[opensuse-kernel] [PATCH 0/7] Backported patches for support load key of module sign from db, dbx and MokList (MODSIGN)
Patch-mainline: Not yet, from Fedora 18 kernel Target: openSUSE 12.3 Test steps: + enable the following kernel configs: CONFIG_MODULE_SIG_FORCE=y CONFIG_MODULE_SIG_BLACKLIST=y CONFIG_MODULE_SIG_UEFI=y + build + make modules_install; make install When we do make modules_install, script will do the kernel modules sign. + copy vmlinuz binary to efi folder: # mv /boot/vmlinuz-3.0.53-default /boot/efi/vmlinuz-3.0.53-default.efi + boot kvm image with UEFI BIOS, enroll key to db, dbx + boot kvm image to SUSE, enroll key to MokList by mokutil + reboot system, go to UEFI shell + run vmlinuz-3.0.53-default.efi STUB kernel, the boot message should show: [ 0.157219] EFI: Loaded cert 'SUSE Lab: Taipei team signing key: 87a94553dfxxxxxxxxxxxxxxxxx453d07948cf93' linked to '.module_sign' [ 0.159674] EFI: Loaded cert 'SUSE Lab: Taipei team signing key: 87a94553dfxxxxxxxxxxxxxxxxx453d07948cf93' linked to '.modsign_blacklist' Backported 7 patches for load key of module sign from db, dbx and MokList (MODSIGN): 0001-modsign-Always-enforce-module-signing-in-a-Secure-Boot.patch 0002-Add-EFI-signature-data-types.patch 0003-Add-an-EFI-signature-blob-parser-and-key-loader.patch 0004-EFI-Add-in-kernel-variable-to-determine-if-Secure-Boot-is-enabled.patch 0005-MODSIGN-Add-module-certificate-blacklist-keyring.patch 0006-MODSIGN-Import-certificates-from-UEFI-Secure-Boot-v3.patch 0007-Dont-soft-lockup-on-bad-EFI-signature-lists.patch -- To unsubscribe, e-mail: opensuse-kernel+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-kernel+owner@opensuse.org
From: Josh Boyer <jwboyer@redhat.com> Git-commit: Not yet Patch-mainline: Not yet, from Fedora 18 kernel Target: openSUSE 12.3 If a machine is booted into a Secure Boot environment, we need to protect the trust model. This requires that all modules be signed with a key that is in the kernel's _modsign keyring. The checks for this are already done via the 'sig_enforce' module parameter. Make this visible within the kernel and force it to be true. Signed-off-by: Josh Boyer <jwboyer@redhat.com> Acked-by: Lee, Chun-Yi <jlee@suse.com> --- kernel/cred.c | 8 ++++++++ kernel/module.c | 4 ++-- 2 files changed, 10 insertions(+), 2 deletions(-) --- a/kernel/cred.c +++ b/kernel/cred.c @@ -623,11 +623,19 @@ void __init cred_init(void) 0, SLAB_HWCACHE_ALIGN|SLAB_PANIC, NULL); } +#ifdef CONFIG_MODULE_SIG +extern bool sig_enforce; +#endif + void __init secureboot_enable() { pr_info("Secure boot enabled\n"); cap_lower((&init_cred)->cap_bset, CAP_COMPROMISE_KERNEL); cap_lower((&init_cred)->cap_permitted, CAP_COMPROMISE_KERNEL); +#ifdef CONFIG_MODULE_SIG + /* Enable module signature enforcing */ + sig_enforce = true; +#endif } /* Dummy Secure Boot enable option to fake out UEFI SB=1 */ --- a/kernel/module.c +++ b/kernel/module.c @@ -123,9 +123,9 @@ struct list_head *kdb_modules = &modules #ifdef CONFIG_MODULE_SIG #ifdef CONFIG_MODULE_SIG_FORCE -static bool sig_enforce = true; +bool sig_enforce = true; #else -static bool sig_enforce = false; +bool sig_enforce = false; static int param_set_bool_enable_only(const char *val, const struct kernel_param *kp) -- To unsubscribe, e-mail: opensuse-kernel+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-kernel+owner@opensuse.org
