[kernel/f20] Add patch to support not importing certs from db

Josh Boyer jwboyer at fedoraproject.org
Thu Oct 3 20:49:21 UTC 2013 

commit 3946c0ad1932d899ea8b81223f49b09731c7b7e2
Author: Josh Boyer <jwboyer at fedoraproject.org>
Date:   Thu Oct 3 16:44:55 2013 -0400

    Add patch to support not importing certs from db

 kernel.spec        |    1 +
 modsign-uefi.patch |  117 ++++++++++++++++++++++++++++++++++++++++++++-------
 2 files changed, 102 insertions(+), 16 deletions(-)
---
diff --git a/kernel.spec b/kernel.spec
index 28f253e..610b875 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -2373,6 +2373,7 @@ fi
 #                 ||     ||
 %changelog
 * Thu Oct 3 2013 Josh Boyer <jwboyer at fedoraproject.org>
+- Add patch to support not importing certs from db
 - CVE-2013-4387 ipv6: panic when UFO=On for an interface (rhbz 1011927 1015166)
 
 * Wed Oct 2 2013 Justin M. Forbes <jforbes at fedoraproject.org>
diff --git a/modsign-uefi.patch b/modsign-uefi.patch
index c705260..836d0d1 100644
--- a/modsign-uefi.patch
+++ b/modsign-uefi.patch
@@ -1,7 +1,7 @@
-From 725d7e7fb9ca1065102e640cf8af606169e63075 Mon Sep 17 00:00:00 2001
+From 0a5e59dd7a921f20d77b13aa4e01392086ddbd12 Mon Sep 17 00:00:00 2001
 From: Dave Howells <dhowells at redhat.com>
 Date: Tue, 23 Oct 2012 09:30:54 -0400
-Subject: [PATCH 1/4] Add EFI signature data types
+Subject: [PATCH 1/5] Add EFI signature data types
 
 Add the data types that are used for containing hashes, keys and certificates
 for cryptographic verification.
@@ -53,10 +53,10 @@ index eed2202..1da1b3c 100644
 1.8.3.1
 
 
-From f204253a34b477c5d68df711326a694b58e51c76 Mon Sep 17 00:00:00 2001
+From 8b75428a7e1813cd3bc225a959e63d67898e4808 Mon Sep 17 00:00:00 2001
 From: Dave Howells <dhowells at redhat.com>
 Date: Tue, 23 Oct 2012 09:36:28 -0400
-Subject: [PATCH 2/4] Add an EFI signature blob parser and key loader.
+Subject: [PATCH 2/5] Add an EFI signature blob parser and key loader.
 
 X.509 certificates are loaded into the specified keyring as asymmetric type
 keys.
@@ -233,10 +233,10 @@ index 1da1b3c..42a1d25 100644
 1.8.3.1
 
 
-From cebc8870a8f0b97b2585a07d9957ead0f21cdc8a Mon Sep 17 00:00:00 2001
+From 920108c0f9cc5854dd329a5dfc904e91d40a4b26 Mon Sep 17 00:00:00 2001
 From: Josh Boyer <jwboyer at fedoraproject.org>
 Date: Fri, 26 Oct 2012 12:36:24 -0400
-Subject: [PATCH 3/4] KEYS: Add a system blacklist keyring
+Subject: [PATCH 3/5] KEYS: Add a system blacklist keyring
 
 This adds an additional keyring that is used to store certificates that
 are blacklisted.  This keyring is searched first when loading signed modules
@@ -267,10 +267,10 @@ index 8dabc39..e466de1 100644
  
  #endif /* _KEYS_SYSTEM_KEYRING_H */
 diff --git a/init/Kconfig b/init/Kconfig
-index 9f3cfdc..547f617 100644
+index 0ff5407..ba76e57 100644
 --- a/init/Kconfig
 +++ b/init/Kconfig
-@@ -1676,6 +1676,15 @@ config SYSTEM_TRUSTED_KEYRING
+@@ -1680,6 +1680,15 @@ config SYSTEM_TRUSTED_KEYRING
  
  	  Keys in this keyring are used by module signature checking.
  
@@ -285,7 +285,7 @@ index 9f3cfdc..547f617 100644
 +
  menuconfig MODULES
  	bool "Enable loadable module support"
- 	help
+ 	option modules
 diff --git a/kernel/module_signing.c b/kernel/module_signing.c
 index 0b6b870..0a29b40 100644
 --- a/kernel/module_signing.c
@@ -310,7 +310,7 @@ index 0b6b870..0a29b40 100644
  			     &key_type_asymmetric, id);
  	if (IS_ERR(key))
 diff --git a/kernel/system_keyring.c b/kernel/system_keyring.c
-index 4ca7072..b19cc6e 100644
+index 564dd93..389b50d 100644
 --- a/kernel/system_keyring.c
 +++ b/kernel/system_keyring.c
 @@ -20,6 +20,9 @@
@@ -348,10 +348,10 @@ index 4ca7072..b19cc6e 100644
 1.8.3.1
 
 
-From aa4f39ac51f8b9f589c13766e5e32a5b7794ed68 Mon Sep 17 00:00:00 2001
+From 69dca9998380c1931227a01205cdf23c34509753 Mon Sep 17 00:00:00 2001
 From: Josh Boyer <jwboyer at fedoraproject.org>
 Date: Fri, 26 Oct 2012 12:42:16 -0400
-Subject: [PATCH 4/4] MODSIGN: Import certificates from UEFI Secure Boot
+Subject: [PATCH 4/5] MODSIGN: Import certificates from UEFI Secure Boot
 
