Received: by 2002:a05:6a10:9848:0:0:0:0 with SMTP id x8csp304162pxf; Thu, 25 Mar 2021 04:39:35 -0700 (PDT) X-Google-Smtp-Source: ABdhPJydJHHJ174QHxBKcEsm0Zgabm3dW1FWx+PdSS1HqAPIZ8ny4j85LWSU8vz+Gah1IYFxRbQv X-Received: by 2002:a17:907:d1f:: with SMTP id gn31mr8788233ejc.536.1616672374867; Thu, 25 Mar 2021 04:39:34 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1616672374; cv=none; d=google.com; s=arc-20160816; b=KdWkefLO4ceaA9tMy1P5XgxTZoWRd8IF5NW2WCScUAvPR9w9DJA/XduBYSo6qnmvDT 9W5OIFTua7z5rjBPpt8b7GOHPR+H6YfgP5sIHEc8gUINs2Mlvw5/i46JMYCNndztkr1T sXzd38mHOqDZwneIkao2WHdy5DEoSZIEl6TkJxyDCNV7hY1Z0WkcY7SKMnpLtYLNGCxE gTX6+gt4TeBTPaXnjJP9uPlAcGhmWEX4UyjiohIqux3zQjia1SyIPfC9K50StEJsHYwB AJ0h9hiPhGiE20B/f9xQNGBuSB1j7aBdcCy5M3CftrF/r+eUQvAV9Z26Fr7gT/1TBNQ6 EA1g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:content-language :in-reply-to:mime-version:user-agent:date:message-id:from:references :cc:to:subject; bh=ICd+WauFvGzIaSsMNbqq3QTPzjbob2V7zbW83VZLOnI=; b=Qxehy1CghotvugL+atV646j9y8jkexluv3JkvbgKXtZ8Coz8o7N4sSy6hkIfHZt7WA hk/lRMX+RRqUKCM9zkoW3YIz5TMMi5MVy3ZZX6MB2EDaCHk0QAuTB+pyzd6lk7apPfMX 6O+6l4MDbjKsQUSoFJhd1o3g2776igoHTsFZnUJgLzVrGNJYKnVmUCViMGCgswjaW2lW wemOMbjIC1TzuANncQYBH6YfRr4ZMQGS4s43m30d5miYmIvhEg7O/Biw2jgEqyiymHod qHxqrHYsrWF8dqh1kUt4sL9YmSNrBTmFNukE8rVxuw24Fg0xBzEMFWAxQeX/gBXczkj5 HUhw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id p10si3901377edm.261.2021.03.25.04.39.02; Thu, 25 Mar 2021 04:39:34 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230347AbhCYLiQ (ORCPT + 99 others); Thu, 25 Mar 2021 07:38:16 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:41368 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231165AbhCYLfd (ORCPT ); Thu, 25 Mar 2021 07:35:33 -0400 Received: from smtp-8fa8.mail.infomaniak.ch (smtp-8fa8.mail.infomaniak.ch [IPv6:2001:1600:4:17::8fa8]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 700FAC0613DF for ; Thu, 25 Mar 2021 04:35:29 -0700 (PDT) Received: from smtp-3-0001.mail.infomaniak.ch (unknown [10.4.36.108]) by smtp-3-3000.mail.infomaniak.ch (Postfix) with ESMTPS id 4F5jhb2yFfzMq3tQ; Thu, 25 Mar 2021 12:35:27 +0100 (CET) Received: from ns3096276.ip-94-23-54.eu (unknown [23.97.221.149]) by smtp-3-0001.mail.infomaniak.ch (Postfix) with ESMTPA id 4F5jhW3mRTzlh8V1; Thu, 25 Mar 2021 12:35:23 +0100 (CET) Subject: Re: [PATCH v7 0/5] Enable root to update the blacklist keyring To: David Howells , David Woodhouse , Jarkko Sakkinen Cc: "David S . Miller" , Eric Snowberg , Herbert Xu , James Morris , =?UTF-8?Q?Micka=c3=abl_Sala=c3=bcn?= , Mimi Zohar , "Serge E . Hallyn" , Tyler Hicks , keyrings@vger.kernel.org, linux-crypto@vger.kernel.org, linux-integrity@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org References: <20210312171232.2681989-1-mic@digikod.net> From: =?UTF-8?Q?Micka=c3=abl_Sala=c3=bcn?= Message-ID: <44ea1b45-1eca-89b2-34b5-e282f543cb99@digikod.net> Date: Thu, 25 Mar 2021 12:36:04 +0100 User-Agent: MIME-Version: 1.0 In-Reply-To: <20210312171232.2681989-1-mic@digikod.net> Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org Hi David, What is the status of this patchset? Could you please push it to -next? Regards, Mickaël On 12/03/2021 18:12, Mickaël Salaün wrote: > This new patch series is a rebase on David Howells's and Eric Snowberg's > keys-cve-2020-26541-v3. > > I successfully tested this patch series with the 186 entries from > https://uefi.org/sites/default/files/resources/dbxupdate_x64.bin (184 > binary hashes and 2 certificates). > > The goal of these patches is to add a new configuration option to enable the > root user to load signed keys in the blacklist keyring. This keyring is useful > to "untrust" certificates or files. Enabling to safely update this keyring > without recompiling the kernel makes it more usable. > > This can be applied on top of David Howells's keys-cve-2020-26541-branch: > https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/log/?h=keys-cve-2020-26541-branch > > Previous patch series: > https://lore.kernel.org/lkml/20210210120410.471693-1-mic@digikod.net/ > > Regards, > > Mickaël Salaün (5): > tools/certs: Add print-cert-tbs-hash.sh > certs: Check that builtin blacklist hashes are valid > certs: Make blacklist_vet_description() more strict > certs: Factor out the blacklist hash creation > certs: Allow root user to append signed hashes to the blacklist > keyring > > MAINTAINERS | 2 + > certs/.gitignore | 1 + > certs/Kconfig | 17 +- > certs/Makefile | 17 +- > certs/blacklist.c | 218 ++++++++++++++---- > crypto/asymmetric_keys/x509_public_key.c | 3 +- > include/keys/system_keyring.h | 14 +- > scripts/check-blacklist-hashes.awk | 37 +++ > .../platform_certs/keyring_handler.c | 26 +-- > tools/certs/print-cert-tbs-hash.sh | 91 ++++++++ > 10 files changed, 346 insertions(+), 80 deletions(-) > create mode 100755 scripts/check-blacklist-hashes.awk > create mode 100755 tools/certs/print-cert-tbs-hash.sh > > > base-commit: ebd9c2ae369a45bdd9f8615484db09be58fc242b >