[GIT PULL] Add EFI_CERT_X509_GUID support for dbx/mokx entries
David Howells
dhowells at redhat.com
Tue Feb 23 17:44:30 UTC 2021
David Howells <dhowells at redhat.com> wrote:
> This set of patches from Eric Snowberg that add support for
> EFI_CERT_X509_GUID entries in the dbx and mokx UEFI tables (such entries
> cause matching certificates to be rejected). These are currently ignored
> and only the hash entries are made use of.
>
> These patches fix CVE-2020-26541.
>
> To quote Eric:
>
> This is the fifth patch series for adding support for
> EFI_CERT_X509_GUID entries [1]. It has been expanded to not only
> include dbx entries but also entries in the mokx. Additionally my
> series to preload these certificate [2] has also been included.
>
> This series is based on v5.11-rc4.
>
> [1] https://patchwork.kernel.org/project/linux-security-module/patch/20200916004927.64276-1-eric.snowberg@oracle.com/
> [2] https://lore.kernel.org/patchwork/cover/1315485/
>
> Note that this is based on top of the collected minor fixes I sent you a
> preceding pull request for. If you would rather this was not based on my
> keys-misc branch, but was instead based on your tree directly, I can rebase
> it. Note that there would be very minor conflict between the two branches,
> but I think git merge should be able to handle it automatically.
Please drop this request for now. It turns out there's a broken dependency
in there:
https://lore.kernel.org/keyrings/20210217165058.1336155-1-eric.snowberg@oracle.com/
I'll look at folding that in, but I'm not sure Eric's solution is the right
one. I suspect there needs to be something in Kconfig somewhere.
David
More information about the Linux-security-module-archive
mailing list