path: root/security/integrity/platform_certs/keyring_handler.c
diff options
authorEric Snowberg <>2021-01-22 13:10:51 -0500
committerDavid Howells <>2021-03-11 16:31:28 +0000
commit56c5812623f95313f6a46fbf0beee7fa17c68bbf (patch)
tree563b2242fb6013a9a277102e9874354de0c27cb4 /security/integrity/platform_certs/keyring_handler.c
parent8f0bfc25c907f38e7f9dc498e8f43000d77327ef (diff)
certs: Add EFI_CERT_X509_GUID support for dbx entries
This fixes CVE-2020-26541. The Secure Boot Forbidden Signature Database, dbx, contains a list of now revoked signatures and keys previously approved to boot with UEFI Secure Boot enabled. The dbx is capable of containing any number of EFI_CERT_X509_SHA256_GUID, EFI_CERT_SHA256_GUID, and EFI_CERT_X509_GUID entries. Currently when EFI_CERT_X509_GUID are contained in the dbx, the entries are skipped. Add support for EFI_CERT_X509_GUID dbx entries. When a EFI_CERT_X509_GUID is found, it is added as an asymmetrical key to the .blacklist keyring. Anytime the .platform keyring is used, the keys in the .blacklist keyring are referenced, if a matching key is found, the key will be rejected. [DH: Made the following changes: - Added to have a config option to enable the facility. This allows a Kconfig solution to make sure that pkcs7_validate_trust() is enabled.[1][2] - Moved the functions out from the middle of the blacklist functions. - Added kerneldoc comments.] Signed-off-by: Eric Snowberg <> Signed-off-by: David Howells <> Reviewed-by: Jarkko Sakkinen <> cc: Randy Dunlap <> cc: Mickaël Salaün <> cc: Arnd Bergmann <> cc: Link: # rfc Link: # v2 Link: # v3 Link: # v4 Link: # v5 Link: Link: # v2 Link: # v3 Link: [1] Link: [2]
Diffstat (limited to 'security/integrity/platform_certs/keyring_handler.c')
1 files changed, 11 insertions, 0 deletions
diff --git a/security/integrity/platform_certs/keyring_handler.c b/security/integrity/platform_certs/keyring_handler.c
index c5ba695c10e3..5604bd57c990 100644
--- a/security/integrity/platform_certs/keyring_handler.c
+++ b/security/integrity/platform_certs/keyring_handler.c
@@ -56,6 +56,15 @@ static __init void uefi_blacklist_binary(const char *source,
+ * Add an X509 cert to the revocation list.
+ */
+static __init void uefi_revocation_list_x509(const char *source,
+ const void *data, size_t len)
+ add_key_to_revocation_list(data, len);
* Return the appropriate handler for particular signature list types found in
* the UEFI db and MokListRT tables.
@@ -76,5 +85,7 @@ __init efi_element_handler_t get_handler_for_dbx(const efi_guid_t *sig_type)
return uefi_blacklist_x509_tbs;
if (efi_guidcmp(*sig_type, efi_cert_sha256_guid) == 0)
return uefi_blacklist_binary;
+ if (efi_guidcmp(*sig_type, efi_cert_x509_guid) == 0)
+ return uefi_revocation_list_x509;
return 0;