[PATCH v2 0/2] MODSIGN: Support MOKx
Lee, Chun-Yi
joeyli.kernel at gmail.com
Tue Feb 4 16:41:05 UTC 2014
It's base on the kernel patches of Fedora 20.
This patch set add the support to MODSIGN mechanism for revoke kernel
module by hash or public key. As MokListRT, EFI bootloader(e.g. shim)
should maintain the MokListXRT container the format the same with dbx.
The patches will check the hash of kernel module before load it.
I doesn't add the module hash blacklist support to dbx because
UEFI BIOS of Intel DQ57TM, my development board, doesn't allow set hash
of non-efi file to dbx.
v2:
+ Use the digest generated by mod_make_digest() to avoid computing the hash twice.
+ Also check the hash of whole module file is not in the module hash blacklist.
+ Change the statements of information log.
+ The hash type need the same with CONFIG_MODULE_SIG_HASH.
+ Handle the return value of func()
+ Move the logic of parsing EFI signature database to parse_efi_signature_db() for
collecting certificates and hashes.
+ Still parsing hashes when signature parsing fail on MOKx.
Lee, Chun-Yi (2):
MODSIGN: check hash of kernel module in blacklist
MODSIGN: load hash blacklist of modules from MOKx
crypto/asymmetric_keys/efi_parser.c | 80 +++++++++++++++++++----------
include/linux/efi.h | 16 ++++++
kernel/modsign_uefi.c | 97 ++++++++++++++++++++++++++++++++++-
kernel/module-internal.h | 13 +++++
kernel/module_signing.c | 86 ++++++++++++++++++++++++++++++-
5 files changed, 261 insertions(+), 31 deletions(-)
More information about the kernel
mailing list