Received: by 2002:a05:6358:16cd:b0:dc:6189:e246 with SMTP id r13csp1331690rwl; Fri, 4 Nov 2022 12:36:02 -0700 (PDT) X-Google-Smtp-Source: AMsMyM4Gao1a+k+R5rjzTIANnZhHBNBTkULqOOp02UptCstl2ZrZRY8N8843nKhas7nrjsIS17T2 X-Received: by 2002:a05:6a00:3699:b0:56c:80f6:bee with SMTP id dw25-20020a056a00369900b0056c80f60beemr37901399pfb.13.1667590562514; Fri, 04 Nov 2022 12:36:02 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1667590562; cv=none; d=google.com; s=arc-20160816; b=dNaZ7+bGzO0mGNFcmoqL94Ugfu3bU6g8TastszE5Q79fjKhtnjq0TsAgeiTsCzp0io pgDMfphIeelnsMehNezxmfG+u8DnEVqJvI8pDPcPIT2adnw6t+onqd4A6CTIjmFqWk9k TnZH0pl8WVqbsau0xDbVAryM3A216GBhp8J4ao1j7jj+juCsEbIAjvt15YFciz7dtIBg ZKvtvPkIXWa1+bueQ4UZ8o1fXOxZs3bOs+/C5gvXB6SgE4zswyZZaaTGcSlJdP9o6w7N QjbJb1sdVXIUrNmzpek6l9O7viDIUW8D5HaM4yXBFLCg9tBIMwUfRtRfA9BS86jOz8+e DIdQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:jabber-id:in-reply-to:content-transfer-encoding :content-disposition:mime-version:references:message-id:subject:cc :to:from:dkim-signature:date; bh=G3NZjvQQr6uRr/W77P76dp5occrLHdqJSyeu1esQKYM=; b=Hkgz1CwGKM82CmRocRUHjZfhq11sJPSCInFHiBYCJ39J+Hjy6XYZfJBiZPOfpHM0Kg kf8yVN5IFui9rg2E+ftqT2MqYz6rYNk3n+Pc3Z6cvIaZrakEo9D9lkRxf+xKICT0j2UW l09El9lgN++aBR1ZIjH0wR5+Uh1whvRbP3BNGZ6LWqydhpsGjHL1luotMtjyBpGYdyll wWu1OI55a/4F8dIY5rIYC/1XzVEMyn8D8xArUKelF8aRfzWavw4b5u3e0ui+BdmF4XwY Qzmhx/BtXuUuUe+HVws9mUhof8BrlsRX/9zsKolfQUG25yQxKRU2XhXYr+iMJULPVan1 NpRA== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@t-8ch.de header.s=mail header.b=RliUcthL; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id ix10-20020a170902f80a00b0017f829330e3si334654plb.70.2022.11.04.12.35.49; Fri, 04 Nov 2022 12:36:02 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=fail header.i=@t-8ch.de header.s=mail header.b=RliUcthL; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229783AbiKDTLt (ORCPT + 97 others); Fri, 4 Nov 2022 15:11:49 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:49132 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229748AbiKDTLo (ORCPT ); Fri, 4 Nov 2022 15:11:44 -0400 Received: from todd.t-8ch.de (todd.t-8ch.de [159.69.126.157]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 66BB569DC8; Fri, 4 Nov 2022 12:11:41 -0700 (PDT) Date: Fri, 4 Nov 2022 20:11:33 +0100 DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=t-8ch.de; s=mail; t=1667589096; bh=mmhBi7QB7LltXTiDiPTvIZiQKPGsrakjKVHkFQwHxR8=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=RliUcthLTL78oYdnbv6cGpfbEI9Ctu78m6xqETt0VvL6oyYBSajt/HJ8Mt88J5BDf sq1o5hYgXh9ek5gwC9YSiqasvHu/2LUT4bfmFtSsARlNC4yB0QyCProJbtQ4X+Q2V8 tFMBlND0nUzObQbJFrcuFH3v3XA4L8y7IXH1kr8I= From: Thomas =?utf-8?Q?Wei=C3=9Fschuh?= To: =?utf-8?Q?Micka=C3=ABl_Sala=C3=BCn?= Cc: Jarkko Sakkinen , David Howells , David Woodhouse , keyrings@vger.kernel.org, linux-kernel@vger.kernel.org, Mark Pearson , linux-security-module , "linux-integrity@vger.kernel.org" Subject: Re: [BUG] blacklist: Problem blacklisting hash (-13) during boot Message-ID: <632d2180-02f8-4a5f-803a-57a6443a60f4@t-8ch.de> References: MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: Jabber-ID: thomas@t-8ch.de X-Accept: text/plain, text/html;q=0.2, text/*;q=0.1 X-Accept-Language: en-us, en;q=0.8, de-de;q=0.7, de;q=0.6 X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi Mickaël, On 2022-11-04 18:03+0100, Mickaël Salaün wrote: > Thanks for this report. These error messages seem correct but I don't see > any legitimate reason for the firmware to store duplicate blacklisted > hashes. > > According to the blacklist_init() function, the "blacklisting failed" > message could be improved to explain that only a set of hashes failed, and > why they failed. However, despite this message, this should work as expected > and