Commit b0e22b47 authored by Linus Torvalds's avatar Linus Torvalds
Browse files

Merge tag 'keys-cve-2020-26541-v3' of...

Merge tag 'keys-cve-2020-26541-v3' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs

Pull x509 dbx/mokx UEFI support from David Howells:
 "Here's a set of patches from Eric Snowberg[1] that add support for
  EFI_CERT_X509_GUID entries in the dbx and mokx UEFI tables (such
  entries cause matching certificates to be rejected).

  These are currently ignored and only the hash entries are made use of.

  Additionally Eric included his patches to allow such certificates to
  be preloaded.

  These patches deal with CVE-2020-26541.

  To quote Eric:
       'This is the fifth patch series for adding support for
        EFI_CERT_X509_GUID entries [2]. It has been expanded to not only
        include dbx entries but also entries in the mokx. Additionally
        my series to preload these certificate [3] has also been
        included'"

Link: https://lore.kernel.org/r/20210122181054.32635-1-eric.snowberg@oracle.com [1]
Link: https://patchwork.kernel.org/project/linux-security-module/patch/20200916004927.64276-1-eric.snowberg@oracle.com/ [2]
Link: https://lore.kernel.org/patchwork/cover/1315485/ [3]

* tag 'keys-cve-2020-26541-v3' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs:
  integrity: Load mokx variables into the blacklist keyring
  certs: Add ability to preload revocation certs
  certs: Move load_system_certificate_list to a common function
  certs: Add EFI_CERT_X509_GUID support for dbx entries
parents 87f27e7b ebd9c2ae
Loading
Loading
Loading
Loading
+17 −0
Original line number Diff line number Diff line
@@ -83,4 +83,21 @@ config SYSTEM_BLACKLIST_HASH_LIST
	  wrapper to incorporate the list into the kernel.  Each <hash> should
	  be a string of hex digits.

config SYSTEM_REVOCATION_LIST
	bool "Provide system-wide ring of revocation certificates"
	depends on SYSTEM_BLACKLIST_KEYRING
	depends on PKCS7_MESSAGE_PARSER=y
	help
	  If set, this allows revocation certificates to be stored in the
	  blacklist keyring and implements a hook whereby a PKCS#7 message can
	  be checked to see if it matches such a certificate.

config SYSTEM_REVOCATION_KEYS
	string "X.509 certificates to be preloaded into the system blacklist keyring"
	depends on SYSTEM_REVOCATION_LIST
	help
	  If set, this option should be the filename of a PEM-formatted file
	  containing X.509 certificates to be included in the default blacklist
	  keyring.

endmenu
+18 −3
Original line number Diff line number Diff line
@@ -3,8 +3,9 @@
# Makefile for the linux kernel signature checking certificates.
#

obj-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += system_keyring.o system_certificates.o
obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist.o
obj-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += system_keyring.o system_certificates.o common.o
obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist.o common.o
obj-$(CONFIG_SYSTEM_REVOCATION_LIST) += revocation_certificates.o
ifneq ($(CONFIG_SYSTEM_BLACKLIST_HASH_LIST),"")
obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist_hashes.o
else
@@ -29,7 +30,7 @@ $(obj)/x509_certificate_list: scripts/extract-cert $(SYSTEM_TRUSTED_KEYS_SRCPREF
	$(call if_changed,extract_certs,$(SYSTEM_TRUSTED_KEYS_SRCPREFIX)$(CONFIG_SYSTEM_TRUSTED_KEYS))
endif # CONFIG_SYSTEM_TRUSTED_KEYRING

clean-files := x509_certificate_list .x509.list
clean-files := x509_certificate_list .x509.list x509_revocation_list

ifeq ($(CONFIG_MODULE_SIG),y)
###############################################################################
@@ -104,3 +105,17 @@ targets += signing_key.x509
$(obj)/signing_key.x509: scripts/extract-cert $(X509_DEP) FORCE
	$(call if_changed,extract_certs,$(MODULE_SIG_KEY_SRCPREFIX)$(CONFIG_MODULE_SIG_KEY))
endif # CONFIG_MODULE_SIG

ifeq ($(CONFIG_SYSTEM_REVOCATION_LIST),y)

$(eval $(call config_filename,SYSTEM_REVOCATION_KEYS))

$(obj)/revocation_certificates.o: $(obj)/x509_revocation_list

quiet_cmd_extract_certs  = EXTRACT_CERTS   $(patsubst "%",%,$(2))
      cmd_extract_certs  = scripts/extract-cert $(2) $@

targets += x509_revocation_list
$(obj)/x509_revocation_list: scripts/extract-cert $(SYSTEM_REVOCATION_KEYS_SRCPREFIX)$(SYSTEM_REVOCATION_KEYS_FILENAME) FORCE
	$(call if_changed,extract_certs,$(SYSTEM_REVOCATION_KEYS_SRCPREFIX)$(CONFIG_SYSTEM_REVOCATION_KEYS))
endif
+64 −0
Original line number Diff line number Diff line
@@ -17,9 +17,15 @@
#include <linux/uidgid.h>
#include <keys/system_keyring.h>
#include "blacklist.h"
#include "common.h"

static struct key *blacklist_keyring;

