* Re: [PATCH v5 0/5] Enable root to update the blacklist keyring
  [not found] <20210128191705.3568820-1-mic@digikod.net>
From: Jarkko Sakkinen @ 2021-01-30 20:41 UTC
To: Mickaël Salaün, David Howells, David Woodhouse
Cc: David S . Miller, Herbert Xu, James Morris, Mickaël Salaün,
    Mimi Zohar, Serge E . Hallyn, Tyler Hicks, keyrings, linux-crypto,
    linux-integrity, linux-kernel, linux-security-module

On Thu, 2021-01-28 at 20:17 +0100, Mickaël Salaün wrote:
> This fifth patch series is a rebase on David Howells's keys-misc branch.
> The fix patches are already in this branch and then removed from this
> series, other patches are unchanged.
>
> The goal of these patches is to add a new configuration option to enable the
> root user to load signed keys in the blacklist keyring. This keyring is useful
> to "untrust" certificates or files. Enabling to safely update this keyring
> without recompiling the kernel makes it more usable.
>
> Previous patch series:
> https://lore.kernel.org/lkml/20210121155513.539519-1-mic@digikod.net/
>
> Regards,
>
> Mickaël Salaün (5):
>   tools/certs: Add print-cert-tbs-hash.sh
>   certs: Check that builtin blacklist hashes are valid
>   certs: Make blacklist_vet_description() more strict
>   certs: Factor out the blacklist hash creation
>   certs: Allow root user to append signed hashes to the blacklist
>     keyring
>
>  MAINTAINERS                                   |   2 +
>  certs/.gitignore                              |   1 +
>  certs/Kconfig                                 |  17 +-
>  certs/Makefile                                |  15 +-
>  certs/blacklist.c                             | 207 ++++++++++++++----
>  crypto/asymmetric_keys/x509_public_key.c      |   3 +-
>  include/keys/system_keyring.h                 |  14 +-
>  scripts/check-blacklist-hashes.awk            |  37 ++++
>  .../platform_certs/keyring_handler.c          |  26 +--
>  tools/certs/print-cert-tbs-hash.sh            |  91 ++++++++
>  10 files changed, 336 insertions(+), 77 deletions(-)
>  create mode 100755 scripts/check-blacklist-hashes.awk
>  create mode 100755 tools/certs/print-cert-tbs-hash.sh
>
>
> base-commit: 8f0bfc25c907f38e7f9dc498e8f43000d77327ef

I tested these, so you have both reviewed-by and tested-by from my side to all.

/Jarkko

* Re: [PATCH v5 0/5] Enable root to update the blacklist keyring
From: David Howells @ 2021-02-01 13:07 UTC
To: Mickaël Salaün
Cc: dhowells, David Woodhouse, Jarkko Sakkinen, David S . Miller,
    Herbert Xu, James Morris, Mickaël Salaün, Mimi Zohar,
    Serge E . Hallyn, Tyler Hicks, keyrings, linux-crypto,
    linux-integrity, linux-kernel, linux-security-module

Hi Mickaël,

Do you have a public branch somewhere I can pull from?

David

* Re: [PATCH v5 0/5] Enable root to update the blacklist keyring
From: Mickaël Salaün @ 2021-02-01 16:48 UTC
To: David Howells
Cc: David Woodhouse, Jarkko Sakkinen, David S . Miller, Herbert Xu,
    James Morris, Mickaël Salaün, Mimi Zohar, Serge E . Hallyn,
    Tyler Hicks, keyrings, linux-crypto, linux-integrity, linux-kernel,
    linux-security-module

Hi,

Yes, you can pull this patchset from here:
https://github.com/l0kod/linux branch dyn-auth-blacklist-v5 (commit
33b94bcd56843b4235c6ba4a44157b3c5a8792f1).

 Mickaël


On 01/02/2021 14:07, David Howells wrote:
>
> Hi Mickaël,
>
> Do you have a public branch somewhere I can pull from?
>
> David
>

* Re: [PATCH v5 0/5] Enable root to update the blacklist keyring
From: Mickaël Salaün @ 2021-02-01 16:51 UTC
To: David Howells
Cc: David Woodhouse, Jarkko Sakkinen, David S . Miller, Herbert Xu,
    James Morris, Mickaël Salaün, Mimi Zohar, Serge E . Hallyn,
    Tyler Hicks, keyrings, linux-crypto, linux-integrity, linux-kernel,
    linux-security-module

It doesn't contain Jarkko's Tested-by and Reviewed-by tags though.

On 01/02/2021 17:48, Mickaël Salaün wrote:
> Hi,
>
> Yes, you can pull this patchset from here:
> https://github.com/l0kod/linux branch dyn-auth-blacklist-v5 (commit
> 33b94bcd56843b4235c6ba4a44157b3c5a8792f1).
>
>  Mickaël
>
>
> On 01/02/2021 14:07, David Howells wrote:
>>
>> Hi Mickaël,
>>
>> Do you have a public branch somewhere I can pull from?
>>
>> David
>>

* Re: [PATCH v5 0/5] Enable root to update the blacklist keyring
From: David Howells @ 2021-02-01 17:08 UTC
To: Mickaël Salaün
Cc: dhowells, David Woodhouse, Jarkko Sakkinen, David S . Miller,
    Herbert Xu, James Morris, Mickaël Salaün, Mimi Zohar,
    Serge E . Hallyn, Tyler Hicks, keyrings, linux-crypto,
    linux-integrity, linux-kernel, linux-security-module

Mickaël Salaün <mic@digikod.net> wrote:

> It doesn't contain Jarkko's Tested-by and Reviewed-by tags though.

I can add that in the merge.

David