git.proxmox.com Git - mirror_ubuntu-artful-kernel.git/commit

author	Josh Boyer <jwboyer@fedoraproject.org>
	Fri, 5 May 2017 07:21:59 +0000 (08:21 +0100)
committer	Seth Forshee <seth.forshee@canonical.com>
	Tue, 5 Sep 2017 12:34:09 +0000 (07:34 -0500)
commit	5ba45d1500a7e8e8b297ba55d7a947297b50e0af
tree	c13b82f6f431d0a92de4ba97c837c879d9860d11	tree
parent	608fcadc764a7ffe4e6cc9228c3f744d9bb353bc	commit \| diff

UBUNTU: SAUCE: (efi-lockdown) MODSIGN: Import certificates from UEFI Secure Boot

Secure Boot stores a list of allowed certificates in the 'db' variable.
This imports those certificates into the system trusted keyring.  This
allows for a third party signing certificate to be used in conjunction
with signed modules.  By importing the public certificate into the 'db'
variable, a user can allow a module signed with that certificate to
load.  The shim UEFI bootloader has a similar certificate list stored
in the 'MokListRT' variable.  We import those as well.

Secure Boot also maintains a list of disallowed certificates in the 'dbx'
variable.  We load those certificates into the newly introduced system
blacklist keyring and forbid any module signed with those from loading and
forbid the use within the kernel of any key with a matching hash.

This facility is enabled by setting CONFIG_LOAD_UEFI_KEYS.

Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
Signed-off-by: David Howells <dhowells@redhat.com>
(cherry picked from commit dc5fd3fc2faf24eed23ed8317f2315fb49ff6382
git://git.kernel.org/pub/scm/linux/kernel/git/jwboyer/fedora.git)
Signed-off-by: Seth Forshee <seth.forshee@canonical.com>

certs/Kconfig		diff \| blob \| blame \| history
certs/Makefile		diff \| blob \| blame \| history
certs/load_uefi.c	[new file with mode: 0644]	blob