From: Eric Snowberg <eric.snowberg@oracle.com>
To: "Mickaël Salaün" <mic@digikod.net>
Cc: David Howells <dhowells@redhat.com>,
dwmw2@infradead.org, Jarkko Sakkinen <jarkko@kernel.org>,
James.Bottomley@HansenPartnership.com, masahiroy@kernel.org,
michal.lkml@markovi.net, jmorris@namei.org, serge@hallyn.com,
ardb@kernel.org, Mimi Zohar <zohar@linux.ibm.com>,
lszubowi@redhat.com, javierm@redhat.com,
keyrings@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-kbuild@vger.kernel.org,
linux-security-module@vger.kernel.org,
Tyler Hicks <tyhicks@linux.microsoft.com>
Subject: Re: Conflict with Mickaël Salaün's blacklist patches [was [PATCH v5 0/4] Add EFI_CERT_X509_GUID support for dbx/mokx entries]
Date: Thu, 4 Feb 2021 17:24:36 -0700 [thread overview]
Message-ID: <BFC930B3-7994-4C5B-A8EF-1DD1C73F5750@oracle.com> (raw)
In-Reply-To: <7924ce4c-ea94-9540-0730-bddae7c6af07@digikod.net>
> On Feb 4, 2021, at 1:26 AM, Mickaël Salaün <mic@digikod.net> wrote:
>
>
> On 04/02/2021 04:53, Eric Snowberg wrote:
>>
>>> On Feb 3, 2021, at 11:49 AM, Mickaël Salaün <mic@digikod.net> wrote:
>>>
>>> This looks good to me, and it still works for my use case. Eric's
>>> patchset only looks for asymmetric keys in the blacklist keyring, so
>>> even if we use the same keyring we don't look for the same key types. My
>>> patchset only allows blacklist keys (i.e. hashes, not asymmetric keys)
>>> to be added by user space (if authenticated), but because Eric's
>>> asymmetric keys are loaded with KEY_ALLOC_BYPASS_RESTRICTION, it should
>>> be OK for his use case. There should be no interference between the two
>>> new features, but I find it a bit confusing to have such distinct use of
>>> keys from the same keyring depending on their type.
>>
>> I agree, it is a bit confusing. What is the thought of having a dbx
>> keyring, similar to how the platform keyring works?
>>
>> https://www.spinics.net/lists/linux-security-module/msg40262.html
>>
>>
>>> On 03/02/2021 17:26, David Howells wrote:
>>>>
>>>> Eric Snowberg <eric.snowberg@oracle.com> wrote:
>>>>
>>>>> This is the fifth patch series for adding support for
>>>>> EFI_CERT_X509_GUID entries [1]. It has been expanded to not only include
>>>>> dbx entries but also entries in the mokx. Additionally my series to
>>>>> preload these certificate [2] has also been included.
>>>>
>>>> Okay, I've tentatively applied this to my keys-next branch. However, it
>>>> conflicts minorly with Mickaël Salaün's patches that I've previously merged on
>>>> the same branch. Can you have a look at the merge commit
>>>>
>>>> https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit/?h=keys-next&id=fdbbe7ceeb95090d09c33ce0497e0394c82aa33d
>>>>
>>>> (the top patch of my keys-next branch)
>>>>
>>>> to see if that is okay by both of you? If so, can you give it a whirl?
>>
>>
>> I’m seeing a build error within blacklist_hashes_checked with
>> one of my configs.
>>
>> The config is as follows:
>>
>> $ grep CONFIG_SYSTEM_BLACKLIST_HASH_LIST .config
>> CONFIG_SYSTEM_BLACKLIST_HASH_LIST=“revocation_list"
>>
>> $ cat certs/revocation_list
>> "tbs:1e125ea4f38acb7b29b0c495fd8e7602c2c3353b913811a9da3a2fb505c08a32”
>>
>> make[1]: *** No rule to make target 'revocation_list', needed by 'certs/blacklist_hashes_checked'. Stop.
>
> It requires an absolute path.
