e20b90e4f8
[ Upstream commit 56c5812623f95313f6a46fbf0beee7fa17c68bbf ] This fixes CVE-2020-26541. The Secure Boot Forbidden Signature Database, dbx, contains a list of now revoked signatures and keys previously approved to boot with UEFI Secure Boot enabled. The dbx is capable of containing any number of EFI_CERT_X509_SHA256_GUID, EFI_CERT_SHA256_GUID, and EFI_CERT_X509_GUID entries. Currently when EFI_CERT_X509_GUID are contained in the dbx, the entries are skipped. Add support for EFI_CERT_X509_GUID dbx entries. When a EFI_CERT_X509_GUID is found, it is added as an asymmetrical key to the .blacklist keyring. Anytime the .platform keyring is used, the keys in the .blacklist keyring are referenced, if a matching key is found, the key will be rejected. [DH: Made the following changes: - Added to have a config option to enable the facility. This allows a Kconfig solution to make sure that pkcs7_validate_trust() is enabled.[1][2] - Moved the functions out from the middle of the blacklist functions. - Added kerneldoc comments.] Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com> Signed-off-by: David Howells <dhowells@redhat.com> Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org> cc: Randy Dunlap <rdunlap@infradead.org> cc: Mickaël Salaün <mic@digikod.net> cc: Arnd Bergmann <arnd@kernel.org> cc: keyrings@vger.kernel.org Link: https://lore.kernel.org/r/20200901165143.10295-1-eric.snowberg@oracle.com/ # rfc Link: https://lore.kernel.org/r/20200909172736.73003-1-eric.snowberg@oracle.com/ # v2 Link: https://lore.kernel.org/r/20200911182230.62266-1-eric.snowberg@oracle.com/ # v3 Link: https://lore.kernel.org/r/20200916004927.64276-1-eric.snowberg@oracle.com/ # v4 Link: https://lore.kernel.org/r/20210122181054.32635-2-eric.snowberg@oracle.com/ # v5 Link: https://lore.kernel.org/r/161428672051.677100.11064981943343605138.stgit@warthog.procyon.org.uk/ Link: https://lore.kernel.org/r/161433310942.902181.4901864302675874242.stgit@warthog.procyon.org.uk/ # v2 Link: https://lore.kernel.org/r/161529605075.163428.14625520893961300757.stgit@warthog.procyon.org.uk/ # v3 Link: https://lore.kernel.org/r/bc2c24e3-ed68-2521-0bf4-a1f6be4a895d@infradead.org/ [1] Link: https://lore.kernel.org/r/20210225125638.1841436-1-arnd@kernel.org/ [2] Signed-off-by: Sasha Levin <sashal@kernel.org>
96 lines
3.8 KiB
Plaintext
96 lines
3.8 KiB
Plaintext
# SPDX-License-Identifier: GPL-2.0
|
|
menu "Certificates for signature checking"
|
|
|
|
config MODULE_SIG_KEY
|
|
string "File name or PKCS#11 URI of module signing key"
|
|
default "certs/signing_key.pem"
|
|
depends on MODULE_SIG
|
|
help
|
|
Provide the file name of a private key/certificate in PEM format,
|
|
or a PKCS#11 URI according to RFC7512. The file should contain, or
|
|
the URI should identify, both the certificate and its corresponding
|
|
private key.
|
|
|
|
If this option is unchanged from its default "certs/signing_key.pem",
|
|
then the kernel will automatically generate the private key and
|
|
certificate as described in Documentation/admin-guide/module-signing.rst
|
|
|
|
config SYSTEM_TRUSTED_KEYRING
|
|
bool "Provide system-wide ring of trusted keys"
|
|
depends on KEYS
|
|
depends on ASYMMETRIC_KEY_TYPE
|
|
help
|
|
Provide a system keyring to which trusted keys can be added. Keys in
|
|
the keyring are considered to be trusted. Keys may be added at will
|
|
by the kernel from compiled-in data and from hardware key stores, but
|
|
userspace may only add extra keys if those keys can be verified by
|
|
keys already in the keyring.
|
|
|
|
Keys in this keyring are used by module signature checking.
|
|
|
|
config SYSTEM_TRUSTED_KEYS
|
|
string "Additional X.509 keys for default system keyring"
|
|
depends on SYSTEM_TRUSTED_KEYRING
|
|
help
|
|
If set, this option should be the filename of a PEM-formatted file
|
|
containing trusted X.509 certificates to be included in the default
|
|
system keyring. Any certificate used for module signing is implicitly
|
|
also trusted.
|
|
|
|
NOTE: If you previously provided keys for the system keyring in the
|
|
form of DER-encoded *.x509 files in the top-level build directory,
|
|
those are no longer used. You will need to set this option instead.
|
|
|
|
config SYSTEM_EXTRA_CERTIFICATE
|
|
bool "Reserve area for inserting a certificate without recompiling"
|
|
depends on SYSTEM_TRUSTED_KEYRING
|
|
help
|
|
If set, space for an extra certificate will be reserved in the kernel
|
|
image. This allows introducing a trusted certificate to the default
|
|
system keyring without recompiling the kernel.
|
|
|
|
config SYSTEM_EXTRA_CERTIFICATE_SIZE
|
|
int "Number of bytes to reserve for the extra certificate"
|
|
depends on SYSTEM_EXTRA_CERTIFICATE
|
|
default 4096
|
|
help
|
|
This is the number of bytes reserved in the kernel image for a
|
|
certificate to be inserted.
|
|
|
|
config SECONDARY_TRUSTED_KEYRING
|
|
bool "Provide a keyring to which extra trustable keys may be added"
|
|
depends on SYSTEM_TRUSTED_KEYRING
|
|
help
|
|
If set, provide a keyring to which extra keys may be added, provided
|
|
those keys are not blacklisted and are vouched for by a key built
|
|
into the kernel or already in the secondary trusted keyring.
|
|
|
|
config SYSTEM_BLACKLIST_KEYRING
|
|
bool "Provide system-wide ring of blacklisted keys"
|
|
depends on KEYS
|
|
help
|
|
Provide a system keyring to which blacklisted keys can be added.
|
|
Keys in the keyring are considered entirely untrusted. Keys in this
|
|
keyring are used by the module signature checking to reject loading
|
|
of modules signed with a blacklisted key.
|
|
|
|
config SYSTEM_BLACKLIST_HASH_LIST
|
|
string "Hashes to be preloaded into the system blacklist keyring"
|
|
depends on SYSTEM_BLACKLIST_KEYRING
|
|
help
|
|
If set, this option should be the filename of a list of hashes in the
|
|
form "<hash>", "<hash>", ... . This will be included into a C
|
|
wrapper to incorporate the list into the kernel. Each <hash> should
|
|
be a string of hex digits.
|
|
|
|
config SYSTEM_REVOCATION_LIST
|
|
bool "Provide system-wide ring of revocation certificates"
|
|
depends on SYSTEM_BLACKLIST_KEYRING
|
|
depends on PKCS7_MESSAGE_PARSER=y
|
|
help
|
|
If set, this allows revocation certificates to be stored in the
|
|
blacklist keyring and implements a hook whereby a PKCS#7 message can
|
|
be checked to see if it matches such a certificate.
|
|
|
|
endmenu
|