From: Jarkko Sakkinen
To: Mickaël Salaün
Cc: David Howells, David Woodhouse, David S. Miller, Herbert Xu, James Morris, Mickaël Salaün, Mimi Zohar, Serge E. Hallyn, keyrings@vger.kernel.org, linux-crypto@vger.kernel.org, linux-integrity@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: Re: [PATCH v1 0/9] Enable root to update the blacklist keyring
Date: Wed, 2 Dec 2020 18:44:17 +0200
Message-ID: <20201202164417.GA91162@kernel.org>
In-Reply-To: <80fb0eae-8321-5ae2-8d50-eabbe86981da@digikod.net>
References: <20201120180426.922572-1-mic@digikod.net> <20201130024011.GA24870@kernel.org> <80fb0eae-8321-5ae2-8d50-eabbe86981da@digikod.net>

On Mon, Nov 30, 2020 at 09:23:59AM +0100, Mickaël Salaün wrote:
>
> On 30/11/2020 03:40, Jarkko Sakkinen wrote:
> > On Fri, Nov 20, 2020 at 07:04:17PM +0100, Mickaël Salaün wrote:
> >> Hi,
> >>
> >> This patch series mainly adds a new configuration option to enable the
> >> root user to load signed keys in the blacklist keyring. This keyring is
> >> useful to "untrust" certificates or files. Being able to safely update
> >> this keyring without recompiling the kernel makes it more usable.
> >
> > I apologize for the latency. This cycle has been difficult because of
> > final cuts with the huge SGX patch set.
> >
> > I did skim through this and did not see anything striking (but it
> > was a quick look).
> >
> > What would be the easiest way to smoke test the changes?
>
> An easy way to test it is to enable the second trusted keyring to
> dynamically load certificates in the kernel. Then we can create a hash
> of a valid certificate (but not loaded yet) and sign it as explained in
> tools/certs/print-cert-tbs-hash.sh (patch 9/9). Once this hash is loaded
> in the kernel, loading the blacklisted certificate will be denied. We
> can also test it with a PKCS#7 signature chain, either with the
> blacklist keyring itself, or with a signed dm-verity image.

Thanks, looking into this once 5.11-rc1 is out.

/Jarkko