b0e22b47f6
Pull x509 dbx/mokx UEFI support from David Howells:
"Here's a set of patches from Eric Snowberg[1] that add support for
EFI_CERT_X509_GUID entries in the dbx and mokx UEFI tables (such
entries cause matching certificates to be rejected).
These are currently ignored and only the hash entries are made use of.
Additionally Eric included his patches to allow such certificates to
be preloaded.
These patches deal with CVE-2020-26541.
To quote Eric:
'This is the fifth patch series for adding support for
EFI_CERT_X509_GUID entries [2]. It has been expanded to not only
include dbx entries but also entries in the mokx. Additionally
my series to preload these certificate [3] has also been
included'"
Link: https://lore.kernel.org/r/20210122181054.32635-1-eric.snowberg@oracle.com [1]
Link: https://patchwork.kernel.org/project/linux-security-module/patch/20200916004927.64276-1-eric.snowberg@oracle.com/ [2]
Link: https://lore.kernel.org/patchwork/cover/1315485/ [3]
* tag 'keys-cve-2020-26541-v3' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs:
integrity: Load mokx variables into the blacklist keyring
certs: Add ability to preload revocation certs
certs: Move load_system_certificate_list to a common function
certs: Add EFI_CERT_X509_GUID support for dbx entries
47 lines
1.6 KiB
Makefile
47 lines
1.6 KiB
Makefile
# SPDX-License-Identifier: GPL-2.0
|
|
###
|
|
# scripts contains sources for various helper programs used throughout
|
|
# the kernel for the build process.
|
|
|
|
CRYPTO_LIBS = $(shell pkg-config --libs libcrypto 2> /dev/null || echo -lcrypto)
|
|
CRYPTO_CFLAGS = $(shell pkg-config --cflags libcrypto 2> /dev/null)
|
|
|
|
hostprogs-always-$(CONFIG_BUILD_BIN2C) += bin2c
|
|
hostprogs-always-$(CONFIG_KALLSYMS) += kallsyms
|
|
hostprogs-always-$(BUILD_C_RECORDMCOUNT) += recordmcount
|
|
hostprogs-always-$(CONFIG_BUILDTIME_TABLE_SORT) += sorttable
|
|
hostprogs-always-$(CONFIG_ASN1) += asn1_compiler
|
|
hostprogs-always-$(CONFIG_MODULE_SIG_FORMAT) += sign-file
|
|
hostprogs-always-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += extract-cert
|
|
hostprogs-always-$(CONFIG_SYSTEM_EXTRA_CERTIFICATE) += insert-sys-cert
|
|
hostprogs-always-$(CONFIG_SYSTEM_REVOCATION_LIST) += extract-cert
|
|
|
|
HOSTCFLAGS_sorttable.o = -I$(srctree)/tools/include
|
|
HOSTCFLAGS_asn1_compiler.o = -I$(srctree)/include
|
|
HOSTCFLAGS_sign-file.o = $(CRYPTO_CFLAGS)
|
|
HOSTLDLIBS_sign-file = $(CRYPTO_LIBS)
|
|
HOSTCFLAGS_extract-cert.o = $(CRYPTO_CFLAGS)
|
|
HOSTLDLIBS_extract-cert = $(CRYPTO_LIBS)
|
|
|
|
ifdef CONFIG_UNWINDER_ORC
|
|
ifeq ($(ARCH),x86_64)
|
|
ARCH := x86
|
|
endif
|
|
HOSTCFLAGS_sorttable.o += -I$(srctree)/tools/arch/x86/include
|
|
HOSTCFLAGS_sorttable.o += -DUNWINDER_ORC_ENABLED
|
|
HOSTLDLIBS_sorttable = -lpthread
|
|
endif
|
|
|
|
# The following programs are only built on demand
|
|
hostprogs += unifdef
|
|
|
|
# The module linker script is preprocessed on demand
|
|
targets += module.lds
|
|
|
|
subdir-$(CONFIG_GCC_PLUGINS) += gcc-plugins
|
|
subdir-$(CONFIG_MODVERSIONS) += genksyms
|
|
subdir-$(CONFIG_SECURITY_SELINUX) += selinux
|
|
|
|
# Let clean descend into subdirs
|
|
subdir- += basic dtc gdb kconfig mod
|