Received: by 2002:a05:6358:d09b:b0:dc:cd0c:909e with SMTP id jc27csp4549886rwb; Tue, 8 Nov 2022 19:37:41 -0800 (PST) X-Google-Smtp-Source: AMsMyM5EHy3eiuDC5NddMOjiz8cL2awSE1QVJzPi3bqJMxI4Ru7+pKy9Fmv8tOnEo4FpRpaoZOmW X-Received: by 2002:a17:90b:152:b0:213:dfd6:3e5e with SMTP id em18-20020a17090b015200b00213dfd63e5emr50054303pjb.229.1667965060947; Tue, 08 Nov 2022 19:37:40 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1667965060; cv=none; d=google.com; s=arc-20160816; b=VibTzSyt3ChtodPLN5a/6120Kf8Noh93AHl7JZ0Ma0pd72fTgqj+BRoowCIX0xI/yI EvdxeiucZcY7va9qgVGSW3hP0PIg/yZ2R2hDwZZKnYyHrnGPZ2yno0nDxEIFQWvMqf2D mGqwOLI4po3zqWvU2sKVpUWQYX5wUXaUJ+67hLHntUA/Wo4JJNrWNKngvhv96XpFPhnL 3qwXIVscuIe2QPSaf055lUoVo5xRSQyCetACRkaL79ygT4Bm948Qsajd1kT9qSHDjmq5 GoKNvBQZcSgP5HPZIp4PF5lU0ZIUzZS2XjnLcF1zrbrJfBH15/jT2vOuVopkOCiWSk8q 8gGQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :message-id:date:subject:cc:to:dkim-signature:from; bh=F+kD6EDtQlBlJQFLQ1uYfnmN5P1O0hgnOlmcx5MQYPA=; b=qYhihoFsTOqR5wOwsvhhH2iO/uGfEmPea74Ne7Br8+aSE5yFtTbSvRQyRyx++QZxRh JUTJEZbPBGcCo/JYkq4w/Bfnw909Zt6MvQwFO2OxAEb5r5GnaHJW/4qJW/mUsH8VRPEO I2xEcpbpxQbj3RB178FDhfUFhFjLpcW66rpStIBxuHylC0RS7Tv1nFwZoq/azyFCxSaq yZ7p5tIkqHsqS7VG1XnpKjM4xLWpg1eSINpbAT/huFT8pPjgF/KOX1I2pdsewvotCOK4 7YyxbJJJtAMs5WBBzllQyqzNRtq+oIle24WP1BUkbmHBbYg9fjU4oSRAiZyKprmiVuoU Mj/A== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@weissschuh.net header.s=mail header.b=ak7T7+oR; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id t135-20020a635f8d000000b0046f3dfb97a5si15229936pgb.660.2022.11.08.19.37.28; Tue, 08 Nov 2022 19:37:40 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=fail header.i=@weissschuh.net header.s=mail header.b=ak7T7+oR; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230093AbiKICun (ORCPT + 93 others); Tue, 8 Nov 2022 21:50:43 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:41812 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229867AbiKICuf (ORCPT ); Tue, 8 Nov 2022 21:50:35 -0500 Received: from todd.t-8ch.de (todd.t-8ch.de [159.69.126.157]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 1B62F1F9DD; Tue, 8 Nov 2022 18:50:34 -0800 (PST) From: =?UTF-8?q?Thomas=20Wei=C3=9Fschuh?= DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=weissschuh.net; s=mail; t=1667962230; bh=sRBb1yoX5FkhrIkmhhnkMlMgMwZoHsWyWpPUUDhCe1A=; h=From:To:Cc:Subject:Date:From; b=ak7T7+oRpA3erDu1wQ3UgJ9+njLjl0ooywpMrO9E2TQReGV77M6io1GeUyqJ5PjKz KsFSLoEJBCcoKbzoaBQj2DZUdon7iKxJ3a1ecUWBtEl0Q8VwU1zB2MUSQh3oib1U4I Be939Vqs0G3jizW1V4dcRC4kcVxgKCxzow/spxBs= To: =?UTF-8?q?Micka=C3=ABl=20Sala=C3=BCn?= , David Howells , David Woodhouse , Jarkko Sakkinen , Eric Snowberg Cc: =?UTF-8?q?Thomas=20Wei=C3=9Fschuh?= , keyrings@vger.kernel.org, linux-kernel@vger.kernel.org, Mark Pearson , linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org Subject: [PATCH v2 0/3] certs: Prevent spurious errors on repeated blacklisting Date: Wed, 9 Nov 2022 03:50:16 +0100 Message-Id: <20221109025019.1855-1-linux@weissschuh.net> X-Mailer: git-send-email 2.38.1 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 X-Developer-Signature: v=1; a=ed25519-sha256; t=1667962214; l=1370; s=20211113; h=from:subject; bh=sRBb1yoX5FkhrIkmhhnkMlMgMwZoHsWyWpPUUDhCe1A=; b=/FQehqL8oo8cDEvahT+bddamTe3EHhG1k4Xm2iu/e0fdzh+kZ3cQJr+iQWeiWRrEF0sxCWqO/6Z7 0noAI3i7CYaMUGKPSch6B469ssLVsPrwFF2X98m1zrCHluYkpWDD X-Developer-Key: i=linux@weissschuh.net; a=ed25519; pk=9LP6KM4vD/8CwHW7nouRBhWLyQLcK1MkP6aTZbzUlj4= Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org When the blacklist keyring was changed to allow updates from the root user it gained an ->update() function that disallows all updates. When the a hash is blacklisted multiple times from the builtin or firmware-provided blacklist this spams prominent logs during boot: [ 0.890814] blacklist: Problem blacklisting hash (-13) This affects the firmware of various vendors. Reported have been at least: * Samsung: https://askubuntu.com/questions/1436856/ * Acer: https://ubuntuforums.org/showthread.php?t=2478840 * MSI: https://forum.archlabslinux.com/t/blacklist-problem-blacklisting-hash-13-errors-on-boot/6674/7 * Micro-Star: https://bbs.archlinux.org/viewtopic.php?id=278860 This series is an extension of the following single patch: https://lore.kernel.org/all/20221104014704.3469-1-linux@weissschuh.net/ Only the first patch has been marked for stable as otherwise the whole of key_create() would need to be applied to stable. Thomas Weißschuh (3): certs: log more information on blacklist error KEYS: Add key_create() certs: don't try to update blacklist keys certs/blacklist.c | 23 ++++--- include/linux/key.h | 8 +++ security/keys/key.c | 149 +++++++++++++++++++++++++++++++++----------- 3 files changed, 133 insertions(+), 47 deletions(-) base-commit: f141df371335645ce29a87d9683a3f79fba7fd67 -- 2.38.1