From: Dave Howells <dhowells@redhat.com> Git-commit: Not yet Patch-mainline: Not yet, from Fedora 18 kernel Target: openSUSE 12.3 Signed-off-by: David Howells <dhowells@redhat.com> Acked-by: Lee, Chun-Yi <jlee@suse.com> --- include/linux/efi.h | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) --- a/include/linux/efi.h +++ b/include/linux/efi.h @@ -312,6 +312,12 @@ typedef efi_status_t efi_query_capsule_c #define EFI_FILE_SYSTEM_GUID \ EFI_GUID( 0x964e5b22, 0x6459, 0x11d2, 0x8e, 0x39, 0x00, 0xa0, 0xc9, 0x69, 0x72, 0x3b ) +#define EFI_CERT_SHA256_GUID \ + EFI_GUID( 0xc1c41626, 0x504c, 0x4092, 0xac, 0xa9, 0x41, 0xf9, 0x36, 0x93, 0x43, 0x28 ) + +#define EFI_CERT_X509_GUID \ + EFI_GUID( 0xa5c059a1, 0x94e4, 0x4aa7, 0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72 ) + typedef struct { efi_guid_t guid; u64 table; @@ -447,6 +453,20 @@ typedef struct { #define EFI_INVALID_TABLE_ADDR (~0UL) +typedef struct { + efi_guid_t signature_owner; + u8 signature_data[]; +} efi_signature_data_t; + +typedef struct { + efi_guid_t signature_type; + u32 signature_list_size; + u32 signature_header_size; + u32 signature_size; + u8 signature_header[]; + /* efi_signature_data_t signatures[][] */ +} efi_signature_list_t; + /* * All runtime access to EFI goes through this structure: */ -- To unsubscribe, e-mail: opensuse-kernel+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-kernel+owner@opensuse.org
From: Dave Howells <dhowells@redhat.com> Git-commit: Not yet Patch-mainline: Not yet, from Fedora 18 kernel Target: openSUSE 12.3 Joey Lee: Add description of keyring to messages when key linked to keyring. Signed-off-by: David Howells <dhowells@redhat.com> Acked-by: Lee, Chun-Yi <jlee@suse.com> --- crypto/asymmetric_keys/Kconfig | 7 ++ crypto/asymmetric_keys/Makefile | 1 crypto/asymmetric_keys/efi_parser.c | 108 ++++++++++++++++++++++++++++++++++++ include/linux/efi.h | 4 + 4 files changed, 120 insertions(+) create mode 100644 crypto/asymmetric_keys/efi_parser.c --- a/crypto/asymmetric_keys/Kconfig +++ b/crypto/asymmetric_keys/Kconfig @@ -35,4 +35,11 @@ config X509_CERTIFICATE_PARSER data and provides the ability to instantiate a crypto key from a public key packet found inside the certificate. +config EFI_SIGNATURE_LIST_PARSER + bool "EFI signature list parser" + select X509_CERTIFICATE_PARSER + help + This option provides support for parsing EFI signature lists for + X.509 certificates and turning them into keys. + endif # ASYMMETRIC_KEY_TYPE --- a/crypto/asymmetric_keys/Makefile +++ b/crypto/asymmetric_keys/Makefile @@ -8,6 +8,7 @@ asymmetric_keys-y := asymmetric_type.o s obj-$(CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE) += public_key.o obj-$(CONFIG_PUBLIC_KEY_ALGO_RSA) += rsa.o +obj-$(CONFIG_EFI_SIGNATURE_LIST_PARSER) += efi_parser.o # # X.509 Certificate handling --- /dev/null +++ b/crypto/asymmetric_keys/efi_parser.c @@ -0,0 +1,108 @@ +/* EFI signature/key/certificate list parser + * + * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved. + * Written by David Howells (dhowells@redhat.com) + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public Licence + * as published by the Free Software Foundation; either version + * 2 of the Licence, or (at your option) any later version. + */ + +#define pr_fmt(fmt) "EFI: "fmt +#include <linux/module.h> +#include <linux/printk.h> +#include <linux/err.h> +#include <linux/efi.h> +#include <keys/asymmetric-type.h> + +static __initdata efi_guid_t efi_cert_x509_guid = EFI_CERT_X509_GUID; + +/** + * parse_efi_signature_list - Parse an EFI signature list for certificates + * @data: The data blob to parse + * @size: The size of the data blob + * @keyring: The keyring to add extracted keys to + */ +int __init parse_efi_signature_list(const void *data, size_t size, struct key *keyring) +{ + unsigned offs = 0; + size_t lsize, esize, hsize, elsize; + + pr_devel("-->%s(,%zu)\n", __func__, size); + + while (size > 0) { + efi_signature_list_t list; + const efi_signature_data_t *elem; + key_ref_t key; + + if (size < sizeof(list)) + return -EBADMSG; + + memcpy(&list, data, sizeof(list)); + pr_devel("LIST[%04x] guid=%pUl ls=%x hs=%x ss=%x\n", + offs, + list.signature_type.b, list.signature_list_size, + list.signature_header_size, list.signature_size); + + lsize = list.signature_list_size; + hsize = list.signature_header_size; + esize = list.signature_size; + elsize = lsize - sizeof(list) - hsize; + + if (lsize > size) { + pr_devel("<--%s() = -EBADMSG [overrun @%x]\n", + __func__, offs); + return -EBADMSG; + } + if (lsize < sizeof(list) || + lsize - sizeof(list) < hsize || + esize < sizeof(*elem) || + elsize < esize || + elsize % esize != 0) { + pr_devel("- bad size combo @%x\n", offs); + continue; + } + + if (efi_guidcmp(list.signature_type, efi_cert_x509_guid) != 0) { + data += lsize; + size -= lsize; + offs += lsize; + continue; + } + + data += sizeof(list) + hsize; + size -= sizeof(list) + hsize; + offs += sizeof(list) + hsize; + + for (; elsize > 0; elsize -= esize) { + elem = data; + + pr_devel("ELEM[%04x]\n", offs); + + key = key_create_or_update( + make_key_ref(keyring, 1), + "asymmetric", + NULL, + &elem->signature_data, + esize - sizeof(*elem), + (KEY_POS_ALL & ~KEY_POS_SETATTR) | + KEY_USR_VIEW, + KEY_ALLOC_NOT_IN_QUOTA); + + if (IS_ERR(key)) + pr_err("Problem loading in-kernel X.509 certificate (%ld)\n", + PTR_ERR(key)); + else + pr_notice("Loaded cert '%s' linked to '%s'\n", + key_ref_to_ptr(key)->description, + keyring->description); + + data += esize; + size -= esize; + offs += esize; + } + } + + return 0; +} --- a/include/linux/efi.h +++ b/include/linux/efi.h @@ -540,6 +540,10 @@ extern int efi_set_rtc_mmss(unsigned lon extern void efi_reserve_boot_services(void); extern struct efi_memory_map memmap; +struct key; +extern int __init parse_efi_signature_list(const void *data, size_t size, + struct key *keyring); + /** * efi_range_is_wc - check the WC bit on an address range * @start: starting kvirt address -- To unsubscribe, e-mail: opensuse-kernel+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-kernel+owner@opensuse.org
From: Josh Boyer <jwboyer@redhat.com> Git-commit: Not yet Patch-mainline: Not yet, from Fedora 18 kernel Target: openSUSE 12.3 There are a few cases where in-kernel functions may need to know if Secure Boot is enabled. The added capability check cannot be used as the kernel can't drop it's own capabilites, so we add a global variable similar to efi_enabled so they can determine if Secure Boot is enabled. Signed-off-by: Josh Boyer <jwboyer@redhat.com> Acked-by: Lee, Chun-Yi <jlee@suse.com> --- arch/x86/kernel/setup.c | 6 +++++- arch/x86/platform/efi/efi.c | 2 ++ include/linux/efi.h | 3 +++ 3 files changed, 10 insertions(+), 1 deletion(-) --- a/arch/x86/kernel/setup.c +++ b/arch/x86/kernel/setup.c @@ -964,8 +964,12 @@ void __init setup_arch(char **cmdline_p) io_delay_init(); - if (boot_params.secure_boot) + if (boot_params.secure_boot) { secureboot_enable(); +#ifdef CONFIG_EFI + secure_boot_enabled = 1; +#endif + } /* * Parse the ACPI tables for possible boot-time SMP configuration. --- a/arch/x86/platform/efi/efi.c +++ b/arch/x86/platform/efi/efi.c @@ -54,6 +54,8 @@ int efi_enabled; EXPORT_SYMBOL(efi_enabled); +int secure_boot_enabled; + struct efi __read_mostly efi = { .mps = EFI_INVALID_TABLE_ADDR, .acpi = EFI_INVALID_TABLE_ADDR, --- a/include/linux/efi.h +++ b/include/linux/efi.h @@ -577,11 +577,14 @@ extern int __init efi_setup_pcdp_console # ifdef CONFIG_X86 extern int efi_enabled; extern bool efi_64bit; + extern int secure_boot_enabled; # else # define efi_enabled 1 +# define secure_boot_enabled 0 # endif #else # define efi_enabled 0 +# define secure_boot_enabled 0 #endif /* -- To unsubscribe, e-mail: opensuse-kernel+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-kernel+owner@opensuse.org
