* [PATCH v1 0/1] Explain panic() calls for keyring initialization
@ 2022-03-21 17:45 Mickaël Salaün
2022-03-21 17:45 ` [PATCH v1 1/1] certs: Explain the rational to call panic() Mickaël Salaün
2022-03-21 18:29 ` [PATCH v1 0/1] Explain panic() calls for keyring initialization David Woodhouse
0 siblings, 2 replies; 8+ messages in thread
From: Mickaël Salaün @ 2022-03-21 17:45 UTC (permalink / raw)
To: Jarkko Sakkinen
Cc: Mickaël Salaün, David Howells, David S . Miller,
David Woodhouse, Eric Snowberg, Paul Moore, keyrings,
linux-crypto, linux-kernel
As suggested by Jarkko and explained by Paul, let's document the panic()
calls from the blacklist keyring initialization. This series applies on
top of commit 50c486fe3108 ("certs: Allow root user to append signed hashes to the
blacklist keyring"). This can smoothly be rebased on top of Jarkko's
next branch.
[1] https://git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-tpmdd.git/commit/?id=50c486fe310890c134b5cb36cf9a4135475a6074
Regards,
Mickaël Salaün (1):
certs: Explain the rational to call panic()
certs/blacklist.c | 8 ++++++++
1 file changed, 8 insertions(+)
base-commit: 50c486fe310890c134b5cb36cf9a4135475a6074
--
2.35.1
^ permalink raw reply [flat|nested] 8+ messages in thread
* [PATCH v1 1/1] certs: Explain the rational to call panic()
2022-03-21 17:45 [PATCH v1 0/1] Explain panic() calls for keyring initialization Mickaël Salaün
@ 2022-03-21 17:45 ` Mickaël Salaün
2022-03-21 18:23 ` Paul Moore
2022-03-21 18:29 ` [PATCH v1 0/1] Explain panic() calls for keyring initialization David Woodhouse
1 sibling, 1 reply; 8+ messages in thread
From: Mickaël Salaün @ 2022-03-21 17:45 UTC (permalink / raw)
To: Jarkko Sakkinen
Cc: Mickaël Salaün, David Howells, David S . Miller,
David Woodhouse, Eric Snowberg, Paul Moore, keyrings,
linux-crypto, linux-kernel, Mickaël Salaün
From: Mickaël Salaün <mic@linux.microsoft.com>
The blacklist_init() function calls panic() for memory allocation
errors. This change documents the reason why we don't return -ENODEV.
Suggested-by: Paul Moore <paul@paul-moore.com> [1]
Requested-by: Jarkko Sakkinen <jarkko@kernel.org> [1]
Link: https://lore.kernel.org/r/YjeW2r6Wv55Du0bJ@iki.fi [1]
Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
Link: https://lore.kernel.org/r/20220321174548.510516-2-mic@digikod.net
---
certs/blacklist.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/certs/blacklist.c b/certs/blacklist.c
index 486ce0dd8e9c..ac26bcf9b9a5 100644
--- a/certs/blacklist.c
+++ b/certs/blacklist.c
@@ -307,6 +307,14 @@ static int restrict_link_for_blacklist(struct key *dest_keyring,
/*
* Initialise the blacklist
+ *
+ * The blacklist_init() function is registered as an initcall via
+ * device_initcall(). As a result the functionality doesn't load and the
+ * kernel continues on executing. While cleanly returning -ENODEV could be
+ * acceptable for some non-critical kernel parts, if the blacklist keyring
+ * fails to load it defeats the certificate/key based deny list for signed
+ * modules. If a critical piece of security functionality that users expect to
+ * be present fails to initialize, panic()ing is likely the right thing to do.
