keyrings.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH] integrity: add informational messages when revoking certs
@ 2021-05-12 11:03 Dimitri John Ledkov
  2021-05-18  8:57 ` [PATCH v2] " Dimitri John Ledkov
  0 siblings, 1 reply; 2+ messages in thread
From: Dimitri John Ledkov @ 2021-05-12 11:03 UTC (permalink / raw)
  To: linux-kernel
  Cc: Dimitri John Ledkov, keyrings, Eric Snowberg, Jarkko Sakkinen,
	David Woodhouse, David Howells

integrity_load_cert() prints messages of the source and cert details
when adding certs as trusted. Mirror those messages in
uefi_revocation_list_x509() when adding certs as revoked.

Sample dmesg with this change:

    integrity: Platform Keyring initialized
    integrity: Loading X.509 certificate: UEFI:db
    integrity: Loaded X.509 cert 'Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a1bd4'
    integrity: Revoking X.509 certificate: UEFI:MokListXRT (MOKvar table)
    blacklist: Revoked X.509 cert 'Canonical Ltd. Secure Boot Signing: 61482aa2830d0ab2ad5af10b7250da9033ddcef0'
    integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
    integrity: Loaded X.509 cert 'Canonical Ltd. Master Certificate Authority: ad91990bc22ab1f517048c23b6655a268e345a63'

Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@canonical.com>
cc: keyrings@vger.kernel.org
cc: Eric Snowberg <eric.snowberg@oracle.com>
cc: Jarkko Sakkinen <jarkko@kernel.org>
cc: David Woodhouse <dwmw2@infradead.org>
cc: David Howells <dhowells@redhat.com>
---
 certs/blacklist.c                                   | 4 +++-
 security/integrity/platform_certs/keyring_handler.c | 1 +
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/certs/blacklist.c b/certs/blacklist.c
index c9a435b15af40..6a2afa84a5db9 100644
--- a/certs/blacklist.c
+++ b/certs/blacklist.c
@@ -172,7 +172,9 @@ int add_key_to_revocation_list(const char *data, size_t size)
 	if (IS_ERR(key)) {
 		pr_err("Problem with revocation key (%ld)\n", PTR_ERR(key));
 		return PTR_ERR(key);
-	}
+	} else
+		pr_notice("Revoked X.509 cert '%s'\n",
+			  key_ref_to_ptr(key)->description);
 
 	return 0;
 }
diff --git a/security/integrity/platform_certs/keyring_handler.c b/security/integrity/platform_certs/keyring_handler.c
index 5604bd57c9907..9f85626702b2c 100644
--- a/security/integrity/platform_certs/keyring_handler.c
+++ b/security/integrity/platform_certs/keyring_handler.c
@@ -61,6 +61,7 @@ static __init void uefi_blacklist_binary(const char *source,
 static __init void uefi_revocation_list_x509(const char *source,
 					     const void *data, size_t len)
 {
+	pr_info("Revoking X.509 certificate: %s\n", source);
 	add_key_to_revocation_list(data, len);
 }
 
-- 
2.27.0


^ permalink raw reply related	[flat|nested] 2+ messages in thread
* [PATCH v2] integrity: add informational messages when revoking certs
  2021-05-12 11:03 [PATCH] integrity: add informational messages when revoking certs Dimitri John Ledkov
@ 2021-05-18  8:57 ` Dimitri John Ledkov
  0 siblings, 0 replies; 2+ messages in thread
From: Dimitri John Ledkov @ 2021-05-18  8:57 UTC (permalink / raw)
  To: linux-kernel
  Cc: Dimitri John Ledkov, keyrings, Eric Snowberg, Jarkko Sakkinen,
	David Woodhouse, David Howells

integrity_load_cert() prints messages of the source and cert details
when adding certs as trusted. Mirror those messages in
uefi_revocation_list_x509() when adding certs as revoked.

Sample dmesg with this change:

    integrity: Platform Keyring initialized
    integrity: Loading X.509 certificate: UEFI:db
    integrity: Loaded X.509 cert 'Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a1bd4'
    integrity: Revoking X.509 certificate: UEFI:MokListXRT (MOKvar table)
    blacklist: Revoked X.509 cert 'Canonical Ltd. Secure Boot Signing: 61482aa2830d0ab2ad5af10b7250da9033ddcef0'
    integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table)
    integrity: Loaded X.509 cert 'Canonical Ltd. Master Certificate Authority: ad91990bc22ab1f517048c23b6655a268e345a63'

Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@canonical.com>
cc: keyrings@vger.kernel.org
cc: Eric Snowberg <eric.snowberg@oracle.com>
cc: Jarkko Sakkinen <jarkko@kernel.org>
cc: David Woodhouse <dwmw2@infradead.org>
cc: David Howells <dhowells@redhat.com>
---
 Changes since v1:
 - Correct C coding style add {} around second branch.

 certs/blacklist.c                                   | 3 +++
 security/integrity/platform_certs/keyring_handler.c | 1 +
 2 files changed, 4 insertions(+)

diff --git a/certs/blacklist.c b/certs/blacklist.c
index c9a435b15af4..9e8998868e3e 100644
--- a/certs/blacklist.c
+++ b/certs/blacklist.c
@@ -172,6 +172,9 @@ int add_key_to_revocation_list(const char *data, size_t size)
 	if (IS_ERR(key)) {
 		pr_err("Problem with revocation key (%ld)\n", PTR_ERR(key));
 		return PTR_ERR(key);
+	} else {
+		pr_notice("Revoked X.509 cert '%s'\n",
+			  key_ref_to_ptr(key)->description);
 	}
 
 	return 0;
diff --git a/security/integrity/platform_certs/keyring_handler.c b/security/integrity/platform_certs/keyring_handler.c
index 5604bd57c990..9f85626702b2 100644
--- a/security/integrity/platform_certs/keyring_handler.c
+++ b/security/integrity/platform_certs/keyring_handler.c
@@ -61,6 +61,7 @@ static __init void uefi_blacklist_binary(const char *source,
 static __init void uefi_revocation_list_x509(const char *source,
 					     const void *data, size_t len)
 {
+	pr_info("Revoking X.509 certificate: %s\n", source);
 	add_key_to_revocation_list(data, len);
 }
 
-- 
2.27.0


^ permalink raw reply related	[flat|nested] 2+ messages in thread
end of thread, other threads:[~2021-05-18  8:58 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-05-12 11:03 [PATCH] integrity: add informational messages when revoking certs Dimitri John Ledkov
2021-05-18  8:57 ` [PATCH v2] " Dimitri John Ledkov

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).