[PATCH v7 5/5] certs: Allow root user to append signed hashes to the blacklist keyring

Eric Snowberg eric.snowberg at oracle.com
Mon Mar 15 16:59:16 UTC 2021

> On Mar 12, 2021, at 10:12 AM, Mickaël Salaün <mic at digikod.net> wrote:
> From: Mickaël Salaün <mic at linux.microsoft.com>
> Add a kernel option SYSTEM_BLACKLIST_AUTH_UPDATE to enable the root user
> to dynamically add new keys to the blacklist keyring.  This enables to
> invalidate new certificates, either from being loaded in a keyring, or
> from being trusted in a PKCS#7 certificate chain.  This also enables to
> add new file hashes to be denied by the integrity infrastructure.
> Being able to untrust a certificate which could have normaly been
> trusted is a sensitive operation.  This is why adding new hashes to the
> blacklist keyring is only allowed when these hashes are signed and
> vouched by the builtin trusted keyring.  A blacklist hash is stored as a
> key description.  The PKCS#7 signature of this description must be
> provided as the key payload.
> Marking a certificate as untrusted should be enforced while the system
> is running.  It is then forbiden to remove such blacklist keys.
> Update blacklist keyring, blacklist key and revoked certificate access rights:
> * allows the root user to search for a specific blacklisted hash, which
>  make sense because the descriptions are already viewable;
> * forbids key update (blacklist and asymmetric ones);
> * restricts kernel rights on the blacklist keyring to align with the
>  root user rights.
> See help in tools/certs/print-cert-tbs-hash.sh .
> Cc: David Howells <dhowells at redhat.com>
> Cc: David Woodhouse <dwmw2 at infradead.org>
> Cc: Eric Snowberg <eric.snowberg at oracle.com>
> Cc: Jarkko Sakkinen <jarkko at kernel.org>
> Signed-off-by: Mickaël Salaün <mic at linux.microsoft.com>
> Link: https://lore.kernel.org/r/20210312171232.2681989-6-mic@digikod.net

I tried testing this, it doesn’t work as I would expect.  
Here is my test setup:

Kernel built with two keys compiled into the builtin_trusted_keys keyring

Generated a tbs cert from one of the keys and signed it with the other key

As root, added the tbs cert hash to the blacklist keyring

Verified the tbs hash is in the blacklist keyring

Enabled lockdown to enforce kernel module signature checking

Signed a kernel module with the key I just blacklisted

Load the kernel module 

I’m seeing the kernel module load, I would expect this to fail, since the 
key is now blacklisted.  Or is this change just supposed to prevent new keys 
from being added in the future?

More information about the Linux-security-module-archive mailing list