Ubuntu
linux package

Merge ~xnox/ubuntu/+source/linux/+git/bionic:revocation-keys into ~ubuntu-kernel/ubuntu/+source/linux/+git/bionic:master-next

Git
lp:~xnox/ubuntu/+source/linux/+git/bionic
revocation-keys
Merge into master-next

Proposed by Dimitri John Ledkov on 2021-11-30

Status:	Needs review
Proposed branch:	~xnox/ubuntu/+source/linux/+git/bionic:revocation-keys
Merge into:	~ubuntu-kernel/ubuntu/+source/linux/+git/bionic:master-next
Diff against target:	1208 lines (+824/-65) 22 files modified arch/x86/kernel/setup.c (+1/-0) certs/.gitignore (+1/-0) certs/Kconfig (+17/-0) certs/Makefile (+18/-3) certs/blacklist.c (+67/-0) certs/blacklist.h (+2/-0) certs/common.c (+58/-0) certs/common.h (+9/-0) certs/load_uefi.c (+95/-14) certs/revocation_certificates.S (+21/-0) certs/system_keyring.c (+10/-47) debian.master/config/annotations (+1/-0) debian.master/config/config.common.ubuntu (+2/-0) debian/revoked-certs/canonical-uefi-2012-all.pem (+86/-0) debian/rules (+13/-1) drivers/firmware/efi/Makefile (+1/-0) drivers/firmware/efi/arm-init.c (+1/-0) drivers/firmware/efi/efi.c (+9/-0) drivers/firmware/efi/mokvar-table.c (+362/-0) include/keys/system_keyring.h (+15/-0) include/linux/efi.h (+34/-0) scripts/Makefile (+1/-0)
Related bugs:	Link a bug report

Reviewer	Review Type	Date Requested	Status
Ubuntu Kernel Repositories		2021-11-30	Pending
Review via email: mp+412577@code.launchpad.net

Commit message

Support builtin revoked certificates and mokvar-table

Same story as before, backport support for builtin revoked
certificates, add support loading revoked certificates from
mokvar-table.

Some of the patches had to be adjusted during backport. For example,
instead of patching security/integrity/platform_certs/load_uefi.c
which does not exist in v4.15 kernel certs/load_uefi.c is. Some error
handling is done differently as well. For example, EFI status not
found is not handled when loading keys from variables.

This series doesn't have any reverts, as the lockdown patchset is
mostly older without any major reorgs that didn't make upstream. It is
slightly larger than focal's one as support for EFI_CERT_X509_GUID did
not land via linux-stable updates.

After this patch is applied, the RT boot testing & kernel built-in
final check will catch any kernels that do not have
CONFIG_SYSTEM_REVOCATION_KEYS set. In bionic, this may trip up raspi2,
snapdgaron, kvm flavours as they in theory can support UEFI, but are
not signed and may not enable all the lockdown and keyring
features. These flavours may need reverting 70de61082d ("UBUNTU:
[Packaging] Add system trusted and revocation keys final check") as
was done in Focal. Or enable all the keyrings and builtin revocation
keys.

Unmerged commits

750558e... by Dimitri John Ledkov on 2021-06-15

UBUNTU: [Config] Configure CONFIG_SYSTEM_REVOCATION_KEYS with revoked keys

BugLink: https://bugs.launchpad.net/bugs/1932029
Signed-off-by: Dimitri John Ledkov <email address hidden>
Signed-off-by: Andrea Righi <email address hidden>
(cherry picked from commit 741f622c4dbc162b82f8c9045f9c6c6446f57eb5)
(xnox: cherry-pick is from impish:linux)
Signed-off-by: Dimitri John Ledkov <email address hidden>

b0d255c... by Dimitri John Ledkov on 2021-06-15

UBUNTU: [Packaging] Revoke 2012 UEFI signing certificate as built-in

BugLink: https://bugs.launchpad.net/bugs/1932029
Signed-off-by: Dimitri John Ledkov <email address hidden>
Signed-off-by: Andrea Righi <email address hidden>
(cherry picked from commit 3f72ce72f0b51b6da2638cdded93bb32b9dad2ec)
(xnox: cherry-pick is from impish:linux)
Signed-off-by: Dimitri John Ledkov <email address hidden>

8d7c952... by Dimitri John Ledkov on 2021-06-15

UBUNTU: [Packaging] build canonical-revoked-certs.pem from branch/arch certs

BugLink: https://bugs.launchpad.net/bugs/1932029
Signed-off-by: Dimitri John Ledkov <email address hidden>
Signed-off-by: Andrea Righi <email address hidden>
(cherry picked from commit 3e44f229eef829ee3044651975512569824c4e5f)
(xnox: cherry-pick is from impish:linux)
Signed-off-by: Dimitri John Ledkov <email address hidden>

3b9b048... by Tim Gardner on 2016-03-15

UBUNTU: SAUCE: Dump stack when X.509 certificates cannot be loaded

BugLink: https://bugs.launchpad.net/bugs/1932029

Signed-off-by: Tim Gardner <email address hidden>
(cherry picked from commit b5b4085dc5547a01593cd79dbf51bd9108f84e9f)
(xnox: cherry-pick is from impish:linux SAUCE)
Signed-off-by: Dimitri John Ledkov <email address hidden>

4dab349... by Dimitri John Ledkov on 2021-05-18

UBUNTU: SAUCE: integrity: add informational messages when revoking certs

integrity_load_cert() prints messages of the source and cert details
when adding certs as trusted. Mirror those messages in
uefi_revocation_list_x509() when adding certs as revoked.

Sample dmesg with this change:

    integrity: Platform Keyring initialized
    integrity: Loading X.509 certificate: UEFI:db
    integrity: Loaded X.509 cert 'Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a1bd4'
    integrity: Revoking X.509 certificate: UEFI:MokListXRT (MOKvar table)
    blacklist: Revoked X.509 cert 'Canonical Ltd. Secure Boot Signing: 61482aa2830d0ab2ad5af10b7250da9033ddcef0'
    integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
    integrity: Loaded X.509 cert 'Canonical Ltd. Master Certificate Authority: ad91990bc22ab1f517048c23b6655a268e345a63'

BugLink: https://bugs.launchpad.net/bugs/1928679
Signed-off-by: Dimitri John Ledkov <email address hidden>
Acked-by: Krzysztof Kozlowski <email address hidden>
Signed-off-by: Seth Forshee <email address hidden>
(cherry picked from commit ba9fb788f89cb81c5ed836db2355a7a3b0f8c248)
(xnox: cherry-pick is from impish:linux SAUCE)
Signed-off-by: Dimitri John Ledkov <email address hidden>

1a3d39e... by Dimitri John Ledkov on 2021-05-18

UBUNTU: SAUCE: integrity: Load mokx certs from the EFI MOK config table

Refactor load_moklist_certs() to load either MokListRT into db, or
MokListXRT into dbx. Call load_moklist_certs() twice - first to load
mokx certs into dbx, then mok certs into db.

This thus now attempts to load mokx certs via the EFI MOKvar config
table first, and if that fails, via the EFI variable. Previously mokx
certs were only loaded via the EFI variable. Which fails when
MokListXRT is large. Instead of large MokListXRT variable, only
MokListXRT{1,2,3} are available which are not loaded. This is the case
with Ubuntu's 15.4 based shim. This patch is required to address
CVE-2020-26541 when certificates are revoked via MokListXRT.

Fixes: ebd9c2ae369a ("integrity: Load mokx variables into the blacklist keyring")
BugLink: https://bugs.launchpad.net/bugs/1928679
Signed-off-by: Dimitri John Ledkov <email address hidden>
Acked-by: Krzysztof Kozlowski <email address hidden>
Signed-off-by: Seth Forshee <email address hidden>
(cherry picked from commit a9e3aae16235d6af12509a64f1337da4485ccbae)
(xnox: cherry-pick is from impish:linux SAUCE)
Signed-off-by: Dimitri John Ledkov <email address hidden>

5db8878... by Linus Torvalds <email address hidden> on 2021-04-26

certs: add 'x509_revocation_list' to gitignore

BugLink: https://bugs.launchpad.net/bugs/1932029

Commit d1f044103dad ("certs: Add ability to preload revocation certs")
created a new generated file for revocation certs, but didn't tell git
to ignore it. Thus causing unnecessary "git status" noise after a
kernel build with CONFIG_SYSTEM_REVOCATION_LIST enabled.

Add the proper gitignore magic.

