Currently when EFI_CERT_X509_GUID are contained in the dbx, the entries are
skipped.

Add support for EFI_CERT_X509_GUID dbx entries. When a EFI_CERT_X509_GUID
is found, it is added as an asymmetrical key to the .blacklist keyring.
Anytime the .platform keyring is used, the keys in the .blacklist keyring
are referenced, if a matching key is found, the key will be rejected.

[DH: Made the following changes:
 - Added to have a config option to enable the facility.  This allows a
   Kconfig solution to make sure that pkcs7_validate_trust() is
   enabled.[1][2]
 - Moved the functions out from the middle of the blacklist functions.
 - Added kerneldoc comments.]

Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
cc: Randy Dunlap <rdunlap@infradead.org>
cc: Mickaël Salaün <mic@digikod.net>
cc: Arnd Bergmann <arnd@kernel.org>
cc: keyrings@vger.kernel.org
Link: https://lore.kernel.org/r/20200901165143.10295-1-eric.snowberg@oracle.com/ # rfc
Link: https://lore.kernel.org/r/20200909172736.73003-1-eric.snowberg@oracle.com/ # v2
Link: https://lore.kernel.org/r/20200911182230.62266-1-eric.snowberg@oracle.com/ # v3
Link: https://lore.kernel.org/r/20200916004927.64276-1-eric.snowberg@oracle.com/ # v4
Link: https://lore.kernel.org/r/20210122181054.32635-2-eric.snowberg@oracle.com/ # v5
Link: https://lore.kernel.org/r/161428672051.677100.11064981943343605138.stgit@warthog.procyon.org.uk/
Link: https://lore.kernel.org/r/161433310942.902181.4901864302675874242.stgit@warthog.procyon.org.uk/ # v2
Link: https://lore.kernel.org/r/161529605075.163428.14625520893961300757.stgit@warthog.procyon.org.uk/ # v3
Link: https://lore.kernel.org/r/bc2c24e3-ed68-2521-0bf4-a1f6be4a895d@infradead.org/ [1]
Link: https://lore.kernel.org/r/20210225125638.1841436-1-arnd@kernel.org/ [2]
 		2021-03-11 16:31:28 +00:00
..
acpi More power management updates for 5.11-rc1 2020-12-22 14:12:10 -08:00
asm-generic arm64: make atomic helpers __always_inline 2021-01-13 15:09:06 +00:00
clocksource
crypto crypto: public_key: Remove redundant header file from public_key.h 2021-01-21 16:16:10 +00:00
drm drm-misc-next for 5.11: 2020-12-15 10:21:48 +01:00
dt-bindings The core framework got some nice improvements this time around. We gained the 2020-12-21 10:39:37 -08:00
keys certs: Add EFI_CERT_X509_GUID support for dbx entries 2021-03-11 16:31:28 +00:00
kunit
kvm KVM: arm64: Replace KVM_ARM_PMU with HW_PERF_EVENTS 2021-01-04 16:50:16 +00:00
linux certs: Fix blacklist flag type confusion 2021-01-21 16:16:10 +00:00
math-emu
media
memory
misc
net Networking fixes for 5.11-rc3, including fixes from netfilter, wireless 2021-01-05 12:38:56 -08:00
pcmcia
ras
rdma RDMA 5.11 pull request 2020-12-16 13:42:26 -08:00
scsi SCSI misc on 20201216 2020-12-16 13:34:31 -08:00
soc include/soc: remove headers for EZChip NPS 2021-01-05 12:59:41 -08:00
sound ASoC: Updates for v5.11 2020-12-14 15:57:14 +01:00
target
trace Merge branch 'kvm-master' into kvm-next 2021-01-07 18:06:52 -05:00
uapi block-5.11-2021-01-10 2021-01-10 12:53:08 -08:00
vdso
video
xen xen: Fix event channel callback via INTX/GSI 2021-01-13 16:12:00 +01:00