It's base on the kernel patches of Fedora 20. This patch set add the support to MODSIGN mechanism for revoke kernel module by hash or public key. As MokListRT, EFI bootloader(e.g. shim) should maintain the MokListXRT container the format the same with dbx. The patches will check the hash of kernel module before load it. I doesn't add the module hash blacklist support to dbx because UEFI BIOS of Intel DQ57TM, my development board, doesn't allow set hash of non-efi file to dbx. v2: + Use the digest generated by mod_make_digest() to avoid computing the hash twice. + Also check the hash of whole module file is not in the module hash blacklist. + Change the statements of information log. + The hash type need the same with CONFIG_MODULE_SIG_HASH. + Handle the return value of func() + Move the logic of parsing EFI signature database to parse_efi_signature_db() for collecting certificates and hashes. + Still parsing hashes when signature parsing fail on MOKx. Lee, Chun-Yi (2): MODSIGN: check hash of kernel module in blacklist MODSIGN: load hash blacklist of modules from MOKx crypto/asymmetric_keys/efi_parser.c | 80 +++++++++++++++++++---------- include/linux/efi.h | 16 ++++++ kernel/modsign_uefi.c | 97 ++++++++++++++++++++++++++++++++++- kernel/module-internal.h | 13 +++++ kernel/module_signing.c | 86 ++++++++++++++++++++++++++++++- 5 files changed, 261 insertions(+), 31 deletions(-) _______________________________________________ kernel mailing list kernel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/kernel
