Subject: Re: [PATCH] certs: Add EFI_CERT_X509_GUID support for dbx entries
From: James Bottomley
To: David Howells, torvalds@linux-foundation.org
Cc: jarkko@kernel.org, eric.snowberg@oracle.com, ard.biesheuvel@linaro.org, keyrings@vger.kernel.org, linux-crypto@vger.kernel.org, linux-security-module@vger.kernel.org, linux-efi@vger.kernel.org, linux-kernel@vger.kernel.org
Date: Wed, 13 Jan 2021 15:56:39 -0800
In-Reply-To: <2660556.1610545213@warthog.procyon.org.uk>
References: <2660556.1610545213@warthog.procyon.org.uk>
X-Mailing-List: linux-crypto@vger.kernel.org

On Wed, 2021-01-13 at 13:40 +0000, David Howells wrote:
> Hi Linus,
>
> Are you willing to take this between merge windows - or does it need
> to wait for the next merge window? It's not technically a bug fix to
> the kernel, but it does have a CVE attached to it.
>
> Note that I've also updated Jarkko's address in his Reviewed-by since
> his Intel address no longer works.

Sorry, late to the party. I suppose I lost the argument that we
shouldn't really be trusting any certs from db when shim is in
operation, because they're all EFI binary signing ones and will usually
simply be the Microsoft certificate and possibly an OEM platform one,
and we're usually pivoting the root of trust to the certificates in the
MokList.
However, if we are going to do this, we should also be blacklisting the
certificates in MokListX, which the OS sees through MokListXRT. Since
MokListX is an essential piece of our revocation infrastructure, it
should have been mentioned in the CVE but wasn't for some reason.

James
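The lists discussed in this thread (db, dbx, MokListX as exposed through MokListXRT) all share the UEFI EFI_SIGNATURE_LIST encoding, and the patch's point is that X.509 entries (EFI_CERT_X509_GUID) in a revocation list are distinct from SHA-256 hash entries. The parser below is an added example, not code from the patch or from the kernel; it walks such a list and reports which certificates it revokes. The signature-type and shim owner GUIDs are the published UEFI/shim values; the efivarfs path layout (4-byte attribute prefix) and the sample data are assumptions.

```python
import struct
import uuid

# Signature-type GUIDs from the UEFI specification; they decide how each entry is read.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
SHIM_LOCK_GUID = uuid.UUID("605dab50-e046-4300-abb6-3dd810dd8b23")  # shim's variable GUID

def parse_signature_lists(blob):
    """Walk concatenated EFI_SIGNATURE_LIST structures and return
    (signature_type, owner_guid, payload) for every EFI_SIGNATURE_DATA."""
    entries, off = [], 0
    while off < len(blob):
        if len(blob) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 + hdr_size or off + list_size > len(blob):
            raise ValueError("bad SignatureListSize")
        body = blob[off + 28 + hdr_size:off + list_size]
        if sig_size < 16 or len(body) % sig_size:
            raise ValueError("SignatureSize does not divide the list body")
        for i in range(0, len(body), sig_size):
            owner = uuid.UUID(bytes_le=body[i:i + 16])  # SignatureOwner precedes the data
            entries.append((sig_type, owner, body[i + 16:i + sig_size]))
        off += list_size
    return entries

def revoked_x509(blob):
    """DER blobs of certificates a dbx/MokListXRT-style list revokes (hash entries ignored)."""
    return [data for t, _, data in parse_signature_lists(blob) if t == EFI_CERT_X509_GUID]

def build_list(sig_type, owner, payloads):
    """Encode one EFI_SIGNATURE_LIST with no SignatureHeader; all payloads in a
    list must share one size, so certificates of different lengths need separate lists."""
    body = b"".join(owner.bytes_le + p for p in payloads)
    return sig_type.bytes_le + struct.pack("<III", 28 + len(body), 0, 16 + len(payloads[0])) + body

def read_efivar(path):
    """Read an efivarfs variable, dropping the 4-byte attributes prefix (assumed layout),
    e.g. /sys/firmware/efi/efivars/MokListXRT-605dab50-e046-4300-abb6-3dd810dd8b23."""
    with open(path, "rb") as f:
        return f.read()[4:]

# Constructed sample: one SHA-256 hash entry and one X.509 entry with placeholder DER bytes.
FAKE_DER = b"\x30\x82\x01\x00" + b"\xaa" * 8
SAMPLE = (build_list(EFI_CERT_SHA256_GUID, SHIM_LOCK_GUID, [bytes(range(32))])
          + build_list(EFI_CERT_X509_GUID, SHIM_LOCK_GUID, [FAKE_DER]))

if __name__ == "__main__":
    for sig_type, owner, data in parse_signature_lists(SAMPLE):
        kind = "x509" if sig_type == EFI_CERT_X509_GUID else "sha256"
        print(kind, owner, data.hex())
```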