[PATCH v4] certs: Add EFI_CERT_X509_GUID support for dbx entries
Jarkko Sakkinen
jarkko.sakkinen at linux.intel.com
Wed Sep 16 18:09:08 UTC 2020
On Tue, Sep 15, 2020 at 08:49:27PM -0400, Eric Snowberg wrote:
> The Secure Boot Forbidden Signature Database, dbx, contains a list of now
> revoked signatures and keys previously approved to boot with UEFI Secure
> Boot enabled. The dbx is capable of containing any number of
> EFI_CERT_X509_SHA256_GUID, EFI_CERT_SHA256_GUID, and EFI_CERT_X509_GUID
> entries.
>
> Currently when EFI_CERT_X509_GUID are contained in the dbx, the entries are
> skipped.
>
> Add support for EFI_CERT_X509_GUID dbx entries. When a EFI_CERT_X509_GUID
> is found, it is added as an asymmetrical key to the .blacklist keyring.
> Anytime the .platform keyring is used, the keys in the .blacklist keyring
> are referenced, if a matching key is found, the key will be rejected.
>
> Signed-off-by: Eric Snowberg <eric.snowberg at oracle.com>
Looks good to me.
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen at linux.intel.com>
/Jarkko
More information about the Linux-security-module-archive
mailing list