should not generate any issue. > > Did you contact Lenovo to report this issue (i.e. duplicate hashes in their > firmware)? I CCed Mark Person from Lenovo on this mail, nothing more for now. There seem to more devices than just from Lenovo to be affected: * Samsung: https://askubuntu.com/questions/1436856/ * Acer: https://ubuntuforums.org/showthread.php?t=2478840 * MSI: https://forum.archlabslinux.com/t/blacklist-problem-blacklisting-hash-13-errors-on-boot/6674/7 * Micro-Star: https://bbs.archlinux.org/viewtopic.php?id=278860 While there are reports that it helps to reset the blacklist in firmware this doesn't seem like a general solution for endusers. FYI I also posted a patch that silences the spurious logs: https://lore.kernel.org/lkml/20221104014704.3469-1-linux@weissschuh.net/ > Could you please provide the list of duplicate hashes? bin:80b4d96931bf0d02fd91a61e19d14f1da452e66db2408ca8604d411f92659f0a bin:f52f83a3fa9cfbd6920f722824dbe4034534d25b8507246b3b957dac6e1bce7a bin:c5d9d8a186e2c82d09afaa2a6f7f2e73870d3e64f72c4e08ef67796a840f0fbd bin:1aec84b84b6c65a51220a9be7181965230210d62d6d33c48999c6b295a2b0a06 bin:c3a99a460da464a057c3586d83cef5f4ae08b7103979ed8932742df0ed530c66 bin:58fb941aef95a25943b3fb5f2510a0df3fe44c58c95e0ab80487297568ab9771 bin:5391c3a2fb112102a6aa1edc25ae77e19f5d6f09cd09eeb2509922bfcd5992ea bin:d626157e1d6a718bc124ab8da27cbb65072ca03a7b6b257dbdcbbd60f65ef3d1 bin:d063ec28f67eba53f1642dbf7dff33c6a32add869f6013fe162e2c32f1cbe56d bin:29c6eb52b43c3aa18b2cd8ed6ea8607cef3cfae1bafe1165755cf2e614844a44 bin:90fbe70e69d633408d3e170c6832dbb2d209e0272527dfb63d49d29572a6f44c bin:106faceacfecfd4e303b74f480a08098e2d0802b936f8ec774ce21f31686689c bin:174e3a0b5b43c6a607bbd3404f05341e3dcf396267ce94f8b50e2e23a9da920c bin:2b99cf26422e92fe365fbf4bc30d27086c9ee14b7a6fff44fb2f6b9001699939 bin:2e70916786a6f773511fa7181fab0f1d70b557c6322ea923b2a8d3b92b51af7d bin:3fce9b9fdf3ef09d5452b0f95ee481c2b7f06d743a737971558e70136ace3e73 bin:47cc086127e2069a86e03a6bef2cd410f8c55a6d6bdb362168c31b2ce32a5adf bin:71f2906fd222497e54a34662ab2497fcc81020770ff51368e9e3d9bfcbfd6375 bin:82db3bceb4f60843ce9d97c3d187cd9b5941cd3de8100e586f2bda5637575f67 bin:8ad64859f195b5f58dafaa940b6a6167acd67a886e8f469364177221c55945b9 bin:8d8ea289cfe70a1c07ab7365cb28ee51edd33cf2506de888fbadd60ebf80481c bin:aeebae3151271273ed95aa2e671139ed31a98567303a332298f83709a9d55aa1 bin:c409bdac4775add8db92aa22b5b718fb8c94a1462c1fe9a416b95d8a3388c2fc bin:c617c1a8b1ee2a811c28b5a81b4c83d7c98b5b0c27281d610207ebe692c2967f bin:c90f336617b8e7f983975413c997f10b73eb267fd8a10cb9e3bdbfc667abdb8b bin:64575bd912789a2e14ad56f6341f52af6bf80cf94400785975e9f04e2d64d745 bin:45c7c8ae750acfbb48fc37527d6412dd644daed8913ccd8a24c94d856967df8e bin:47ff1b63b140b6fc04ed79131331e651da5b2e2f170f5daef4153dc2fbc532b1 bin:5391c3a2fb112102a6aa1edc25ae77e19f5d6f09cd09eeb2509922bfcd5992ea bin:80b4d96931bf0d02fd91a61e19d14f1da452e66db2408ca8604d411f92659f0a bin:992d359aa7a5f789d268b94c11b9485a6b1ce64362b0edb4441ccc187c39647b bin:c452ab846073df5ace25cca64d6b7a09d906308a1a65eb5240e3c4ebcaa9cc0c bin:e051b788ecbaeda53046c70e6af6058f95222c046157b8c4c1b9c2cfc65f46e5 Thanks, Thomas > On 15/10/2022 05:16, Thomas Weißschuh wrote: > > Hi, > > > > Since 5.19 during boot I see lots of the following entries in dmesg: > > > > blacklist: Problem blacklisting hash (-13) > > > > This happens because the firmware contains duplicate blacklist entries. > > As commit 6364d106e041 [0] modified the "blacklist" keyring to reject updates > > this now leads to the spurious error messages. > > > > The machine is a Thinkpad X1 Cargon Gen9 with BIOS revision 1.56 and firmware > > revision 1.33. > > > > [0] 6364d106e041 ("certs: Allow root user to append signed hashes to the blacklist keyring")