From: Josh Boyer <jwboyer@redhat.com> Git-commit: Not yet Patch-mainline: Not yet, from Fedora 18 kernel Target: openSUSE 12.3 This adds an additional keyring that is used to store certificates that are blacklisted. This keyring is searched first when loading signed modules and if the module's certificate is found, it will refuse to load. This is useful in cases where third party certificates are used for module signing. Signed-off-by: Josh Boyer <jwboyer@redhat.com> Acked-by: Lee, Chun-Yi <jlee@suse.com> --- init/Kconfig | 8 ++++++++ kernel/modsign_pubkey.c | 17 +++++++++++++++++ kernel/module-internal.h | 3 +++ kernel/module_signing.c | 14 +++++++++++++- 4 files changed, 41 insertions(+), 1 deletion(-) --- a/init/Kconfig +++ b/init/Kconfig @@ -1641,6 +1641,14 @@ config MODULE_SIG_FORCE Reject unsigned modules or signed modules for which we don't have a key. Without this, such modules will simply taint the kernel. +config MODULE_SIG_BLACKLIST + bool "Support for blacklisting module signature certificates" + depends on MODULE_SIG + help + This adds support for keeping a blacklist of certificates that + should not pass module signature verification. If a module is + signed with something in this keyring, the load will be rejected. + choice prompt "Which hash algorithm should modules be signed with?" depends on MODULE_SIG --- a/kernel/modsign_pubkey.c +++ b/kernel/modsign_pubkey.c @@ -17,6 +17,9 @@ #include "module-internal.h" struct key *modsign_keyring; +#ifdef CONFIG_MODULE_SIG_BLACKLIST +struct key *modsign_blacklist; +#endif extern __initdata const u8 modsign_certificate_list[]; extern __initdata const u8 modsign_certificate_list_end[]; @@ -40,6 +43,20 @@ static __init int module_verify_init(voi if (key_instantiate_and_link(modsign_keyring, NULL, 0, NULL, NULL) < 0) panic("Can't instantiate module signing keyring\n"); +#ifdef CONFIG_MODULE_SIG_BLACKLIST + modsign_blacklist = key_alloc(&key_type_keyring, ".modsign_blacklist", + KUIDT_INIT(0), KGIDT_INIT(0), + current_cred(), + (KEY_POS_ALL & ~KEY_POS_SETATTR) | + KEY_USR_VIEW | KEY_USR_READ, + KEY_ALLOC_NOT_IN_QUOTA); + if (IS_ERR(modsign_blacklist)) + panic("Can't allocate module signing blacklist keyring\n"); + + if (key_instantiate_and_link(modsign_blacklist, NULL, 0, NULL, NULL) < 0) + panic("Can't instantiate module signing blacklist keyring\n"); +#endif + return 0; } --- a/kernel/module-internal.h +++ b/kernel/module-internal.h @@ -10,5 +10,8 @@ */ extern struct key *modsign_keyring; +#ifdef CONFIG_MODULE_SIG_BLACKLIST +extern struct key *modsign_blacklist; +#endif extern int mod_verify_sig(const void *mod, unsigned long *_modlen); --- a/kernel/module_signing.c +++ b/kernel/module_signing.c @@ -133,7 +133,7 @@ static int mod_extract_mpi_array(struct static struct key *request_asymmetric_key(const char *signer, size_t signer_len, const u8 *key_id, size_t key_id_len) { - key_ref_t key; + key_ref_t key, blacklist; size_t i; char *id, *q; @@ -158,6 +158,18 @@ static struct key *request_asymmetric_ke pr_debug("Look up: \"%s\"\n", id); +#ifdef CONFIG_MODULE_SIG_BLACKLIST + blacklist = keyring_search(make_key_ref(modsign_blacklist, 1), + &key_type_asymmetric, id); + if (!IS_ERR(blacklist)) { + /* module is signed with a cert in the blacklist. reject */ + pr_err("Module key '%s' is in blacklist\n", id); + key_ref_put(blacklist); + kfree(id); + return ERR_PTR(-EKEYREJECTED); + } +#endif + key = keyring_search(make_key_ref(modsign_keyring, 1), &key_type_asymmetric, id); if (IS_ERR(key)) -- To unsubscribe, e-mail: opensuse-kernel+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-kernel+owner@opensuse.org
