dgit.raspbian.org Git - linux.git/commit

author	Lee, Chun-Yi <joeyli.kernel@gmail.com>
	Tue, 13 Mar 2018 10:37:59 +0000 (18:37 +0800)
committer	Salvatore Bonaccorso <carnil@debian.org>
	Sat, 6 Feb 2021 08:23:52 +0000 (08:23 +0000)
commit	20d42f76be2f02cc59ba200847e7533b4384f026
tree	29b998d9c443f5583d74908d222574171f91d49d	tree \| snapshot
parent	d2a54caa888f902dc311c7c1e929bb3903afaf41	commit \| diff

[PATCH 1/5] MODSIGN: do not load mok when secure boot disabled

Origin: https://lore.kernel.org/patchwork/patch/933173/

The mok can not be trusted when the secure boot is disabled. Which
means that the kernel embedded certificate is the only trusted key.

Due to db/dbx are authenticated variables, they needs manufacturer's
KEK for update. So db/dbx are secure when secureboot disabled.

Cc: David Howells <dhowells@redhat.com>
Cc: Josh Boyer <jwboyer@fedoraproject.org>
Cc: James Bottomley <James.Bottomley@HansenPartnership.com>
Signed-off-by: "Lee, Chun-Yi" <jlee@suse.com>
[Rebased by Luca Boccassi]
[bwh: Forward-ported to 5.5.9:
- get_cert_list() takes a pointer to status and returns the cert list
- Adjust filename]
[Salvatore Bonaccorso: Forward-ported to 5.10: Refresh for changes in
38a1f03aa240 ("integrity: Move import of MokListRT certs to a separate
routine")]

Gbp-Pq: Topic features/all/db-mok-keyring
Gbp-Pq: Name 0001-MODSIGN-do-not-load-mok-when-secure-boot-disabled.patch