Git Repo - J-linux.git/commitdiff
Merge tag 'keys-cve-2020-26541-v3' of git://git.kernel.org/pub/scm/linux/kernel/git...
author Linus Torvalds <[email protected]>
Mon, 26 Apr 2021 15:38:10 +0000 (08:38 -0700)
committer Linus Torvalds <[email protected]>
Mon, 26 Apr 2021 15:38:10 +0000 (08:38 -0700)
Pull x509 dbx/mokx UEFI support from David Howells:
 "Here's a set of patches from Eric Snowberg[1] that add support for
  EFI_CERT_X509_GUID entries in the dbx and mokx UEFI tables (such
  entries cause matching certificates to be rejected).

  These are currently ignored and only the hash entries are made use of.

  Additionally Eric included his patches to allow such certificates to
  be preloaded.

  These patches deal with CVE-2020-26541.

  To quote Eric:
       'This is the fifth patch series for adding support for
        EFI_CERT_X509_GUID entries [2]. It has been expanded to not only
        include dbx entries but also entries in the mokx. Additionally
        my series to preload these certificates [3] has also been
        included'"

Link: https://lore.kernel.org/r/[email protected]
Link: https://patchwork.kernel.org/project/linux-security-module/patch/[email protected]/
Link: https://lore.kernel.org/patchwork/cover/1315485/
* tag 'keys-cve-2020-26541-v3' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs:
  integrity: Load mokx variables into the blacklist keyring
  certs: Add ability to preload revocation certs
  certs: Move load_system_certificate_list to a common function
  certs: Add EFI_CERT_X509_GUID support for dbx entries

scripts/Makefile

diff --combined scripts/Makefile
index c36106bce80ee273342558186ca3399b91eb72f1,bd0718f7c493e88b86cdfb1ea7cb1f75c168b755..9adb6d247818f1355e2e478256022cd10afd05f2
@@@ -3,9 -3,6 +3,9 @@@
  # scripts contains sources for various helper programs used throughout
  # the kernel for the build process.
  
 +CRYPTO_LIBS = $(shell pkg-config --libs libcrypto 2> /dev/null || echo -lcrypto)
 +CRYPTO_CFLAGS = $(shell pkg-config --cflags libcrypto 2> /dev/null)
 +
  hostprogs-always-$(CONFIG_BUILD_BIN2C)                        += bin2c
  hostprogs-always-$(CONFIG_KALLSYMS)                   += kallsyms
  hostprogs-always-$(BUILD_C_RECORDMCOUNT)              += recordmcount
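Review bot: CRYPTO_LIBS and CRYPTO_CFLAGS at the top of this hunk are assigned with recursive `=` around `$(shell pkg-config ...)`, so pkg-config is re-run each time either variable is expanded instead of once when the Makefile is parsed. Simple assignment (`CRYPTO_LIBS := $(shell ...)`) would evaluate each lookup a single time. The two lookups also fail differently: the libs line falls back to `-lcrypto`, while the cflags line yields an empty string with stderr discarded. A libcrypto installed outside the default include path with no usable .pc file would then fail at compile time with no hint that the lookup was what failed. A one-line comment saying the empty-cflags fallback is intentional would make that easier to diagnose.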
@@@ -14,13 -11,12 +14,14 @@@ hostprogs-always-$(CONFIG_ASN1)                            += a
  hostprogs-always-$(CONFIG_MODULE_SIG_FORMAT)          += sign-file
  hostprogs-always-$(CONFIG_SYSTEM_TRUSTED_KEYRING)     += extract-cert
  hostprogs-always-$(CONFIG_SYSTEM_EXTRA_CERTIFICATE)   += insert-sys-cert
+ hostprogs-always-$(CONFIG_SYSTEM_REVOCATION_LIST)     += extract-cert
  
  HOSTCFLAGS_sorttable.o = -I$(srctree)/tools/include
  HOSTCFLAGS_asn1_compiler.o = -I$(srctree)/include
 -HOSTLDLIBS_sign-file = -lcrypto
 -HOSTLDLIBS_extract-cert = -lcrypto
 +HOSTCFLAGS_sign-file.o = $(CRYPTO_CFLAGS)
 +HOSTLDLIBS_sign-file = $(CRYPTO_LIBS)
 +HOSTCFLAGS_extract-cert.o = $(CRYPTO_CFLAGS)
 +HOSTLDLIBS_extract-cert = $(CRYPTO_LIBS)
  
  ifdef CONFIG_UNWINDER_ORC
  ifeq ($(ARCH),x86_64)
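Review bot: the added `hostprogs-always-$(CONFIG_SYSTEM_REVOCATION_LIST) += extract-cert` line means extract-cert is now appended under two config symbols, so a configuration with both CONFIG_SYSTEM_TRUSTED_KEYRING and CONFIG_SYSTEM_REVOCATION_LIST set to y lists it twice in hostprogs-always-y. It is worth confirming that the duplicate entry is harmless to the host-program rules. If the revocation option already depends on the trusted keyring option (that dependency is not visible in this diff), the new line is redundant and could be dropped or given a comment explaining why it is kept. The merge resolution itself looks consistent: the new line sits alongside the `$(CRYPTO_CFLAGS)`/`$(CRYPTO_LIBS)` settings for extract-cert, so the tool is built with the pkg-config-derived flags whichever symbol enables it.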