From: Josh Boyer <jwboyer@redhat.com> Git-commit: Not yet Patch-mainline: Not yet, from Fedora 18 kernel Target: openSUSE 12.3 Secure Boot stores a list of allowed certificates in the 'db' variable. This imports those certificates into the module signing keyring. This allows for a third party signing certificate to be used in conjunction with signed modules. By importing the public certificate into the 'db' variable, a user can allow a module signed with that certificate to load. The shim UEFI bootloader has a similar certificate list stored in the 'MokListRT' variable. We import those as well. In the opposite case, Secure Boot maintains a list of disallowed certificates in the 'dbx' variable. We load those certificates into the newly introduced module blacklist keyring and forbid any module signed with those from loading. Signed-off-by: Josh Boyer <jwboyer@redhat.com> Acked-by: Lee, Chun-Yi <jlee@suse.com> --- include/linux/efi.h | 6 +++ init/Kconfig | 9 +++++ kernel/Makefile | 3 + kernel/modsign_uefi.c | 90 ++++++++++++++++++++++++++++++++++++++++++++++++++ 4 files changed, 108 insertions(+) create mode 100644 kernel/modsign_uefi.c --- a/include/linux/efi.h +++ b/include/linux/efi.h @@ -318,6 +318,12 @@ typedef efi_status_t efi_query_capsule_c #define EFI_CERT_X509_GUID \ EFI_GUID( 0xa5c059a1, 0x94e4, 0x4aa7, 0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72 ) +#define EFI_IMAGE_SECURITY_DATABASE_GUID \ + EFI_GUID( 0xd719b2cb, 0x3d3a, 0x4596, 0xa3, 0xbc, 0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f ) + +#define EFI_SHIM_LOCK_GUID \ + EFI_GUID( 0x605dab50, 0xe046, 0x4300, 0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23 ) + typedef struct { efi_guid_t guid; u64 table; --- a/init/Kconfig +++ b/init/Kconfig @@ -1649,6 +1649,15 @@ config MODULE_SIG_BLACKLIST should not pass module signature verification. If a module is signed with something in this keyring, the load will be rejected. +config MODULE_SIG_UEFI + bool "Allow modules signed with certs stored in UEFI" + depends on MODULE_SIG && MODULE_SIG_BLACKLIST && EFI + select EFI_SIGNATURE_LIST_PARSER + help + This will import certificates stored in UEFI and allow modules + signed with those to be loaded. It will also disallow loading + of modules stored in the UEFI dbx variable. + choice prompt "Which hash algorithm should modules be signed with?" depends on MODULE_SIG --- a/kernel/Makefile +++ b/kernel/Makefile @@ -55,6 +55,7 @@ obj-$(CONFIG_PROVE_LOCKING) += spinlock. obj-$(CONFIG_UID16) += uid16.o obj-$(CONFIG_MODULES) += module.o obj-$(CONFIG_MODULE_SIG) += module_signing.o modsign_pubkey.o modsign_certificate.o +obj-$(CONFIG_MODULE_SIG_UEFI) += modsign_uefi.o obj-$(CONFIG_KALLSYMS) += kallsyms.o obj-$(CONFIG_STACK_UNWIND) += unwind.o obj-$(CONFIG_BSD_PROCESS_ACCT) += acct.o @@ -114,6 +115,8 @@ obj-$(CONFIG_JUMP_LABEL) += jump_label.o $(obj)/configs.o: $(obj)/config_data.h +$(obj)/modsign_uefi.o: KBUILD_CFLAGS += -fshort-wchar + # config_data.h contains the same information as ikconfig.h but gzipped. # Info from config_data can be extracted from /proc/config* targets += config_data.gz --- /dev/null +++ b/kernel/modsign_uefi.c @@ -0,0 +1,90 @@ +#include <linux/kernel.h> +#include <linux/sched.h> +#include <linux/cred.h> +#include <linux/err.h> +#include <linux/efi.h> +#include <keys/asymmetric-type.h> +#include "module-internal.h" + +static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid, unsigned long *size) +{ + efi_status_t status; + unsigned long lsize = 4; + unsigned long tmpdb[4]; + void *db = NULL; + + status = efi.get_variable(name, guid, NULL, &lsize, &tmpdb); + if (status != EFI_BUFFER_TOO_SMALL) { + pr_err("Couldn't get size: 0x%lx\n", status); + return NULL; + } + + db = kmalloc(lsize, GFP_KERNEL); + if (!db) { + pr_err("Couldn't allocate memory for uefi cert list\n"); + goto out; + } + + status = efi.get_variable(name, guid, NULL, &lsize, db); + if (status != EFI_SUCCESS) { + kfree(db); + db = NULL; + pr_err("Error reading db var: 0x%lx\n", status); + } +out: + *size = lsize; + return db; +} + +/* + * * Load the certs contained in the UEFI databases + * */ +static int __init load_uefi_certs(void) +{ + efi_guid_t secure_var = EFI_IMAGE_SECURITY_DATABASE_GUID; + efi_guid_t mok_var = EFI_SHIM_LOCK_GUID; + void *db = NULL, *dbx = NULL, *mok = NULL; + unsigned long dbsize = 0, dbxsize = 0, moksize = 0; + int rc = 0; + + /* Check if SB is enabled and just return if not */ + if (!secure_boot_enabled) + return 0; + + /* Get db, MokListRT, and dbx. They might not exist, so it isn't + * an error if we can't get them. + */ + db = get_cert_list(L"db", &secure_var, &dbsize); + if (!db) { + pr_err("MODSIGN: Couldn't get UEFI db list\n"); + } else { + rc = parse_efi_signature_list(db, dbsize, modsign_keyring); + if (rc) + pr_err("Couldn't parse db signatures: %d\n", rc); + kfree(db); + } + + mok = get_cert_list(L"MokListRT", &mok_var, &moksize); + if (!mok) { + pr_info("MODSIGN: Couldn't get UEFI MokListRT\n"); + } else { + rc = parse_efi_signature_list(mok, moksize, modsign_keyring); + if (rc) + pr_err("Couldn't parse MokListRT signatures: %d\n", rc); + kfree(mok); + } + + dbx = get_cert_list(L"dbx", &secure_var, &dbxsize); + if (!dbx) { + pr_info("MODSIGN: Couldn't get UEFI dbx list\n"); + } else { + rc = parse_efi_signature_list(dbx, dbxsize, + modsign_blacklist); + if (rc) + pr_err("Couldn't parse dbx signatures: %d\n", rc); + kfree(dbx); + } + + return rc; +} +late_initcall(load_uefi_certs); -- To unsubscribe, e-mail: opensuse-kernel+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-kernel+owner@opensuse.org
From: Josh Boyer <jwboyer@redhat.com> Git-commit: Not yet Patch-mainline: Not yet, from Fedora 18 kernel Target: openSUSE 12.3 If a signature list is read from an UEFI variable and that contains bogus data, we can go into an infinite loop in efi_parse_signature_list. Notably, if one of the entries in the list has a signature_size that is larger than the actual signature size, it will fail the elsize < esize test. Simply continuing in the loop without modifying the data or size variables just leads to the same list entry being parsed repeatedly. Since the data is bogus, but we can't tell which value is actually incorrect, we need to stop parsing the list. Just return -EBADMSG instead. Signed-off-by: Josh Boyer <jwboyer@redhat.com> Acked-by: Lee, Chun-Yi <jlee@suse.com> --- crypto/asymmetric_keys/efi_parser.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/crypto/asymmetric_keys/efi_parser.c +++ b/crypto/asymmetric_keys/efi_parser.c @@ -61,7 +61,7 @@ int __init parse_efi_signature_list(cons elsize < esize || elsize % esize != 0) { pr_devel("- bad size combo @%x\n", offs); - continue; + return -EBADMSG; } if (efi_guidcmp(list.signature_type, efi_cert_x509_guid) != 0) { -- To unsubscribe, e-mail: opensuse-kernel+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-kernel+owner@opensuse.org
participants (1)
-
Lee, Chun-Yi