
pkg/debian: Add patch to fix signature verification check for module loading

Maximilian Luz 2 vuotta sitten
vanhempi
commit
d2b7164629

+ 102 - 0
pkg/debian/kernel/0001-Revert-integrity-Only-use-machine-keyring-when-uefi_.patch

@@ -0,0 +1,102 @@
+From 5b4a9bf506709048bdc7e34dfd45d77d12204088 Mon Sep 17 00:00:00 2001
+From: Maximilian Luz <luzmaximilian@gmail.com>
+Date: Fri, 26 Aug 2022 21:24:36 +0200
+Subject: [PATCH] Revert "integrity: Only use machine keyring when
+ uefi_check_trust_mok_keys is true"
+
+This reverts commit 3d6ae1a5d0c2019d274284859f556dcb64aa98a7.
+
+MokListTrustedRT doesn't seem to be set by the Shim version used by
+Ubuntu and Debian. Therefore, these systems don't trust the MOK keys on
+newer kernels. While pre-5.19 kernels silently disregard the untrusted
+keys and (without signature enforcement enabled) still load external
+modules (tainting the kernel), on 5.19 kernels, this breaks module
+loading. Therefore, revert this change.
+
+See https://github.com/linux-surface/linux-surface/issues/906.
+---
+ security/integrity/digsig.c                      |  2 +-
+ security/integrity/integrity.h                   |  5 -----
+ .../integrity/platform_certs/keyring_handler.c   |  2 +-
+ .../integrity/platform_certs/machine_keyring.c   | 16 ----------------
+ 4 files changed, 2 insertions(+), 23 deletions(-)
+
+diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c
+index 8a82a6c7f48a..c0c2fd0a6c71 100644
+--- a/security/integrity/digsig.c
++++ b/security/integrity/digsig.c
+@@ -113,7 +113,7 @@ static int __init __integrity_init_keyring(const unsigned int id,
+ 	} else {
+ 		if (id == INTEGRITY_KEYRING_PLATFORM)
+ 			set_platform_trusted_keys(keyring[id]);
+-		if (id == INTEGRITY_KEYRING_MACHINE && trust_moklist())
++		if (id == INTEGRITY_KEYRING_MACHINE)
+ 			set_machine_trusted_keys(keyring[id]);
+ 		if (id == INTEGRITY_KEYRING_IMA)
+ 			load_module_cert(keyring[id]);
+diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
+index 7167a6e99bdc..1dbb494c86c0 100644
+--- a/security/integrity/integrity.h
++++ b/security/integrity/integrity.h
+@@ -320,14 +320,9 @@ static inline void __init add_to_platform_keyring(const char *source,
+ 
+ #ifdef CONFIG_INTEGRITY_MACHINE_KEYRING
+ void __init add_to_machine_keyring(const char *source, const void *data, size_t len);
+-bool __init trust_moklist(void);
+ #else
+ static inline void __init add_to_machine_keyring(const char *source,
+ 						  const void *data, size_t len)
+ {
+ }
+-static inline bool __init trust_moklist(void)
+-{
+-	return false;
+-}
+ #endif
+diff --git a/security/integrity/platform_certs/keyring_handler.c b/security/integrity/platform_certs/keyring_handler.c
+index 8a1124e4d769..b22e0125a483 100644
+--- a/security/integrity/platform_certs/keyring_handler.c
++++ b/security/integrity/platform_certs/keyring_handler.c
+@@ -61,7 +61,7 @@ __init efi_element_handler_t get_handler_for_db(const efi_guid_t *sig_type)
+ __init efi_element_handler_t get_handler_for_mok(const efi_guid_t *sig_type)
+ {
+ 	if (efi_guidcmp(*sig_type, efi_cert_x509_guid) == 0) {
+-		if (IS_ENABLED(CONFIG_INTEGRITY_MACHINE_KEYRING) && trust_moklist())
++		if (IS_ENABLED(CONFIG_INTEGRITY_MACHINE_KEYRING))
+ 			return add_to_machine_keyring;
+ 		else
+ 			return add_to_platform_keyring;
+diff --git a/security/integrity/platform_certs/machine_keyring.c b/security/integrity/platform_certs/machine_keyring.c
+index 7aaed7950b6e..09fd8f20c756 100644
+--- a/security/integrity/platform_certs/machine_keyring.c
++++ b/security/integrity/platform_certs/machine_keyring.c
+@@ -8,8 +8,6 @@
+ #include <linux/efi.h>
+ #include "../integrity.h"
+ 
+-static bool trust_mok;
+-
+ static __init int machine_keyring_init(void)
+ {
+ 	int rc;
+@@ -61,17 +59,3 @@ static __init bool uefi_check_trust_mok_keys(void)
+ 
+ 	return false;
+ }
+-
+-bool __init trust_moklist(void)
+-{
+-	static bool initialized;
+-
+-	if (!initialized) {
+-		initialized = true;
+-
+-		if (uefi_check_trust_mok_keys())
+-			trust_mok = true;
+-	}
+-
+-	return trust_mok;
+-}
+-- 
+2.37.2
+
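Review bot: The digsig.c hunk (the `+		if (id == INTEGRITY_KEYRING_MACHINE)` line replacing the `trust_moklist()` test) makes `set_machine_trusted_keys(keyring[id])` unconditional, and the keyring_handler.c hunk likewise routes MOK x509 certificates into the machine keyring whenever CONFIG_INTEGRITY_MACHINE_KEYRING is set, so MOK-enrolled certificates become trusted for signature verification without the MokListTrustedRT assertion that upstream added as the gate. Neither the packaging commit title nor the patch header records that this widens the trust boundary from "keys the shim has vouched for" back to "any key present in MokList", which is a policy change a distro kernel reviewer would want stated explicitly, even though it matches pre-5.19 behaviour as the header says. I would add a paragraph to the patch header along the lines of `Note: with this revert the machine keyring trusts every MokList entry regardless of whether the shim sets MokListTrustedRT; this is the pre-5.19 trust model and is intended only until the shim shipped by Debian/Ubuntu exposes that variable.` It would also help to note in the header whether the revert should be dropped once a shim that sets MokListTrustedRT is available, so the gate is not silently carried forward. As far as I can tell from the kernel's keyring layering the machine keyring feeds module-signature verification, which is why the trust widening matters; confirm against the kernel version being packaged.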