Re: Conflict with Mickaël Salaün's blacklist patches [was [PATCH v5 0/4] Add EFI_CERT_X509_GUID support for dbx/mokx entries]

Eric Snowberg eric.snowberg at oracle.com
Mon Feb 8 23:05:01 UTC 2021 

> On Feb 6, 2021, at 11:30 AM, Mickaël Salaün <mic at digikod.net> wrote:
> 
> On 06/02/2021 02:14, Eric Snowberg wrote:
> 
>> I have done some additional testing, I am seeing a regression. The blacklist 
>> keyring is no longer picking up any of the hashes from the dbx during boot. 
>> I backed out the merge with my changes  (fdbbe7ceeb95090d09c33ce0497e0394c82aa33d) 
>> and still see the regression.  I then backed out Mickaël merge
>> (5bf1adccf5c41dbdd51d1f4de220d335d9548598) and it fixes the regression.
>> 
>> On a x86 with the updated dbx from uefi.org, I’d expect to see 234 bin hash entries
>> in the blacklist keyring.  With the current merged code, there is none.
> 
> Hum, I missed a part in refactoring (commit
> f78e50c8f750c0ac6767ac1ed006360cf77c56c4). :/
> Could you please test the following patch?
> 
> diff --git a/certs/blacklist.c b/certs/blacklist.c
> index 07c592ae5307..f998a2e85ddc 100644
> --- a/certs/blacklist.c
> +++ b/certs/blacklist.c
> @@ -197,13 +197,16 @@ int mark_hash_blacklisted(const u8 *hash, size_t
> hash_len,
>                enum blacklist_hash_type hash_type)
> {
>        const char *buffer;
> +       int err;
> 
>        buffer = get_raw_hash(hash, hash_len, hash_type);
>        if (IS_ERR(buffer))
>                return PTR_ERR(buffer);
> +       err = mark_raw_hash_blacklisted(buffer);
>        kfree(buffer);
> -       return 0;
> +       return err;
> }

I applied this patch, it works better, but there is still a regression. 
Most of the hashes show up in the blacklist keyring now.  However some 
do not, here is what I see in the log during boot:

[    2.321876] blacklist: Problem blacklisting hash (-13)
[    2.322729] blacklist: Problem blacklisting hash (-13)
[    2.323549] blacklist: Problem blacklisting hash (-13)
[    2.324369] blacklist: Problem blacklisting hash (-13)

> Is it possible to test these kind of dbx blacklist with Qemu?

Yes, just use OVMF.

More information about the Linux-security-module-archive mailing list