From: Thomas Weißschuh
Date: Mon, 09 Jan 2023 23:59:43 +0000
Subject: [PATCH RESEND v6 3/3] certs: don't try to update blacklist keys
Message-Id: <20221212-keys-blacklist-v6-3-933267a80582@weissschuh.net>
References: <20221212-keys-blacklist-v6-0-933267a80582@weissschuh.net>
In-Reply-To: <20221212-keys-blacklist-v6-0-933267a80582@weissschuh.net>
To: David Howells, David Woodhouse, Jarkko Sakkinen, Paul Moore, James Morris, "Serge E. Hallyn", Mickaël Salaün
Cc: keyrings@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, Paul Menzel, Mark Pearson, Thomas Weißschuh
X-Mailing-List: linux-kernel@vger.kernel.org

When the same key is blacklisted repeatedly, logging at pr_err() level is excessive as no
functionality is impaired. When these duplicates are provided by buggy firmware there is nothing the user can do to fix the situation. Instead of spamming the bootlog with errors we use a warning that can still be seen by OEMs when testing their firmware. Link: https://lore.kernel.org/all/c8c65713-5cda-43ad-8018-20f2e32e4432@t-8ch.de/ Link: https://lore.kernel.org/all/20221104014704.3469-1-linux@weissschuh.net/ Signed-off-by: Thomas Weißschuh Tested-by: Paul Menzel Reviewed-by: Jarkko Sakkinen --- certs/blacklist.c | 21 ++++++++++++--------- 1 file changed, 12 insertions(+), 9 deletions(-) diff --git a/certs/blacklist.c b/certs/blacklist.c index 6e260c4b6a19..675dd7a8f07a 100644 --- a/certs/blacklist.c +++ b/certs/blacklist.c @@ -183,16 +183,19 @@ static int mark_raw_hash_blacklisted(const char *hash) { key_ref_t key; - key = key_create_or_update(make_key_ref(blacklist_keyring, true), - "blacklist", - hash, - NULL, - 0, - BLACKLIST_KEY_PERM, - KEY_ALLOC_NOT_IN_QUOTA | - KEY_ALLOC_BUILT_IN); + key = key_create(make_key_ref(blacklist_keyring, true), + "blacklist", + hash, + NULL, + 0, + BLACKLIST_KEY_PERM, + KEY_ALLOC_NOT_IN_QUOTA | + KEY_ALLOC_BUILT_IN); if (IS_ERR(key)) { - pr_err("Problem blacklisting hash %s: %pe\n", hash, key); + if (PTR_ERR(key) == -EEXIST) + pr_warn("Duplicate blacklisted hash %s\n", hash); + else + pr_err("Problem blacklisting hash %s: %pe\n", hash, key); return PTR_ERR(key); } return 0; -- 2.39.0
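
Review bot: In the IS_ERR(key) block of mark_raw_hash_blacklisted(), the new -EEXIST branch only lowers the log level to pr_warn(); control still reaches `return PTR_ERR(key);`, so the function keeps returning -EEXIST for a duplicate that the commit message describes as impairing no functionality. Either return 0 in the duplicate case, or confirm that every caller treats -EEXIST as non-fatal and does not log its own error on a negative return, otherwise the boot log can still carry an error for the same duplicate. A smaller point: the message body explains only the log-level change, while the hunk also replaces key_create_or_update() with key_create(); one sentence on why the update path is dropped (the subject's "don't try to update") would make the -EEXIST check self-explanatory to someone reading this commit on its own.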