On Sun, 2018-11-25 at 20:44 +0530, Nayna Jain wrote: > From: Josh Boyer <jwboyer@xxxxxxxxxxxxxxxxx> > > New Patch Description: > ====================== > > Secure Boot stores a list of allowed certificates in the 'db' variable. > This patch imports those certificates into the platform keyring. The shim > UEFI bootloader has a similar certificate list stored in the 'MokListRT' > variable. We import those as well. > > Secure Boot also maintains a list of disallowed certificates in the 'dbx' > variable. We load those certificates into the system blacklist keyring > and forbid any kernel signed with those from loading. > > Original Patch Description: > ============================ > > Secure Boot stores a list of allowed certificates in the 'db' variable. > This imports those certificates into the system trusted keyring. This > allows for a third party signing certificate to be used in conjunction > with signed modules. By importing the public certificate into the 'db' > variable, a user can allow a module signed with that certificate to > load. The shim UEFI bootloader has a similar certificate list stored > in the 'MokListRT' variable. We import those as well. > > Secure Boot also maintains a list of disallowed certificates in the 'dbx' > variable. We load those certificates into the newly introduced system > blacklist keyring and forbid any module signed with those from loading and > forbid the use within the kernel of any key with a matching hash. > > This facility is enabled by setting CONFIG_LOAD_UEFI_KEYS. There are quite a few checkpatch.pl warnings that need to be addressed, including the missing SPDX license. Mimi
