[GIT PULL] Add EFI_CERT_X509_GUID support for dbx/mokx entries

David Howells dhowells at redhat.com
Tue Feb 23 17:44:30 UTC 2021


David Howells <dhowells at redhat.com> wrote:

> This set of patches from Eric Snowberg that add support for
> EFI_CERT_X509_GUID entries in the dbx and mokx UEFI tables (such entries
> cause matching certificates to be rejected).  These are currently ignored
> and only the hash entries are made use of.
> 
> These patches fix CVE-2020-26541.
> 
> To quote Eric:
> 
> 	This is the fifth patch series for adding support for
> 	EFI_CERT_X509_GUID entries [1].  It has been expanded to not only
> 	include dbx entries but also entries in the mokx.  Additionally my
> 	series to preload these certificate [2] has also been included.
> 
> 	This series is based on v5.11-rc4.
> 
> 	[1] https://patchwork.kernel.org/project/linux-security-module/patch/20200916004927.64276-1-eric.snowberg@oracle.com/
> 	[2] https://lore.kernel.org/patchwork/cover/1315485/
> 
> Note that this is based on top of the collected minor fixes I sent you a
> preceding pull request for.  If you would rather this was not based on my
> keys-misc branch, but was instead based on your tree directly, I can rebase
> it.  Note that there would be very minor conflict between the two branches,
> but I think git merge should be able to handle it automatically.

Please drop this request for now.  It turns out there's a broken dependency
in there:

	https://lore.kernel.org/keyrings/20210217165058.1336155-1-eric.snowberg@oracle.com/

I'll look at folding that in, but I'm not sure Eric's solution is the right
one.  I suspect there needs to be something in Kconfig somewhere.

David



More information about the Linux-security-module-archive mailing list