Signed-off-by: Linus Torvalds <email address hidden>
(cherry picked from commit 81f202315856edb75a371f3376aa3a47543c16f0)
Signed-off-by: Dimitri John Ledkov <email address hidden>

52ad86c... by Eric Snowberg <email address hidden> on 2021-01-22

certs: Add ability to preload revocation certs

BugLink: https://bugs.launchpad.net/bugs/1932029

Add a new Kconfig option called SYSTEM_REVOCATION_KEYS. If set,
this option should be the filename of a PEM-formated file containing
X.509 certificates to be included in the default blacklist keyring.

DH Changes:
- Make the new Kconfig option depend on SYSTEM_REVOCATION_LIST.
- Fix SYSTEM_REVOCATION_KEYS=n, but CONFIG_SYSTEM_REVOCATION_LIST=y[1][2].
- Use CONFIG_SYSTEM_REVOCATION_LIST for extract-cert[3].
- Use CONFIG_SYSTEM_REVOCATION_LIST for revocation_certificates.o[3].

Signed-off-by: Eric Snowberg <email address hidden>
Acked-by: Jarkko Sakkinen <email address hidden>
Signed-off-by: David Howells <email address hidden>
cc: Randy Dunlap <email address hidden>
cc: <email address hidden>
Link: https://<email address hidden>/ [1]
Link: https://<email address hidden>/ [2]
Link: https://<email address hidden>/ [3]
Link: https://<email address hidden>/
Link: https://<email address hidden>/ # v5
Link: https://<email address hidden>/
Link: https://<email address hidden>/ # v2
Link: https://<email address hidden>/ # v3
(cherry picked from commit d1f044103dad70c1cec0a8f3abdf00834fec8b98)
Signed-off-by: Dimitri John Ledkov <email address hidden>

849f596... by Lenny Szubowicz <email address hidden> on 2020-09-05

integrity: Load certs from the EFI MOK config table

BugLink: https://bugs.launchpad.net/bugs/1932029

Because of system-specific EFI firmware limitations, EFI volatile
variables may not be capable of holding the required contents of
the Machine Owner Key (MOK) certificate store when the certificate
list grows above some size. Therefore, an EFI boot loader may pass
the MOK certs via a EFI configuration table created specifically for
this purpose to avoid this firmware limitation.

An EFI configuration table is a much more primitive mechanism
compared to EFI variables and is well suited for one-way passage
of static information from a pre-OS environment to the kernel.

This patch adds the support to load certs from the MokListRT
entry in the MOK variable configuration table, if it's present.
The pre-existing support to load certs from the MokListRT EFI
variable remains and is used if the EFI MOK configuration table
isn't present or can't be successfully used.

Signed-off-by: Lenny Szubowicz <email address hidden>
Link: https://<email address hidden>
Signed-off-by: Ard Biesheuvel <email address hidden>
(cherry picked from commit 726bd8965a5f112d9601f7ce68effa1e46e02bf2)
Signed-off-by: Dimitri John Ledkov <email address hidden>

ba184a1... by Lenny Szubowicz <email address hidden> on 2020-09-05

integrity: Move import of MokListRT certs to a separate routine

BugLink: https://bugs.launchpad.net/bugs/1932029

Move the loading of certs from the UEFI MokListRT into a separate
routine to facilitate additional MokList functionality.

There is no visible functional change as a result of this patch.
Although the UEFI dbx certs are now loaded before the MokList certs,
they are loaded onto different key rings. So the order of the keys
on their respective key rings is the same.

Signed-off-by: Lenny Szubowicz <email address hidden>
Reviewed-by: Mimi Zohar <email address hidden>
Link: https://<email address hidden>
Signed-off-by: Ard Biesheuvel <email address hidden>
(cherry picked from commit 38a1f03aa24094b4a8de846700cb6cb21cc06468)
Signed-off-by: Dimitri John Ledkov <email address hidden>

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Dimitri John Ledkov

Guru Prasath

Ubuntu Kernel Repositories

to status/vote changes:

 diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
 index 02b5b81..179c63d 100644
 --- a/arch/x86/kernel/setup.c
 +++ b/arch/x86/kernel/setup.c
@@ -1108,6 +1108,7 @@ void __init setup_arch(char **cmdline_p)
  		efi_fake_memmap();
  		efi_find_mirror();
  		efi_esrt_init();
++		efi_mokvar_table_init();
  		/*
  		 * The EFI specification says that boot service code won't be
 diff --git a/certs/.gitignore b/certs/.gitignore
 index f51aea4..6ce8116 100644
 --- a/certs/.gitignore
 +++ b/certs/.gitignore
@@ -2,3 +2,4 @@
  # Generated files
+ #
  x509_certificate_list
++x509_revocation_list
 diff --git a/certs/Kconfig b/certs/Kconfig
 index 9e3ca57..3575c4f 100644
 --- a/certs/Kconfig
 +++ b/certs/Kconfig
@@ -107,4 +107,21 @@ config LOAD_UEFI_KEYS
  	  mode, modules signed with UEFI-stored keys will be permitted to be
  	  loaded and keys that match the blacklist will be rejected.
++config SYSTEM_REVOCATION_LIST
++	bool "Provide system-wide ring of revocation certificates"
++	depends on SYSTEM_BLACKLIST_KEYRING
++	depends on PKCS7_MESSAGE_PARSER=y
++	help
++	  If set, this allows revocation certificates to be stored in the
++	  blacklist keyring and implements a hook whereby a PKCS#7 message can
++	  be checked to see if it matches such a certificate.
++
++config SYSTEM_REVOCATION_KEYS
++	string "X.509 certificates to be preloaded into the system blacklist keyring"
++	depends on SYSTEM_REVOCATION_LIST
++	help
++	  If set, this option should be the filename of a PEM-formatted file
++	  containing X.509 certificates to be included in the default blacklist
++	  keyring.
++
  endmenu
 diff --git a/certs/Makefile b/certs/Makefile
 index ba3b209..0e43070 100644
 --- a/certs/Makefile
 +++ b/certs/Makefile
@@ -3,8 +3,9 @@
  # Makefile for the linux kernel signature checking certificates.
+ #
--obj-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += system_keyring.o system_certificates.o
--obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist.o
++obj-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += system_keyring.o system_certificates.o common.o
++obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist.o common.o
++obj-$(CONFIG_SYSTEM_REVOCATION_LIST) += revocation_certificates.o
  ifneq ($(CONFIG_SYSTEM_BLACKLIST_HASH_LIST),"")
  obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist_hashes.o
  else
@@ -34,7 +35,7 @@ $(obj)/x509_certificate_list: scripts/extract-cert $(SYSTEM_TRUSTED_KEYS_SRCPREF
  	$(call if_changed,extract_certs,$(SYSTEM_TRUSTED_KEYS_SRCPREFIX)$(CONFIG_SYSTEM_TRUSTED_KEYS))
  endif # CONFIG_SYSTEM_TRUSTED_KEYRING
--clean-files := x509_certificate_list .x509.list
++clean-files := x509_certificate_list .x509.list x509_revocation_list
  ifeq ($(CONFIG_MODULE_SIG),y)
  ###############################################################################
@@ -117,3 +118,17 @@ targets += signing_key.x509
  $(obj)/signing_key.x509: scripts/extract-cert $(X509_DEP) FORCE
  	$(call if_changed,extract_certs,$(MODULE_SIG_KEY_SRCPREFIX)$(CONFIG_MODULE_SIG_KEY))
  endif # CONFIG_MODULE_SIG
++
++ifeq ($(CONFIG_SYSTEM_REVOCATION_LIST),y)
++
++$(eval $(call config_filename,SYSTEM_REVOCATION_KEYS))
++
++$(obj)/revocation_certificates.o: $(obj)/x509_revocation_list
++
++quiet_cmd_extract_certs  = EXTRACT_CERTS   $(patsubst "%",%,$(2))
++      cmd_extract_certs  = scripts/extract-cert $(2) $@
++
++targets += x509_revocation_list
++$(obj)/x509_revocation_list: scripts/extract-cert $(SYSTEM_REVOCATION_KEYS_SRCPREFIX)$(SYSTEM_REVOCATION_KEYS_FILENAME) FORCE
++	$(call if_changed,extract_certs,$(SYSTEM_REVOCATION_KEYS_SRCPREFIX)$(CONFIG_SYSTEM_REVOCATION_KEYS))
++endif
 diff --git a/certs/blacklist.c b/certs/blacklist.c
 index e9f3f81..a97d50b 100644
 --- a/certs/blacklist.c
 +++ b/certs/blacklist.c
@@ -20,9 +20,15 @@
  #include <linux/seq_file.h>
  #include <keys/system_keyring.h>
  #include "blacklist.h"
++#include "common.h"
  static struct key *blacklist_keyring;
++#ifdef CONFIG_SYSTEM_REVOCATION_LIST
++extern __initconst const u8 revocation_certificate_list[];
++extern __initconst const unsigned long revocation_certificate_list_size;
++#endif
++
  /*
   * The description must be a type prefix, a colon and then an even number of
   * hex digits.  The hash is kept in the description.
@@ -139,6 +145,52 @@ int is_hash_blacklisted(const u8 *hash, size_t hash_len, const char *type)
+ }
  EXPORT_SYMBOL_GPL(is_hash_blacklisted);
++#ifdef CONFIG_SYSTEM_REVOCATION_LIST
++/**
++ * add_key_to_revocation_list - Add a revocation certificate to the blacklist
++ * @data: The data blob containing the certificate
++ * @size: The size of data blob
++ */
++int add_key_to_revocation_list(const char *data, size_t size)
++{
++	key_ref_t key;
++
++	key = key_create_or_update(make_key_ref(blacklist_keyring, true),
++				   "asymmetric",
++				   NULL,
++				   data,
++				   size,
++				   ((KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_VIEW),
++				   KEY_ALLOC_NOT_IN_QUOTA | KEY_ALLOC_BUILT_IN);
++
++	if (IS_ERR(key)) {
++		pr_err("Problem with revocation key (%ld)\n", PTR_ERR(key));
++		return PTR_ERR(key);
++	} else {
++		pr_notice("Revoked X.509 cert '%s'\n",
++			  key_ref_to_ptr(key)->description);
++	}
++
++	return 0;
++}
++
++/**
++ * is_key_on_revocation_list - Determine if the key for a PKCS#7 message is revoked
++ * @pkcs7: The PKCS#7 message to check
++ */
++int is_key_on_revocation_list(struct pkcs7_message *pkcs7)
++{
++	int ret;
++
++	ret = pkcs7_validate_trust(pkcs7, blacklist_keyring);
++
++	if (ret == 0)
++		return -EKEYREJECTED;
++
++	return -ENOKEY;
++}
++#endif
++
  /*
   * Initialise the blacklist
   */
@@ -172,3 +224,18 @@ static int __init blacklist_init(void)
   * Must be initialised before we try and load the keys into the keyring.
   */
  device_initcall(blacklist_init);
++
++#ifdef CONFIG_SYSTEM_REVOCATION_LIST
++/*
++ * Load the compiled-in list of revocation X.509 certificates.
++ */
++static __init int load_revocation_certificate_list(void)
++{
++	if (revocation_certificate_list_size)
++		pr_notice("Loading compiled-in revocation X.509 certificates\n");
++
++	return load_certificate_list(revocation_certificate_list, revocation_certificate_list_size,
++				     blacklist_keyring);
++}
++late_initcall(load_revocation_certificate_list);
++#endif
 diff --git a/certs/blacklist.h b/certs/blacklist.h
 index 150d82d..d4f9fac 100644
 --- a/certs/blacklist.h
 +++ b/certs/blacklist.h
@@ -1,3 +1,5 @@
  #include <linux/kernel.h>
++#include <linux/errno.h>
++#include <crypto/pkcs7.h>
  extern const char __initdata *const blacklist_hashes[];
 diff --git a/certs/common.c b/certs/common.c
 new file mode 100644
 index 0000000..23af4fc
 --- /dev/null
 +++ b/certs/common.c
@@ -0,0 +1,58 @@
++// SPDX-License-Identifier: GPL-2.0-or-later
++
++#include <linux/kernel.h>
++#include <linux/key.h>
++#include "common.h"
++
++int load_certificate_list(const u8 cert_list[],
++			  const unsigned long list_size,
++			  const struct key *keyring)
++{
++	key_ref_t key;
++	const u8 *p, *end;
++	size_t plen;
++
++	p = cert_list;
++	end = p + list_size;
++	while (p < end) {
++		/* Each cert begins with an ASN.1 SEQUENCE tag and must be more