*/
static int __init blacklist_init(void)
{
--
2.35.1
^ permalink raw reply related [flat|nested] 8+ messages in thread
* Re: [PATCH v1 1/1] certs: Explain the rational to call panic()
2022-03-21 17:45 ` [PATCH v1 1/1] certs: Explain the rational to call panic() Mickaël Salaün
@ 2022-03-21 18:23 ` Paul Moore
2022-03-21 23:53 ` Jarkko Sakkinen
2022-03-22 10:53 ` Mickaël Salaün
0 siblings, 2 replies; 8+ messages in thread
From: Paul Moore @ 2022-03-21 18:23 UTC (permalink / raw)
To: Mickaël Salaün
Cc: Jarkko Sakkinen, David Howells, David S . Miller,
David Woodhouse, Eric Snowberg, keyrings, linux-crypto,
linux-kernel, Mickaël Salaün
On Mon, Mar 21, 2022 at 1:45 PM Mickaël Salaün <mic@digikod.net> wrote:
>
> From: Mickaël Salaün <mic@linux.microsoft.com>
>
> The blacklist_init() function calls panic() for memory allocation
> errors. This change documents the reason why we don't return -ENODEV.
>
> Suggested-by: Paul Moore <paul@paul-moore.com> [1]
> Requested-by: Jarkko Sakkinen <jarkko@kernel.org> [1]
> Link: https://lore.kernel.org/r/YjeW2r6Wv55Du0bJ@iki.fi [1]
> Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
> Link: https://lore.kernel.org/r/20220321174548.510516-2-mic@digikod.net
> ---
> certs/blacklist.c | 8 ++++++++
> 1 file changed, 8 insertions(+)
I would suggest changing the second sentence as shown below, but
otherwise it looks good to me.
Reviewed-by: Paul Moore <paul@paul-moore.com>
> diff --git a/certs/blacklist.c b/certs/blacklist.c
> index 486ce0dd8e9c..ac26bcf9b9a5 100644
> --- a/certs/blacklist.c
> +++ b/certs/blacklist.c
> @@ -307,6 +307,14 @@ static int restrict_link_for_blacklist(struct key *dest_keyring,
>
> /*
> * Initialise the blacklist
> + *
> + * The blacklist_init() function is registered as an initcall via
> + * device_initcall(). As a result the functionality doesn't load and the
"As a result if the blacklist_init() function fails for any reason the
kernel continues to execute."
> + * kernel continues on executing. While cleanly returning -ENODEV could be
> + * acceptable for some non-critical kernel parts, if the blacklist keyring
> + * fails to load it defeats the certificate/key based deny list for signed
> + * modules. If a critical piece of security functionality that users expect to
> + * be present fails to initialize, panic()ing is likely the right thing to do.
> */
> static int __init blacklist_init(void)
> {
--
paul-moore.com
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH v1 0/1] Explain panic() calls for keyring initialization
2022-03-21 17:45 [PATCH v1 0/1] Explain panic() calls for keyring initialization Mickaël Salaün
2022-03-21 17:45 ` [PATCH v1 1/1] certs: Explain the rational to call panic() Mickaël Salaün
@ 2022-03-21 18:29 ` David Woodhouse
2022-03-22 10:55 ` Mickaël Salaün
1 sibling, 1 reply; 8+ messages in thread
From: David Woodhouse @ 2022-03-21 18:29 UTC (permalink / raw)
To: Mickaël Salaün, Jarkko Sakkinen
Cc: David Howells, David S . Miller, Eric Snowberg, Paul Moore,
keyrings, linux-crypto, linux-kernel
[-- Attachment #1: Type: text/plain, Size: 385 bytes --]
On Mon, 2022-03-21 at 18:45 +0100, Mickaël Salaün wrote:
>
> Mickaël Salaün (1):
> certs: Explain the rational to call panic()
Nit: "rationale". Even in Simplified English, I believe "rational" is a
completely different word.
> certs/blacklist.c | 8 ++++++++
> 1 file changed, 8 insertions(+)
Also, isn't it about time we changed this to call it a denylist?
[-- Attachment #2: smime.p7s --]
[-- Type: application/pkcs7-signature, Size: 5965 bytes --]
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH v1 1/1] certs: Explain the rational to call panic()
2022-03-21 18:23 ` Paul Moore
@ 2022-03-21 23:53 ` Jarkko Sakkinen
2022-03-22 10:54 ` Mickaël Salaün
2022-03-22 10:53 ` Mickaël Salaün
1 sibling, 1 reply; 8+ messages in thread
From: Jarkko Sakkinen @ 2022-03-21 23:53 UTC (permalink / raw)
To: Paul Moore
Cc: Mickaël Salaün, David Howells, David S . Miller,
David Woodhouse, Eric Snowberg, keyrings, linux-crypto,
linux-kernel, Mickaël Salaün
On Mon, Mar 21, 2022 at 02:23:54PM -0400, Paul Moore wrote:
> On Mon, Mar 21, 2022 at 1:45 PM Mickaël Salaün <mic@digikod.net> wrote:
> >
> > From: Mickaël Salaün <mic@linux.microsoft.com>
> >
> > The blacklist_init() function calls panic() for memory allocation
> > errors. This change documents the reason why we don't return -ENODEV.
