Josh Boyer authored
BugLink: http://bugs.launchpad.net/bugs/1571691

git://pkgs.fedoraproject.org/rpms/kernel.git

Secure Boot stores a list of allowed certificates in the 'db' variable. This imports those certificates into the system trusted keyring. This allows for a third party signing certificate to be used in conjunction with signed modules. By importing the public certificate into the 'db' variable, a user can allow a module signed with that certificate to load. The shim UEFI bootloader has a similar certificate list stored in the 'MokListRT' variable. We import those as well.

In the opposite case, Secure Boot maintains a list of disallowed certificates in the 'dbx' variable. We load those certificates into the newly introduced system blacklist keyring and forbid any module signed with those from loading.

Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Signed-off-by: Andy Whitcroft <andy.whitcroft@canonical.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
89052b26
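
The 'db', 'dbx' and 'MokListRT' variables named in the commit message hold their entries as a sequence of EFI_SIGNATURE_LIST structures (UEFI specification). The following is an added example, not code from this commit or from the kernel, showing how such a blob is walked and bounds-checked to separate X.509 certificates from SHA-256 hash entries; the function names, the owner GUID and the sample bytes are constructed for illustration.

```python
import struct
import uuid

# Signature type GUIDs defined by the UEFI specification.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
LIST_HDR = struct.Struct("<16sIII")  # type GUID, list size, header size, entry size

def parse_signature_lists(blob):
    """Yield (type_guid, owner_guid, data) for every entry in a db/dbx/MokListRT blob."""
    off = 0
    while off < len(blob):
        if len(blob) - off < LIST_HDR.size:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        raw_type, list_size, hdr_size, sig_size = LIST_HDR.unpack_from(blob, off)
        body = list_size - LIST_HDR.size - hdr_size
        # Reject sizes that would run past the buffer or never advance.
        if list_size > len(blob) - off or body < 0 or sig_size <= 16 or body % sig_size:
            raise ValueError("inconsistent EFI_SIGNATURE_LIST sizes")
        start = off + LIST_HDR.size + hdr_size
        for pos in range(start, start + body, sig_size):
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            yield uuid.UUID(bytes_le=raw_type), owner, blob[pos + 16:pos + sig_size]
        off += list_size

def split_for_keyrings(blob):
    """Separate X.509 certificate entries from SHA-256 hash entries."""
    certs, hashes = [], []
    for sig_type, _owner, data in parse_signature_lists(blob):
        if sig_type == EFI_CERT_X509_GUID:
            certs.append(data)
        elif sig_type == EFI_CERT_SHA256_GUID:
            hashes.append(data)
    return certs, hashes

def make_list(sig_type, owner, entries):
    """Build one EFI_SIGNATURE_LIST from equal-sized entries (used for the sample)."""
    sig_size = 16 + len(entries[0])
    body = b"".join(owner.bytes_le + e for e in entries)
    return LIST_HDR.pack(sig_type.bytes_le, LIST_HDR.size + len(body), 0, sig_size) + body

# Constructed sample: placeholder bytes stand in for a DER certificate and two hashes.
OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")
SAMPLE = (make_list(EFI_CERT_X509_GUID, OWNER, [b"\x30\x82" + b"\x00" * 30])
          + make_list(EFI_CERT_SHA256_GUID, OWNER, [b"\xaa" * 32, b"\xbb" * 32]))
```

When reading a variable through efivarfs on Linux, the file begins with a 4-byte attributes field that must be skipped before passing the data to `parse_signature_lists`.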