rpms/kernel
3
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Update a few secure boot patches

Browse source
This commit is contained in:
Laura Abbott 2016-07-27 14:42:01 -07:00
commit 72eed1ed89
3 changed files with 90 additions and 42 deletions
Download patch file Download diff file Expand all files Collapse all files

20
MODSIGN-Support-not-importing-certs-from-db.patch
View file

@ -1,7 +1,7 @@
From d7c9efa4ab647d6ccb617f2504e79a398d56f7d4 Mon Sep 17 00:00:00 2001
From 7ce860189df19a38176c1510f4e5615bf35495c1 Mon Sep 17 00:00:00 2001
From: Josh Boyer <jwboyer@fedoraproject.org>
Date: Thu, 3 Oct 2013 10:14:23 -0400
Subject: [PATCH 19/20] MODSIGN: Support not importing certs from db
Subject: [PATCH 2/2] MODSIGN: Support not importing certs from db
If a user tells shim to not use the certs/hashes in the UEFI db variable
for verification purposes, shim will set a UEFI variable called MokIgnoreDB.
@ -14,7 +14,7 @@ Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
1 file changed, 31 insertions(+), 9 deletions(-)
diff --git a/kernel/modsign_uefi.c b/kernel/modsign_uefi.c
index 94b0eb38a284..ae28b974d49a 100644
index 03f601a0052c..321c79a3b282 100644
--- a/kernel/modsign_uefi.c
+++ b/kernel/modsign_uefi.c
@@ -8,6 +8,23 @@
@ -41,16 +41,18 @@ index 94b0eb38a284..ae28b974d49a 100644
static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid, unsigned long *size)
{
efi_status_t status;
@@ -47,23 +64,28 @@ static int __init load_uefi_certs(void)
@@ -47,7 +64,7 @@ static int __init load_uefi_certs(void)
efi_guid_t mok_var = EFI_SHIM_LOCK_GUID;
void *db = NULL, *dbx = NULL, *mok = NULL;
unsigned long dbsize = 0, dbxsize = 0, moksize = 0;
- int rc = 0;
+ int ignore_db, rc = 0;
struct key *keyring = NULL;
/* Check if SB is enabled and just return if not */
if (!efi_enabled(EFI_SECURE_BOOT))
return 0;
@@ -60,17 +77,22 @@ static int __init load_uefi_certs(void)
return -EINVAL;
}
+ /* See if the user has setup Ignore DB mode */
+ ignore_db = check_ignore_db();
@ -62,7 +64,7 @@ index 94b0eb38a284..ae28b974d49a 100644
- if (!db) {
- pr_err("MODSIGN: Couldn't get UEFI db list\n");
- } else {
- rc = parse_efi_signature_list(db, dbsize, system_trusted_keyring);
- rc = parse_efi_signature_list(db, dbsize, keyring);
- if (rc)
- pr_err("Couldn't parse db signatures: %d\n", rc);
- kfree(db);
@ -71,7 +73,7 @@ index 94b0eb38a284..ae28b974d49a 100644
+ if (!db) {
+ pr_err("MODSIGN: Couldn't get UEFI db list\n");
+ } else {
+ rc = parse_efi_signature_list(db, dbsize, system_trusted_keyring);
+ rc = parse_efi_signature_list(db, dbsize, keyring);
+ if (rc)
+ pr_err("Couldn't parse db signatures: %d\n", rc);
+ kfree(db);
@ -80,5 +82,5 @@ index 94b0eb38a284..ae28b974d49a 100644
mok = get_cert_list(L"MokListRT", &mok_var, &moksize);
--
2.4.3
2.5.5