Date: Fri, 20 Jan 2023 21:10:33 +0000
From: Jarkko Sakkinen
To: Thomas Weißschuh
Cc: David Howells, David Woodhouse, Paul Moore, James Morris, "Serge E. Hallyn", Mickaël Salaün, keyrings@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, Paul Menzel, Mark Pearson
Subject: Re: [PATCH RESEND v6 0/3] certs: Prevent spurious errors on repeated blacklisting
In-Reply-To: <20221212-keys-blacklist-v6-0-933267a80582@weissschuh.net>

On Mon, Jan 09, 2023 at 11:59:41PM +0000, Thomas Weißschuh wrote:
> When the blacklist keyring was changed to allow updates from the root
> user it gained an ->update() function that disallows all updates.
> When a hash is blacklisted multiple times from the builtin or
> firmware-provided blacklist this spams prominent logs during boot:
>
> [ 0.890814] blacklist: Problem blacklisting hash (-13)
>
> This affects the firmware of various vendors.
> Reported have been at least:
> * Samsung: https://askubuntu.com/questions/1436856/
> * Acer: https://ubuntuforums.org/showthread.php?t=2478840
> * MSI: https://forum.archlabslinux.com/t/blacklist-problem-blacklisting-hash-13-errors-on-boot/6674/7
> * Micro-Star: https://bbs.archlinux.org/viewtopic.php?id=278860
> * Lenovo: https://lore.kernel.org/lkml/c8c65713-5cda-43ad-8018-20f2e32e4432@t-8ch.de/
>
> Note: In the meantime I lost access to the machine exhibiting the
> problematic behavior. If larger changes are required to this series
> somebody else would have to validate them or take over the series.
>
> Changelog:
>
> v1: https://lore.kernel.org/all/20221104014704.3469-1-linux@weissschuh.net/
> v1 -> v2:
> * Improve logging message to include the failed hash
> * Add key_create() function without update semantics
> * Use key_create() from mark_raw_hash_blacklisted() and log specific message
>   on -EEXIST
>
> v2: https://lore.kernel.org/lkml/20221109025019.1855-1-linux@weissschuh.net/
> v2 -> v3:
> * Clarify commit titles and messages
> * Drop the change to BLACKLIST_KEY_PERM from patch 3, as it was an artifact
>   of some obsolete version of the patch and not needed
>
> v3: https://lore.kernel.org/lkml/20221118040343.2958-1-linux@weissschuh.net/
> v3 -> v4:
> * Drop Fixes-tag from first patch
> * Flesh out commit descriptions and messages
>
> v4: https://lore.kernel.org/r/20221212-keys-blacklist-v4-0-00afeb3137fb@weissschuh.net
> v4 -> v5:
> * Reduce lines needed by function calls in key.c
> * Add Reviewed-by from Jarkko
>
> v5: https://lore.kernel.org/r/20221212-keys-blacklist-v5-0-52e9eb5a8827@weissschuh.net
> v5 -> v6:
> * Correct Jarkko's email in Reviewed-by tags
> * Resend to hopefully reach @kernel.org recipients
>
> Thomas Weißschuh (3):
>   certs: log hash value on blacklist error
>   KEYS: Add key_create()
>   certs: don't try to update blacklist keys
>
>  certs/blacklist.c   |  21 ++++---
>  include/linux/key.h |   8 +++
>  security/keys/key.c | 149 +++++++++++++++++++++++++++++++++++++-----------
>  3 files changed, 132 insertions(+), 46 deletions(-)
>
> --
> 2.38.1
>
> To: David Howells
> To: David Woodhouse
> To: Jarkko Sakkinen
> To: Paul Moore
> To: James Morris
> To: "Serge E. Hallyn"
> To: "Mickaël Salaün"
> Cc: keyrings@vger.kernel.org
> Cc: linux-kernel@vger.kernel.org
> Cc: linux-security-module@vger.kernel.org
> Cc: Paul Menzel
> Signed-off-by: Thomas Weißschuh
> Cc: Mark Pearson
>
> ---
> Thomas Weißschuh (3):
>   certs: make blacklisted hash available in klog
>   KEYS: Add new function key_create()
>   certs: don't try to update blacklist keys
>
>  certs/blacklist.c   |  21 ++++----
>  include/linux/key.h |   8 +++
>  security/keys/key.c | 137 ++++++++++++++++++++++++++++++++++++++--------------
>  3 files changed, 120 insertions(+), 46 deletions(-)
> ---
> base-commit: 512dee0c00ad9e9c7ae9f11fc6743702ea40caff
> change-id: 20221212-keys-blacklist-2c79a64667c9
>
> Best regards,
> --
> Thomas Weißschuh

Hi,

I've applied and pushed this now. Thank you.

BR, Jarkko
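A small model of the failure mode the cover letter describes, added here as an illustration and not taken from the series or the kernel: a create-or-update path that trips the blacklist keyring's update-refusing ->update() on every repeated hash, beside a create-only path that reports the duplicate as -EEXIST so the caller can log it as benign. The keyring, the descriptor strings and the "already blacklisted" wording are constructed for the example.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define MAX_KEYS 16
struct keyring { const char *desc[MAX_KEYS]; int n; };  /* toy keyring, not the kernel's */
static int find_key(const struct keyring *kr, const char *desc)
{
	for (int i = 0; i < kr->n; i++)
		if (strcmp(kr->desc[i], desc) == 0)
			return i;
	return -1;
}
static int add_key(struct keyring *kr, const char *desc)
{
	if (kr->n >= MAX_KEYS)
		return -ENOMEM;
	kr->desc[kr->n++] = desc;
	return 0;
}
/* Old path: create-or-update. The blacklist keyring's ->update() refuses every
 * update, so a hash seen a second time fails with -EACCES (-13 on Linux). */
int key_create_or_update_model(struct keyring *kr, const char *desc)
{
	return find_key(kr, desc) >= 0 ? -EACCES : add_key(kr, desc);
}
/* New path (create-only, like the series' key_create()): a duplicate is -EEXIST. */
int key_create_model(struct keyring *kr, const char *desc)
{
	return find_key(kr, desc) >= 0 ? -EEXIST : add_key(kr, desc);
}
/* Load a constructed firmware blacklist containing repeated hashes and return how
 * many spurious "Problem blacklisting hash" errors were logged along the way. */
int load_blacklist_model(int create_only)
{
	static const char *fw[] = { "tbs:aa11", "bin:bb22", "tbs:aa11", "bin:cc33", "bin:bb22" };
	struct keyring kr = { 0 };
	int spurious = 0;
	for (size_t i = 0; i < sizeof(fw) / sizeof(fw[0]); i++) {
		int ret = create_only ? key_create_model(&kr, fw[i]) : key_create_or_update_model(&kr, fw[i]);
		if (ret == -EEXIST)
			printf("blacklist: hash %s already blacklisted\n", fw[i]);  /* benign, not an error */
		else if (ret < 0) {
			printf("blacklist: Problem blacklisting hash %s (%d)\n", fw[i], ret);
			spurious++;
		}
	}
	return spurious;
}
```

With the sample list, the create-or-update path logs one spurious -13 error per repeated hash, while the create-only path logs none.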