[BUG] blacklist: Problem blacklisting hash (-13) during boot

Mickaël Salaün mic at digikod.net
Fri Nov 4 17:03:53 UTC 2022


Hi,

Thanks for this report. These error messages seem correct but I don't 
see any legitimate reason for the firmware to store duplicate 
blacklisted hashes.

According to the blacklist_init() function, the "blacklisting failed" 
message could be improved to explain that only a set of hashes failed, 
and why they failed. However, despite this message, this should work as 
expected and should not generate any issue.

Did you contact Lenovo to report this issue (i.e. duplicate hashes in 
their firmware)?

Could you please provide the list of duplicate hashes?

Regards,
  Mickaël


On 15/10/2022 05:16, Thomas Weißschuh wrote:
> Hi,
> 
> Since 5.19 during boot I see lots of the following entries in dmesg:
> 
> blacklist: Problem blacklisting hash (-13)
> 
> This happens because the firmware contains duplicate blacklist entries.
> As commit 6364d106e041 [0] modified the "blacklist" keyring to reject updates
> this now leads to the spurious error messages.
> 
> The machine is a Thinkpad X1 Carbon Gen9 with BIOS revision 1.56 and firmware
> revision 1.33.
> 
> [0] 6364d106e041 ("certs: Allow root user to append signed hashes to the blacklist keyring")
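
One way to produce the list of duplicate hashes requested above, as an added example that is not part of either message or of the kernel sources. It assumes the firmware blacklist is the UEFI dbx variable, read as raw EFI_SIGNATURE_LIST data with the 4-byte efivarfs attribute prefix already removed; the function names and the sample input are constructed for illustration.

```python
import struct
import uuid
from collections import Counter

# EFI_CERT_SHA256_GUID from the UEFI specification.
EFI_CERT_SHA256 = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# EFI_SIGNATURE_LIST header: type GUID, list size, header size, signature size.
LIST_HDR = struct.Struct("<16sIII")


def sha256_entries(siglists: bytes):
    """Yield each SHA-256 hash (hex) found in concatenated EFI_SIGNATURE_LISTs."""
    off = 0
    while off < len(siglists):
        if len(siglists) - off < LIST_HDR.size:
            raise ValueError(f"truncated list header at offset {off}")
        guid, list_size, hdr_size, sig_size = LIST_HDR.unpack_from(siglists, off)
        body = off + LIST_HDR.size + hdr_size
        end = off + list_size
        if list_size < LIST_HDR.size + hdr_size or end > len(siglists) or sig_size <= 16:
            raise ValueError(f"malformed signature list at offset {off}")
        if (end - body) % sig_size:
            raise ValueError(f"list at offset {off} is not a whole number of entries")
        if uuid.UUID(bytes_le=guid) == EFI_CERT_SHA256 and sig_size == 16 + 32:
            for pos in range(body, end, sig_size):
                # Each entry: 16-byte SignatureOwner GUID, then the hash itself.
                yield siglists[pos + 16:pos + sig_size].hex()
        off = end  # lists of other types (e.g. X.509) are skipped


def duplicate_hashes(siglists: bytes):
    """Return {hash_hex: count} for every hash that appears more than once."""
    counts = Counter(sha256_entries(siglists))
    return {h: n for h, n in counts.items() if n > 1}


def build_list(hashes):
    """Constructed sample: one SHA-256 signature list with a zero owner GUID."""
    body = b"".join(bytes(16) + h for h in hashes)
    return LIST_HDR.pack(EFI_CERT_SHA256.bytes_le, LIST_HDR.size + len(body), 0, 48) + body


if __name__ == "__main__":
    import hashlib
    a, b = (hashlib.sha256(x).digest() for x in (b"sample-a", b"sample-b"))
    sample = build_list([a, b]) + build_list([a])  # constructed input, not real dbx data
    for h, n in duplicate_hashes(sample).items():
        print(f"{n}x {h}")
```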
