Re: Conflict with Mickaël Salaün's blacklist patches [was [PATCH v5 0/4] Add EFI_CERT_X509_GUID support for dbx/mokx entries]

From: Eric Snowberg <eric.snowberg@oracle.com>
To: "Mickaël Salaün" <mic@digikod.net>,
	"David Howells" <dhowells@redhat.com>
Cc: dwmw2@infradead.org, Jarkko Sakkinen <jarkko@kernel.org>,
	James.Bottomley@HansenPartnership.com, masahiroy@kernel.org,
	michal.lkml@markovi.net, jmorris@namei.org, serge@hallyn.com,
	ardb@kernel.org, Mimi Zohar <zohar@linux.ibm.com>,
	lszubowi@redhat.com, javierm@redhat.com,
	keyrings@vger.kernel.org, linux-kernel@vger.kernel.org,
	linux-kbuild@vger.kernel.org,
	linux-security-module@vger.kernel.org,
	Tyler Hicks <tyhicks@linux.microsoft.com>
Subject: Re: Conflict with Mickaël Salaün's blacklist patches [was [PATCH v5 0/4] Add EFI_CERT_X509_GUID support for dbx/mokx entries]
Date: Wed, 3 Feb 2021 20:53:49 -0700	[thread overview]
Message-ID: <A5B5DEC0-E47A-4C3D-8E79-AF37B6C2E565@oracle.com> (raw)
In-Reply-To: <10e6616e-0598-9f33-2de9-4a5268bba586@digikod.net>

> On Feb 3, 2021, at 11:49 AM, Mickaël Salaün <mic@digikod.net> wrote:
> 
> This looks good to me, and it still works for my use case. Eric's
> patchset only looks for asymmetric keys in the blacklist keyring, so
> even if we use the same keyring we don't look for the same key types. My
> patchset only allows blacklist keys (i.e. hashes, not asymmetric keys)
> to be added by user space (if authenticated), but because Eric's
> asymmetric keys are loaded with KEY_ALLOC_BYPASS_RESTRICTION, it should
> be OK for his use case.  There should be no interference between the two
> new features, but I find it a bit confusing to have such distinct use of
> keys from the same keyring depending on their type.

I agree, it is a bit confusing.  What is the thought of having a dbx 
keyring, similar to how the platform keyring works?

https://www.spinics.net/lists/linux-security-module/msg40262.html

> On 03/02/2021 17:26, David Howells wrote:
>> 
>> Eric Snowberg <eric.snowberg@oracle.com> wrote:
>> 
>>> This is the fifth patch series for adding support for 
>>> EFI_CERT_X509_GUID entries [1].  It has been expanded to not only include
>>> dbx entries but also entries in the mokx.  Additionally my series to
>>> preload these certificate [2] has also been included.
>> 
>> Okay, I've tentatively applied this to my keys-next branch.  However, it
>> conflicts minorly with Mickaël Salaün's patches that I've previously merged on
>> the same branch.  Can you have a look at the merge commit
>> 
>> 	https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit/?h=keys-next&id=fdbbe7ceeb95090d09c33ce0497e0394c82aa33d
>> 
>> 	(the top patch of my keys-next branch)
>> 
>> to see if that is okay by both of you?  If so, can you give it a whirl?

I’m seeing a build error within blacklist_hashes_checked with
one of my configs.

The config is as follows:

$ grep CONFIG_SYSTEM_BLACKLIST_HASH_LIST .config
CONFIG_SYSTEM_BLACKLIST_HASH_LIST=“revocation_list"

$ cat certs/revocation_list
"tbs:1e125ea4f38acb7b29b0c495fd8e7602c2c3353b913811a9da3a2fb505c08a32”

make[1]: *** No rule to make target 'revocation_list', needed by 'certs/blacklist_hashes_checked'.  Stop.