++		 * than 256 bytes in size.
++		 */
++		if (end - p < 4)
++			goto dodgy_cert;
++		if (p[0] != 0x30 &&
++		    p[1] != 0x82)
++			goto dodgy_cert;
++		plen = (p[2] << 8) | p[3];
++		plen += 4;
++		if (plen > end - p)
++			goto dodgy_cert;
++
++		key = key_create_or_update(make_key_ref(keyring, 1),
++					   "asymmetric",
++					   NULL,
++					   p,
++					   plen,
++					   ((KEY_POS_ALL & ~KEY_POS_SETATTR) |
++					   KEY_USR_VIEW | KEY_USR_READ),
++					   KEY_ALLOC_NOT_IN_QUOTA |
++					   KEY_ALLOC_BUILT_IN |
++					   KEY_ALLOC_BYPASS_RESTRICTION);
++		if (IS_ERR(key)) {
++			pr_err("Problem loading in-kernel X.509 certificate (%ld)\n",
++			       PTR_ERR(key));
++			WARN_ON_ONCE(1);
++		} else {
++			pr_notice("Loaded X.509 cert '%s'\n",
++				  key_ref_to_ptr(key)->description);
++			key_ref_put(key);
++		}
++		p += plen;
++	}
++
++	return 0;
++
++dodgy_cert:
++	pr_err("Problem parsing in-kernel X.509 certificate list\n");
++	return 0;
++}
 diff --git a/certs/common.h b/certs/common.h
 new file mode 100644
 index 0000000..abdb579
 --- /dev/null
 +++ b/certs/common.h
@@ -0,0 +1,9 @@
++/* SPDX-License-Identifier: GPL-2.0-or-later */
++
++#ifndef _CERT_COMMON_H
++#define _CERT_COMMON_H
++
++int load_certificate_list(const u8 cert_list[], const unsigned long list_size,
++			  const struct key *keyring);
++
++#endif
 diff --git a/certs/load_uefi.c b/certs/load_uefi.c
 index 3d88459..9783e59 100644
 --- a/certs/load_uefi.c
 +++ b/certs/load_uefi.c
@@ -109,6 +109,16 @@ static __init void uefi_blacklist_binary(const char *source,
+ }
  /*
++ * Add an X509 cert to the revocation list.
++ */
++static __init void uefi_revocation_list_x509(const char *source,
++					     const void *data, size_t len)
++{
++	pr_info("Revoking X.509 certificate: %s\n", source);
++	add_key_to_revocation_list(data, len);
++}
++
++/*
   * Return the appropriate handler for particular signature list types found in
   * the UEFI db and MokListRT tables.
   */
@@ -129,10 +139,83 @@ static __init efi_element_handler_t get_handler_for_dbx(const efi_guid_t *sig_ty
  		return uefi_blacklist_x509_tbs;
  	if (efi_guidcmp(*sig_type, efi_cert_sha256_guid) == 0)
  		return uefi_blacklist_binary;
++	if (efi_guidcmp(*sig_type, efi_cert_x509_guid) == 0)
++		return uefi_revocation_list_x509;
++	return 0;
++}
++
++/*
++ * load_moklist_certs() - Load Mok(X)List certs
++ * @load_db: Load MokListRT into db when true; MokListXRT into dbx when false
++ *
++ * Load the certs contained in the UEFI MokList(X)RT database into the
++ * platform trusted/denied keyring.
++ *
++ * This routine checks the EFI MOK config table first. If and only if
++ * that fails, this routine uses the MokList(X)RT ordinary UEFI variable.
++ *
++ * Return:	Status
++ */
++static int __init load_moklist_certs(const bool load_db)
++{
++	struct efi_mokvar_table_entry *mokvar_entry;
++	efi_guid_t mok_var = EFI_SHIM_LOCK_GUID;
++	void *mok;
++	unsigned long moksize;
++	int rc;
++	const char *mokvar_name = "MokListRT";
++	/* Should be const, but get_cert_list() doesn't have it as const yet */
++	efi_char16_t *efivar_name = L"MokListRT";
++	const char *parse_mokvar_name = "UEFI:MokListRT (MOKvar table)";
++	const char *parse_efivar_name = "UEFI:MokListRT";
++	efi_element_handler_t (*get_handler_for_guid)(const efi_guid_t *) = get_handler_for_db;
++
++	if (!load_db) {
++		mokvar_name = "MokListXRT";
++		efivar_name = L"MokListXRT";
++		parse_mokvar_name = "UEFI:MokListXRT (MOKvar table)";
++		parse_efivar_name = "UEFI:MokListXRT";
++		get_handler_for_guid = get_handler_for_dbx;
++	}
++
++	/* First try to load certs from the EFI MOKvar config table.
++	 * It's not an error if the MOKvar config table doesn't exist
++	 * or the MokListRT entry is not found in it.
++	 */
++	mokvar_entry = efi_mokvar_entry_find(mokvar_name);
++	if (mokvar_entry) {
++		rc = parse_efi_signature_list(parse_mokvar_name,
++					      mokvar_entry->data,
++					      mokvar_entry->data_size,
++					      get_handler_for_guid);
++		/* All done if that worked. */
++		if (!rc)
++			return rc;
++
++		pr_err("Couldn't parse %s signatures from EFI MOKvar config table: %d\n",
++		       mokvar_name, rc);
++	}
++
++	/* Get MokListRT. It might not exist, so it isn't an error
++	 * if we can't get it.
++	 */
++	mok = get_cert_list(efivar_name, &mok_var, &moksize);
++	if (mok) {
++		rc = parse_efi_signature_list(parse_efivar_name,
++					      mok, moksize, get_handler_for_guid);
++		kfree(mok);
++		if (rc)
++			pr_err("Couldn't parse %s signatures: %d\n", mokvar_name, rc);
++		return rc;
++	} else
++		pr_info("Couldn't get UEFI %s\n", mokvar_name);
  	return 0;
+ }
  /*
++ * load_uefi_certs() - Load certs from UEFI sources
++ *
++ *
   * Load the certs contained in the UEFI databases into the secondary trusted
   * keyring and the UEFI blacklisted X.509 cert SHA256 hashes into the blacklist
   * keyring.
@@ -140,9 +223,8 @@ static __init efi_element_handler_t get_handler_for_dbx(const efi_guid_t *sig_ty
  static int __init load_uefi_certs(void)
+ {
  	efi_guid_t secure_var = EFI_IMAGE_SECURITY_DATABASE_GUID;
--	efi_guid_t mok_var = EFI_SHIM_LOCK_GUID;
--	void *db = NULL, *dbx = NULL, *mok = NULL;
--	unsigned long dbsize = 0, dbxsize = 0, moksize = 0;
++	void *db = NULL, *dbx = NULL;
++	unsigned long dbsize = 0, dbxsize = 0;
  	int rc = 0;
  	if (!efi.get_variable)
@@ -164,17 +246,6 @@ static int __init load_uefi_certs(void)
+ 		}
+ 	}
--	mok = get_cert_list(L"MokListRT", &mok_var, &moksize);
--	if (!mok) {
--		pr_info("MODSIGN: Couldn't get UEFI MokListRT\n");
--	} else {
--		rc = parse_efi_signature_list("UEFI:MokListRT",
--					      mok, moksize, get_handler_for_db);
--		if (rc)
--			pr_err("Couldn't parse MokListRT signatures: %d\n", rc);
--		kfree(mok);
--	}
--
  	dbx = get_cert_list(L"dbx", &secure_var, &dbxsize);
  	if (!dbx) {
  		pr_info("MODSIGN: Couldn't get UEFI dbx list\n");
@@ -187,6 +258,16 @@ static int __init load_uefi_certs(void)
  		kfree(dbx);
+ 	}
++	/* Load the MokListXRT certs */
++	rc = load_moklist_certs(false);
++	if (rc)
++		pr_err("Couldn't parse mokx signatures: %d\n", rc);
++
++	/* Load the MokListRT certs */
++	rc = load_moklist_certs(true);
++	if (rc)
++		pr_err("Couldn't parse mok signatures: %d\n", rc);
++
  	return rc;
+ }
  late_initcall(load_uefi_certs);
 diff --git a/certs/revocation_certificates.S b/certs/revocation_certificates.S
 new file mode 100644
 index 0000000..f21aae8
 --- /dev/null
 +++ b/certs/revocation_certificates.S
@@ -0,0 +1,21 @@
++/* SPDX-License-Identifier: GPL-2.0 */
++#include <linux/export.h>
++#include <linux/init.h>
++
++	__INITRODATA
++
++	.align 8
++	.globl revocation_certificate_list
++revocation_certificate_list:
++__revocation_list_start:
++	.incbin "certs/x509_revocation_list"
++__revocation_list_end:
++
++	.align 8
++	.globl revocation_certificate_list_size
++revocation_certificate_list_size:
++#ifdef CONFIG_64BIT
++	.quad __revocation_list_end - __revocation_list_start
++#else
++	.long __revocation_list_end - __revocation_list_start
++#endif
 diff --git a/certs/system_keyring.c b/certs/system_keyring.c
 index 3821699..83f6472 100644
