author: Eric Snowberg <> 2021-01-22 13:10:51 -0500
committer: David Howells <> 2021-03-11 16:31:28 +0000
commit: 56c5812623f95313f6a46fbf0beee7fa17c68bbf
tree: 563b2242fb6013a9a277102e9874354de0c27cb4 /certs/system_keyring.c
parent: 8f0bfc25c907f38e7f9dc498e8f43000d77327ef
certs: Add EFI_CERT_X509_GUID support for dbx entries
This fixes CVE-2020-26541.

The Secure Boot Forbidden Signature Database, dbx, contains a list of now revoked signatures and keys previously approved to boot with UEFI Secure Boot enabled. The dbx is capable of containing any number of EFI_CERT_X509_SHA256_GUID, EFI_CERT_SHA256_GUID, and EFI_CERT_X509_GUID entries.

Currently when EFI_CERT_X509_GUID are contained in the dbx, the entries are skipped.

Add support for EFI_CERT_X509_GUID dbx entries. When an EFI_CERT_X509_GUID is found, it is added as an asymmetrical key to the .blacklist keyring. Any time the .platform keyring is used, the keys in the .blacklist keyring are referenced; if a matching key is found, the key will be rejected.

[DH: Made the following changes:
 - Added to have a config option to enable the facility. This allows a Kconfig solution to make sure that pkcs7_validate_trust() is enabled.[1][2]
 - Moved the functions out from the middle of the blacklist functions.
 - Added kerneldoc comments.]

Signed-off-by: Eric Snowberg <>
Signed-off-by: David Howells <>
Reviewed-by: Jarkko Sakkinen <>
cc: Randy Dunlap <>
cc: Mickaël Salaün <>
cc: Arnd Bergmann <>
cc:
Link: # rfc
Link: # v2
Link: # v3
Link: # v4
Link: # v5
Link:
Link: # v2
Link: # v3
Link: [1]
Link: [2]
Diffstat (limited to 'certs/system_keyring.c')
1 files changed, 6 insertions, 0 deletions
diff --git a/certs/system_keyring.c b/certs/system_keyring.c
index 4b693da488f1..ed98754d5795 100644
--- a/certs/system_keyring.c
+++ b/certs/system_keyring.c
@@ -242,6 +242,12 @@ int verify_pkcs7_message_sig(const void *data, size_t len,
pr_devel("PKCS#7 platform keyring is not available\n");
goto error;
+ ret = is_key_on_revocation_list(pkcs7);
+ if (ret != -ENOKEY) {
+ pr_devel("PKCS#7 platform key is on revocation list\n");
+ goto error;
+ }
ret = pkcs7_validate_trust(pkcs7, trusted_keys);
if (ret < 0) {
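Review bot: the condition `if (ret != -ENOKEY)` treats every return value of is_key_on_revocation_list() other than -ENOKEY, including 0 and any unrelated error, as "key is on revocation list", and the pr_devel() message asserts revocation regardless of which code actually came back. Since the error path is then taken with that arbitrary `ret`, a caller cannot tell a revoked key from a failed lookup, and a 0 return would jump to `error` with a success code. Suggest testing for the explicit rejection code the revocation check returns and reporting anything else separately, e.g. `pr_devel("PKCS#7 platform key revocation check failed: %d\n", ret);` for the non-rejection branch, so the debug output and the returned error match what happened. Also worth a comment at the call site noting why the revocation check is deliberately run before pkcs7_validate_trust(): a revoked key must be refused even when it would otherwise chain to a trusted one.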