> >
> > Suggested-by: Paul Moore <paul@paul-moore.com> [1]
> > Requested-by: Jarkko Sakkinen <jarkko@kernel.org> [1]
> > Link: https://lore.kernel.org/r/YjeW2r6Wv55Du0bJ@iki.fi [1]
> > Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
> > Link: https://lore.kernel.org/r/20220321174548.510516-2-mic@digikod.net
> > ---
> > certs/blacklist.c | 8 ++++++++
> > 1 file changed, 8 insertions(+)
>
> I would suggest changing the second sentence as shown below, but
> otherwise it looks good to me.
>
> Reviewed-by: Paul Moore <paul@paul-moore.com>
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
Mickaël, I think since your patch set was not huge in the first place, I'm
considering making it part of rc2 pull request while I normally try to
avoid any features after rc1. It's anyway throughly tested, and generally
has been around for a *long time*. I've even tested it myself a few times.
Just trying to be responsible as a maintainer and if something does not
feel right, I don't try to pretend that "I get it", if you know what
I mean. This fully clarifies "not getting it" part :-)
Thanks!
BR, Jarkko
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH v1 1/1] certs: Explain the rational to call panic()
2022-03-21 18:23 ` Paul Moore
2022-03-21 23:53 ` Jarkko Sakkinen
@ 2022-03-22 10:53 ` Mickaël Salaün
1 sibling, 0 replies; 8+ messages in thread
From: Mickaël Salaün @ 2022-03-22 10:53 UTC (permalink / raw)
To: Paul Moore
Cc: Jarkko Sakkinen, David Howells, David S . Miller,
David Woodhouse, Eric Snowberg, keyrings, linux-crypto,
linux-kernel, Mickaël Salaün
On 21/03/2022 19:23, Paul Moore wrote:
> On Mon, Mar 21, 2022 at 1:45 PM Mickaël Salaün <mic@digikod.net> wrote:
>>
>> From: Mickaël Salaün <mic@linux.microsoft.com>
>>
>> The blacklist_init() function calls panic() for memory allocation
>> errors. This change documents the reason why we don't return -ENODEV.
>>
>> Suggested-by: Paul Moore <paul@paul-moore.com> [1]
>> Requested-by: Jarkko Sakkinen <jarkko@kernel.org> [1]
>> Link: https://lore.kernel.org/r/YjeW2r6Wv55Du0bJ@iki.fi [1]
>> Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
>> Link: https://lore.kernel.org/r/20220321174548.510516-2-mic@digikod.net
>> ---
>> certs/blacklist.c | 8 ++++++++
>> 1 file changed, 8 insertions(+)
>
> I would suggest changing the second sentence as shown below, but
> otherwise it looks good to me.
>
> Reviewed-by: Paul Moore <paul@paul-moore.com>
>
>> diff --git a/certs/blacklist.c b/certs/blacklist.c
>> index 486ce0dd8e9c..ac26bcf9b9a5 100644
>> --- a/certs/blacklist.c
>> +++ b/certs/blacklist.c
>> @@ -307,6 +307,14 @@ static int restrict_link_for_blacklist(struct key *dest_keyring,
>>
>> /*
>> * Initialise the blacklist
>> + *
>> + * The blacklist_init() function is registered as an initcall via
>> + * device_initcall(). As a result the functionality doesn't load and the
>
> "As a result if the blacklist_init() function fails for any reason the
> kernel continues to execute."
Thanks, I'll fix that.
>
>> + * kernel continues on executing. While cleanly returning -ENODEV could be
>> + * acceptable for some non-critical kernel parts, if the blacklist keyring
>> + * fails to load it defeats the certificate/key based deny list for signed
>> + * modules. If a critical piece of security functionality that users expect to
>> + * be present fails to initialize, panic()ing is likely the right thing to do.