 --- a/certs/system_keyring.c
 +++ b/certs/system_keyring.c
@@ -19,6 +19,7 @@
  #include <keys/asymmetric-type.h>
  #include <keys/system_keyring.h>
  #include <crypto/pkcs7.h>
++#include "common.h"
  #include "internal.h"
  static struct key *builtin_trusted_keys;
@@ -138,55 +139,10 @@ device_initcall(system_trusted_keyring_init);
   */
  static __init int load_system_certificate_list(void)
+ {
--	key_ref_t key;
--	const u8 *p, *end;
--	size_t plen;
--
  	pr_notice("Loading compiled-in X.509 certificates\n");
--	p = system_certificate_list;
--	end = p + system_certificate_list_size;
--	while (p < end) {
--		/* Each cert begins with an ASN.1 SEQUENCE tag and must be more
--		 * than 256 bytes in size.
--		 */
--		if (end - p < 4)
--			goto dodgy_cert;
--		if (p[0] != 0x30 &&
--		    p[1] != 0x82)
--			goto dodgy_cert;
--		plen = (p[2] << 8) | p[3];
--		plen += 4;
--		if (plen > end - p)
--			goto dodgy_cert;
--
--		key = key_create_or_update(make_key_ref(builtin_trusted_keys, 1),
--					   "asymmetric",
--					   NULL,
--					   p,
--					   plen,
--					   ((KEY_POS_ALL & ~KEY_POS_SETATTR) |
--					   KEY_USR_VIEW | KEY_USR_READ),
--					   KEY_ALLOC_NOT_IN_QUOTA |
--					   KEY_ALLOC_BUILT_IN |
--					   KEY_ALLOC_BYPASS_RESTRICTION);
--		if (IS_ERR(key)) {
--			pr_err("Problem loading in-kernel X.509 certificate (%ld)\n",
--			       PTR_ERR(key));
--			WARN_ON_ONCE(1);
--		} else {
--			pr_notice("Loaded X.509 cert '%s'\n",
--				  key_ref_to_ptr(key)->description);
--			key_ref_put(key);
--		}
--		p += plen;
--	}
--
--	return 0;
--
--dodgy_cert:
--	pr_err("Problem parsing in-kernel X.509 certificate list\n");
--	return 0;
++	return load_certificate_list(system_certificate_list, system_certificate_list_size,
++				     builtin_trusted_keys);
+ }
  late_initcall(load_system_certificate_list);
@@ -240,6 +196,13 @@ int verify_pkcs7_signature(const void *data, size_t len,
  		trusted_keys = builtin_trusted_keys;
  #endif
+ 	}
++
++	ret = is_key_on_revocation_list(pkcs7);
++	if (ret != -ENOKEY) {
++		pr_devel("PKCS#7 key is on revocation list\n");
++		goto error;
++	}
++
  	ret = pkcs7_validate_trust(pkcs7, trusted_keys);
  	if (ret < 0) {
  		if (ret == -ENOKEY)
 diff --git a/debian.master/config/annotations b/debian.master/config/annotations
 index 8275667..ea24044 100644
 --- a/debian.master/config/annotations
 +++ b/debian.master/config/annotations
@@ -502,6 +502,7 @@ CONFIG_SYSTEM_TRUSTED_KEYRING                   policy<{'amd64': 'y', 'arm64': '
  CONFIG_SYSTEM_TRUSTED_KEYS                      policy<{'amd64': '"debian/canonical-certs.pem"', 'arm64': '"debian/canonical-certs.pem"', 'armhf': '"debian/canonical-certs.pem"', 'i386': '"debian/canonical-certs.pem"', 'ppc64el': '"debian/canonical-certs.pem"', 's390x': '"debian/canonical-certs.pem"'}>
  CONFIG_SYSTEM_EXTRA_CERTIFICATE                 policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'ppc64el': 'y', 's390x': 'y'}>
  CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE            policy<{'amd64': '4096', 'arm64': '4096', 'armhf': '4096', 'i386': '4096', 'ppc64el': '4096', 's390x': '4096'}>
++CONFIG_SYSTEM_REVOCATION_KEYS                   policy<{'amd64': '"debian/canonical-revoked-certs.pem"', 'arm64': '"debian/canonical-revoked-certs.pem"', 'armhf': '"debian/canonical-revoked-certs.pem"', 'ppc64el': '"debian/canonical-revoked-certs.pem"', 's390x': '"debian/canonical-revoked-certs.pem"'}>
  CONFIG_SECONDARY_TRUSTED_KEYRING                policy<{'amd64': 'y', 'arm64': 'y', 'armhf': 'y', 'i386': 'y', 'ppc64el': 'y', 's390x': 'y'}>
  # Menu: Cryptographic API >> Hardware crypto devices
 diff --git a/debian.master/config/config.common.ubuntu b/debian.master/config/config.common.ubuntu
 index fba5bed..57190d6 100644
 --- a/debian.master/config/config.common.ubuntu
 +++ b/debian.master/config/config.common.ubuntu
@@ -9018,6 +9018,8 @@ CONFIG_SYSTEM_BLACKLIST_KEYRING=y
  CONFIG_SYSTEM_DATA_VERIFICATION=y
  CONFIG_SYSTEM_EXTRA_CERTIFICATE=y
  CONFIG_SYSTEM_EXTRA_CERTIFICATE_SIZE=4096
++CONFIG_SYSTEM_REVOCATION_KEYS="debian/canonical-revoked-certs.pem"
++CONFIG_SYSTEM_REVOCATION_LIST=y
  CONFIG_SYSTEM_TRUSTED_KEYRING=y
  CONFIG_SYSTEM_TRUSTED_KEYS="debian/canonical-certs.pem"
  CONFIG_SYSVIPC=y
 diff --git a/debian/revoked-certs/canonical-uefi-2012-all.pem b/debian/revoked-certs/canonical-uefi-2012-all.pem
 new file mode 100644
 index 0000000..06c116e
 --- /dev/null
 +++ b/debian/revoked-certs/canonical-uefi-2012-all.pem
@@ -0,0 +1,86 @@
++Certificate:
++    Data:
++        Version: 3 (0x2)
++        Serial Number: 1 (0x1)
++        Signature Algorithm: sha256WithRSAEncryption
++        Issuer: C = GB, ST = Isle of Man, L = Douglas, O = Canonical Ltd., CN = Canonical Ltd. Master Certificate Authority
++        Validity
++            Not Before: Apr 12 11:39:08 2012 GMT
++            Not After : Apr 11 11:39:08 2042 GMT
++        Subject: C = GB, ST = Isle of Man, O = Canonical Ltd., OU = Secure Boot, CN = Canonical Ltd. Secure Boot Signing
++        Subject Public Key Info:
++            Public Key Algorithm: rsaEncryption
++                RSA Public-Key: (2048 bit)
++                Modulus:
++                    00:c9:5f:9b:62:8f:0b:b0:64:82:ac:be:c9:e2:62:
++                    e3:4b:d2:9f:1e:8a:d5:61:1a:2b:5d:38:f4:b7:ce:
++                    b9:9a:b8:43:b8:43:97:77:ab:4f:7f:0c:70:46:0b:
++                    fc:7f:6d:c6:6d:ea:80:5e:01:d2:b7:66:1e:87:de:
++                    0d:6d:d0:41:97:a8:a5:af:0c:63:4f:f7:7c:c2:52:
++                    cc:a0:31:a9:bb:89:5d:99:1e:46:6f:55:73:b9:76:
++                    69:ec:d7:c1:fc:21:d6:c6:07:e7:4f:bd:22:de:e4:
++                    a8:5b:2d:db:95:34:19:97:d6:28:4b:21:4c:ca:bb:
++                    1d:79:a6:17:7f:5a:f9:67:e6:5c:78:45:3d:10:6d:
++                    b0:17:59:26:11:c5:57:e3:7f:4e:82:ba:f6:2c:4e:
++                    c8:37:4d:ff:85:15:84:47:e0:ed:3b:7c:7f:bc:af:
++                    e9:01:05:a7:0c:6f:c3:e9:8d:a3:ce:be:a6:e3:cd:
++                    3c:b5:58:2c:9e:c2:03:1c:60:22:37:39:ff:41:02:
++                    c1:29:a4:65:51:ff:33:34:aa:42:15:f9:95:78:fc:
++                    2d:f5:da:8a:85:7c:82:9d:fb:37:2c:6b:a5:a8:df:
++                    7c:55:0b:80:2e:3c:b0:63:e1:cd:38:48:89:e8:14:
++                    06:0b:82:bc:fd:d4:07:68:1b:0f:3e:d9:15:dd:94:
++                    11:1b
++                Exponent: 65537 (0x10001)
++        X509v3 extensions:
++            X509v3 Basic Constraints: critical
++                CA:FALSE
++            X509v3 Extended Key Usage:
++                Code Signing, 1.3.6.1.4.1.311.10.3.6
++            Netscape Comment:
++                OpenSSL Generated Certificate
++            X509v3 Subject Key Identifier:
++                61:48:2A:A2:83:0D:0A:B2:AD:5A:F1:0B:72:50:DA:90:33:DD:CE:F0
++            X509v3 Authority Key Identifier:
++                keyid:AD:91:99:0B:C2:2A:B1:F5:17:04:8C:23:B6:65:5A:26:8E:34:5A:63
++
++    Signature Algorithm: sha256WithRSAEncryption
++         8f:8a:a1:06:1f:29:b7:0a:4a:d5:c5:fd:81:ab:25:ea:c0:7d:
++         e2:fc:6a:96:a0:79:93:67:ee:05:0e:25:12:25:e4:5a:f6:aa:
++         1a:f1:12:f3:05:8d:87:5e:f1:5a:5c:cb:8d:23:73:65:1d:15:
