| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 10 Feb 2021 15:13:50 +0000
From: David Howells <dhowells@...hat.com>
To: torvalds@...ux-foundation.org
cc: dhowells@...hat.com, Jarkko Sakkinen <jarkko@...nel.org>,
Eric Snowberg <eric.snowberg@...cle.com>,
Mickaël Salaün <mic@...ux.microsoft.com>,
keyrings@...r.kernel.org, linux-security-module@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: [GIT PULL] Add EFI_CERT_X509_GUID support for dbx/mokx entries
Hi Linus,
This set of patches from Eric Snowberg that add support for
EFI_CERT_X509_GUID entries in the dbx and mokx UEFI tables (such entries
cause matching certificates to be rejected). These are currently ignored
and only the hash entries are made use of.
These patches fix CVE-2020-26541.
To quote Eric:
This is the fifth patch series for adding support for
EFI_CERT_X509_GUID entries [1]. It has been expanded to not only
include dbx entries but also entries in the mokx. Additionally my
series to preload these certificate [2] has also been included.
This series is based on v5.11-rc4.
[1] https://patchwork.kernel.org/project/linux-security-module/patch/20200916004927.64276-1-eric.snowberg@oracle.com/
[2] https://lore.kernel.org/patchwork/cover/1315485/
Note that this is based on top of the collected minor fixes I sent you a
preceding pull request for. If you would rather this was not based on my
keys-misc branch, but was instead based on your tree directly, I can rebase
it. Note that there would be very minor conflict between the two branches,
but I think git merge should be able to handle it automatically.
David
---
The following changes since commit 8f0bfc25c907f38e7f9dc498e8f43000d77327ef:
watch_queue: rectify kernel-doc for init_watch() (2021-01-26 11:16:34 +0000)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git tags/keys-cve-2020-26541
for you to fetch changes up to 0b641da796d30d00f3b055e7a94ce9426107428a:
integrity: Load mokx variables into the blacklist keyring (2021-02-03 15:39:04 +0000)
----------------------------------------------------------------
Fix CVE-2020-26541
----------------------------------------------------------------
Eric Snowberg (4):
certs: Add EFI_CERT_X509_GUID support for dbx entries
certs: Move load_system_certificate_list to a common function
certs: Add ability to preload revocation certs
integrity: Load mokx variables into the blacklist keyring
certs/Kconfig | 8 ++++
certs/Makefile | 20 ++++++--
certs/blacklist.c | 49 +++++++++++++++++++
certs/blacklist.h | 12 +++++
certs/common.c | 56 ++++++++++++++++++++++
certs/common.h | 9 ++++
certs/revocation_certificates.S | 21 ++++++++
certs/system_keyring.c | 55 ++++-----------------
include/keys/system_keyring.h | 11 +++++
scripts/Makefile | 1 +
.../integrity/platform_certs/keyring_handler.c | 11 +++++
security/integrity/platform_certs/load_uefi.c | 20 +++++++-
12 files changed, 222 insertions(+), 51 deletions(-)
create mode 100644 certs/common.c
create mode 100644 certs/common.h
create mode 100644 certs/revocation_certificates.S
Powered by blists - more mailing lists