>> */
>> static int __init blacklist_init(void)
>> {
>
> --
> paul-moore.com
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH v1 1/1] certs: Explain the rational to call panic()
2022-03-21 23:53 ` Jarkko Sakkinen
@ 2022-03-22 10:54 ` Mickaël Salaün
0 siblings, 0 replies; 8+ messages in thread
From: Mickaël Salaün @ 2022-03-22 10:54 UTC (permalink / raw)
To: Jarkko Sakkinen, Paul Moore
Cc: David Howells, David S . Miller, David Woodhouse, Eric Snowberg,
keyrings, linux-crypto, linux-kernel, Mickaël Salaün
On 22/03/2022 00:53, Jarkko Sakkinen wrote:
> On Mon, Mar 21, 2022 at 02:23:54PM -0400, Paul Moore wrote:
>> On Mon, Mar 21, 2022 at 1:45 PM Mickaël Salaün <mic@digikod.net> wrote:
>>>
>>> From: Mickaël Salaün <mic@linux.microsoft.com>
>>>
>>> The blacklist_init() function calls panic() for memory allocation
>>> errors. This change documents the reason why we don't return -ENODEV.
>>>
>>> Suggested-by: Paul Moore <paul@paul-moore.com> [1]
>>> Requested-by: Jarkko Sakkinen <jarkko@kernel.org> [1]
>>> Link: https://lore.kernel.org/r/YjeW2r6Wv55Du0bJ@iki.fi [1]
>>> Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
>>> Link: https://lore.kernel.org/r/20220321174548.510516-2-mic@digikod.net
>>> ---
>>> certs/blacklist.c | 8 ++++++++
>>> 1 file changed, 8 insertions(+)
>>
>> I would suggest changing the second sentence as shown below, but
>> otherwise it looks good to me.
>>
>> Reviewed-by: Paul Moore <paul@paul-moore.com>
>
> Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
>
> Mickaël, I think since your patch set was not huge in the first place, I'm
> considering making it part of rc2 pull request while I normally try to
> avoid any features after rc1. It's anyway throughly tested, and generally
> has been around for a *long time*. I've even tested it myself a few times.
>
> Just trying to be responsible as a maintainer and if something does not
> feel right, I don't try to pretend that "I get it", if you know what
> I mean. This fully clarifies "not getting it" part :-)
>
> Thanks!
Thanks Jarkko, I get it. ;)
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH v1 0/1] Explain panic() calls for keyring initialization
2022-03-21 18:29 ` [PATCH v1 0/1] Explain panic() calls for keyring initialization David Woodhouse
@ 2022-03-22 10:55 ` Mickaël Salaün
0 siblings, 0 replies; 8+ messages in thread
From: Mickaël Salaün @ 2022-03-22 10:55 UTC (permalink / raw)
To: David Woodhouse, Jarkko Sakkinen
Cc: David Howells, David S . Miller, Eric Snowberg, Paul Moore,
keyrings, linux-crypto, linux-kernel
On 21/03/2022 19:29, David Woodhouse wrote:
> On Mon, 2022-03-21 at 18:45 +0100, Mickaël Salaün wrote:
>>
>> Mickaël Salaün (1):
>> certs: Explain the rational to call panic()
>
> Nit: "rationale". Even in Simplified English, I believe "rational" is a
> completely different word.
Right, "rational" is an adjective.
>
>> certs/blacklist.c | 8 ++++++++
>> 1 file changed, 8 insertions(+)
>
> Also, isn't it about time we changed this to call it a denylist?
>
It is important to note that this word is part of the kernel ABI because
of the keyring name.
^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2022-03-22 10:54 UTC | newest]
Thread overview: 8+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-03-21 17:45 [PATCH v1 0/1] Explain panic() calls for keyring initialization Mickaël Salaün
2022-03-21 17:45 ` [PATCH v1 1/1] certs: Explain the rational to call panic() Mickaël Salaün
2022-03-21 18:23 ` Paul Moore
2022-03-21 23:53 ` Jarkko Sakkinen
2022-03-22 10:54 ` Mickaël Salaün
2022-03-22 10:53 ` Mickaël Salaün
2022-03-21 18:29 ` [PATCH v1 0/1] Explain panic() calls for keyring initialization David Woodhouse
2022-03-22 10:55 ` Mickaël Salaün
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.