++         b9:de:22:6b:d6:49:67:c9:a3:c6:d7:62:4e:5c:b5:f9:03:83:
++         40:81:dc:87:9c:3c:3f:1c:0d:51:9f:94:65:0a:84:48:67:e4:
++         a2:f8:a6:4a:f0:e7:cd:cd:bd:94:e3:09:d2:5d:2d:16:1b:05:
++         15:0b:cb:44:b4:3e:61:42:22:c4:2a:5c:4e:c5:1d:a3:e2:e0:
++         52:b2:eb:f4:8b:2b:dc:38:39:5d:fb:88:a1:56:65:5f:2b:4f:
++         26:ff:06:78:10:12:eb:8c:5d:32:e3:c6:45:af:25:9b:a0:ff:
++         8e:ef:47:09:a3:e9:8b:37:92:92:69:76:7e:34:3b:92:05:67:
++         4e:b0:25:ed:bc:5e:5f:8f:b4:d6:ca:40:ff:e4:e2:31:23:0c:
++         85:25:ae:0c:55:01:ec:e5:47:5e:df:5b:bc:14:33:e3:c6:f5:
++         18:b6:d9:f7:dd:b3:b4:a1:31:d3:5a:5c:5d:7d:3e:bf:0a:e4:
++         e4:e8:b4:59:7d:3b:b4:8c:a3:1b:b5:20:a3:b9:3e:84:6f:8c:
++         21:00:c3:39
++-----BEGIN CERTIFICATE-----
++MIIEIDCCAwigAwIBAgIBATANBgkqhkiG9w0BAQsFADCBhDELMAkGA1UEBhMCR0Ix
++FDASBgNVBAgMC0lzbGUgb2YgTWFuMRAwDgYDVQQHDAdEb3VnbGFzMRcwFQYDVQQK
++DA5DYW5vbmljYWwgTHRkLjE0MDIGA1UEAwwrQ2Fub25pY2FsIEx0ZC4gTWFzdGVy
++IENlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0xMjA0MTIxMTM5MDhaFw00MjA0MTEx
++MTM5MDhaMH8xCzAJBgNVBAYTAkdCMRQwEgYDVQQIDAtJc2xlIG9mIE1hbjEXMBUG
++A1UECgwOQ2Fub25pY2FsIEx0ZC4xFDASBgNVBAsMC1NlY3VyZSBCb290MSswKQYD
++VQQDDCJDYW5vbmljYWwgTHRkLiBTZWN1cmUgQm9vdCBTaWduaW5nMIIBIjANBgkq
++hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyV+bYo8LsGSCrL7J4mLjS9KfHorVYRor
++XTj0t865mrhDuEOXd6tPfwxwRgv8f23GbeqAXgHSt2Yeh94NbdBBl6ilrwxjT/d8
++wlLMoDGpu4ldmR5Gb1VzuXZp7NfB/CHWxgfnT70i3uSoWy3blTQZl9YoSyFMyrsd
++eaYXf1r5Z+ZceEU9EG2wF1kmEcVX439Ogrr2LE7IN03/hRWER+DtO3x/vK/pAQWn
++DG/D6Y2jzr6m4808tVgsnsIDHGAiNzn/QQLBKaRlUf8zNKpCFfmVePwt9dqKhXyC
++nfs3LGulqN98VQuALjywY+HNOEiJ6BQGC4K8/dQHaBsPPtkV3ZQRGwIDAQABo4Gg
++MIGdMAwGA1UdEwEB/wQCMAAwHwYDVR0lBBgwFgYIKwYBBQUHAwMGCisGAQQBgjcK
++AwYwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRl
++MB0GA1UdDgQWBBRhSCqigw0Ksq1a8QtyUNqQM93O8DAfBgNVHSMEGDAWgBStkZkL
++wiqx9RcEjCO2ZVomjjRaYzANBgkqhkiG9w0BAQsFAAOCAQEAj4qhBh8ptwpK1cX9
++gasl6sB94vxqlqB5k2fuBQ4lEiXkWvaqGvES8wWNh17xWlzLjSNzZR0Vud4ia9ZJ
++Z8mjxtdiTly1+QODQIHch5w8PxwNUZ+UZQqESGfkovimSvDnzc29lOMJ0l0tFhsF
++FQvLRLQ+YUIixCpcTsUdo+LgUrLr9Isr3Dg5XfuIoVZlXytPJv8GeBAS64xdMuPG
++Ra8lm6D/ju9HCaPpizeSkml2fjQ7kgVnTrAl7bxeX4+01spA/+TiMSMMhSWuDFUB
++7OVHXt9bvBQz48b1GLbZ992ztKEx01pcXX0+vwrk5Oi0WX07tIyjG7Ugo7k+hG+M
++IQDDOQ==
++-----END CERTIFICATE-----
 diff --git a/debian/rules b/debian/rules
 index 73c0ee1..ca87ccf 100755
 --- a/debian/rules
 +++ b/debian/rules
@@ -126,7 +126,7 @@ binary: binary-indep binary-arch
  build: build-arch build-indep
--clean: debian/control debian/canonical-certs.pem
++clean: debian/control debian/canonical-certs.pem debian/canonical-revoked-certs.pem
  	dh_testdir
  	dh_testroot
  	dh_clean
@@ -222,3 +222,15 @@ debian/canonical-certs.pem: $(wildcard $(DROOT)/certs/*-all.pem) $(wildcard $(DR
  			fi;							\
  		done;								\
  	done >"$@"
++
++debian/canonical-revoked-certs.pem: $(wildcard $(DROOT)/revoked-certs/*-all.pem) $(wildcard $(DROOT)/revoked-certs/*-$(arch).pem) $(wildcard $(DEBIAN)/revoked-certs/*-all.pem) $(wildcard $(DEBIAN)/revoked-certs/*-$(arch).pem)
++	for cert in $(sort $(notdir $^));					\
++	do									\
++		for dir in $(DEBIAN) $(DROOT);					\
++		do								\
++			if [ -f "$$dir/revoked-certs/$$cert" ]; then		\
++				cat "$$dir/revoked-certs/$$cert";		\
++				break;						\
++			fi;							\
++		done;								\
++	done >"$@"
 diff --git a/drivers/firmware/efi/Makefile b/drivers/firmware/efi/Makefile
 index f40f25c..2e52a34 100644
 --- a/drivers/firmware/efi/Makefile
 +++ b/drivers/firmware/efi/Makefile
@@ -26,6 +26,7 @@ obj-$(CONFIG_EFI_TEST)			+= test/
  obj-$(CONFIG_EFI_DEV_PATH_PARSER)	+= dev-path-parser.o
  obj-$(CONFIG_EFI)			+= secureboot.o
  obj-$(CONFIG_APPLE_PROPERTIES)		+= apple-properties.o
++obj-$(CONFIG_LOAD_UEFI_KEYS)		+= mokvar-table.o
  arm-obj-$(CONFIG_EFI)			:= arm-init.o arm-runtime.o
  obj-$(CONFIG_ARM)			+= $(arm-obj-y)
 diff --git a/drivers/firmware/efi/arm-init.c b/drivers/firmware/efi/arm-init.c
 index 312f9f3..cd61e25 100644
 --- a/drivers/firmware/efi/arm-init.c
 +++ b/drivers/firmware/efi/arm-init.c
@@ -259,6 +259,7 @@ void __init efi_init(void)
  	reserve_regions();
  	efi_esrt_init();
++	efi_mokvar_table_init();
  	memblock_reserve(params.mmap & PAGE_MASK,
  			 PAGE_ALIGN(params.mmap_size +
 diff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c
 index 9bf9e27..50cc4a6 100644
 --- a/drivers/firmware/efi/efi.c
 +++ b/drivers/firmware/efi/efi.c
@@ -52,6 +52,9 @@ struct efi __read_mostly efi = {
  	.properties_table	= EFI_INVALID_TABLE_ADDR,
  	.mem_attr_table		= EFI_INVALID_TABLE_ADDR,
  	.rng_seed		= EFI_INVALID_TABLE_ADDR,
++#ifdef CONFIG_LOAD_UEFI_KEYS
++	.mokvar_table		= EFI_INVALID_TABLE_ADDR,
++#endif
  };
  EXPORT_SYMBOL(efi);
@@ -72,6 +75,9 @@ static unsigned long *efi_tables[] = {
  	&efi.esrt,
  	&efi.properties_table,
  	&efi.mem_attr_table,
++#ifdef CONFIG_LOAD_UEFI_KEYS
++	&efi.mokvar_table,
++#endif
  };
  static bool disable_runtime;
@@ -472,6 +478,9 @@ static __initdata efi_config_table_type_t common_tables[] = {
  	{EFI_PROPERTIES_TABLE_GUID, "PROP", &efi.properties_table},
  	{EFI_MEMORY_ATTRIBUTES_TABLE_GUID, "MEMATTR", &efi.mem_attr_table},
  	{LINUX_EFI_RANDOM_SEED_TABLE_GUID, "RNG", &efi.rng_seed},
++#ifdef CONFIG_LOAD_UEFI_KEYS
++	{LINUX_EFI_MOK_VARIABLE_TABLE_GUID, "MOKvar", &efi.mokvar_table},
++#endif
  	{NULL_GUID, NULL, NULL},
  };
 diff --git a/drivers/firmware/efi/mokvar-table.c b/drivers/firmware/efi/mokvar-table.c
 new file mode 100644
 index 0000000..38722d2
 --- /dev/null
 +++ b/drivers/firmware/efi/mokvar-table.c
@@ -0,0 +1,362 @@
++// SPDX-License-Identifier: GPL-2.0
++/*
++ * mokvar-table.c
++ *
++ * Copyright (c) 2020 Red Hat
++ * Author: Lenny Szubowicz <lszubowi@redhat.com>
++ *
++ * This module contains the kernel support for the Linux EFI Machine
++ * Owner Key (MOK) variable configuration table, which is identified by
++ * the LINUX_EFI_MOK_VARIABLE_TABLE_GUID.
++ *
++ * This EFI configuration table provides a more robust alternative to
++ * EFI volatile variables by which an EFI boot loader can pass the
++ * contents of the Machine Owner Key (MOK) certificate stores to the
++ * kernel during boot. If both the EFI MOK config table and corresponding
++ * EFI MOK variables are present, the table should be considered as
++ * more authoritative.
++ *
++ * This module includes code that validates and maps the EFI MOK table,
++ * if it's presence was detected very early in boot.
++ *
++ * Kernel interface routines are provided to walk through all the
++ * entries in the MOK config table or to search for a specific named
++ * entry.
++ *
++ * The contents of the individual named MOK config table entries are
++ * made available to user space via read-only sysfs binary files under:
++ *
++ * /sys/firmware/efi/mok-variables/
++ *
++ */
++#define pr_fmt(fmt) "mokvar: " fmt
++
++#include <linux/capability.h>
++#include <linux/efi.h>
++#include <linux/init.h>
++#include <linux/io.h>
++#include <linux/kernel.h>
++#include <linux/kobject.h>
++#include <linux/list.h>
++#include <linux/slab.h>
++
++#include <asm/early_ioremap.h>
++
++/*
