Received: by 2002:a25:d7c1:0:0:0:0:0 with SMTP id o184csp2246007ybg; Sat, 19 Oct 2019 11:07:46 -0700 (PDT) X-Google-Smtp-Source: APXvYqydBquHpTUhAGCMSftAmcuSfZB3QnqxU645X/Zk8DPesIBIswnjY3I3x92ob5GHEkGqF/XV X-Received: by 2002:a50:f699:: with SMTP id d25mr2115241edn.72.1571508466170; Sat, 19 Oct 2019 11:07:46 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1571508466; cv=none; d=google.com; s=arc-20160816; b=AtmAEo1KU1+C06B/gvXvwO2Sj3Cu2moKhoNbYTbVgvIYUGzvr0U7x6X8mRZIs/mXzu 5d0TQviNtptqxlTioN8Zt1hpWpQ6fE4mdB3EupzYzlY3dgBu9YXvJNf464JSuQwl67cp 2ehVPsY0mF/7S5GFrnEehzH8IGNbFVbPe4bRZYnWfVfJUPy+vKuYB8JhkqLVE+3J8HFK eU+fKk3p+l0pb2X5AU3IBTmYOrl1Wx4XDqm0v7SZXQP0w7BEiXX+iJrprMDvgK3+k1MW KV7xK1YEHMaJvWyjx47vLV54p9Uo8gOXXHVheIj+F9FQhJbg1D3wVUVFGlKiONnURf5Y cZPA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:message-id:references:in-reply-to:date :subject:cc:to:from; bh=/ZqlPiVOQhOWIj6zTFlyFff5FSxcnklRucQLtvFNGWY=; b=FfkD3HzIZwoya0BuFBp5YEzlQiRchFGKCqLmI5hW9d51Q6NKCwQdE0eZohBax4iG24 ZEhXT3CtjJLfBHk65pyWqora++9fzMYMsChkMOrT0/Y+xXHE3C51POxTNsnnBTeEMJVd 6lzL7xn7yOECPcQSSstUTQqh2JJCano/jr4mLgQ10slUOGcHfUkmzIumSFMQIKMxmx5l PKSAiaUMcBpCHwNfvvxl9IxEFqi2yR+w4VZuaRPRQt0xrtRcGAdnHmjkaZZYhS6LWXUi 07KvIjYWBjp5ta+fDlvGBSqdxJs49EONPe3WBW/Ft3IVQA5MsHldWF/vng9uQ839pVTc JQuw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ibm.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id y2si6331868eds.98.2019.10.19.11.07.22; Sat, 19 Oct 2019 11:07:46 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ibm.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726347AbfJSSHC (ORCPT + 99 others); Sat, 19 Oct 2019 14:07:02 -0400 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:42652 "EHLO mx0b-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726326AbfJSSHB (ORCPT ); Sat, 19 Oct 2019 14:07:01 -0400 Received: from pps.filterd (m0127361.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.27/8.16.0.27) with SMTP id x9JI6dM4159586 for ; Sat, 19 Oct 2019 14:07:00 -0400 Received: from e06smtp04.uk.ibm.com (e06smtp04.uk.ibm.com [195.75.94.100]) by mx0a-001b2d01.pphosted.com with ESMTP id 2vqwa3d1v7-1 (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=NOT) for ; Sat, 19 Oct 2019 14:07:00 -0400 Received: from localhost by e06smtp04.uk.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Sat, 19 Oct 2019 19:06:58 +0100 Received: from b06cxnps3075.portsmouth.uk.ibm.com (9.149.109.195) by e06smtp04.uk.ibm.com (192.168.101.134) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; (version=TLSv1/SSLv3 cipher=AES256-GCM-SHA384 bits=256/256) Sat, 19 Oct 2019 19:06:53 +0100 Received: from d06av21.portsmouth.uk.ibm.com (d06av21.portsmouth.uk.ibm.com [9.149.105.232]) by b06cxnps3075.portsmouth.uk.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id x9JI6pjk55377954 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Sat, 19 Oct 2019 18:06:51 GMT Received: from d06av21.portsmouth.uk.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 5340A52057; Sat, 19 Oct 2019 18:06:51 +0000 (GMT) Received: from swastik.ibm.com (unknown [9.85.146.216]) by d06av21.portsmouth.uk.ibm.com (Postfix) with ESMTP id 9C1D45204F; Sat, 19 Oct 2019 18:06:48 +0000 (GMT) From: Nayna Jain To: linuxppc-dev@ozlabs.org, linux-efi@vger.kernel.org, linux-integrity@vger.kernel.org Cc: linux-kernel@vger.kernel.org, Michael Ellerman , Benjamin Herrenschmidt , Paul Mackerras , Ard Biesheuvel , Jeremy Kerr , Matthew Garret , Mimi Zohar , Greg Kroah-Hartman , Claudio Carvalho , George Wilson , Elaine Palmer , Eric Ricther , "Oliver O'Halloran" , Nayna Jain , Prakhar Srivastava , Lakshmi Ramasubramanian Subject: [PATCH v8 6/8] certs: add wrapper function to check blacklisted binary hash Date: Sat, 19 Oct 2019 14:06:15 -0400 X-Mailer: git-send-email 1.8.3.1 In-Reply-To: <1571508377-23603-1-git-send-email-nayna@linux.ibm.com> References: <1571508377-23603-1-git-send-email-nayna@linux.ibm.com> X-TM-AS-GCONF: 00 x-cbid: 19101918-0016-0000-0000-000002BA039A X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 19101918-0017-0000-0000-0000331B3458 Message-Id: <1571508377-23603-7-git-send-email-nayna@linux.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:,, definitions=2019-10-19_04:,, signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1908290000 definitions=main-1910190171 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org The -EKEYREJECTED error returned by existing is_hash_blacklisted() is misleading when called for checking against blacklisted hash of a binary. This patch adds a wrapper function is_binary_blacklisted() to return -EPERM error if binary is blacklisted. Signed-off-by: Nayna Jain Reviewed-by: Mimi Zohar --- certs/blacklist.c | 9 +++++++++ include/keys/system_keyring.h | 6 ++++++ 2 files changed, 15 insertions(+) diff --git a/certs/blacklist.c b/certs/blacklist.c index ec00bf337eb6..6514f9ebc943 100644 --- a/certs/blacklist.c +++ b/certs/blacklist.c @@ -135,6 +135,15 @@ int is_hash_blacklisted(const u8 *hash, size_t hash_len, const char *type) } EXPORT_SYMBOL_GPL(is_hash_blacklisted); +int is_binary_blacklisted(const u8 *hash, size_t hash_len) +{ + if (is_hash_blacklisted(hash, hash_len, "bin") == -EKEYREJECTED) + return -EPERM; + + return 0; +} +EXPORT_SYMBOL_GPL(is_binary_blacklisted); + /* * Initialise the blacklist */ diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h index c1a96fdf598b..fb8b07daa9d1 100644 --- a/include/keys/system_keyring.h +++ b/include/keys/system_keyring.h @@ -35,12 +35,18 @@ extern int restrict_link_by_builtin_and_secondary_trusted( extern int mark_hash_blacklisted(const char *hash); extern int is_hash_blacklisted(const u8 *hash, size_t hash_len, const char *type); +extern int is_binary_blacklisted(const u8 *hash, size_t hash_len); #else static inline int is_hash_blacklisted(const u8 *hash, size_t hash_len, const char *type) { return 0; } + +static inline int is_binary_blacklisted(const u8 *hash, size_t hash_len) +{ + return 0; +} #endif #ifdef CONFIG_IMA_BLACKLIST_KEYRING -- 2.20.1