From: Mimi Zohar <zohar@linux.ibm.com>
To: Nayna Jain <nayna@linux.ibm.com>,
Josh Boyer <jwboyer@fedoraproject.org>,
linux-integrity@vger.kernel.org
Cc: linux-efi@vger.kernel.org, mpe@ellerman.id.au,
kexec@lists.infradead.org, linux-kernel@vger.kernel.org,
dhowells@redhat.com, seth.forshee@canonical.com,
linux-security-module@vger.kernel.org, keyrings@vger.kernel.org,
ebiederm@xmission.com, jforbes@redhat.com, vgoyal@redhat.com
Subject: Re: [PATCH 5/7] efi: Import certificates from UEFI Secure Boot
Date: Wed, 28 Nov 2018 10:46:28 -0500 [thread overview]
Message-ID: <1543419988.3902.216.camel@linux.ibm.com> (raw)
In-Reply-To: <20181125151500.8298-6-nayna@linux.ibm.com>
On Sun, 2018-11-25 at 20:44 +0530, Nayna Jain wrote:
> From: Josh Boyer <jwboyer@fedoraproject.org>
>
> New Patch Description:
> ======================
>
> Secure Boot stores a list of allowed certificates in the 'db' variable.
> This patch imports those certificates into the platform keyring. The shim
> UEFI bootloader has a similar certificate list stored in the 'MokListRT'
> variable. We import those as well.
>
> Secure Boot also maintains a list of disallowed certificates in the 'dbx'
> variable. We load those certificates into the system blacklist keyring
> and forbid any kernel signed with those from loading.
>
> Original Patch Description:
> ============================
>
> Secure Boot stores a list of allowed certificates in the 'db' variable.
> This imports those certificates into the system trusted keyring. This
> allows for a third party signing certificate to be used in conjunction
> with signed modules. By importing the public certificate into the 'db'
> variable, a user can allow a module signed with that certificate to
> load. The shim UEFI bootloader has a similar certificate list stored
> in the 'MokListRT' variable. We import those as well.
>
> Secure Boot also maintains a list of disallowed certificates in the 'dbx'
> variable. We load those certificates into the newly introduced system
> blacklist keyring and forbid any module signed with those from loading and
> forbid the use within the kernel of any key with a matching hash.
>
> This facility is enabled by setting CONFIG_LOAD_UEFI_KEYS.
There are quite a few checkpatch.pl warnings that need to be
addressed, including the missing SPDX license.
Mimi
_______________________________________________
kexec mailing list
kexec@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/kexec
WARNING: multiple messages have this Message-ID (diff)
From: Mimi Zohar <zohar@linux.ibm.com>
To: Nayna Jain <nayna@linux.ibm.com>,
Josh Boyer <jwboyer@fedoraproject.org>,
linux-integrity@vger.kernel.org
Cc: linux-security-module@vger.kernel.org, linux-efi@vger.kernel.org,
linux-kernel@vger.kernel.org, dhowells@redhat.com,
jforbes@redhat.com, seth.forshee@canonical.com,
kexec@lists.infradead.org, keyrings@vger.kernel.org,
vgoyal@redhat.com, ebiederm@xmission.com, mpe@ellerman.id.au
Subject: Re: [PATCH 5/7] efi: Import certificates from UEFI Secure Boot
Date: Wed, 28 Nov 2018 15:46:28 +0000 [thread overview]
Message-ID: <1543419988.3902.216.camel@linux.ibm.com> (raw)
In-Reply-To: <20181125151500.8298-6-nayna@linux.ibm.com>
On Sun, 2018-11-25 at 20:44 +0530, Nayna Jain wrote:
> From: Josh Boyer <jwboyer@fedoraproject.org>
>
> New Patch Description:
> ===========
>
> Secure Boot stores a list of allowed certificates in the 'db' variable.
> This patch imports those certificates into the platform keyring. The shim
> UEFI bootloader has a similar certificate list stored in the 'MokListRT'
> variable. We import those as well.
>
> Secure Boot also maintains a list of disallowed certificates in the 'dbx'
> variable. We load those certificates into the system blacklist keyring
> and forbid any kernel signed with those from loading.
>
> Original Patch Description:
> ==============
>
> Secure Boot stores a list of allowed certificates in the 'db' variable.
> This imports those certificates into the system trusted keyring. This
> allows for a third party signing certificate to be used in conjunction
> with signed modules. By importing the public certificate into the 'db'
> variable, a user can allow a module signed with that certificate to
> load. The shim UEFI bootloader has a similar certificate list stored
> in the 'MokListRT' variable. We import those as well.
>
> Secure Boot also maintains a list of disallowed certificates in the 'dbx'
> variable. We load those certificates into the newly introduced system
> blacklist keyring and forbid any module signed with those from loading and
> forbid the use within the kernel of any key with a matching hash.
>
> This facility is enabled by setting CONFIG_LOAD_UEFI_KEYS.
There are quite a few checkpatch.pl warnings that need to be
addressed, including the missing SPDX license.
