As per the date, this CVE has been around for a while but the fixes were
only added to mainline for v5.13 about a month ago:

   -------------------
   linux$git describe --contains b0e22b47f65
   v5.13-rc1~202
   linux$git log --oneline ^b0e22b47f650^ b0e22b47f650^2
   ebd9c2ae369a integrity: Load mokx variables into the blacklist keyring
   d1f044103dad certs: Add ability to preload revocation certs
   2565ca7f5ec1 certs: Move load_system_certificate_list to a common function
   56c5812623f9 certs: Add EFI_CERT_X509_GUID support for dbx entries
   linux$git show b0e22b47f65
   commit b0e22b47f650b53dbb094cd0011a48f6f3ae3e29
   Merge: 87f27e7b189f ebd9c2ae369a
   Author: Linus Torvalds <[email protected]>
   Date:   Mon Apr 26 08:38:10 2021 -0700
   
       Merge tag 'keys-cve-2020-26541-v3' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs

   [...]     
       
         These patches deal with CVE-2020-26541.
   -------------------
   
They aren't (yet?) a part of linux-stable but I did let stable know that
they backport to v5.10 essentially hands free.  We can see that other
distros[1] have already selected these commits for backporting as well.

Build tested with defconfig, and with the new Kconfig option enabled.

Paul.

[1] https://ubuntu.com/security/CVE-2020-26541
---

Eric Snowberg (4):
  certs: Add EFI_CERT_X509_GUID support for dbx entries
  certs: Move load_system_certificate_list to a common function
  certs: Add ability to preload revocation certs
  integrity: Load mokx variables into the blacklist keyring

 certs/Kconfig                                 | 17 +++++
 certs/Makefile                                | 21 +++++-
 certs/blacklist.c                             | 64 +++++++++++++++++++
 certs/blacklist.h                             |  2 +
 certs/common.c                                | 57 +++++++++++++++++
 certs/common.h                                |  9 +++
 certs/system_keyring.c                        | 55 +++-------------
 include/keys/system_keyring.h                 | 15 +++++
 scripts/Makefile                              |  1 +
 .../platform_certs/keyring_handler.c          | 11 ++++
 security/integrity/platform_certs/load_uefi.c | 20 +++++-
 11 files changed, 221 insertions(+), 51 deletions(-)
 create mode 100644 certs/common.c
 create mode 100644 certs/common.h

-- 
2.29.2
