From patchwork Wed Nov 9 02:50:16 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Thomas_Wei=C3=9Fschuh?= X-Patchwork-Id: 13037109 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 5A496C38A02 for ; Wed, 9 Nov 2022 02:50:38 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229530AbiKICuh (ORCPT ); Tue, 8 Nov 2022 21:50:37 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:41812 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229867AbiKICuf (ORCPT ); Tue, 8 Nov 2022 21:50:35 -0500 Received: from todd.t-8ch.de (todd.t-8ch.de [159.69.126.157]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 1B62F1F9DD; Tue, 8 Nov 2022 18:50:34 -0800 (PST) From: =?utf-8?q?Thomas_Wei=C3=9Fschuh?= DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=weissschuh.net; s=mail; t=1667962230; bh=sRBb1yoX5FkhrIkmhhnkMlMgMwZoHsWyWpPUUDhCe1A=; h=From:To:Cc:Subject:Date:From; b=ak7T7+oRpA3erDu1wQ3UgJ9+njLjl0ooywpMrO9E2TQReGV77M6io1GeUyqJ5PjKz KsFSLoEJBCcoKbzoaBQj2DZUdon7iKxJ3a1ecUWBtEl0Q8VwU1zB2MUSQh3oib1U4I Be939Vqs0G3jizW1V4dcRC4kcVxgKCxzow/spxBs= To: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= , David Howells , David Woodhouse , Jarkko Sakkinen , Eric Snowberg Cc: =?utf-8?q?Thomas_Wei=C3=9Fschuh?= , keyrings@vger.kernel.org, linux-kernel@vger.kernel.org, Mark Pearson , linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org Subject: [PATCH v2 0/3] certs: Prevent spurious errors on repeated blacklisting Date: Wed, 9 Nov 2022 03:50:16 +0100 Message-Id: <20221109025019.1855-1-linux@weissschuh.net> X-Mailer: git-send-email 2.38.1 MIME-Version: 1.0 X-Developer-Signature: v=1; a=ed25519-sha256; t=1667962214; l=1370; s=20211113; h=from:subject; bh=sRBb1yoX5FkhrIkmhhnkMlMgMwZoHsWyWpPUUDhCe1A=; b=/FQehqL8oo8cDEvahT+bddamTe3EHhG1k4Xm2iu/e0fdzh+kZ3cQJr+iQWeiWRrEF0sxCWqO/6Z7 0noAI3i7CYaMUGKPSch6B469ssLVsPrwFF2X98m1zrCHluYkpWDD X-Developer-Key: i=linux@weissschuh.net; a=ed25519; pk=9LP6KM4vD/8CwHW7nouRBhWLyQLcK1MkP6aTZbzUlj4= Precedence: bulk List-ID: X-Mailing-List: keyrings@vger.kernel.org When the blacklist keyring was changed to allow updates from the root user it gained an ->update() function that disallows all updates. When the a hash is blacklisted multiple times from the builtin or firmware-provided blacklist this spams prominent logs during boot: [ 0.890814] blacklist: Problem blacklisting hash (-13) This affects the firmware of various vendors. Reported have been at least: * Samsung: https://askubuntu.com/questions/1436856/ * Acer: https://ubuntuforums.org/showthread.php?t=2478840 * MSI: https://forum.archlabslinux.com/t/blacklist-problem-blacklisting-hash-13-errors-on-boot/6674/7 * Micro-Star: https://bbs.archlinux.org/viewtopic.php?id=278860 This series is an extension of the following single patch: https://lore.kernel.org/all/20221104014704.3469-1-linux@weissschuh.net/ Only the first patch has been marked for stable as otherwise the whole of key_create() would need to be applied to stable. Thomas Weißschuh (3): certs: log more information on blacklist error KEYS: Add key_create() certs: don't try to update blacklist keys certs/blacklist.c | 23 ++++--- include/linux/key.h | 8 +++ security/keys/key.c | 149 +++++++++++++++++++++++++++++++++----------- 3 files changed, 133 insertions(+), 47 deletions(-) base-commit: f141df371335645ce29a87d9683a3f79fba7fd67