++ * The LINUX_EFI_MOK_VARIABLE_TABLE_GUID config table is a packed
++ * sequence of struct efi_mokvar_table_entry, one for each named
++ * MOK variable. The sequence is terminated by an entry with a
++ * completely NULL name and 0 data size.
++ *
++ * efi_mokvar_table_size is set to the computed size of the
++ * MOK config table by efi_mokvar_table_init(). This will be
++ * non-zero if and only if the table if present and has been
++ * validated by efi_mokvar_table_init().
++ */
++static size_t efi_mokvar_table_size;
++
++/*
++ * efi_mokvar_table_va is the kernel virtual address at which the
++ * EFI MOK config table has been mapped by efi_mokvar_sysfs_init().
++ */
++static struct efi_mokvar_table_entry *efi_mokvar_table_va;
++
++/*
++ * Each /sys/firmware/efi/mok-variables/ sysfs file is represented by
++ * an instance of struct efi_mokvar_sysfs_attr on efi_mokvar_sysfs_list.
++ * bin_attr.private points to the associated EFI MOK config table entry.
++ *
++ * This list is created during boot and then remains unchanged.
++ * So no synchronization is currently required to walk the list.
++ */
++struct efi_mokvar_sysfs_attr {
++	struct bin_attribute bin_attr;
++	struct list_head node;
++};
++
++static LIST_HEAD(efi_mokvar_sysfs_list);
++static struct kobject *mokvar_kobj;
++
++/*
++ * efi_mokvar_table_init() - Early boot validation of EFI MOK config table
++ *
++ * If present, validate and compute the size of the EFI MOK variable
++ * configuration table. This table may be provided by an EFI boot loader
++ * as an alternative to ordinary EFI variables, due to platform-dependent
++ * limitations. The memory occupied by this table is marked as reserved.
++ *
++ * This routine must be called before efi_free_boot_services() in order
++ * to guarantee that it can mark the table as reserved.
++ *
++ * Implicit inputs:
++ * efi.mokvar_table:	Physical address of EFI MOK variable config table
++ *			or special value that indicates no such table.
++ *
++ * Implicit outputs:
++ * efi_mokvar_table_size: Computed size of EFI MOK variable config table.
++ *			The table is considered present and valid if this
++ *			is non-zero.
++ */
++void __init efi_mokvar_table_init(void)
++{
++	efi_memory_desc_t md;
++	void *va = NULL;
++	unsigned long cur_offset = 0;
++	unsigned long offset_limit;
++	unsigned long map_size = 0;
++	unsigned long map_size_needed = 0;
++	unsigned long size;
++	struct efi_mokvar_table_entry *mokvar_entry;
++	int err;
++
++	if (!efi_enabled(EFI_MEMMAP))
++		return;
++
++	if (efi.mokvar_table == EFI_INVALID_TABLE_ADDR)
++		return;
++	/*
++	 * The EFI MOK config table must fit within a single EFI memory
++	 * descriptor range.
++	 */
++	err = efi_mem_desc_lookup(efi.mokvar_table, &md);
++	if (err) {
++		pr_warn("EFI MOKvar config table is not within the EFI memory map\n");
++		return;
++	}
++
++	offset_limit = efi_mem_desc_end(&md) - efi.mokvar_table;
++
++	/*
++	 * Validate the MOK config table. Since there is no table header
++	 * from which we could get the total size of the MOK config table,
++	 * we compute the total size as we validate each variably sized
++	 * entry, remapping as necessary.
++	 */
++	err = -EINVAL;
++	while (cur_offset + sizeof(*mokvar_entry) <= offset_limit) {
++		mokvar_entry = va + cur_offset;
++		map_size_needed = cur_offset + sizeof(*mokvar_entry);
++		if (map_size_needed > map_size) {
++			if (va)
++				early_memunmap(va, map_size);
++			/*
++			 * Map a little more than the fixed size entry
++			 * header, anticipating some data. It's safe to
++			 * do so as long as we stay within current memory
++			 * descriptor.
++			 */
++			map_size = min(map_size_needed + 2*EFI_PAGE_SIZE,
++				       offset_limit);
++			va = early_memremap(efi.mokvar_table, map_size);
++			if (!va) {
++				pr_err("Failed to map EFI MOKvar config table pa=0x%lx, size=%lu.\n",
++				       efi.mokvar_table, map_size);
++				return;
++			}
++			mokvar_entry = va + cur_offset;
++		}
++
++		/* Check for last sentinel entry */
++		if (mokvar_entry->name[0] == '\0') {
++			if (mokvar_entry->data_size != 0)
++				break;
++			err = 0;
++			break;
++		}
++
++		/* Sanity check that the name is null terminated */
++		size = strnlen(mokvar_entry->name,
++			       sizeof(mokvar_entry->name));
++		if (size >= sizeof(mokvar_entry->name))
++			break;
++
++		/* Advance to the next entry */
++		cur_offset = map_size_needed + mokvar_entry->data_size;
++	}
++
++	if (va)
++		early_memunmap(va, map_size);
++	if (err) {
++		pr_err("EFI MOKvar config table is not valid\n");
++		return;
++	}
++
++	if (md.type == EFI_BOOT_SERVICES_DATA)
++		efi_mem_reserve(efi.mokvar_table, map_size_needed);
++
++	efi_mokvar_table_size = map_size_needed;
++}
++
++/*
++ * efi_mokvar_entry_next() - Get next entry in the EFI MOK config table
++ *
++ * mokvar_entry:	Pointer to current EFI MOK config table entry
++ *			or null. Null indicates get first entry.
++ *			Passed by reference. This is updated to the
++ *			same value as the return value.
++ *
++ * Returns:		Pointer to next EFI MOK config table entry
++ *			or null, if there are no more entries.
++ *			Same value is returned in the mokvar_entry
++ *			parameter.
++ *
++ * This routine depends on the EFI MOK config table being entirely
++ * mapped with it's starting virtual address in efi_mokvar_table_va.
++ */
++struct efi_mokvar_table_entry *efi_mokvar_entry_next(
++			struct efi_mokvar_table_entry **mokvar_entry)
++{
++	struct efi_mokvar_table_entry *mokvar_cur;
++	struct efi_mokvar_table_entry *mokvar_next;
++	size_t size_cur;
++
++	mokvar_cur = *mokvar_entry;
++	*mokvar_entry = NULL;
++
++	if (efi_mokvar_table_va == NULL)
++		return NULL;
++
++	if (mokvar_cur == NULL) {
++		mokvar_next = efi_mokvar_table_va;
++	} else {
++		if (mokvar_cur->name[0] == '\0')
++			return NULL;
++		size_cur = sizeof(*mokvar_cur) + mokvar_cur->data_size;
++		mokvar_next = (void *)mokvar_cur + size_cur;
++	}
++
++	if (mokvar_next->name[0] == '\0')
++		return NULL;
++
++	*mokvar_entry = mokvar_next;
++	return mokvar_next;
++}
++
++/*
++ * efi_mokvar_entry_find() - Find EFI MOK config entry by name
++ *
++ * name:	Name of the entry to look for.
++ *
++ * Returns:	Pointer to EFI MOK config table entry if found;
++ *		null otherwise.
++ *
++ * This routine depends on the EFI MOK config table being entirely
++ * mapped with it's starting virtual address in efi_mokvar_table_va.
++ */
++struct efi_mokvar_table_entry *efi_mokvar_entry_find(const char *name)
++{
++	struct efi_mokvar_table_entry *mokvar_entry = NULL;
++
++	while (efi_mokvar_entry_next(&mokvar_entry)) {
++		if (!strncmp(name, mokvar_entry->name,
++			     sizeof(mokvar_entry->name)))
++			return mokvar_entry;
++	}
++	return NULL;
++}
++
++/*
++ * efi_mokvar_sysfs_read() - sysfs binary file read routine
++ *
++ * Returns:	Count of bytes read.
++ *
++ * Copy EFI MOK config table entry data for this mokvar sysfs binary file
++ * to the supplied buffer, starting at the specified offset into mokvar table
++ * entry data, for the specified count bytes. The copy is limited by the
++ * amount of data in this mokvar config table entry.
++ */
++static ssize_t efi_mokvar_sysfs_read(struct file *file, struct kobject *kobj,
