David Howells <[email protected]> wrote:
> This set of patches from Eric Snowberg that add support for
> EFI_CERT_X509_GUID entries in the dbx and mokx UEFI tables (such entries
> cause matching certificates to be rejected). These are currently ignored
> and only the hash entries are made use of.
>
> These patches fix CVE-2020-26541.
>
> To quote Eric:
>
> This is the fifth patch series for adding support for
> EFI_CERT_X509_GUID entries [1]. It has been expanded to not only
> include dbx entries but also entries in the mokx. Additionally my
> series to preload these certificate [2] has also been included.
>
> This series is based on v5.11-rc4.
>
> [1]
> https://patchwork.kernel.org/project/linux-security-module/patch/[email protected]/
> [2] https://lore.kernel.org/patchwork/cover/1315485/
>
> Note that this is based on top of the collected minor fixes I sent you a
> preceding pull request for. If you would rather this was not based on my
> keys-misc branch, but was instead based on your tree directly, I can rebase
> it. Note that there would be very minor conflict between the two branches,
> but I think git merge should be able to handle it automatically.
Please drop this request for now. It turns out there's a broken dependency
in there:
https://lore.kernel.org/keyrings/[email protected]/
I'll look at folding that in, but I'm not sure Eric's solution is the right
one. I suspect there needs to be something in Kconfig somewhere.
David
