Received: by 2002:a05:6a10:8c0a:0:0:0:0 with SMTP id go10csp1831685pxb; Fri, 5 Feb 2021 02:34:08 -0800 (PST) X-Google-Smtp-Source: ABdhPJwbniR4B9v69pHwbu0UhbGjManWXyIetnLE0V2bDLlUrVJIzvxhW4iL2lZH2Trx3HTP89fY X-Received: by 2002:aa7:c94a:: with SMTP id h10mr3000696edt.41.1612521248738; Fri, 05 Feb 2021 02:34:08 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1612521248; cv=none; d=google.com; s=arc-20160816; b=ulJCOUy6TugLWPuU+HvghvyUs09XayIeqlTaj2Yevx49Cam26sXjEtO/JAmqS2kT5j 1AhAhjPOrI3BAu0spM3s9vsstPtzKGu2K1f2XZsszZOlzKL/Ldk2Td26YPsvF35uw55F rXFRkH0XTVtkDes67RX8CisRtLLHckEt054gl3djWF4BI2ggb9dqweguiLbwSykME6E6 C6ySlKkFn6E0q7F2KM3GPbSY8PkijIMHz9CpFMWT4e2T96RsGXDn0rCwLEYP3OlHurod AJamFw6ImKRPzGxAitcLdJqKrXCm28Xr6WtT3hm9ArO+VoQEgCprBQct0oZAZUQSgzOy eZOg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:content-language :in-reply-to:mime-version:user-agent:date:message-id:from:references :cc:to:subject; bh=eCW2J6PjyS8G8kJFvEkVJnOrCx+Lng1mPWj8tY6z5Hc=; b=Sfzunz01DnuFbGQGBGbtVJ4Qzzqeuy32r4rI5NU4f08EQug6F7jDuKodlMcgmBqwzY HHTUzkrTjQen2UGp47I5AURiddbLhgaFwKoMZAl1iJLBmYwxiG5mWWKy1SySvnaPex79 BGlJPDl3wYPpJ/WxHsmJVObdrbhKNk/PsLeKsiOQRFWDf0gAyjfyQ30bTHfI9wgjn4eL 1bQYGeCzH2Ekgv/NDoStEzcyCGc6WjdqgDrrgwYANwj/3K0MGxHIWGSqm4b1+iAg42t0 +n0cGRkQaN3W17kwat2uT9ufxNcD0FNIf20cNS384Mrrwi5Ns5+/0YLxFcLikc0yhuTq x/9g== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id y14si5346044edc.349.2021.02.05.02.33.42; Fri, 05 Feb 2021 02:34:08 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231367AbhBEKb7 (ORCPT + 99 others); Fri, 5 Feb 2021 05:31:59 -0500 Received: from smtp-8fa9.mail.infomaniak.ch ([83.166.143.169]:34529 "EHLO smtp-8fa9.mail.infomaniak.ch" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231319AbhBEK2A (ORCPT ); Fri, 5 Feb 2021 05:28:00 -0500 Received: from smtp-2-0001.mail.infomaniak.ch (unknown [10.5.36.108]) by smtp-2-3000.mail.infomaniak.ch (Postfix) with ESMTPS id 4DXBRj2YVDzMqWkX; Fri, 5 Feb 2021 11:26:57 +0100 (CET) Received: from ns3096276.ip-94-23-54.eu (unknown [23.97.221.149]) by smtp-2-0001.mail.infomaniak.ch (Postfix) with ESMTPA id 4DXBRf1R7Xzlh8TK; Fri, 5 Feb 2021 11:26:54 +0100 (CET) Subject: =?UTF-8?Q?Re=3a_Conflict_with_Micka=c3=abl_Sala=c3=bcn=27s_blacklis?= =?UTF-8?Q?t_patches_=5bwas_=5bPATCH_v5_0/4=5d_Add_EFI=5fCERT=5fX509=5fGUID_?= =?UTF-8?Q?support_for_dbx/mokx_entries=5d?= To: Eric Snowberg Cc: David Howells , dwmw2@infradead.org, Jarkko Sakkinen , James.Bottomley@HansenPartnership.com, masahiroy@kernel.org, michal.lkml@markovi.net, jmorris@namei.org, serge@hallyn.com, ardb@kernel.org, Mimi Zohar , lszubowi@redhat.com, javierm@redhat.com, keyrings@vger.kernel.org, linux-kernel@vger.kernel.org, linux-kbuild@vger.kernel.org, linux-security-module@vger.kernel.org, Tyler Hicks References: <20210122181054.32635-1-eric.snowberg@oracle.com> <1103491.1612369600@warthog.procyon.org.uk> <10e6616e-0598-9f33-2de9-4a5268bba586@digikod.net> <7924ce4c-ea94-9540-0730-bddae7c6af07@digikod.net> From: =?UTF-8?Q?Micka=c3=abl_Sala=c3=bcn?