Mimi
WARNING: multiple messages have this Message-ID (diff)
From: Mimi Zohar <zohar@linux.ibm.com>
To: Nayna Jain <nayna@linux.ibm.com>,
Josh Boyer <jwboyer@fedoraproject.org>,
linux-integrity@vger.kernel.org
Cc: linux-security-module@vger.kernel.org, linux-efi@vger.kernel.org,
linux-kernel@vger.kernel.org, dhowells@redhat.com,
jforbes@redhat.com, seth.forshee@canonical.com,
kexec@lists.infradead.org, keyrings@vger.kernel.org,
vgoyal@redhat.com, ebiederm@xmission.com, mpe@ellerman.id.au
Subject: Re: [PATCH 5/7] efi: Import certificates from UEFI Secure Boot
Date: Wed, 28 Nov 2018 10:46:28 -0500 [thread overview]
Message-ID: <1543419988.3902.216.camel@linux.ibm.com> (raw)
In-Reply-To: <20181125151500.8298-6-nayna@linux.ibm.com>
On Sun, 2018-11-25 at 20:44 +0530, Nayna Jain wrote:
> From: Josh Boyer <jwboyer@fedoraproject.org>
>
> New Patch Description:
> ======================
>
> Secure Boot stores a list of allowed certificates in the 'db' variable.
> This patch imports those certificates into the platform keyring. The shim
> UEFI bootloader has a similar certificate list stored in the 'MokListRT'
> variable. We import those as well.
>
> Secure Boot also maintains a list of disallowed certificates in the 'dbx'
> variable. We load those certificates into the system blacklist keyring
> and forbid any kernel signed with those from loading.
>
> Original Patch Description:
> ============================
>
> Secure Boot stores a list of allowed certificates in the 'db' variable.
> This imports those certificates into the system trusted keyring. This
> allows for a third party signing certificate to be used in conjunction
> with signed modules. By importing the public certificate into the 'db'
> variable, a user can allow a module signed with that certificate to
> load. The shim UEFI bootloader has a similar certificate list stored
> in the 'MokListRT' variable. We import those as well.
>
> Secure Boot also maintains a list of disallowed certificates in the 'dbx'
> variable. We load those certificates into the newly introduced system
> blacklist keyring and forbid any module signed with those from loading and
> forbid the use within the kernel of any key with a matching hash.
>
> This facility is enabled by setting CONFIG_LOAD_UEFI_KEYS.
There are quite a few checkpatch.pl warnings that need to be
addressed, including the missing SPDX license.
Mimi
next prev parent reply other threads:[~2018-11-28 15:47 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-11-25 15:14 [PATCH 0/7] add platform/firmware keys support for kernel verification by IMA Nayna Jain
2018-11-25 15:26 ` Nayna Jain
2018-11-25 15:14 ` Nayna Jain
2018-11-25 15:14 ` [PATCH 1/7] integrity: Define a trusted platform keyring Nayna Jain
2018-11-25 15:26 ` Nayna Jain
2018-11-25 15:14 ` Nayna Jain
2018-11-25 15:14 ` [PATCH 2/7] integrity: Load certs to the " Nayna Jain
2018-11-25 15:26 ` Nayna Jain
2018-11-25 15:14 ` Nayna Jain
2018-11-25 15:14 ` [PATCH 3/7] efi: Add EFI signature data types Nayna Jain
2018-11-25 15:26 ` Nayna Jain
2018-11-25 15:14 ` Nayna Jain
2018-11-25 15:14 ` [PATCH 4/7] efi: Add an EFI signature blob parser Nayna Jain
2018-11-25 15:26 ` Nayna Jain
2018-11-25 15:14 ` Nayna Jain
2018-11-28 15:52 ` Mimi Zohar
2018-11-28 15:52 ` Mimi Zohar
2018-11-28 15:52 ` Mimi Zohar
2018-11-25 15:14 ` [PATCH 5/7] efi: Import certificates from UEFI Secure Boot Nayna Jain
2018-11-25 15:26 ` Nayna Jain
2018-11-25 15:14 ` Nayna Jain
2018-11-28 15:46 ` Mimi Zohar [this message]
2018-11-28 15:46 ` Mimi Zohar
2018-11-28 15:46 ` Mimi Zohar
2018-11-25 15:14 ` [PATCH 6/7] efi: Allow the "db" UEFI variable to be suppressed Nayna Jain
2018-11-25 15:26 ` Nayna Jain
2018-11-25 15:14 ` Nayna Jain
2018-11-25 15:15 ` [PATCH 7/7] ima: Support platform keyring for kernel appraisal Nayna Jain
2018-11-25 15:27 ` Nayna Jain
2018-11-25 15:15 ` Nayna Jain
2018-12-06 23:09 ` Serge E. Hallyn
2018-12-06 23:09 ` Serge E. Hallyn
2018-12-06 23:09 ` Serge E. Hallyn
2018-11-28 16:45 ` [PATCH 0/7] add platform/firmware keys support for kernel verification by IMA Mimi Zohar
2018-11-28 16:45 ` Mimi Zohar
2018-11-28 16:45 ` Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1543419988.3902.216.camel@linux.ibm.com \
--to=zohar@linux.ibm.com \
--cc=dhowells@redhat.com \
--cc=ebiederm@xmission.com \
--cc=jforbes@redhat.com \
--cc=jwboyer@fedoraproject.org \
--cc=kexec@lists.infradead.org \
--cc=keyrings@vger.kernel.org \
--cc=linux-efi@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mpe@ellerman.id.au \
--cc=nayna@linux.ibm.com \
--cc=seth.forshee@canonical.com \
--cc=vgoyal@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.