certs: Add EFI_CERT_X509_GUID support for dbx entries
This fixes CVE-2020-26541.

The Secure Boot Forbidden Signature Database, dbx, contains a list of now revoked signatures and keys previously approved to boot with UEFI Secure Boot enabled. The dbx is capable of containing any number of EFI_CERT_X509_SHA256_GUID, EFI_CERT_SHA256_GUID, and EFI_CERT_X509_GUID entries.

Currently when EFI_CERT_X509_GUID are contained in the dbx, the entries are skipped.

Add support for EFI_CERT_X509_GUID dbx entries. When an EFI_CERT_X509_GUID is found, it is added as an asymmetrical key to the .blacklist keyring. Anytime the .platform keyring is used, the keys in the .blacklist keyring are referenced; if a matching key is found, the key will be rejected.

[DH: Made the following changes:
- Added to have a config option to enable the facility. This allows a Kconfig solution to make sure that pkcs7_validate_trust() is enabled.[1][2]
- Moved the functions out from the middle of the blacklist functions.
- Added ker...
Showing
- certs/Kconfig: 9 additions, 0 deletions
- certs/blacklist.c: 43 additions, 0 deletions
- certs/blacklist.h: 2 additions, 0 deletions
- certs/system_keyring.c: 6 additions, 0 deletions
- include/keys/system_keyring.h: 15 additions, 0 deletions
- security/integrity/platform_certs/keyring_handler.c: 11 additions, 0 deletions
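
The gap the commit message describes comes from dispatching on each EFI_SIGNATURE_LIST's SignatureType GUID: a type with no handler is silently passed over. The following is an added illustration, not code from this commit or from the kernel; `classify_dbx`, `put_list`, `demo` and the `handle_x509` flag are hypothetical names, and the sample dbx is constructed with zero-filled entries rather than real hashes or certificates.

```c
#include <stdint.h>
#include <string.h>

/* Signature type GUIDs in their in-memory (mixed-endian) byte order. */
static const uint8_t CERT_SHA256[16] = {0x26,0x16,0xc4,0xc1,0x4c,0x50,0x92,0x40,
                                        0xac,0xa9,0x41,0xf9,0x36,0x93,0x43,0x28};
static const uint8_t CERT_X509[16] = {0xa1,0x59,0xc0,0xa5,0xe4,0x94,0xa7,0x4a,
                                      0x87,0xb5,0xab,0x15,0x5c,0x2b,0xf0,0x72};
static const uint8_t CERT_X509_SHA256[16] = {0x92,0xa4,0xd2,0x3b,0xc0,0x96,0x79,0x40,
                                             0xb4,0x20,0xfc,0xf9,0x8e,0xf1,0x03,0xed};
struct dbx_counts { int rc; unsigned sha256, x509_hash, x509_cert, skipped; };

static uint32_t le32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }

/* Walk the EFI_SIGNATURE_LISTs in buf; rc is 0, or -1 if a list is malformed. */
struct dbx_counts classify_dbx(const uint8_t *buf, size_t len, int handle_x509)
{
    struct dbx_counts c = {0};
    while (len > 0) {
        c.rc = -1;                      /* assume malformed until the list checks out */
        if (len < 28) return c;         /* type GUID + three u32 size fields */
        uint32_t lsize = le32(buf + 16), hsize = le32(buf + 20), esize = le32(buf + 24);
        if (lsize < 28 || lsize > len || hsize > lsize - 28) return c;
        uint32_t body = lsize - 28 - hsize;
        if (esize <= 16 || body % esize) return c;   /* entry = owner GUID + data */
        unsigned n = body / esize;
        if (!memcmp(buf, CERT_SHA256, 16)) c.sha256 += n;
        else if (!memcmp(buf, CERT_X509_SHA256, 16)) c.x509_hash += n;
        else if (handle_x509 && !memcmp(buf, CERT_X509, 16)) c.x509_cert += n;
        else c.skipped += n;            /* no handler: the revocation never takes effect */
        buf += lsize; len -= lsize; c.rc = 0;
    }
    return c;
}

/* Write one constructed list: header plus n zero-filled entries of esize bytes. */
static size_t put_list(uint8_t *o, const uint8_t *type, uint32_t esize, uint32_t n)
{
    uint32_t f[3] = {28 + esize * n, 0, esize};   /* list size, header size, entry size */
    memset(o, 0, f[0]);
    memcpy(o, type, 16);
    for (int i = 0; i < 3; i++)
        for (int b = 0; b < 4; b++) o[16 + 4*i + b] = (uint8_t)(f[i] >> (8*b));
    return f[0];
}

/* Constructed dbx: two SHA-256 entries, then one dummy 8-byte X.509 entry. */
struct dbx_counts demo(int handle_x509, size_t truncate)
{
    uint8_t buf[256];
    size_t len = put_list(buf, CERT_SHA256, 16 + 32, 2);
    len += put_list(buf + len, CERT_X509, 16 + 8, 1);
    return classify_dbx(buf, len - truncate, handle_x509);
}
```

With `handle_x509` set to 0 the X.509 entry is counted under `skipped`, which is the behaviour the message calls out; with it set to 1 the entry is counted under `x509_cert`.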