From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.5 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,MAILING_LIST_MULTI,SPF_HELO_NONE, SPF_PASS,URIBL_BLOCKED autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 4BDF2C4361B for ; Fri, 4 Dec 2020 15:39:15 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 125CB22B30 for ; Fri, 4 Dec 2020 15:39:15 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730559AbgLDPjO (ORCPT ); Fri, 4 Dec 2020 10:39:14 -0500 Received: from mail.kernel.org ([198.145.29.99]:40336 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1730395AbgLDPjO (ORCPT ); Fri, 4 Dec 2020 10:39:14 -0500 Date: Fri, 4 Dec 2020 17:38:27 +0200 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1607096313; bh=iTThFfM4EWdfNqRekI8Xw/sXCVHPS1MXBYIjkuMK8Ks=; h=From:To:Cc:Subject:References:In-Reply-To:From; b=V7vsQ1s4GxsMXkkDoUlNHfZPeXbbuLJCSXhMiX/9w+dV6iw6wiZ3Awxol5VI5w8Gf ka4Y+tRVd/7Z5/XJfmzYbh5+yFBGCpyADJntQIMPG6/KHcnqWqychZ6kf0ExzYWuPv Wm+pBJCRKkOW2OuEdKdoOFL8BNSY5UE398cBbF3OG6sDSRrXMOWvawYKDQy71EjXaR Omm6q+Q3QhzheEfyLUlc9Sk+c2oJxnXRTQGg+kYRUSJ30ZxFwMe9C2322Y0jXWk11p +88w85y3ZnG/KI6BekGYGf+JbNZzhEuBSOmADrfyxN2C/VDKXyfTsucMHaXJCbN2hV oCZ8Ek1o67aoA== From: Jarkko Sakkinen To: David Howells Cc: =?us-ascii?B?PT9VVEYtOD9RP01pY2thPWMzPWFibF9TYWxhPWMzPWJjbj89?= , David Woodhouse , "David S . Miller" , Herbert Xu , James Morris , =?us-ascii?B?PT9VVEYtOD9RP01pY2thPWMzPWFibF9TYWxhPWMzPWJjbj89?= , Mimi Zohar , "Serge E . Hallyn" , keyrings@vger.kernel.org, linux-crypto@vger.kernel.org, linux-integrity@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org Subject: Re: [PATCH v1 0/9] Enable root to update the blacklist keyring Message-ID: <20201204153827.GB6337@kernel.org> References: <80fb0eae-8321-5ae2-8d50-eabbe86981da@digikod.net> <20201120180426.922572-1-mic@digikod.net> <20201130024011.GA24870@kernel.org> <113544.1607090496@warthog.procyon.org.uk> MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <113544.1607090496@warthog.procyon.org.uk> Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Dec 04, 2020 at 02:01:36PM +0000, David Howells wrote: > Mickaël Salaün wrote: > > > > What would be easiest way to smoke test the changes? > > > > An easy way to test it is to enable the second trusted keyring to > > dynamically load certificates in the kernel. Then we can create a hash > > of a valid certificate (but not loaded yet) and sign it as explained in > > tools/certs/print-cert-tbs-hash.sh (patch 9/9). Once this hash is loaded > > in the kernel, loading the blacklisted certificate will be denied. We > > can also test it with a PKCS#7 signature chain, either with the > > blacklist keyring itself, or with a signed dm-verity image. > > It might also be possible to use the pkcs#7 test key type > (CONFIG_PKCS7_TEST_KEY) to aid in that. > > David Thanks, note taken. /Jarkko