
cert: Add kconfig dependency for validate_trust

Message ID 20210217165058.1336155-1-eric.snowberg@oracle.com (mailing list archive)
State New

Commit Message

Eric Snowberg Feb. 17, 2021, 4:50 p.m. UTC
The kernel test robot reports when building with Kconfig
CONFIG_INTEGRITY_PLATFORM_KEYRING defined and 
CONFIG_SYSTEM_DATA_VERIFICATION undefined:

ld.lld: error: undefined symbol: pkcs7_validate_trust
referenced by blacklist.c:128 (certs/blacklist.c:128)
             blacklist.o:(is_key_on_revocation_list) in archive certs/built-in.a

Make CONFIG_SYSTEM_DATA_VERIFICATION a dependency for validate_trust.

Reported-by: kernel test robot <lkp@intel.com>
Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
---
 certs/blacklist.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
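The build failure in the commit message, the PKCS7_MESSAGE_PARSER=m configuration raised later in the thread, and the `#if` line in the patch at the bottom of this page can all be reasoned about with a small model of how a Kconfig-gated wrapper resolves. The following Python script is an added example and is not kernel code or part of the posted patch: it parses a constructed `.config` fragment, evaluates a preprocessor condition of the kind certs/blacklist.h uses around validate_trust, and reports whether built-in blacklist.o ends up calling pkcs7_validate_trust, the -ENOKEY stub, or an unresolved symbol. The three `.config` fragments, the `KCONFIG_SYMBOLS` set and the simplification that pkcs7_validate_trust is only available to built-in code when CONFIG_PKCS7_MESSAGE_PARSER=y are assumptions made here. The gate strings are the pre-patch `#ifdef`, the `#if` line as posted in the patch below (which spells the second symbol without its CONFIG_ prefix), and the same line with the prefix.

```python
"""Model of a CONFIG_-gated wrapper such as validate_trust in certs/blacklist.h.

Constructed example for this thread; not kernel code. The kernel build turns
CONFIG_X=y into a defined macro CONFIG_X and CONFIG_X=m into CONFIG_X_MODULE,
so a plain #ifdef CONFIG_X is false in built-in code when X is modular.
"""
import re

# Kconfig symbols referenced in this thread (constructed list; a real checker
# would read the symbol names out of certs/Kconfig and init/Kconfig).
KCONFIG_SYMBOLS = {
    "INTEGRITY_PLATFORM_KEYRING", "SYSTEM_DATA_VERIFICATION",
    "SYSTEM_BLACKLIST_KEYRING", "PKCS7_MESSAGE_PARSER",
}

# Constructed .config fragments: the robot's failing config, the =m case, a full one.
ROBOT_CONFIG = """\
CONFIG_INTEGRITY_PLATFORM_KEYRING=y
CONFIG_SYSTEM_BLACKLIST_KEYRING=y
# CONFIG_SYSTEM_DATA_VERIFICATION is not set
# CONFIG_PKCS7_MESSAGE_PARSER is not set
"""
MODULAR_CONFIG = """\
CONFIG_INTEGRITY_PLATFORM_KEYRING=y
CONFIG_SYSTEM_BLACKLIST_KEYRING=y
CONFIG_PKCS7_MESSAGE_PARSER=m
"""
FULL_CONFIG = """\
CONFIG_INTEGRITY_PLATFORM_KEYRING=y
CONFIG_SYSTEM_BLACKLIST_KEYRING=y
CONFIG_SYSTEM_DATA_VERIFICATION=y
CONFIG_PKCS7_MESSAGE_PARSER=y
"""

# Gate conditions: pre-patch #ifdef, the #if as posted, and the CONFIG_-prefixed form.
OLD_GATE = "defined(CONFIG_INTEGRITY_PLATFORM_KEYRING)"
POSTED_GATE = ("defined(CONFIG_INTEGRITY_PLATFORM_KEYRING) && "
               "defined(SYSTEM_DATA_VERIFICATION)")
PREFIXED_GATE = ("defined(CONFIG_INTEGRITY_PLATFORM_KEYRING) && "
                 "defined(CONFIG_SYSTEM_DATA_VERIFICATION)")


def parse_dot_config(text):
    """Return {CONFIG_X: value} for the set options; 'is not set' lines are skipped."""
    cfg = {}
    for line in text.splitlines():
        m = re.fullmatch(r"(CONFIG_\w+)=(\S+)", line.strip())
        if m:
            cfg[m.group(1)] = m.group(2)
    return cfg


def defined_macros(cfg):
    """Macros the build defines for a config: CONFIG_X for y (or a value), CONFIG_X_MODULE for m."""
    return {sym + "_MODULE" if val == "m" else sym for sym, val in cfg.items()}


def eval_gate(expr, macros):
    """Evaluate a preprocessor condition built from defined(X), !, &&, || and parentheses."""
    py = re.sub(r"defined\s*\(\s*(\w+)\s*\)",
                lambda m: "True" if m.group(1) in macros else "False", expr)
    py = py.replace("&&", " and ").replace("||", " or ").replace("!", " not ")
    tokens = re.findall(r"[A-Za-z_]\w*", py)
    if (not re.fullmatch(r"[\sA-Za-z_0-9()]*", py)
            or any(t not in {"True", "False", "and", "or", "not"} for t in tokens)):
        raise ValueError("unsupported or bare-identifier condition: " + expr)
    return bool(eval(py, {"__builtins__": {}}, {}))


def link_outcome(gate, config_text):
    """What built-in blacklist.o calls through validate_trust under this gate and config.

    Assumption of the model: pkcs7_validate_trust is in the built-in image only
    when CONFIG_PKCS7_MESSAGE_PARSER=y; with =m or unset the reference is unresolved.
    """
    cfg = parse_dot_config(config_text)
    if not eval_gate(gate, defined_macros(cfg)):
        return "stub"  # static inline validate_trust() returning -ENOKEY: check is a no-op
    if cfg.get("CONFIG_PKCS7_MESSAGE_PARSER") == "y":
        return "pkcs7_validate_trust"
    return "undefined symbol: pkcs7_validate_trust"


def unprefixed_kconfig_refs(gate, symbols=KCONFIG_SYMBOLS):
    """Lint: Kconfig symbol names tested with defined() but missing the CONFIG_ prefix."""
    return [n for n in re.findall(r"defined\s*\(\s*(\w+)\s*\)", gate) if n in symbols]


if __name__ == "__main__":
    gates = [("pre-patch #ifdef", OLD_GATE), ("posted #if", POSTED_GATE),
             ("CONFIG_-prefixed #if", PREFIXED_GATE)]
    configs = [("robot", ROBOT_CONFIG), ("modular", MODULAR_CONFIG), ("full", FULL_CONFIG)]
    for gate_name, gate in gates:
        for cfg_name, cfg in configs:
            print(f"{gate_name:22} {cfg_name:8} -> {link_outcome(gate, cfg)}")
        missing = unprefixed_kconfig_refs(gate)
        if missing:
            print(f"{gate_name:22} lint: symbol(s) used without CONFIG_ prefix: {missing}")
```

Running the script prints one line per gate and config. The pre-patch `#ifdef` reproduces the robot's undefined-symbol result and the =m variant, the prefixed `#if` selects the stub on the robot's config and the real function on the full one, and the gate as posted selects the stub even on the full config, which is the silent outcome the lint line points at: a revocation check that compiles but never runs.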

Comments

David Howells Feb. 23, 2021, 11:47 p.m. UTC | #1
Eric Snowberg <eric.snowberg@oracle.com> wrote:

> The kernel test robot reports when building with Kconfig
> CONFIG_INTEGRITY_PLATFORM_KEYRING defined and 
> CONFIG_SYSTEM_DATA_VERIFICATION undefined:
> 
> ld.lld: error: undefined symbol: pkcs7_validate_trust
> referenced by blacklist.c:128 (certs/blacklist.c:128)
>              blacklist.o:(is_key_on_revocation_list) in archive certs/built-in.a
> 
> Make CONFIG_SYSTEM_DATA_VERIFICATION a dependency for validate_trust.
> 
> Reported-by: kernel test robot <lkp@intel.com>
> Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>

I wonder if it's better to provide a separate config option for the revocation
list, say:

	config SYSTEM_REVOCATION_LIST
		bool "Add revocation certs to the blacklist keyring"
		depends on SYSTEM_BLACKLIST_KEYRING
		depends on PKCS7_MESSAGE_PARSER
		help
		  ...

and use that in blacklist.c.

In keys/system_keyring.h, is_key_on_revocation_list() can then be defaulted to
return 0 if that is disabled.

Btw, I've just noticed that add_key_to_revocation_list() and
is_key_on_revocation_list() lack kernel doc comments.

David
Eric Snowberg Feb. 24, 2021, 1:26 a.m. UTC | #2
> On Feb 23, 2021, at 4:47 PM, David Howells <dhowells@redhat.com> wrote:
> 
> Eric Snowberg <eric.snowberg@oracle.com> wrote:
> 
>> The kernel test robot reports when building with Kconfig
>> CONFIG_INTEGRITY_PLATFORM_KEYRING defined and 
>> CONFIG_SYSTEM_DATA_VERIFICATION undefined:
>> 
>> ld.lld: error: undefined symbol: pkcs7_validate_trust
>> referenced by blacklist.c:128 (certs/blacklist.c:128)
>>             blacklist.o:(is_key_on_revocation_list) in archive certs/built-in.a
>> 
>> Make CONFIG_SYSTEM_DATA_VERIFICATION a dependency for validate_trust.
>> 
>> Reported-by: kernel test robot <lkp@intel.com>
>> Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
> 
> I wonder if it's better to provide a separate config option for the revocation
> list, say:
> 
> 	config SYSTEM_REVOCATION_LIST
> 		bool "Add revocation certs to the blacklist keyring"
> 		depends on SYSTEM_BLACKLIST_KEYRING
> 		depends on PKCS7_MESSAGE_PARSER
> 		help
> 		  ...
> 
> and use that in blacklist.c.
> 
> In keys/system_keyring.h, is_key_on_revocation_list() can then be defaulted to
> return 0 if that is disabled.

I tried something like that in the past.  The problem I ran into is someone 
could create a config with PKCS7_MESSAGE_PARSER=m.  Then pkcs7_validate_trust 
would give an undefined reference error. 

SYSTEM_DATA_VERIFICATION was the only thing I could find that guaranteed
everything was available.  I suppose I could do:

	config SYSTEM_REVOCATION_LIST
		bool "Add revocation certs to the blacklist keyring"
		depends on SYSTEM_BLACKLIST_KEYRING
		depends on SYSTEM_DATA_VERIFICATION
		help
		  …

Would you rather I do that instead?

> Btw, I've just noticed that add_key_to_revocation_list() and
> is_key_on_revocation_list() lack kernel doc comments.

I’ll prepare a patch to add the kernel-doc comments.
David Howells Feb. 24, 2021, 10:51 a.m. UTC | #3
How about these changes?

I've added an extra config option to turn on SYSTEM_REVOCATION_LIST support.

I've also added kerneldoc comments and moved the functions so that they're not
in the middle of the blacklist-specific stuff.

I'm not sure uefi_revocation_list_x509() needs conditionalising as the
optimiser should just inline it if SYSTEM_REVOCATION_LIST=n (assuming __init
doesn't disable inlining).

David
---
diff --git a/certs/Kconfig b/certs/Kconfig
index c94e93d8bccf..76e469b56a77 100644
--- a/certs/Kconfig
+++ b/certs/Kconfig
@@ -83,4 +83,13 @@ config SYSTEM_BLACKLIST_HASH_LIST
 	  wrapper to incorporate the list into the kernel.  Each <hash> should
 	  be a string of hex digits.
 
+config SYSTEM_REVOCATION_LIST
+	bool "Provide system-wide ring of revocation certificates"
+	depends on SYSTEM_BLACKLIST_KEYRING
+	depends on PKCS7_MESSAGE_PARSER=y
+	help
+	  If set, this allows revocation certificates to be stored in the
+	  blacklist keyring and implements a hook whereby a PKCS#7 message can
+	  be checked to see if it matches such a certificate.
+
 endmenu
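Review bot: the `depends on PKCS7_MESSAGE_PARSER=y` line is doing real work and deserves a sentence in the help text. A plain `depends on PKCS7_MESSAGE_PARSER` would admit =m, and built-in blacklist.o would then reference pkcs7_validate_trust from a module, which is the undefined-reference case described earlier in the thread. Saying so in the help text saves the next person from relaxing it and reintroducing the link failure.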
diff --git a/certs/blacklist.c b/certs/blacklist.c
index e9f5fc632f0d..2b8644123d5f 100644
--- a/certs/blacklist.c
+++ b/certs/blacklist.c
@@ -101,38 +101,6 @@ int mark_hash_blacklisted(const char *hash)
 	return 0;
 }
 
-int add_key_to_revocation_list(const char *data, size_t size)
-{
-	key_ref_t key;
-
-	key = key_create_or_update(make_key_ref(blacklist_keyring, true),
-				   "asymmetric",
-				   NULL,
-				   data,
-				   size,
-				   ((KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_VIEW),
-				   KEY_ALLOC_NOT_IN_QUOTA | KEY_ALLOC_BUILT_IN);
-
-	if (IS_ERR(key)) {
-		pr_err("Problem with revocation key (%ld)\n", PTR_ERR(key));
-		return PTR_ERR(key);
-	}
-
-	return 0;
-}
-
-int is_key_on_revocation_list(struct pkcs7_message *pkcs7)
-{
-	int ret;
-
-	ret = validate_trust(pkcs7, blacklist_keyring);
-
-	if (ret == 0)
-		return -EKEYREJECTED;
-
-	return -ENOKEY;
-}
-
 /**
  * is_hash_blacklisted - Determine if a hash is blacklisted
  * @hash: The hash to be checked as a binary blob
@@ -177,6 +145,49 @@ int is_binary_blacklisted(const u8 *hash, size_t hash_len)
 }
 EXPORT_SYMBOL_GPL(is_binary_blacklisted);
 
+#ifdef CONFIG_SYSTEM_REVOCATION_LIST
+/**
+ * add_key_to_revocation_list - Add a revocation certificate to the blacklist
+ * @data: The data blob containing the certificate
+ * @size: The size of data blob
+ */
+int add_key_to_revocation_list(const char *data, size_t size)
+{
+	key_ref_t key;
+
+	key = key_create_or_update(make_key_ref(blacklist_keyring, true),
+				   "asymmetric",
+				   NULL,
+				   data,
+				   size,
+				   ((KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_VIEW),
+				   KEY_ALLOC_NOT_IN_QUOTA | KEY_ALLOC_BUILT_IN);
+
+	if (IS_ERR(key)) {
+		pr_err("Problem with revocation key (%ld)\n", PTR_ERR(key));
+		return PTR_ERR(key);
+	}
+
+	return 0;
+}
+
+/**
+ * is_key_on_revocation_list - Determine if the key for a PKCS#7 message is revoked
+ * @pkcs7: The PKCS#7 message to check
+ */
+int is_key_on_revocation_list(struct pkcs7_message *pkcs7)
+{
+	int ret;
+
+	ret = pkcs7_validate_trust(pkcs7, blacklist_keyring);
+
+	if (ret == 0)
+		return -EKEYREJECTED;
+
+	return -ENOKEY;
+}
+#endif
+
 /*
  * Initialise the blacklist
  */
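Review bot: is_key_on_revocation_list() maps `ret == 0` to -EKEYREJECTED and every other value of pkcs7_validate_trust() to -ENOKEY, so a hard error from the parser or keyring code is reported to the caller the same way as "signer not on the revocation list", and the new kerneldoc has no Return: section stating that contract. Suggest adding `Return: -EKEYREJECTED if the signing key is on the revocation list, -ENOKEY otherwise` to the comment and, if callers need to tell the cases apart, passing through errors other than -ENOKEY instead of the unconditional `return -ENOKEY;`.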
diff --git a/certs/blacklist.h b/certs/blacklist.h
index 420bb7c86e07..51b320cf8574 100644
--- a/certs/blacklist.h
+++ b/certs/blacklist.h
@@ -3,13 +3,3 @@
 #include <crypto/pkcs7.h>
 
 extern const char __initconst *const blacklist_hashes[];
-
-#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
-#define validate_trust pkcs7_validate_trust
-#else
-static inline int validate_trust(struct pkcs7_message *pkcs7,
-				 struct key *trust_keyring)
-{
-	return -ENOKEY;
-}
-#endif
diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h
index 61f98739e8b1..875e002a4180 100644
--- a/include/keys/system_keyring.h
+++ b/include/keys/system_keyring.h
@@ -34,11 +34,9 @@ extern int restrict_link_by_builtin_and_secondary_trusted(
 extern struct pkcs7_message *pkcs7;
 #ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING
 extern int mark_hash_blacklisted(const char *hash);
-extern int add_key_to_revocation_list(const char *data, size_t size);
 extern int is_hash_blacklisted(const u8 *hash, size_t hash_len,
 			       const char *type);
 extern int is_binary_blacklisted(const u8 *hash, size_t hash_len);
-extern int is_key_on_revocation_list(struct pkcs7_message *pkcs7);
 #else
 static inline int is_hash_blacklisted(const u8 *hash, size_t hash_len,
 				      const char *type)
@@ -50,6 +48,12 @@ static inline int is_binary_blacklisted(const u8 *hash, size_t hash_len)
 {
 	return 0;
 }
+#endif
+
+#ifdef CONFIG_SYSTEM_REVOCATION_LIST
+extern int add_key_to_revocation_list(const char *data, size_t size);
+extern int is_key_on_revocation_list(struct pkcs7_message *pkcs7);
+#else
 static inline int add_key_to_revocation_list(const char *data, size_t size)
 {
 	return 0;
Mickaël Salaün Feb. 24, 2021, 11:56 a.m. UTC | #4
On 24/02/2021 11:51, David Howells wrote:
> How about these changes?
> 
> I've added an extra config option to turn on SYSTEM_REVOCATION_LIST support.
> 
> I've also added kerneldoc comments and moved the functions so that they're not
> in the middle of the blacklist-specific stuff.
> 
> I'm not sure uefi_revocation_list_x509() needs conditionalising as the
> optimiser should just inline it if SYSTEM_REVOCATION_LIST=n (assuming __init
> doesn't disable inlining).
> 
> David
> ---
> diff --git a/certs/Kconfig b/certs/Kconfig
> index c94e93d8bccf..76e469b56a77 100644
> --- a/certs/Kconfig
> +++ b/certs/Kconfig
> @@ -83,4 +83,13 @@ config SYSTEM_BLACKLIST_HASH_LIST
>  	  wrapper to incorporate the list into the kernel.  Each <hash> should
>  	  be a string of hex digits.
>  
> +config SYSTEM_REVOCATION_LIST
> +	bool "Provide system-wide ring of revocation certificates"
> +	depends on SYSTEM_BLACKLIST_KEYRING
> +	depends on PKCS7_MESSAGE_PARSER=y

The function verify_pkcs7_message_sig() (which is patched) is only
available if CONFIG_SYSTEM_DATA_VERIFICATION is defined. I suggest using
the same dependencies as for my dynamic authenticated blacklist
keyring patchset.


> +	help
> +	  If set, this allows revocation certificates to be stored in the
> +	  blacklist keyring and implements a hook whereby a PKCS#7 message can
> +	  be checked to see if it matches such a certificate.
> +
>  endmenu
> diff --git a/certs/blacklist.c b/certs/blacklist.c
> index e9f5fc632f0d..2b8644123d5f 100644
> --- a/certs/blacklist.c
> +++ b/certs/blacklist.c
> @@ -101,38 +101,6 @@ int mark_hash_blacklisted(const char *hash)
>  	return 0;
>  }
>  
> -int add_key_to_revocation_list(const char *data, size_t size)
> -{
> -	key_ref_t key;
> -
> -	key = key_create_or_update(make_key_ref(blacklist_keyring, true),
> -				   "asymmetric",
> -				   NULL,
> -				   data,
> -				   size,
> -				   ((KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_VIEW),
> -				   KEY_ALLOC_NOT_IN_QUOTA | KEY_ALLOC_BUILT_IN);
> -
> -	if (IS_ERR(key)) {
> -		pr_err("Problem with revocation key (%ld)\n", PTR_ERR(key));
> -		return PTR_ERR(key);
> -	}
> -
> -	return 0;
> -}
> -
> -int is_key_on_revocation_list(struct pkcs7_message *pkcs7)
> -{
> -	int ret;
> -
> -	ret = validate_trust(pkcs7, blacklist_keyring);
> -
> -	if (ret == 0)
> -		return -EKEYREJECTED;
> -
> -	return -ENOKEY;
> -}
> -
>  /**
>   * is_hash_blacklisted - Determine if a hash is blacklisted
>   * @hash: The hash to be checked as a binary blob

Could you please not move those functions? It makes the patch more
readable and avoids merge conflicts (e.g. with the dynamic authenticated
blacklist keyring patchset). Thanks.


> @@ -177,6 +145,49 @@ int is_binary_blacklisted(const u8 *hash, size_t hash_len)
>  }
>  EXPORT_SYMBOL_GPL(is_binary_blacklisted);
>  
> +#ifdef CONFIG_SYSTEM_REVOCATION_LIST
> +/**
> + * add_key_to_revocation_list - Add a revocation certificate to the blacklist
> + * @data: The data blob containing the certificate
> + * @size: The size of data blob
> + */
> +int add_key_to_revocation_list(const char *data, size_t size)
> +{
> +	key_ref_t key;
> +
> +	key = key_create_or_update(make_key_ref(blacklist_keyring, true),
> +				   "asymmetric",
> +				   NULL,
> +				   data,
> +				   size,
> +				   ((KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_VIEW),
> +				   KEY_ALLOC_NOT_IN_QUOTA | KEY_ALLOC_BUILT_IN);
> +
> +	if (IS_ERR(key)) {
> +		pr_err("Problem with revocation key (%ld)\n", PTR_ERR(key));
> +		return PTR_ERR(key);
> +	}
> +
> +	return 0;
> +}
> +
> +/**
> + * is_key_on_revocation_list - Determine if the key for a PKCS#7 message is revoked
> + * @pkcs7: The PKCS#7 message to check
> + */
> +int is_key_on_revocation_list(struct pkcs7_message *pkcs7)
> +{
> +	int ret;
> +
> +	ret = pkcs7_validate_trust(pkcs7, blacklist_keyring);
> +
> +	if (ret == 0)
> +		return -EKEYREJECTED;
> +
> +	return -ENOKEY;
> +}
> +#endif
> +
>  /*
>   * Initialise the blacklist
>   */
> diff --git a/certs/blacklist.h b/certs/blacklist.h
> index 420bb7c86e07..51b320cf8574 100644
> --- a/certs/blacklist.h
> +++ b/certs/blacklist.h
> @@ -3,13 +3,3 @@
>  #include <crypto/pkcs7.h>
>  
>  extern const char __initconst *const blacklist_hashes[];
> -
> -#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
> -#define validate_trust pkcs7_validate_trust
> -#else
> -static inline int validate_trust(struct pkcs7_message *pkcs7,
> -				 struct key *trust_keyring)
> -{
> -	return -ENOKEY;
> -}
> -#endif
> diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h
> index 61f98739e8b1..875e002a4180 100644
> --- a/include/keys/system_keyring.h
> +++ b/include/keys/system_keyring.h
> @@ -34,11 +34,9 @@ extern int restrict_link_by_builtin_and_secondary_trusted(
>  extern struct pkcs7_message *pkcs7;
>  #ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING
>  extern int mark_hash_blacklisted(const char *hash);
> -extern int add_key_to_revocation_list(const char *data, size_t size);
>  extern int is_hash_blacklisted(const u8 *hash, size_t hash_len,
>  			       const char *type);
>  extern int is_binary_blacklisted(const u8 *hash, size_t hash_len);
> -extern int is_key_on_revocation_list(struct pkcs7_message *pkcs7);
>  #else
>  static inline int is_hash_blacklisted(const u8 *hash, size_t hash_len,
>  				      const char *type)
> @@ -50,6 +48,12 @@ static inline int is_binary_blacklisted(const u8 *hash, size_t hash_len)
>  {
>  	return 0;
>  }
> +#endif
> +
> +#ifdef CONFIG_SYSTEM_REVOCATION_LIST
> +extern int add_key_to_revocation_list(const char *data, size_t size);
> +extern int is_key_on_revocation_list(struct pkcs7_message *pkcs7);
> +#else
>  static inline int add_key_to_revocation_list(const char *data, size_t size)
>  {
>  	return 0;
>
David Howells Feb. 24, 2021, 12:40 p.m. UTC | #5
Mickaël Salaün <mic@digikod.net> wrote:

> > +config SYSTEM_REVOCATION_LIST
> > +	bool "Provide system-wide ring of revocation certificates"
> > +	depends on SYSTEM_BLACKLIST_KEYRING
> > +	depends on PKCS7_MESSAGE_PARSER=y
> 
> The function verify_pkcs7_message_sig() (which is patched) is only
> available if CONFIG_SYSTEM_DATA_VERIFICATION is defined.

That shouldn't matter, at least from a building point of view, since
verify_pkcs7_message_sig() uses the new facility rather than being a
dependency of it - and there's a fallback in place in case you don't want
SYSTEM_REVOCATION_LIST.  Note that SYSTEM_DATA_VERIFICATION also doesn't
depend on or select SYSTEM_BLACKLIST_KEYRING - it will use it if it's enabled,
but not otherwise.

> I suggest using the same dependencies as for my dynamic authenticated
> blacklist keyring patchset.

This, you mean?

	config SYSTEM_BLACKLIST_AUTH_UPDATE
		bool "Allow root to add signed blacklist keys"
		depends on SYSTEM_BLACKLIST_KEYRING
		depends on SYSTEM_DATA_VERIFICATION

I.e.:

	config SYSTEM_REVOCATION_LIST
		bool "Provide system-wide ring of revocation certificates"
		depends on SYSTEM_BLACKLIST_KEYRING
		depends on SYSTEM_DATA_VERIFICATION
		depends on PKCS7_MESSAGE_PARSER=y

I suppose you could argue it that way since it's only used for that
purpose.  Note that it does need the PKCS7 dep since it explicitly uses that
code.

> Could you please not move those functions? It makes the patch more
> readable and avoids merge conflicts (e.g. with the dynamic authenticated
> blacklist keyring patchset). Thanks.

I would suggest merging these changes in so that the error is not found by
bisection.  But the functions really are mislocated:-/

David
Eric Snowberg Feb. 25, 2021, 4:03 a.m. UTC | #6
> On Feb 24, 2021, at 3:51 AM, David Howells <dhowells@redhat.com> wrote:
> 
> How about these changes?
> 
> I've added an extra config option to turn on SYSTEM_REVOCATION_LIST support.

I believe this is ok.  However currently, whenever the kernel finds either an 
EFI_CERT_SHA256_GUID or EFI_CERT_X509_SHA256_GUID entry in the dbx, it loads 
it into the blacklist keyring.  Then anytime signature validation takes place, 
these entries are referenced.  If there is a match, the signature check fails.  
Now with the inclusion of EFI_CERT_X509_GUID, I question why we want to enable 
it thru a Kconfig option, when we don’t for the other two types.

> I've also added kerneldoc comments

Thanks

> and moved the functions so that they're not
> in the middle of the blacklist-specific stuff.
> 
> I'm not sure uefi_revocation_list_x509() needs conditionalising as the
> optimiser should just inline it if SYSTEM_REVOCATION_LIST=n (assuming __init
> doesn't disable inlining).
> 
> David
> ---
> diff --git a/certs/Kconfig b/certs/Kconfig
> index c94e93d8bccf..76e469b56a77 100644
> --- a/certs/Kconfig
> +++ b/certs/Kconfig
> @@ -83,4 +83,13 @@ config SYSTEM_BLACKLIST_HASH_LIST
> 	  wrapper to incorporate the list into the kernel.  Each <hash> should
> 	  be a string of hex digits.
> 
> +config SYSTEM_REVOCATION_LIST
> +	bool "Provide system-wide ring of revocation certificates”
> +	depends on SYSTEM_BLACKLIST_KEYRING
> +	depends on PKCS7_MESSAGE_PARSER=y
> +	help
> +	  If set, this allows revocation certificates to be stored in the
> +	  blacklist keyring and implements a hook whereby a PKCS#7 message can
> +	  be checked to see if it matches such a certificate.
> +
> endmenu
> diff --git a/certs/blacklist.c b/certs/blacklist.c
> index e9f5fc632f0d..2b8644123d5f 100644
> --- a/certs/blacklist.c
> +++ b/certs/blacklist.c
> @@ -101,38 +101,6 @@ int mark_hash_blacklisted(const char *hash)
> 	return 0;
> }
> 
> -int add_key_to_revocation_list(const char *data, size_t size)
> -{
> -	key_ref_t key;
> -
> -	key = key_create_or_update(make_key_ref(blacklist_keyring, true),
> -				   "asymmetric",
> -				   NULL,
> -				   data,
> -				   size,
> -				   ((KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_VIEW),
> -				   KEY_ALLOC_NOT_IN_QUOTA | KEY_ALLOC_BUILT_IN);
> -
> -	if (IS_ERR(key)) {
> -		pr_err("Problem with revocation key (%ld)\n", PTR_ERR(key));
> -		return PTR_ERR(key);
> -	}
> -
> -	return 0;
> -}
> -
> -int is_key_on_revocation_list(struct pkcs7_message *pkcs7)
> -{
> -	int ret;
> -
> -	ret = validate_trust(pkcs7, blacklist_keyring);
> -
> -	if (ret == 0)
> -		return -EKEYREJECTED;
> -
> -	return -ENOKEY;
> -}
> -
> /**
>  * is_hash_blacklisted - Determine if a hash is blacklisted
>  * @hash: The hash to be checked as a binary blob
> @@ -177,6 +145,49 @@ int is_binary_blacklisted(const u8 *hash, size_t hash_len)
> }
> EXPORT_SYMBOL_GPL(is_binary_blacklisted);
> 
> +#ifdef CONFIG_SYSTEM_REVOCATION_LIST
> +/**
> + * add_key_to_revocation_list - Add a revocation certificate to the blacklist
> + * @data: The data blob containing the certificate
> + * @size: The size of data blob
> + */
> +int add_key_to_revocation_list(const char *data, size_t size)
> +{
> +	key_ref_t key;
> +
> +	key = key_create_or_update(make_key_ref(blacklist_keyring, true),
> +				   "asymmetric",
> +				   NULL,
> +				   data,
> +				   size,
> +				   ((KEY_POS_ALL & ~KEY_POS_SETATTR) | KEY_USR_VIEW),
> +				   KEY_ALLOC_NOT_IN_QUOTA | KEY_ALLOC_BUILT_IN);
> +
> +	if (IS_ERR(key)) {
> +		pr_err("Problem with revocation key (%ld)\n", PTR_ERR(key));
> +		return PTR_ERR(key);
> +	}
> +
> +	return 0;
> +}
> +
> +/**
> + * is_key_on_revocation_list - Determine if the key for a PKCS#7 message is revoked
> + * @pkcs7: The PKCS#7 message to check
> + */
> +int is_key_on_revocation_list(struct pkcs7_message *pkcs7)
> +{
> +	int ret;
> +
> +	ret = pkcs7_validate_trust(pkcs7, blacklist_keyring);
> +
> +	if (ret == 0)
> +		return -EKEYREJECTED;
> +
> +	return -ENOKEY;
> +}
> +#endif
> +
> /*
>  * Initialise the blacklist
>  */
> diff --git a/certs/blacklist.h b/certs/blacklist.h
> index 420bb7c86e07..51b320cf8574 100644
> --- a/certs/blacklist.h
> +++ b/certs/blacklist.h
> @@ -3,13 +3,3 @@
> #include <crypto/pkcs7.h>
> 
> extern const char __initconst *const blacklist_hashes[];
> -
> -#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
> -#define validate_trust pkcs7_validate_trust
> -#else
> -static inline int validate_trust(struct pkcs7_message *pkcs7,
> -				 struct key *trust_keyring)
> -{
> -	return -ENOKEY;
> -}
> -#endif
> diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h
> index 61f98739e8b1..875e002a4180 100644
> --- a/include/keys/system_keyring.h
> +++ b/include/keys/system_keyring.h
> @@ -34,11 +34,9 @@ extern int restrict_link_by_builtin_and_secondary_trusted(
> extern struct pkcs7_message *pkcs7;
> #ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING
> extern int mark_hash_blacklisted(const char *hash);
> -extern int add_key_to_revocation_list(const char *data, size_t size);
> extern int is_hash_blacklisted(const u8 *hash, size_t hash_len,
> 			       const char *type);
> extern int is_binary_blacklisted(const u8 *hash, size_t hash_len);
> -extern int is_key_on_revocation_list(struct pkcs7_message *pkcs7);
> #else
> static inline int is_hash_blacklisted(const u8 *hash, size_t hash_len,
> 				      const char *type)
> @@ -50,6 +48,12 @@ static inline int is_binary_blacklisted(const u8 *hash, size_t hash_len)
> {
> 	return 0;
> }
> +#endif
> +
> +#ifdef CONFIG_SYSTEM_REVOCATION_LIST
> +extern int add_key_to_revocation_list(const char *data, size_t size);
> +extern int is_key_on_revocation_list(struct pkcs7_message *pkcs7);
> +#else
> static inline int add_key_to_revocation_list(const char *data, size_t size)
> {
> 	return 0;
>
David Howells Feb. 25, 2021, 2:43 p.m. UTC | #7
Eric Snowberg <eric.snowberg@oracle.com> wrote:

> > I've added an extra config option to turn on SYSTEM_REVOCATION_LIST support.
> 
> I believe this is ok.  However currently, whenever the kernel finds either an
> EFI_CERT_SHA256_GUID or EFI_CERT_X509_SHA256_GUID entry in the dbx, it loads
> it into the blacklist keyring.  Then anytime signature validation takes
> place, these entries are referenced.  If there is a match, the signature
> check fails.  Now with the inclusion of EFI_CERT_X509_GUID, I question why
> we want to enable it thru a Kconfig option, when we don’t for the other two
> types.

But we do.

mark_hash_blacklisted(), is_hash_blacklisted() and is_binary_blacklisted() do
nothing if CONFIG_SYSTEM_BLACKLIST_KEYRING=n.

David

Patch

diff --git a/certs/blacklist.h b/certs/blacklist.h
index 420bb7c86e07..a86f0b52a033 100644
--- a/certs/blacklist.h
+++ b/certs/blacklist.h
@@ -4,7 +4,7 @@ 
 
 extern const char __initconst *const blacklist_hashes[];
 
-#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
+#if defined(CONFIG_INTEGRITY_PLATFORM_KEYRING) && defined(SYSTEM_DATA_VERIFICATION)
 #define validate_trust pkcs7_validate_trust
 #else
 static inline int validate_trust(struct pkcs7_message *pkcs7,
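Review bot: the new `#if` line tests `defined(SYSTEM_DATA_VERIFICATION)`, but Kconfig options reach C as CONFIG_-prefixed macros; the commit message itself names CONFIG_SYSTEM_DATA_VERIFICATION, and the same line spells the other symbol as CONFIG_INTEGRITY_PLATFORM_KEYRING. As written the condition is never true, so validate_trust always resolves to the static inline stub returning -ENOKEY and the revocation-list check compiles to a no-op in every configuration, including the ones where it is meant to run. The line should read `#if defined(CONFIG_INTEGRITY_PLATFORM_KEYRING) && defined(CONFIG_SYSTEM_DATA_VERIFICATION)`, and a build with both options enabled should be checked to confirm pkcs7_validate_trust is actually reached.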