#ifdef CONFIG_SYSTEM_REVOCATION_LIST
extern __initconst const u8 revocation_certificate_list[];
extern __initconst const unsigned long revocation_certificate_list_size;
#endif

/*
 * The description must be a type prefix, a colon and then an even number of
 * hex digits.  The hash is kept in the description.
@@ -145,6 +151,49 @@ int is_binary_blacklisted(const u8 *hash, size_t hash_len)
}
EXPORT_SYMBOL_GPL(is_binary_blacklisted);

#ifdef CONFIG_SYSTEM_REVOCATION_LIST
/**
 * add_key_to_revocation_list - Add a revocation certificate to the blacklist
 * @data: The data blob containing the certificate
 * @size: The size of data blob
 */
int add_key_to_revocation_list(const char *data, size_t size)
{
	key_ref_t key;

	key = key_create_or_update(make_key_ref(blacklist_keyring, true),
				   "asymmetric",
				   NULL,
				   data,
				   size,
				   ((KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_VIEW),
				   KEY_ALLOC_NOT_IN_QUOTA | KEY_ALLOC_BUILT_IN);

	if (IS_ERR(key)) {
		pr_err("Problem with revocation key (%ld)\n", PTR_ERR(key));
		return PTR_ERR(key);
	}

	return 0;
}

/**
 * is_key_on_revocation_list - Determine if the key for a PKCS#7 message is revoked
 * @pkcs7: The PKCS#7 message to check
 */
int is_key_on_revocation_list(struct pkcs7_message *pkcs7)
{
	int ret;

	ret = pkcs7_validate_trust(pkcs7, blacklist_keyring);

	if (ret == 0)
		return -EKEYREJECTED;

	return -ENOKEY;
}
#endif

/*
 * Initialise the blacklist
 */
@@ -177,3 +226,18 @@ static int __init blacklist_init(void)
 * Must be initialised before we try and load the keys into the keyring.
 */
device_initcall(blacklist_init);

#ifdef CONFIG_SYSTEM_REVOCATION_LIST
/*
 * Load the compiled-in list of revocation X.509 certificates.
 */
static __init int load_revocation_certificate_list(void)
{
	if (revocation_certificate_list_size)
		pr_notice("Loading compiled-in revocation X.509 certificates\n");

	return load_certificate_list(revocation_certificate_list, revocation_certificate_list_size,
				     blacklist_keyring);
}
late_initcall(load_revocation_certificate_list);
#endif
+2 −0
Original line number Diff line number Diff line
#include <linux/kernel.h>
#include <linux/errno.h>
#include <crypto/pkcs7.h>

extern const char __initconst *const blacklist_hashes[];

certs/common.c

0 → 100644
+57 −0
Original line number Diff line number Diff line
// SPDX-License-Identifier: GPL-2.0-or-later

#include <linux/kernel.h>
#include <linux/key.h>
#include "common.h"

int load_certificate_list(const u8 cert_list[],
			  const unsigned long list_size,
			  const struct key *keyring)
{
	key_ref_t key;
	const u8 *p, *end;
	size_t plen;

	p = cert_list;
	end = p + list_size;
	while (p < end) {
		/* Each cert begins with an ASN.1 SEQUENCE tag and must be more
		 * than 256 bytes in size.
		 */
		if (end - p < 4)
			goto dodgy_cert;
		if (p[0] != 0x30 &&
		    p[1] != 0x82)
			goto dodgy_cert;
		plen = (p[2] << 8) | p[3];
		plen += 4;
		if (plen > end - p)
			goto dodgy_cert;

		key = key_create_or_update(make_key_ref(keyring, 1),
					   "asymmetric",
					   NULL,
					   p,
					   plen,
					   ((KEY_POS_ALL & ~KEY_POS_SETATTR) |
					   KEY_USR_VIEW | KEY_USR_READ),
					   KEY_ALLOC_NOT_IN_QUOTA |
					   KEY_ALLOC_BUILT_IN |
					   KEY_ALLOC_BYPASS_RESTRICTION);
		if (IS_ERR(key)) {
			pr_err("Problem loading in-kernel X.509 certificate (%ld)\n",
			       PTR_ERR(key));
		} else {
			pr_notice("Loaded X.509 cert '%s'\n",
				  key_ref_to_ptr(key)->description);
			key_ref_put(key);
		}
		p += plen;
	}

	return 0;

dodgy_cert:
	pr_err("Problem parsing in-kernel X.509 certificate list\n");
	return 0;
}
Loading