Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp1313491imu; Wed, 28 Nov 2018 07:48:12 -0800 (PST) X-Google-Smtp-Source: AFSGD/XZEk2Ye1UrPKjqDCKqSyxOfkDxpzUmOZzOvNX8DK+9HRf2zdRVdxKjj109ATiuzKRu/JN5 X-Received: by 2002:a17:902:5066:: with SMTP id f35mr33564837plh.78.1543420092120; Wed, 28 Nov 2018 07:48:12 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1543420092; cv=none; d=google.com; s=arc-20160816; b=EldkTDrb54OEWvYngwCQNnteWuu2faaRAB6WViIHz/SQwFyVriRKGQ0pUXr7DV35Vs Vhp6iJizBHiau7a0laOuKqyqKomIvKlhwbFpPFK18A4Jfx1qSDuyGioIKdGT49iwI1Rr mTnd3vtcTer4KV+XqP+rKwpIItAVuZ71chwiKoPWzR6ualZegkSpzNXjsRmO6O/cLCTU uA3dWd161CTH2y26MXWEdLeyxwsFbkmb23glIM3gToCiQAsL1V76C9ynLcB918QIWYXR wCPZNKioTVhOkVqzR/A/fXVEXZXU9YzNb9sZBGaEX3czQv1h+DvxTEr7Coccbak/vBJk xpjw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:message-id:content-transfer-encoding :mime-version:references:in-reply-to:date:cc:to:from:subject; bh=+B/K0QDIJE+HzX2+xFINSNyFYJGEbnfxeXOY/dBrzHM=; b=iQFqeUMe0ShxFk9O5ta38T2IY4VqQ2E8ygBgYAVLnxw7eYQ4SkDrilnuctiT4QFt3N AZqxs0+vzEGhsVLP8Fkc61p9OillLHK/AHUjKVxTQyP+QncqVm2FqA8CDkmdcwa6lzBX p7Ihdc5ULrxkkIXxRDuKoRqmynhoyt3Qz7GscJttf1AjPL13CHACy4xYRsbR/hTdC0wN FsVRLVS0W8av+Hh+hRKn6Y0JlyWdM7Hq8LazkwtXw6H0np2yXbNCkzQNarim5h1RVpTn 56m8LRQhoJDShf4An2kQAck7aUCGkIq5GVcknu3swtlpMVSnehOvWOdNffdfLO3Mfcqp oF4w== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ibm.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id j24si7458937pgn.149.2018.11.28.07.47.44; Wed, 28 Nov 2018 07:48:12 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ibm.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728858AbeK2Cs6 (ORCPT + 99 others); Wed, 28 Nov 2018 21:48:58 -0500 Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]:56086 "EHLO mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728821AbeK2Cs4 (ORCPT ); Wed, 28 Nov 2018 21:48:56 -0500 Received: from pps.filterd (m0098394.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.22/8.16.0.22) with SMTP id wASFilhf008695 for ; Wed, 28 Nov 2018 10:46:50 -0500 Received: from e06smtp05.uk.ibm.com (e06smtp05.uk.ibm.com [195.75.94.101]) by mx0a-001b2d01.pphosted.com with ESMTP id 2p1vrg41ue-1 (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=NOT) for ; Wed, 28 Nov 2018 10:46:49 -0500 Received: from localhost by e06smtp05.uk.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Wed, 28 Nov 2018 15:46:46 -0000 Received: from b06cxnps3074.portsmouth.uk.ibm.com (9.149.109.194) by e06smtp05.uk.ibm.com (192.168.101.135) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; (version=TLSv1/SSLv3 cipher=AES256-GCM-SHA384 bits=256/256) Wed, 28 Nov 2018 15:46:41 -0000 Received: from d06av26.portsmouth.uk.ibm.com (d06av26.portsmouth.uk.ibm.com [9.149.105.62]) by b06cxnps3074.portsmouth.uk.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id wASFkeQK29294720 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL); Wed, 28 Nov 2018 15:46:40 GMT Received: from d06av26.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id C7250AE04D; Wed, 28 Nov 2018 15:46:40 +0000 (GMT) Received: from d06av26.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 20D1EAE051; Wed, 28 Nov 2018 15:46:39 +0000 (GMT) Received: from localhost.localdomain (unknown [9.80.103.235]) by d06av26.portsmouth.uk.ibm.com (Postfix) with ESMTP; Wed, 28 Nov 2018 15:46:38 +0000 (GMT) Subject: Re: [PATCH 5/7] efi: Import certificates from UEFI Secure Boot From: Mimi Zohar To: Nayna Jain , Josh Boyer , linux-integrity@vger.kernel.org Cc: linux-security-module@vger.kernel.org, linux-efi@vger.kernel.org, linux-kernel@vger.kernel.org, dhowells@redhat.com, jforbes@redhat.com, seth.forshee@canonical.com, kexec@lists.infradead.org, keyrings@vger.kernel.org, vgoyal@redhat.com, ebiederm@xmission.com, mpe@ellerman.id.au Date: Wed, 28 Nov 2018 10:46:28 -0500 In-Reply-To: <20181125151500.8298-6-nayna@linux.ibm.com> References: <20181125151500.8298-1-nayna@linux.ibm.com> <20181125151500.8298-6-nayna@linux.ibm.com> Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.20.5 (3.20.5-1.fc24) Mime-Version: 1.0 Content-Transfer-Encoding: 7bit X-TM-AS-GCONF: 00 x-cbid: 18112815-0020-0000-0000-000002EF1678 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 18112815-0021-0000-0000-0000213E712A Message-Id: <1543419988.3902.216.camel@linux.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:,, definitions=2018-11-28_08:,, signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1811280138 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sun, 2018-11-25 at 20:44 +0530, Nayna Jain wrote: > From: Josh Boyer > > New Patch Description: > ====================== > > Secure Boot stores a list of allowed certificates in the 'db' variable. > This patch imports those certificates into the platform keyring. The shim > UEFI bootloader has a similar certificate list stored in the 'MokListRT' > variable. We import those as well. > > Secure Boot also maintains a list of disallowed certificates in the 'dbx' > variable. We load those certificates into the system blacklist keyring > and forbid any kernel signed with those from loading. > > Original Patch Description: > ============================ > > Secure Boot stores a list of allowed certificates in the 'db' variable. > This imports those certificates into the system trusted keyring. This > allows for a third party signing certificate to be used in conjunction > with signed modules. By importing the public certificate into the 'db' > variable, a user can allow a module signed with that certificate to > load. The shim UEFI bootloader has a similar certificate list stored > in the 'MokListRT' variable. We import those as well. > > Secure Boot also maintains a list of disallowed certificates in the 'dbx' > variable. We load those certificates into the newly introduced system > blacklist keyring and forbid any module signed with those from loading and > forbid the use within the kernel of any key with a matching hash. > > This facility is enabled by setting CONFIG_LOAD_UEFI_KEYS. There are quite a few checkpatch.pl warnings that need to be addressed, including the missing SPDX license. Mimi