 Secure Boot stores a list of allowed certificates in the 'db' variable.
 This imports those certificates into the system trusted keyring.  This
@@ -393,10 +393,10 @@ index 42a1d25..d3e6036 100644
  	efi_guid_t guid;
  	u64 table;
 diff --git a/init/Kconfig b/init/Kconfig
-index 547f617..8e943bf 100644
+index ba76e57..b09cd98 100644
 --- a/init/Kconfig
 +++ b/init/Kconfig
-@@ -1794,6 +1794,15 @@ config MODULE_SIG_ALL
+@@ -1799,6 +1799,15 @@ config MODULE_SIG_ALL
  comment "Do not forget to sign required modules with scripts/sign-file"
  	depends on MODULE_SIG_FORCE && !MODULE_SIG_ALL
  
@@ -413,10 +413,10 @@ index 547f617..8e943bf 100644
  	prompt "Which hash algorithm should modules be signed with?"
  	depends on MODULE_SIG
 diff --git a/kernel/Makefile b/kernel/Makefile
-index 1ff5e3b..f9b9998 100644
+index 6313698..cb35a89 100644
 --- a/kernel/Makefile
 +++ b/kernel/Makefile
-@@ -56,6 +56,7 @@ obj-$(CONFIG_UID16) += uid16.o
+@@ -57,6 +57,7 @@ obj-$(CONFIG_UID16) += uid16.o
  obj-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += system_keyring.o system_certificates.o
  obj-$(CONFIG_MODULES) += module.o
  obj-$(CONFIG_MODULE_SIG) += module_signing.o
@@ -534,3 +534,88 @@ index 0000000..94b0eb3
 -- 
 1.8.3.1
 
+
+From c8e6d256ddfa2182d5b011a4ab70f8c5c9b2b590 Mon Sep 17 00:00:00 2001
+From: Josh Boyer <jwboyer at fedoraproject.org>
+Date: Thu, 3 Oct 2013 10:14:23 -0400
+Subject: [PATCH 5/5] MODSIGN: Support not importing certs from db
+
+If a user tells shim to not use the certs/hashes in the UEFI db variable
+for verification purposes, shim will set a UEFI variable called MokIgnoreDB.
+Have the uefi import code look for this and not import things from the db
+variable.
+
+Signed-off-by: Josh Boyer <jwboyer at fedoraproject.org>
+---
+ kernel/modsign_uefi.c | 40 +++++++++++++++++++++++++++++++---------
+ 1 file changed, 31 insertions(+), 9 deletions(-)
+
+diff --git a/kernel/modsign_uefi.c b/kernel/modsign_uefi.c
+index 94b0eb3..ae28b97 100644
+--- a/kernel/modsign_uefi.c
++++ b/kernel/modsign_uefi.c
+@@ -8,6 +8,23 @@
+ #include <keys/system_keyring.h>
+ #include "module-internal.h"
+ 
++static __init int check_ignore_db(void)
++{
++	efi_status_t status;
++	unsigned int db = 0;
++	unsigned long size = sizeof(db);
++	efi_guid_t guid = EFI_SHIM_LOCK_GUID;
++
++	/* Check and see if the MokIgnoreDB variable exists.  If that fails
++	 * then we don't ignore DB.  If it succeeds, we do.
++	 */
++	status = efi.get_variable(L"MokIgnoreDB", &guid, NULL, &size, &db);
++	if (status != EFI_SUCCESS)
++		return 0;
++
++	return 1;
++}
++
+ static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid, unsigned long *size)
+ {
+ 	efi_status_t status;
+@@ -47,23 +64,28 @@ static int __init load_uefi_certs(void)
+ 	efi_guid_t mok_var = EFI_SHIM_LOCK_GUID;
+ 	void *db = NULL, *dbx = NULL, *mok = NULL;
+ 	unsigned long dbsize = 0, dbxsize = 0, moksize = 0;
+-	int rc = 0;
++	int ignore_db, rc = 0;
+ 
+ 	/* Check if SB is enabled and just return if not */
+ 	if (!efi_enabled(EFI_SECURE_BOOT))
+ 		return 0;
+ 
++	/* See if the user has setup Ignore DB mode */
++	ignore_db = check_ignore_db();
++
+ 	/* Get db, MokListRT, and dbx.  They might not exist, so it isn't
+ 	 * an error if we can't get them.
+ 	 */
+-	db = get_cert_list(L"db", &secure_var, &dbsize);
+-	if (!db) {
+-		pr_err("MODSIGN: Couldn't get UEFI db list\n");
+-	} else {
+-		rc = parse_efi_signature_list(db, dbsize, system_trusted_keyring);
+-		if (rc)
+-			pr_err("Couldn't parse db signatures: %d\n", rc);
+-		kfree(db);
++	if (!ignore_db) {
++		db = get_cert_list(L"db", &secure_var, &dbsize);
++		if (!db) {
++			pr_err("MODSIGN: Couldn't get UEFI db list\n");
++		} else {
++			rc = parse_efi_signature_list(db, dbsize, system_trusted_keyring);
++			if (rc)
++				pr_err("Couldn't parse db signatures: %d\n", rc);
++			kfree(db);
++		}
+ 	}
+ 
+ 	mok = get_cert_list(L"MokListRT", &mok_var, &moksize);
+-- 
+1.8.3.1
+

More information about the scm-commits mailing list