++				 struct bin_attribute *bin_attr, char *buf,
++				 loff_t off, size_t count)
++{
++	struct efi_mokvar_table_entry *mokvar_entry = bin_attr->private;
++
++	if (!capable(CAP_SYS_ADMIN))
++		return 0;
++
++	if (off >= mokvar_entry->data_size)
++		return 0;
++	if (count >  mokvar_entry->data_size - off)
++		count = mokvar_entry->data_size - off;
++
++	memcpy(buf, mokvar_entry->data + off, count);
++	return count;
++}
++
++/*
++ * efi_mokvar_sysfs_init() - Map EFI MOK config table and create sysfs
++ *
++ * Map the EFI MOK variable config table for run-time use by the kernel
++ * and create the sysfs entries in /sys/firmware/efi/mok-variables/
++ *
++ * This routine just returns if a valid EFI MOK variable config table
++ * was not found earlier during boot.
++ *
++ * This routine must be called during a "middle" initcall phase, i.e.
++ * after efi_mokvar_table_init() but before UEFI certs are loaded
++ * during late init.
++ *
++ * Implicit inputs:
++ * efi.mokvar_table:	Physical address of EFI MOK variable config table
++ *			or special value that indicates no such table.
++ *
++ * efi_mokvar_table_size: Computed size of EFI MOK variable config table.
++ *			The table is considered present and valid if this
++ *			is non-zero.
++ *
++ * Implicit outputs:
++ * efi_mokvar_table_va:	Start virtual address of the EFI MOK config table.
++ */
++static int __init efi_mokvar_sysfs_init(void)
++{
++	void *config_va;
++	struct efi_mokvar_table_entry *mokvar_entry = NULL;
++	struct efi_mokvar_sysfs_attr *mokvar_sysfs = NULL;
++	int err = 0;
++
++	if (efi_mokvar_table_size == 0)
++		return -ENOENT;
++
++	config_va = memremap(efi.mokvar_table, efi_mokvar_table_size,
++			     MEMREMAP_WB);
++	if (!config_va) {
++		pr_err("Failed to map EFI MOKvar config table\n");
++		return -ENOMEM;
++	}
++	efi_mokvar_table_va = config_va;
++
++	mokvar_kobj = kobject_create_and_add("mok-variables", efi_kobj);
++	if (!mokvar_kobj) {
++		pr_err("Failed to create EFI mok-variables sysfs entry\n");
++		return -ENOMEM;
++	}
++
++	while (efi_mokvar_entry_next(&mokvar_entry)) {
++		mokvar_sysfs = kzalloc(sizeof(*mokvar_sysfs), GFP_KERNEL);
++		if (!mokvar_sysfs) {
++			err = -ENOMEM;
++			break;
++		}
++
++		sysfs_bin_attr_init(&mokvar_sysfs->bin_attr);
++		mokvar_sysfs->bin_attr.private = mokvar_entry;
++		mokvar_sysfs->bin_attr.attr.name = mokvar_entry->name;
++		mokvar_sysfs->bin_attr.attr.mode = 0400;
++		mokvar_sysfs->bin_attr.size = mokvar_entry->data_size;
++		mokvar_sysfs->bin_attr.read = efi_mokvar_sysfs_read;
++
++		err = sysfs_create_bin_file(mokvar_kobj,
++					   &mokvar_sysfs->bin_attr);
++		if (err)
++			break;
++
++		list_add_tail(&mokvar_sysfs->node, &efi_mokvar_sysfs_list);
++	}
++
++	if (err) {
++		pr_err("Failed to create some EFI mok-variables sysfs entries\n");
++		kfree(mokvar_sysfs);
++	}
++	return err;
++}
++device_initcall(efi_mokvar_sysfs_init);
 diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h
 index 359c2f9..f961e88 100644
 --- a/include/keys/system_keyring.h
 +++ b/include/keys/system_keyring.h
@@ -35,6 +35,7 @@ extern int restrict_link_by_builtin_and_secondary_trusted(
  #define restrict_link_by_builtin_and_secondary_trusted restrict_link_by_builtin_trusted
  #endif
++extern struct pkcs7_message *pkcs7;
  #ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING
  extern int mark_hash_blacklisted(const char *hash);
  extern int is_hash_blacklisted(const u8 *hash, size_t hash_len,
@@ -47,6 +48,20 @@ static inline int is_hash_blacklisted(const u8 *hash, size_t hash_len,
+ }
  #endif
++#ifdef CONFIG_SYSTEM_REVOCATION_LIST
++extern int add_key_to_revocation_list(const char *data, size_t size);
++extern int is_key_on_revocation_list(struct pkcs7_message *pkcs7);
++#else
++static inline int add_key_to_revocation_list(const char *data, size_t size)
++{
++	return 0;
++}
++static inline int is_key_on_revocation_list(struct pkcs7_message *pkcs7)
++{
++	return -ENOKEY;
++}
++#endif
++
  #ifdef CONFIG_IMA_BLACKLIST_KEYRING
  extern struct key *ima_blacklist_keyring;
 diff --git a/include/linux/efi.h b/include/linux/efi.h
 index 14590ff..a7192cd 100644
 --- a/include/linux/efi.h
 +++ b/include/linux/efi.h
@@ -641,6 +641,7 @@ void efi_native_runtime_setup(void);
  #define LINUX_EFI_ARM_SCREEN_INFO_TABLE_GUID	EFI_GUID(0xe03fc20a, 0x85dc, 0x406e,  0xb9, 0x0e, 0x4a, 0xb5, 0x02, 0x37, 0x1d, 0x95)
  #define LINUX_EFI_LOADER_ENTRY_GUID		EFI_GUID(0x4a67b082, 0x0a4c, 0x41cf,  0xb6, 0xc7, 0x44, 0x0b, 0x29, 0xbb, 0x8c, 0x4f)
  #define LINUX_EFI_RANDOM_SEED_TABLE_GUID	EFI_GUID(0x1ce1e5bc, 0x7ceb, 0x42f2,  0x81, 0xe5, 0x8a, 0xad, 0xf1, 0x80, 0xf5, 0x7b)
++#define LINUX_EFI_MOK_VARIABLE_TABLE_GUID	EFI_GUID(0xc451ed2b, 0x9694, 0x45d3,  0xba, 0xba, 0xed, 0x9f, 0x89, 0x88, 0xa3, 0x89)
  typedef struct {
  	efi_guid_t guid;
@@ -936,6 +937,7 @@ extern struct efi {
  	unsigned long properties_table;	/* properties table */
  	unsigned long mem_attr_table;	/* memory attributes table */
  	unsigned long rng_seed;		/* UEFI firmware random seed */
++	unsigned long mokvar_table;	/* MOK variable config table */
  	efi_get_time_t *get_time;
  	efi_set_time_t *set_time;
  	efi_get_wakeup_time_t *get_wakeup_time;
@@ -1650,4 +1652,36 @@ struct linux_efi_random_seed {
  	u8	bits[];
  };
++/*
++ * The LINUX_EFI_MOK_VARIABLE_TABLE_GUID config table can be provided
++ * to the kernel by an EFI boot loader. The table contains a packed
++ * sequence of these entries, one for each named MOK variable.
++ * The sequence is terminated by an entry with a completely NULL
++ * name and 0 data size.
++ */
++struct efi_mokvar_table_entry {
++	char name[256];
++	u64 data_size;
++	u8 data[];
++} __attribute((packed));
++
++#ifdef CONFIG_LOAD_UEFI_KEYS
++extern void __init efi_mokvar_table_init(void);
++extern struct efi_mokvar_table_entry *efi_mokvar_entry_next(
++			struct efi_mokvar_table_entry **mokvar_entry);
++extern struct efi_mokvar_table_entry *efi_mokvar_entry_find(const char *name);
++#else
++static inline void efi_mokvar_table_init(void) { }
++static inline struct efi_mokvar_table_entry *efi_mokvar_entry_next(
++			struct efi_mokvar_table_entry **mokvar_entry)
++{
++	return NULL;
++}
++static inline struct efi_mokvar_table_entry *efi_mokvar_entry_find(
++			const char *name)
++{
++	return NULL;
++}
++#endif
++
  #endif /* _LINUX_EFI_H */
 diff --git a/scripts/Makefile b/scripts/Makefile
 index fb82ada..47d0a97 100644
 --- a/scripts/Makefile
 +++ b/scripts/Makefile
@@ -22,6 +22,7 @@ hostprogs-$(CONFIG_ASN1)	 += asn1_compiler
  hostprogs-$(CONFIG_MODULE_SIG)	 += sign-file
  hostprogs-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += extract-cert
  hostprogs-$(CONFIG_SYSTEM_EXTRA_CERTIFICATE) += insert-sys-cert
++hostprogs-$(CONFIG_SYSTEM_REVOCATION_LIST) += extract-cert
  HOSTCFLAGS_sortextable.o = -I$(srctree)/tools/include
  HOSTCFLAGS_asn1_compiler.o = -I$(srctree)/include

Ubuntulinux package

Merge ~xnox/ubuntu/+source/linux/+git/bionic:revocation-keys into ~ubuntu-kernel/ubuntu/+source/linux/+git/bionic:master-next

Commit message

Description of the change

Unmerged commits

Preview Diff

Subscribers

Ubuntu
linux package