certs: include both root CA and direct signing certificate. closes: #924545

Module loading needs the issuer certificate to validate the signature,
and that certificate is not embedded in the signature itself.

For now embed both the signing certificate and the root CA.
Yves-Alexis Perez 2019-03-14 13:21:57 +01:00
parent 2f067b01ec
commit af53d158a0
4 changed files with 24 additions and 2 deletions


@ -20,3 +20,21 @@ UdeTk566CA1Zl/LiKaBETeru+D4CYMoVz06aJZGEP7dax+68a4Cj2f2ybXoeYxTr
7/GwQCXV6A6B62v3y//lIQAiLC6aNWASS1tfOEaEDAacz3KTYhjuXJjWs30GJTmV
305gdrAGewiwbuNknyFWrTkP
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
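Review bot: The certificate appended after the existing `-----END CERTIFICATE-----` is not identified anywhere in the visible lines, so a reader cannot tell which block is the root CA and which is the direct signing certificate. Please record the subject and SHA-256 fingerprint of each certificate in the commit message or in a short README next to the bundle, so the contents can be checked independently. The message says "For now embed both", so a pointer to the follow-up that would drop the signing certificate again would also help, since rotating that certificate otherwise requires a kernel rebuild.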

4
debian/changelog vendored

@ -10,6 +10,10 @@ linux (4.19.28-2) UNRELEASED; urgency=medium
* [arm64] Enable I2C_GPIO as a module.
* [arm64] Enable MESON_EFUSE as a module.
[ Yves-Alexis Perez ]
* certs: include both root CA and direct signing certificate.
closes: #924545
-- Ben Hutchings <ben@decadent.org.uk> Tue, 12 Mar 2019 15:44:31 +0000
linux (4.19.28-1) unstable; urgency=medium
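Review bot: Style point on the new entry's `closes: #924545` line: the usual Debian changelog form is parenthesised and capitalised at the end of the item, as in `(Closes: #924545)`. The lowercase form is still matched by the bug-closing pattern, but using the conventional spelling keeps the entry consistent with the rest of the changelog.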


@ -77,7 +77,7 @@ CONFIG_MODULE_SIG_KEY=""
#. Actually a file containing X.509 certificates, not keys.
#. Whenever the filename changes, this also needs to be updated in
#. debian/featureset-*/config
CONFIG_SYSTEM_TRUSTED_KEYS="debian/certs/debian-uefi-ca.pem"
CONFIG_SYSTEM_TRUSTED_KEYS="debian/certs/debian-uefi-certs.pem"
##
## file: crypto/Kconfig
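Review bot: The comment above `CONFIG_SYSTEM_TRUSTED_KEYS` still only says the file contains "X.509 certificates, not keys" and does not mention that the bundle now holds the direct signing certificate as well as the root CA. Every certificate in this file ends up in the kernel's built-in trusted keyring, so please extend the `#.` comment to state which certificates are expected in `debian-uefi-certs.pem` and that the signing certificate is included as an interim measure, as the commit message describes.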


@ -2,7 +2,7 @@
## file: certs/Kconfig
##
#. Certificate paths are resolved relative to debian/build/source_rt
CONFIG_SYSTEM_TRUSTED_KEYS="../../certs/debian-uefi-ca.pem"
CONFIG_SYSTEM_TRUSTED_KEYS="../../certs/debian-uefi-certs.pem"
##
## file: kernel/Kconfig.preempt
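Review bot: Only one featureset config is updated here (the path is resolved relative to `debian/build/source_rt`), while the comment in the main config says the name must be kept in sync in `debian/featureset-*/config`. Please confirm that no other featureset config or packaging script still refers to `debian-uefi-ca.pem`; if the old file no longer exists, a stale reference would break that build.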