]> git.proxmox.com Git - mirror_ubuntu-jammy-kernel.git/commit
projects / mirror_ubuntu-jammy-kernel.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 452fabf) | patch
UBUNTU: SAUCE: integrity: Load mokx certs from the EFI MOK config table
authorDimitri John Ledkov <dimitri.ledkov@canonical.com>
Tue, 18 May 2021 09:56:41 +0000 (10:56 +0100)
committerAndrea Righi <andrea.righi@canonical.com>
Tue, 7 Dec 2021 06:32:02 +0000 (07:32 +0100)
commit0db545033fb8ca2b2012db98fd2c4cee8a5e1a38
tree13f578823c2e7fdc8d04d610644b88cc1dade7fbtree
parent452fabf89f2e5f563bb69544132277dbce39b463commit | diff
UBUNTU: SAUCE: integrity: Load mokx certs from the EFI MOK config table

Refactor load_moklist_certs() to load either MokListRT into db, or
MokListXRT into dbx. Call load_moklist_certs() twice - first to load
mokx certs into dbx, then mok certs into db.

This thus now attempts to load mokx certs via the EFI MOKvar config
table first, and if that fails, via the EFI variable. Previously mokx
certs were only loaded via the EFI variable. Which fails when
MokListXRT is large. Instead of large MokListXRT variable, only
MokListXRT{1,2,3} are available which are not loaded. This is the case
with Ubuntu's 15.4 based shim. This patch is required to address
CVE-2020-26541 when certificates are revoked via MokListXRT.

Fixes: ebd9c2ae369a ("integrity: Load mokx variables into the blacklist keyring")
BugLink: https://bugs.launchpad.net/bugs/1928679
Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@canonical.com>
Acked-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
security/integrity/platform_certs/load_uefi.c diff | blob | blame | history
Ubuntu Jammy Linux kernel mirror