Subject: Re: [BUG] blacklist: Problem blacklisting hash (-13) during boot
Date: Fri, 4 Nov 2022 18:03:53 +0100
From: Mickaël Salaün
To: Thomas Weißschuh, Jarkko Sakkinen, David Howells, David Woodhouse, keyrings@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, Mark Pearson, keyrings@vger.kernel.org, linux-security-module, "linux-integrity@vger.kernel.org"

Hi,

Thanks for this report. These error messages seem correct but I don't see any legitimate reason for the firmware to store duplicate blacklisted hashes. According to the blacklist_init() function, the "blacklisting failed" message could be improved to explain that only a set of hashes failed, and why they failed. However, despite this message, this should work as expected and should not generate any issue.

Did you contact Lenovo to report this issue (i.e. duplicate hashes in their firmware)?

Could you please provide the list of duplicate hashes?

Regards,
 Mickaël

On 15/10/2022 05:16, Thomas Weißschuh wrote:
> Hi,
>
> Since 5.19 during boot I see lots of the following entries in dmesg:
>
> blacklist: Problem blacklisting hash (-13)
>
> This happens because the firmware contains duplicate blacklist entries.
> As commit 6364d106e041 [0] modified the "blacklist" keyring to reject updates
> this now leads to the spurious error messages.
>
> The machine is a Thinkpad X1 Carbon Gen9 with BIOS revision 1.56 and firmware
> revision 1.33.
>
> [0] 6364d106e041 ("certs: Allow root user to append signed hashes to the blacklist keyring")
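
Added example, not part of the original thread and not code from the kernel or from either author: one way to produce the requested list of duplicate hashes, assuming the duplicates are SHA-256 entries in the UEFI `dbx` variable, which is stored as a run of `EFI_SIGNATURE_LIST` structures. The efivarfs path, the function names and the sample bytes are assumptions or constructed for illustration.

```python
import struct
import sys
import uuid
from collections import Counter

EFI_CERT_SHA256 = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")  # UEFI spec GUID
# Assumed source of the duplicates: the dbx variable as exposed by efivarfs.
DBX_PATH = "/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f"

def iter_sha256_entries(blob):
    """Yield every SHA-256 digest in a run of EFI_SIGNATURE_LIST structures."""
    off = 0
    while off + 28 <= len(blob):
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 or off + list_size > len(blob):
            raise ValueError(f"corrupt EFI_SIGNATURE_LIST at offset {off}")
        pos, end = off + 28 + hdr_size, off + list_size
        if sig_type == EFI_CERT_SHA256 and sig_size == 48:
            while pos + sig_size <= end:
                yield blob[pos + 16:pos + 48]  # skip the 16-byte SignatureOwner GUID
                pos += sig_size
        off = end  # other signature types (X.509, TBS hashes) are skipped

def duplicate_hashes(blob):
    """Map hex digest -> occurrence count, for digests listed more than once."""
    counts = Counter(iter_sha256_entries(blob))
    return {h.hex(): n for h, n in counts.items() if n > 1}

def read_efivar(path=DBX_PATH):
    with open(path, "rb") as f:
        return f.read()[4:]  # efivarfs prepends a 4-byte attributes field

def sample_list(digests):
    """Build one SHA-256 EFI_SIGNATURE_LIST (constructed test data)."""
    body = b"".join(bytes(16) + d for d in digests)
    return EFI_CERT_SHA256.bytes_le + struct.pack("<III", 28 + len(body), 0, 48) + body

# Constructed sample: digest aa.. appears in two lists, bb.. once.
SAMPLE_DBX = sample_list([b"\xaa" * 32, b"\xbb" * 32]) + sample_list([b"\xaa" * 32])

if __name__ == "__main__":
    blob = read_efivar(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_DBX
    for digest, count in sorted(duplicate_hashes(blob).items()):
        print(f"{count}x {digest}")
```

Run without arguments it reports the duplicate in the constructed sample; given an efivarfs file path as its argument it reports duplicates in that variable instead.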