Re: [PATCH v1 0/9] Enable root to update the blacklist keyring
From: Jarkko Sakkinen
Date: Sun Nov 29 2020 - 21:41:38 EST
On Fri, Nov 20, 2020 at 07:04:17PM +0100, Mickaël Salaün wrote:
> Hi,
>
> This patch series mainly add a new configuration option to enable the
> root user to load signed keys in the blacklist keyring. This keyring is
> useful to "untrust" certificates or files. Enabling to safely update
> this keyring without recompiling the kernel makes it more usable.
I apologize for latency. This cycle has been difficult because of
final cuts with the huge SGX patch set.
I did skim through this and did not see anything striking (but it
was a quick look).
What would be easiest way to smoke test the changes?
> Regards,
>
> Mickaël Salaün (9):
> certs: Fix blacklisted hexadecimal hash string check
> certs: Make blacklist_vet_description() more strict
> certs: Factor out the blacklist hash creation
> certs: Check that builtin blacklist hashes are valid
> PKCS#7: Fix missing include
> certs: Fix blacklist flag type confusion
> certs: Allow root user to append signed hashes to the blacklist
> keyring
> certs: Replace K{U,G}IDT_INIT() with GLOBAL_ROOT_{U,G}ID
> tools/certs: Add print-cert-tbs-hash.sh
>
> MAINTAINERS | 2 +
> certs/.gitignore | 1 +
> certs/Kconfig | 10 +
> certs/Makefile | 15 +-
> certs/blacklist.c | 210 +++++++++++++-----
> certs/system_keyring.c | 5 +-
> crypto/asymmetric_keys/x509_public_key.c | 3 +-
> include/keys/system_keyring.h | 14 +-
> include/linux/verification.h | 2 +
> scripts/check-blacklist-hashes.awk | 37 +++
> .../platform_certs/keyring_handler.c | 26 +--
> tools/certs/print-cert-tbs-hash.sh | 91 ++++++++
> 12 files changed, 335 insertions(+), 81 deletions(-)
> create mode 100755 scripts/check-blacklist-hashes.awk
> create mode 100755 tools/certs/print-cert-tbs-hash.sh
>
>
> base-commit: 09162bc32c880a791c6c0668ce0745cf7958f576
> --
> 2.29.2
>
>
/Jarkko