From: Jarkko Sakkinen <jarkko@kernel.org>
To: "Mickaël Salaün" <mic@digikod.net>
Cc: "David Howells" <dhowells@redhat.com>,
"David Woodhouse" <dwmw2@infradead.org>,
"David S . Miller" <davem@davemloft.net>,
"Herbert Xu" <herbert@gondor.apana.org.au>,
"James Morris" <jmorris@namei.org>,
"Mickaël Salaün" <mic@linux.microsoft.com>,
"Mimi Zohar" <zohar@linux.ibm.com>,
"Serge E . Hallyn" <serge@hallyn.com>,
keyrings@vger.kernel.org, linux-crypto@vger.kernel.org,
linux-integrity@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org
Subject: Re: [PATCH v1 0/9] Enable root to update the blacklist keyring
Date: Mon, 30 Nov 2020 04:40:11 +0200 [thread overview]
Message-ID: <20201130024011.GA24870@kernel.org> (raw)
In-Reply-To: <20201120180426.922572-1-mic@digikod.net>
On Fri, Nov 20, 2020 at 07:04:17PM +0100, Mickaël Salaün wrote:
> Hi,
>
> This patch series mainly add a new configuration option to enable the
> root user to load signed keys in the blacklist keyring. This keyring is
> useful to "untrust" certificates or files. Enabling to safely update
> this keyring without recompiling the kernel makes it more usable.
I apologize for latency. This cycle has been difficult because of
final cuts with the huge SGX patch set.
I did skim through this and did not see anything striking (but it
was a quick look).
What would be easiest way to smoke test the changes?
> Regards,
>
> Mickaël Salaün (9):
> certs: Fix blacklisted hexadecimal hash string check
> certs: Make blacklist_vet_description() more strict
> certs: Factor out the blacklist hash creation
> certs: Check that builtin blacklist hashes are valid
> PKCS#7: Fix missing include
> certs: Fix blacklist flag type confusion
> certs: Allow root user to append signed hashes to the blacklist
> keyring
> certs: Replace K{U,G}IDT_INIT() with GLOBAL_ROOT_{U,G}ID
> tools/certs: Add print-cert-tbs-hash.sh
>
> MAINTAINERS | 2 +
> certs/.gitignore | 1 +
> certs/Kconfig | 10 +
> certs/Makefile | 15 +-
> certs/blacklist.c | 210 +++++++++++++-----
> certs/system_keyring.c | 5 +-
> crypto/asymmetric_keys/x509_public_key.c | 3 +-
> include/keys/system_keyring.h | 14 +-
> include/linux/verification.h | 2 +
> scripts/check-blacklist-hashes.awk | 37 +++
> .../platform_certs/keyring_handler.c | 26 +--
> tools/certs/print-cert-tbs-hash.sh | 91 ++++++++
> 12 files changed, 335 insertions(+), 81 deletions(-)
> create mode 100755 scripts/check-blacklist-hashes.awk
> create mode 100755 tools/certs/print-cert-tbs-hash.sh
>
>
> base-commit: 09162bc32c880a791c6c0668ce0745cf7958f576
> --
> 2.29.2
>
>
/Jarkko
next prev parent reply other threads:[~2020-11-30 2:41 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-11-20 18:04 [PATCH v1 0/9] Enable root to update the blacklist keyring Mickaël Salaün
2020-11-20 18:04 ` [PATCH v1 1/9] certs: Fix blacklisted hexadecimal hash string check Mickaël Salaün
2020-11-20 18:04 ` [PATCH v1 2/9] certs: Make blacklist_vet_description() more strict Mickaël Salaün
2020-11-20 18:04 ` [PATCH v1 3/9] certs: Factor out the blacklist hash creation Mickaël Salaün
2020-11-20 18:04 ` [PATCH v1 4/9] certs: Check that builtin blacklist hashes are valid Mickaël Salaün
2020-11-20 18:04 ` [PATCH v1 5/9] PKCS#7: Fix missing include Mickaël Salaün
2020-11-20 18:04 ` [PATCH v1 6/9] certs: Fix blacklist flag type confusion Mickaël Salaün
2020-11-20 18:04 ` [PATCH v1 7/9] certs: Allow root user to append signed hashes to the blacklist keyring Mickaël Salaün
2020-11-20 18:04 ` [PATCH v1 8/9] certs: Replace K{U,G}IDT_INIT() with GLOBAL_ROOT_{U,G}ID Mickaël Salaün
2020-11-20 18:04 ` [PATCH v1 9/9] tools/certs: Add print-cert-tbs-hash.sh Mickaël Salaün
2020-11-30 2:40 ` Jarkko Sakkinen [this message]
2020-11-30 8:23 ` [PATCH v1 0/9] Enable root to update the blacklist keyring Mickaël Salaün
2020-12-02 16:44 ` Jarkko Sakkinen
2020-12-04 14:01 ` David Howells
2020-12-04 15:38 ` Jarkko Sakkinen
2020-12-04 14:05 ` [PATCH v1 1/9] certs: Fix blacklisted hexadecimal hash string check David Howells
2020-12-04 14:48 ` Mickaël Salaün
2020-12-04 14:06 ` [PATCH v1 5/9] PKCS#7: Fix missing include David Howells
2020-12-04 14:58 ` Mickaël Salaün
2020-12-04 14:09 ` [PATCH v1 2/9] certs: Make blacklist_vet_description() more strict David Howells
2020-12-04 14:59 ` Mickaël Salaün
2020-12-11 18:35 ` Mickaël Salaün
2020-12-04 14:11 ` [PATCH v1 8/9] certs: Replace K{U,G}IDT_INIT() with GLOBAL_ROOT_{U,G}ID David Howells
2020-12-09 11:58 ` [PATCH v1 4/9] certs: Check that builtin blacklist hashes are valid David Howells
2020-12-11 18:32 ` Mickaël Salaün
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20201130024011.GA24870@kernel.org \
--to=jarkko@kernel.org \
--cc=davem@davemloft.net \
--cc=dhowells@redhat.com \
--cc=dwmw2@infradead.org \
--cc=herbert@gondor.apana.org.au \
--cc=jmorris@namei.org \
--cc=keyrings@vger.kernel.org \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mic@digikod.net \
--cc=mic@linux.microsoft.com \
--cc=serge@hallyn.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).