From patchwork Mon Jul 12 17:03:08 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= X-Patchwork-Id: 12371725 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-11.8 required=3.0 tests=BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_PATCH,MAILING_LIST_MULTI,SPF_HELO_NONE, SPF_PASS,URIBL_BLOCKED,USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id C07E7C07E9C for ; Mon, 12 Jul 2021 17:03:40 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id A1C756127C for ; Mon, 12 Jul 2021 17:03:40 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234870AbhGLRG2 (ORCPT ); Mon, 12 Jul 2021 13:06:28 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:35852 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234898AbhGLRG1 (ORCPT ); Mon, 12 Jul 2021 13:06:27 -0400 Received: from smtp-bc0a.mail.infomaniak.ch (smtp-bc0a.mail.infomaniak.ch [IPv6:2001:1600:4:17::bc0a]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 55CFCC0613DD for ; Mon, 12 Jul 2021 10:03:39 -0700 (PDT) Received: from smtp-2-0000.mail.infomaniak.ch (unknown [10.5.36.107]) by smtp-3-3000.mail.infomaniak.ch (Postfix) with ESMTPS id 4GNqpw1W3mzMpxcH; Mon, 12 Jul 2021 19:03:36 +0200 (CEST) Received: from localhost (unknown [23.97.221.149]) by smtp-2-0000.mail.infomaniak.ch (Postfix) with ESMTPA id 4GNqpt2yXqzlh8TM; Mon, 12 Jul 2021 19:03:34 +0200 (CEST) From: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= To: David Howells , David Woodhouse , Jarkko Sakkinen Cc: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= , "David S . Miller" , Eric Snowberg , Herbert Xu , James Morris , =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= , Mimi Zohar , "Serge E . Hallyn" , Tyler Hicks , keyrings@vger.kernel.org, linux-crypto@vger.kernel.org, linux-integrity@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org Subject: [PATCH v8 0/5] Enable root to update the blacklist keyring Date: Mon, 12 Jul 2021 19:03:08 +0200 Message-Id: <20210712170313.884724-1-mic@digikod.net> X-Mailer: git-send-email 2.32.0 MIME-Version: 1.0 Precedence: bulk List-ID: Hi, This new patch series is a rebase on v5.14-rc1 . David or Jarkko, if it's still OK with you, could you please push this to linux-next? I successfully tested this patch series with the 211 entries from https://uefi.org/sites/default/files/resources/dbxupdate_x64.bin The goal of these patches is to add a new configuration option to enable the root user to load signed keys in the blacklist keyring. This keyring is useful to "untrust" certificates or files. Enabling to safely update this keyring without recompiling the kernel makes it more usable. Previous patch series: https://lore.kernel.org/lkml/20210312171232.2681989-1-mic@digikod.net/ Regards, Mickaël Salaün (5): tools/certs: Add print-cert-tbs-hash.sh certs: Check that builtin blacklist hashes are valid certs: Make blacklist_vet_description() more strict certs: Factor out the blacklist hash creation certs: Allow root user to append signed hashes to the blacklist keyring MAINTAINERS | 2 + certs/.gitignore | 1 + certs/Kconfig | 17 +- certs/Makefile | 17 +- certs/blacklist.c | 218 ++++++++++++++---- crypto/asymmetric_keys/x509_public_key.c | 3 +- include/keys/system_keyring.h | 14 +- scripts/check-blacklist-hashes.awk | 37 +++ .../platform_certs/keyring_handler.c | 26 +-- tools/certs/print-cert-tbs-hash.sh | 91 ++++++++ 10 files changed, 346 insertions(+), 80 deletions(-) create mode 100755 scripts/check-blacklist-hashes.awk create mode 100755 tools/certs/print-cert-tbs-hash.sh base-commit: e73f0f0ee7541171d89f2e2491130c7771ba58d3 Acked-by: Jarkko Sakkinen