diff --git a/pkg/debian/kernel/0001-Revert-integrity-Only-use-machine-keyring-when-uefi_.patch b/pkg/debian/kernel/0001-Revert-integrity-Only-use-machine-keyring-when-uefi_.patch
new file mode 100644
index 000000000..a20cdbabb
--- /dev/null
+++ b/pkg/debian/kernel/0001-Revert-integrity-Only-use-machine-keyring-when-uefi_.patch
@@ -0,0 +1,102 @@
+From 5b4a9bf506709048bdc7e34dfd45d77d12204088 Mon Sep 17 00:00:00 2001
+From: Maximilian Luz
+Date: Fri, 26 Aug 2022 21:24:36 +0200
+Subject: [PATCH] Revert "integrity: Only use machine keyring when
+ uefi_check_trust_mok_keys is true"
+
+This reverts commit 3d6ae1a5d0c2019d274284859f556dcb64aa98a7.
+
+MokListTrustedRT doesn't seem to be set by the Shim version used by
+Ubuntu and Debian. Therefore, these systems don't trust the MOK keys on
+newer kernels. While pre-5.19 kernels silently disregard the untrusted
+keys and (without signature enforcement enabled) still load external
+modules (tainting the kernel), on 5.19 kernels, this breaks module
+loading. Therefore, revert this change.
+
+See https://github.com/linux-surface/linux-surface/issues/906.
+---
+ security/integrity/digsig.c | 2 +-
+ security/integrity/integrity.h | 5 -----
+ .../integrity/platform_certs/keyring_handler.c | 2 +-
+ .../integrity/platform_certs/machine_keyring.c | 16 ----------------
+ 4 files changed, 2 insertions(+), 23 deletions(-)
+
+diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c
+index 8a82a6c7f48a..c0c2fd0a6c71 100644
+--- a/security/integrity/digsig.c
++++ b/security/integrity/digsig.c
+@@ -113,7 +113,7 @@ static int __init __integrity_init_keyring(const unsigned int id,
+ } else {
+ if (id == INTEGRITY_KEYRING_PLATFORM)
+ set_platform_trusted_keys(keyring[id]);
+- if (id == INTEGRITY_KEYRING_MACHINE && trust_moklist())
++ if (id == INTEGRITY_KEYRING_MACHINE)
+ set_machine_trusted_keys(keyring[id]);
+ if (id == INTEGRITY_KEYRING_IMA)
+ load_module_cert(keyring[id]);
+diff --git a/security/integrity/integrity.h b/security/integrity/integrity.h
+index 7167a6e99bdc..1dbb494c86c0 100644
+--- a/security/integrity/integrity.h
++++ b/security/integrity/integrity.h
+@@ -320,14 +320,9 @@ static inline void __init add_to_platform_keyring(const char *source,
+
+ #ifdef CONFIG_INTEGRITY_MACHINE_KEYRING
+ void __init add_to_machine_keyring(const char *source, const void *data, size_t len);
+-bool __init trust_moklist(void);
+ #else
+ static inline void __init add_to_machine_keyring(const char *source,
+ const void *data, size_t len)
+ {
+ }
+-static inline bool __init trust_moklist(void)
+-{
+- return false;
+-}
+ #endif
+diff --git a/security/integrity/platform_certs/keyring_handler.c b/security/integrity/platform_certs/keyring_handler.c
+index 8a1124e4d769..b22e0125a483 100644
+--- a/security/integrity/platform_certs/keyring_handler.c
++++ b/security/integrity/platform_certs/keyring_handler.c
+@@ -61,7 +61,7 @@ __init efi_element_handler_t get_handler_for_db(const efi_guid_t *sig_type)
+ __init efi_element_handler_t get_handler_for_mok(const efi_guid_t *sig_type)
+ {
+ if (efi_guidcmp(*sig_type, efi_cert_x509_guid) == 0) {
+- if (IS_ENABLED(CONFIG_INTEGRITY_MACHINE_KEYRING) && trust_moklist())
++ if (IS_ENABLED(CONFIG_INTEGRITY_MACHINE_KEYRING))
+ return add_to_machine_keyring;
+ else
+ return add_to_platform_keyring;
+diff --git a/security/integrity/platform_certs/machine_keyring.c b/security/integrity/platform_certs/machine_keyring.c
+index 7aaed7950b6e..09fd8f20c756 100644
+--- a/security/integrity/platform_certs/machine_keyring.c
++++ b/security/integrity/platform_certs/machine_keyring.c
+@@ -8,8 +8,6 @@
+ #include
+ #include "../integrity.h"
+
+-static bool trust_mok;
+-
+ static __init int machine_keyring_init(void)
+ {
+ int rc;
+@@ -61,17 +59,3 @@ static __init bool uefi_check_trust_mok_keys(void)
+
+ return false;
+ }
+-
+-bool __init trust_moklist(void)
+-{
+- static bool initialized;
+-
+- if (!initialized) {
+- initialized = true;
+-
+- if (uefi_check_trust_mok_keys())
+- trust_mok = true;
+- }
+-
+- return trust_mok;
+-}
+--
+2.37.2
+
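Review bot: The `trust_moklist()` check removed from digsig.c and keyring_handler.c was the only condition keeping MOK-enrolled certificates out of the machine keyring when shim does not assert MokListTrustedRT, so with this patch every MokListRT certificate becomes a kernel-trusted signer on any CONFIG_INTEGRITY_MACHINE_KEYRING build, and the trust decision now rests entirely on who can enroll a key into the MOK list; the embedded commit message explains the module-loading breakage but not this widening of trust. Consider adding a sentence to the embedded patch description before `See https://github.com/linux-surface/linux-surface/issues/906.` stating that the revert restores pre-5.19 semantics in which all MokListRT entries are trusted for module signatures, so packagers make that trade-off knowingly. The narrower alternative would be to keep the gate and carry this revert only until the shim shipped by these distributions sets MokListTrustedRT, noting that condition in the description as the point at which the patch should be dropped. Separately, the context line `+ #include` in the machine_keyring.c hunk carries no header name; if that is what the committed file contains rather than a rendering artefact, the context will not match and the patch will fail to apply.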