Ok, if I use an absolute path now with CONFIG_SYSTEM_BLACKLIST_HASH_LIST
it works.
> This is to align with other variables
> using the config_filename macro: CONFIG_SYSTEM_TRUSTED_KEYS,
> CONFIG_MODULE_SIG_KEY and now CONFIG_SYSTEM_REVOCATION_KEYS.
I just did a quick test with CONFIG_SYSTEM_TRUSTED_KEYS. It looks like we
can use either a relative or absolute path with CONFIG_SYSTEM_TRUSTED_KEYS.
Shouldn’t this be consistent?
> Cf. https://lore.kernel.org/lkml/1221725.1607515111@warthog.procyon.org.uk/
>
> We may want to patch scripts/kconfig/streamline_config.pl for both
> CONFIG_SYSTEM_REVOCATION_KEYS and CONFIG_SYSTEM_BLACKLIST_HASH_LIST, to
> warn user (and exit with an error) if such files are not found.
next prev parent reply other threads:[~2021-02-05 0:26 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-01-22 18:10 [PATCH v5 0/4] Add EFI_CERT_X509_GUID support for dbx/mokx entries Eric Snowberg
2021-01-22 18:10 ` [PATCH v5 1/4] certs: Add EFI_CERT_X509_GUID support for dbx entries Eric Snowberg
2021-01-28 3:54 ` Nayna
2021-01-28 4:11 ` Eric Snowberg
2021-01-28 15:35 ` Nayna
2021-01-28 15:58 ` David Howells
2021-01-29 1:56 ` Eric Snowberg
2021-01-22 18:10 ` [PATCH v5 2/4] certs: Move load_system_certificate_list to a common function Eric Snowberg
2021-01-22 18:10 ` [PATCH v5 3/4] certs: Add ability to preload revocation certs Eric Snowberg
2021-01-22 18:10 ` [PATCH v5 4/4] integrity: Load mokx variables into the blacklist keyring Eric Snowberg
2021-01-28 15:16 ` [PATCH v5 0/4] Add EFI_CERT_X509_GUID support for dbx/mokx entries David Howells
2021-01-28 15:27 ` Mimi Zohar
2021-01-28 15:29 ` Mimi Zohar
2021-01-28 15:41 ` Eric Snowberg
2021-02-03 16:26 ` Conflict with Mickaël Salaün's blacklist patches [was [PATCH v5 0/4] Add EFI_CERT_X509_GUID support for dbx/mokx entries] David Howells
2021-02-03 18:49 ` Mickaël Salaün
2021-02-04 3:53 ` Eric Snowberg
2021-02-04 8:26 ` Mickaël Salaün
2021-02-05 0:24 ` Eric Snowberg [this message]
2021-02-05 10:27 ` Mickaël Salaün
2021-02-06 1:14 ` Eric Snowberg
2021-02-06 18:30 ` Mickaël Salaün
2021-02-08 23:05 ` Eric Snowberg
2021-02-09 21:53 ` Mickaël Salaün
2021-02-10 12:07 ` Mickaël Salaün
2021-02-09 13:14 ` David Howells
2021-02-09 13:59 ` Mickaël Salaün
2021-02-09 16:46 ` David Howells
2021-02-12 11:49 ` Jarkko Sakkinen
2021-02-04 9:11 ` David Howells
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=BFC930B3-7994-4C5B-A8EF-1DD1C73F5750@oracle.com \
--to=eric.snowberg@oracle.com \
--cc=James.Bottomley@HansenPartnership.com \
--cc=ardb@kernel.org \
--cc=dhowells@redhat.com \
--cc=dwmw2@infradead.org \
--cc=jarkko@kernel.org \
--cc=javierm@redhat.com \
--cc=jmorris@namei.org \
--cc=keyrings@vger.kernel.org \
--cc=linux-kbuild@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=lszubowi@redhat.com \
--cc=masahiroy@kernel.org \
--cc=mic@digikod.net \
--cc=michal.lkml@markovi.net \
--cc=serge@hallyn.com \
--cc=tyhicks@linux.microsoft.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).