dgit.raspbian.org Git - linux.git/commit

author	Ben Hutchings <benh@debian.org>
	Sun, 15 Nov 2020 01:01:03 +0000 (01:01 +0000)
committer	Salvatore Bonaccorso <carnil@debian.org>
	Thu, 30 Sep 2021 19:36:41 +0000 (20:36 +0100)
commit	21a6a0e5b79c6e355de349682ec7d32dac9e50cc
tree	ba540d5aab7a3d3c728f3bfb7b178c93f6f82973	tree \| snapshot
parent	bce69633ff8a4caa1fca959036fdbd52fd4ada63	commit \| diff

MODSIGN: load blacklist from MOKx

Loosely based on a patch by "Lee, Chun-Yi" <joeyli.kernel@gmail.com>
at <https://lore.kernel.org/patchwork/patch/933177/> which was later
rebased by Luca Boccassi.

This patch adds the logic to load the blacklisted hash and
certificates from MOKx which is maintained by shim bootloader.

Since MOK list loading became more complicated in 5.10 and was moved
to load_moklist_certs(), add parameters to that and call it once for
each of MokListRT and MokListXRT.

Signed-off-by: Ben Hutchings <benh@debian.org>
[Salvatore Bonaccorso: Forward-port to 5.10.47: Drop upstream hunk to get the
MokListXRT certificates as we do load via load_moklist_certs().]

Gbp-Pq: Topic features/all/db-mok-keyring
Gbp-Pq: Name 0002-MODSIGN-load-blacklist-from-MOKx.patch