Subject: Re: [PATCH v2 5/7] efi: Import certificates from UEFI Secure Boot
To: James Morris
Cc: linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, linux-efi@vger.kernel.org, linux-kernel@vger.kernel.org, zohar@linux.ibm.com, dhowells@redhat.com, jforbes@redhat.com, seth.forshee@canonical.com, kexec@lists.infradead.org, keyrings@vger.kernel.org, vgoyal@redhat.com, ebiederm@xmission.com, mpe@ellerman.id.au, Josh Boyer
References: <20181208202705.18673-1-nayna@linux.ibm.com> <20181208202705.18673-6-nayna@linux.ibm.com>
From: Nayna Jain
Date: Wed, 12 Dec 2018 23:01:15 +0530

On 12/12/2018 12:17 AM, James Morris wrote:
> On Sun, 9 Dec 2018, Nayna Jain wrote:
>
>> +/* >> + * Blacklist an X509 TBS hash. >> + */ >> +static __init void uefi_blacklist_x509_tbs(const char *source, >> + const void *data, size_t len) >> +{ >> + char *hash, *p; >> + >> + hash = kmalloc(4 + len * 2 + 1, GFP_KERNEL); >> + if (!hash) >> + return; >> + p = memcpy(hash, "tbs:", 4); >> + p += 4; >> + bin2hex(p, data, len); >> + p += len * 2; >> + *p = 0; >> + >> + mark_hash_blacklisted(hash); >> + kfree(hash); >> +} >> + >> +/* >> + * Blacklist the hash of an executable. >> + */ >> +static __init void uefi_blacklist_binary(const char *source, >> + const void *data, size_t len) >> +{ >> + char *hash, *p; >> + >> + hash = kmalloc(4 + len * 2 + 1, GFP_KERNEL); >> + if (!hash) >> + return; >> + p = memcpy(hash, "bin:", 4); >> + p += 4; >> + bin2hex(p, data, len); >> + p += len * 2; >> + *p = 0; >> + >> + mark_hash_blacklisted(hash); >> + kfree(hash); >> +}
>>
> These could be refactored into one function.

Thanks James for reviewing. Yes, the code should be refactored. However, I think making it a single function would require adding a new field to the function callback definitions as well. Probably, a simpler approach would be to define a common function uefi_blacklist_hash(...)
which can then be used by the two functions uefi_blacklist_x509_tbs(...) and uefi_blacklist_binary(...). These two functions now act as wrapper functions. Below is the example code: +/* + * Blacklist a hash. + */ +static __init void uefi_blacklist_hash(const char *source, const void *data, +                                 size_t len, char *type, size_t type_len) +{ +       char *hash, *p; + +       hash = kmalloc(type_len + len * 2 + 1, GFP_KERNEL); +       if (!hash) +               return; +       p = memcpy(hash, type, type_len); +       p += type_len; +       bin2hex(p, data, len); +       p += len * 2; +       *p = 0; + +       mark_hash_blacklisted(hash); +       kfree(hash); +} + +/* + * Blacklist an X509 TBS hash. + */ +static __init void uefi_blacklist_x509_tbs(const char *source, +                                          const void *data, size_t len) +{ +       uefi_blacklist_hash(source, data, len, "tbs:" , 4); +} + +/* + * Blacklist the hash of an executable. + */ +static __init void uefi_blacklist_binary(const char *source, +                                        const void *data, size_t len) +{ +       uefi_blacklist_hash(source, data, len, "bin:" , 4); +} Thanks & Regards,    - Nayna
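
Review bot: In uefi_blacklist_hash() the prefix and its length arrive as two independent arguments ("tbs:" , 4 and "bin:" , 4 in the wrappers), so nothing keeps type_len in step with the string actually passed; a prefix edited later without updating the 4 would under- or over-copy in the memcpy and skew the kmalloc size. Both callers pass string literals, so type should be declared const char *, and the helper can take strlen(type) itself and drop the type_len parameter. The wrappers also have a stray space before the comma after the prefix string. Separately, the if (!hash) return; path drops the entry silently, which for a revocation list means a hash can go unblacklisted with no trace; source is passed into the helper but never used, so a pr_err() naming source on allocation failure would make a skipped entry visible in the boot log.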