MODSIGN: Import certificates from UEFI Secure Boot

Orabug: 21539498

Secure Boot stores a list of allowed certificates in the 'db' variable.
This imports those certificates into the module signing keyring. This
allows for a third party signing certificate to be used in conjunction
with signed modules. By importing the public certificate into the 'db'
variable, a user can allow a module signed with that certificate to
load. The shim UEFI bootloader has a similar certificate list stored
in the 'MokListRT' variable. We import those as well.

In the opposite case, Secure Boot maintains a list of disallowed
certificates in the 'dbx' variable. We load those certificates into
the newly introduced module blacklist keyring and forbid any module
signed with those from loading.

Signed-off-by: Josh Boyer <jwboyer at fedoraproject.org>
Signed-off-by: Guangyu Sun <guangyu.sun@oracle.com>
Signed-off-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
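
The 'db', 'dbx' and 'MokListRT' variables named in the commit message hold data in the UEFI `EFI_SIGNATURE_LIST` format. The following is an added example, not code from this patch, of walking such a blob and bounds-checking every size field before extracting X.509 entries. The names `efi_x509_entries`, `cert_ref` and `SAMPLE` are illustrative, and the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HDR 28u   /* SignatureType GUID + ListSize + HeaderSize + SignatureSize */
#define OWNER 16u /* each entry starts with a SignatureOwner GUID */

struct cert_ref { const uint8_t *der; size_t len; };

/* EFI_CERT_X509_GUID a5c059a1-94e4-4aa7-87b5-ab155c2bf072, in stored byte order */
static const uint8_t X509_GUID[16] = { 0xa1,0x59,0xc0,0xa5, 0xe4,0x94, 0xa7,0x4a,
                                       0x87,0xb5, 0xab,0x15,0x5c,0x2b,0xf0,0x72 };

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Illustrative helper: walk concatenated EFI_SIGNATURE_LISTs, store up to max
 * X.509 entries in out; return the number found, or -1 if a list is malformed. */
int efi_x509_entries(const uint8_t *buf, size_t len, struct cert_ref *out, int max)
{
    int n = 0;
    while (len > 0) {
        if (len < HDR) return -1;
        uint32_t lsize = rd32(buf + 16), hsize = rd32(buf + 20), esize = rd32(buf + 24);
        if (lsize < HDR || lsize > len || hsize > lsize - HDR || esize <= OWNER)
            return -1;
        uint32_t body = lsize - HDR - hsize;
        if (body % esize) return -1;
        if (memcmp(buf, X509_GUID, 16) == 0) {   /* other types (hashes) are skipped */
            const uint8_t *e = buf + HDR + hsize;
            for (uint32_t i = 0; i < body / esize; i++, e += esize, n++)
                if (n < max) { out[n].der = e + OWNER; out[n].len = esize - OWNER; }
        }
        buf += lsize; len -= lsize;
    }
    return n;
}

/* Constructed sample: one X.509 list holding one 4-byte placeholder "cert". */
static const uint8_t SAMPLE[48] = {
    0xa1,0x59,0xc0,0xa5,0xe4,0x94,0xa7,0x4a,0x87,0xb5,0xab,0x15,0x5c,0x2b,0xf0,0x72,
    48,0,0,0,  0,0,0,0,  20,0,0,0,          /* ListSize, HeaderSize, SignatureSize */
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,        /* SignatureOwner */
    0x30,0x82,0x01,0x0a };                  /* placeholder bytes, not a real cert */

int main(void) { struct cert_ref c; return efi_x509_entries(SAMPLE, sizeof SAMPLE, &c, 1) != 1; }
```

Because the blob comes from firmware variables, a truncated or inconsistent list returns -1 and nothing from it is handed to a keyring.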