[PATCH v3 08/10] certs: Check that builtin blacklist hashes are valid

Mickaël Salaün mic at digikod.net
Wed Jan 20 11:57:55 UTC 2021


On 20/01/2021 06:19, Jarkko Sakkinen wrote:
> On Thu, Jan 14, 2021 at 04:19:07PM +0100, Mickaël Salaün wrote:
>> From: Mickaël Salaün <mic at linux.microsoft.com>
>>
>> Add and use a check-blacklist-hashes.awk script to make sure that the
>> builtin blacklist hashes will be approved by the run time blacklist
>> description checks.  This is useful to debug invalid hash formats, and
>> it make sure that previous hashes which could have been loaded in the
>> kernel (but ignored) are now noticed and deal with by the user.
>>
>> Cc: David Howells <dhowells at redhat.com>
>> Cc: David Woodhouse <dwmw2 at infradead.org>
>> Signed-off-by: Mickaël Salaün <mic at linux.microsoft.com>
>> Acked-by: Jarkko Sakkinen <jarkko at kernel.org>
> 
> I get this with a self-signed cert:
> 
> certs/Makefile:18: *** target pattern contains no '%'.  Stop.
> 
> CONFIG_SYSTEM_BLACKLIST_HASH_LIST="tbs:8eed1340eef37c1dc84d996406ad05c7dbb3eade19132d688408ca2f63904869"

As said in the Kconfig documentation for
CONFIG_SYSTEM_BLACKLIST_HASH_LIST, you need to provide a file with the
list, not to set the string directly in the configuration variable. This
patch series didn't change this behavior. The same kind of macros are
used for CONFIG_MODULE_SIG_KEY.

> 
> I used the script in 10/10 to test this, which is another
> reamark: the patches are in invalid order, as you need to
> apply 10/10 before you can test  8/10.

I'll move patch 10/10 earlier but this kind of formatting was already
required (but silently ignored) for this option to be really taken into
account. Only the kernel code was available to understand how to
effectively create such hash.

> 
> /Jarkko
> 



More information about the Linux-security-module-archive mailing list