= Message-ID: Date: Fri, 5 Feb 2021 11:27:02 +0100 User-Agent: MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 05/02/2021 01:24, Eric Snowberg wrote: > >> On Feb 4, 2021, at 1:26 AM, Mickaël Salaün wrote: >> >> >> On 04/02/2021 04:53, Eric Snowberg wrote: >>> >>>> On Feb 3, 2021, at 11:49 AM, Mickaël Salaün wrote: >>>> >>>> This looks good to me, and it still works for my use case. Eric's >>>> patchset only looks for asymmetric keys in the blacklist keyring, so >>>> even if we use the same keyring we don't look for the same key types. My >>>> patchset only allows blacklist keys (i.e. hashes, not asymmetric keys) >>>> to be added by user space (if authenticated), but because Eric's >>>> asymmetric keys are loaded with KEY_ALLOC_BYPASS_RESTRICTION, it should >>>> be OK for his use case. There should be no interference between the two >>>> new features, but I find it a bit confusing to have such distinct use of >>>> keys from the same keyring depending on their type. >>> >>> I agree, it is a bit confusing. What is the thought of having a dbx >>> keyring, similar to how the platform keyring works? >>> >>> https://www.spinics.net/lists/linux-security-module/msg40262.html >>> >>> >>>> On 03/02/2021 17:26, David Howells wrote: >>>>> >>>>> Eric Snowberg wrote: >>>>> >>>>>> This is the fifth patch series for adding support for >>>>>> EFI_CERT_X509_GUID entries [1]. It has been expanded to not only include >>>>>> dbx entries but also entries in the mokx. Additionally my series to >>>>>> preload these certificate [2] has also been included. >>>>> >>>>> Okay, I've tentatively applied this to my keys-next branch. However, it >>>>> conflicts minorly with Mickaël Salaün's patches that I've previously merged on >>>>> the same branch. Can you have a look at the merge commit >>>>> >>>>> https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit/?h=keys-next&id=fdbbe7ceeb95090d09c33ce0497e0394c82aa33d >>>>> >>>>> (the top patch of my keys-next branch) >>>>> >>>>> to see if that is okay by both of you? If so, can you give it a whirl? >>> >>> >>> I’m seeing a build error within blacklist_hashes_checked with >>> one of my configs. >>> >>> The config is as follows: >>> >>> $ grep CONFIG_SYSTEM_BLACKLIST_HASH_LIST .config >>> CONFIG_SYSTEM_BLACKLIST_HASH_LIST=“revocation_list" >>> >>> $ cat certs/revocation_list >>> "tbs:1e125ea4f38acb7b29b0c495fd8e7602c2c3353b913811a9da3a2fb505c08a32” >>> >>> make[1]: *** No rule to make target 'revocation_list', needed by 'certs/blacklist_hashes_checked'. Stop. >> >> It requires an absolute path. > > Ok, if I use an absolute path now with CONFIG_SYSTEM_BLACKLIST_HASH_LIST > it works. > >> This is to align with other variables >> using the config_filename macro: CONFIG_SYSTEM_TRUSTED_KEYS, >> CONFIG_MODULE_SIG_KEY and now CONFIG_SYSTEM_REVOCATION_KEYS. > > I just did a quick test with CONFIG_SYSTEM_TRUSTED_KEYS. It looks like we > can use either a relative or absolute path with CONFIG_SYSTEM_TRUSTED_KEYS. > Shouldn’t this be consistent? CONFIG_SYSTEM_TRUSTED_KEYS (and similar config) works with relative path to $(srctree) not $(srctree)/certs as in your example. We can make CONFIG_SYSTEM_BLACKLIST_HASH_LIST works with $(srctree) with this patch: diff --git a/certs/Makefile b/certs/Makefile index eb45407ff282..92a233eaa926 100644 --- a/certs/Makefile +++ b/certs/Makefile @@ -14,6 +14,8 @@ $(eval $(call config_filename,SYSTEM_BLACKLIST_HASH_LIST)) $(obj)/blacklist_hashes.o: $(obj)/blacklist_hashes_checked +CFLAGS_blacklist_hashes.o += -I$(srctree) + targets += blacklist_hashes_checked > >> Cf. https://lore.kernel.org/lkml/1221725.1607515111@warthog.procyon.org.uk/ >> >> We may want to patch scripts/kconfig/streamline_config.pl for both >> CONFIG_SYSTEM_REVOCATION_KEYS and CONFIG_SYSTEM_BLACKLIST_HASH_LIST, to >> warn user (and exit with an error) if such files are not found. >