From af53d158a019846a96e3d23ec3ed13e55f1ad70e Mon Sep 17 00:00:00 2001
From: Yves-Alexis Perez
Date: Thu, 14 Mar 2019 13:21:57 +0100
Subject: [PATCH] certs: include both root CA and direct signing certificate. closes: #924545 Module loading needs the issuer certificate to validate the signature, and that certificate is not embedded in the signature itself. For now embed both the signing certificate and the root CA.
---
 ...ebian-uefi-ca.pem => debian-uefi-certs.pem} | 18 ++++++++++++++++++
 debian/changelog | 4 ++++
 debian/config/config | 2 +-
 debian/config/featureset-rt/config | 2 +-
 4 files changed, 24 insertions(+), 2 deletions(-)
 rename debian/certs/{debian-uefi-ca.pem => debian-uefi-certs.pem} (54%)
diff --git a/debian/certs/debian-uefi-ca.pem b/debian/certs/debian-uefi-certs.pem
similarity index 54%
rename from debian/certs/debian-uefi-ca.pem
rename to debian/certs/debian-uefi-certs.pem
index 315301e73..b16b0c93a 100644
--- a/debian/certs/debian-uefi-ca.pem
+++ b/debian/certs/debian-uefi-certs.pem
@@ -20,3 +20,21 @@ UdeTk566CA1Zl/LiKaBETeru+D4CYMoVz06aJZGEP7dax+68a4Cj2f2ybXoeYxTr
 7/GwQCXV6A6B62v3y//lIQAiLC6aNWASS1tfOEaEDAacz3KTYhjuXJjWs30GJTmV
 305gdrAGewiwbuNknyFWrTkP
 -----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIC/DCCAeSgAwIBAgIFAKdGje8wDQYJKoZIhvcNAQELBQAwIDEeMBwGA1UEAxMV
+RGViaWFuIFNlY3VyZSBCb290IENBMB4XDTE2MDgxNjE4MjI1MFoXDTI2MDgxNjE4
+MjI1MFowJDEiMCAGA1UEAxMZRGViaWFuIFNlY3VyZSBCb290IFNpZ25lcjCCASIw
+DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANPRg5AP2mWiLwdaYJXr98eGfCCG
+2mWjphLrWzvOyPs/oXJLnt9QxQMzpAwrX9ZBBA22z5VI7YqyrdblATdOYM2ySjgE
+s0SAlK+fblTbqB88t0sw3iGBbwmjZrpqK5bWmmF3DNTtPNBxu62M8CJcPiXMbSIu
+YZeVr5suTVi2fngCww65+rJbJ959or4MFKxz7JewFV7t7eWldT944HHOL86D7VMx
+MJhO5vkBooiIpiMIfA23VDoWle1eeV6QTv7Nqt6C/PaWcU5JSbnT6bCrf9cqR7dT
+MCd83GaYCW/RfvV/PT7UomqIWQIvLz3IxijeQv7ZUj0kwvxAmBH2dr+Mu2UCAwEA
+AaM5MDcwEQYJYIZIAYb4QgEBBAQDAgQQMBUGA1UdJQQOMAwGCisGAQQBgjcKAwEw
+CwYDVR0PBAQDAgeAMA0GCSqGSIb3DQEBCwUAA4IBAQBXG6RgTCnp8n1rXJPbzGyf
+GD9pSJp13mTzg0oJqSYh7ulWXeE+2XXLzH+/TeToiT1+EUKHQMPV4HF53ABs4XFi
+x5jCyycLL5/M7PqLsvMLnvPyw8mf2yWTkKTNuwHljvTXVai0dUEx/U5dAxigwqzF
+3kbn3BzPEtWd6Eedk4wyzUTVdMcwmlelVtB+zwURtPTzKfnbm1PSvS+tanUmRWS6
+uiiWh4638HlX+noOPEo4krzylfLnKND32JgaXjmetWWAvfPaEj9Qdmcpn9ELCh6H
+l1xy2/MBdErdB7p26Wr83SLbRgLXrwrF7RW8Dyup242/f2+torfFTUpHs8FWkLYX
+-----END CERTIFICATE-----
diff --git a/debian/changelog b/debian/changelog
index cf41fc6a4..feea5920f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -10,6 +10,10 @@ linux (4.19.28-2) UNRELEASED; urgency=medium
 * [arm64] Enable I2C_GPIO as a module.
 * [arm64] Enable MESON_EFUSE as a module.
+ [ Yves-Alexis Perez ]
+ * certs: include both root CA and direct signing certificate.
+ closes: #924545
+
 -- Ben Hutchings Tue, 12 Mar 2019 15:44:31 +0000
 linux (4.19.28-1) unstable; urgency=medium
diff --git a/debian/config/config b/debian/config/config
index 08bee25b9..e6c3c573b 100644
--- a/debian/config/config
+++ b/debian/config/config
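Review bot: The certificate appended after the existing `-----END CERTIFICATE-----` becomes a built-in trust anchor for module signature checks, yet nothing in the hunk or the commit message lets a reviewer confirm which certificate the base64 block is. Recording its subject and fingerprint in the commit message or changelog entry, for example `signing cert SHA-256: <FINGERPRINT_PLACEHOLDER>`, would let it be compared with the certificate actually used for signing. The commit message describes embedding the signing certificate as a measure "for now", so it would also help to say where the follow-up is tracked, because a directly embedded signing certificate presumably has to be replaced in this file whenever it is rotated.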
@@ -77,7 +77,7 @@ CONFIG_MODULE_SIG_KEY=""
 #. Actually a file containing X.509 certificates, not keys.
 #. Whenever the filename changes, this also needs to be updated in
 #. debian/featureset-*/config
-CONFIG_SYSTEM_TRUSTED_KEYS="debian/certs/debian-uefi-ca.pem"
+CONFIG_SYSTEM_TRUSTED_KEYS="debian/certs/debian-uefi-certs.pem"
 ##
 ## file: crypto/Kconfig
diff --git a/debian/config/featureset-rt/config b/debian/config/featureset-rt/config
index 7c7989648..088c60e7f 100644
--- a/debian/config/featureset-rt/config
+++ b/debian/config/featureset-rt/config
@@ -2,7 +2,7 @@
 ## file: certs/Kconfig
 ##
 #. Certificate paths are resolved relative to debian/build/source_rt
-CONFIG_SYSTEM_TRUSTED_KEYS="../../certs/debian-uefi-ca.pem"
+CONFIG_SYSTEM_TRUSTED_KEYS="../../certs/debian-uefi-certs.pem"
 ##
 ## file: kernel/Kconfig.preempt
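Review bot: The `#.` comment block above `CONFIG_SYSTEM_TRUSTED_KEYS` in debian/config/config still says only that the file holds X.509 certificates, so it no longer documents what the renamed bundle contains or why. Every certificate in that file ends up in the kernel's built-in trusted keyring, so the comment is the natural place to state it, for example `#. Holds the root CA and the current signing certificate; update it when the signing certificate is rotated.` The same path change in the debian/config/featureset-rt/config hunk depends on the same bundle, so one updated comment here covers both. It would also be worth saying there that any certificate appended later widens the set of keys accepted for module signatures and needs review.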