lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <3493921.1614102270@warthog.procyon.org.uk>
Date:   Tue, 23 Feb 2021 17:44:30 +0000
From:   David Howells <dhowells@...hat.com>
To:     torvalds@...ux-foundation.org
Cc:     dhowells@...hat.com, Jarkko Sakkinen <jarkko@...nel.org>,
        Eric Snowberg <eric.snowberg@...cle.com>,
        Mickaël Salaün <mic@...ux.microsoft.com>,
        keyrings@...r.kernel.org, linux-security-module@...r.kernel.org,
        linux-kernel@...r.kernel.org
Subject: Re: [GIT PULL] Add EFI_CERT_X509_GUID support for dbx/mokx entries

David Howells <dhowells@...hat.com> wrote:

> This set of patches from Eric Snowberg that add support for
> EFI_CERT_X509_GUID entries in the dbx and mokx UEFI tables (such entries
> cause matching certificates to be rejected).  These are currently ignored
> and only the hash entries are made use of.
> 
> These patches fix CVE-2020-26541.
> 
> To quote Eric:
> 
> 	This is the fifth patch series for adding support for
> 	EFI_CERT_X509_GUID entries [1].  It has been expanded to not only
> 	include dbx entries but also entries in the mokx.  Additionally my
> 	series to preload these certificate [2] has also been included.
> 
> 	This series is based on v5.11-rc4.
> 
> 	[1] https://patchwork.kernel.org/project/linux-security-module/patch/20200916004927.64276-1-eric.snowberg@oracle.com/
> 	[2] https://lore.kernel.org/patchwork/cover/1315485/
> 
> Note that this is based on top of the collected minor fixes I sent you a
> preceding pull request for.  If you would rather this was not based on my
> keys-misc branch, but was instead based on your tree directly, I can rebase
> it.  Note that there would be very minor conflict between the two branches,
> but I think git merge should be able to handle it automatically.

Please drop this request for now.  It turns out there's a broken dependency
in there:

	https://lore.kernel.org/keyrings/20210217165058.1336155-1-eric.snowberg@oracle.com/

I'll look at folding that in, but I'm not sure Eric's solution is the right
one.  I suspect there needs to be something in Kconfig somewhere.

David

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