[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20201130024011.GA24870@kernel.org>
Date: Mon, 30 Nov 2020 04:40:11 +0200
From: Jarkko Sakkinen <jarkko@...nel.org>
To: Mickaël Salaün <mic@...ikod.net>
Cc: David Howells <dhowells@...hat.com>,
David Woodhouse <dwmw2@...radead.org>,
"David S . Miller" <davem@...emloft.net>,
Herbert Xu <herbert@...dor.apana.org.au>,
James Morris <jmorris@...ei.org>,
Mickaël Salaün <mic@...ux.microsoft.com>,
Mimi Zohar <zohar@...ux.ibm.com>,
"Serge E . Hallyn" <serge@...lyn.com>, keyrings@...r.kernel.org,
linux-crypto@...r.kernel.org, linux-integrity@...r.kernel.org,
linux-kernel@...r.kernel.org, linux-security-module@...r.kernel.org
Subject: Re: [PATCH v1 0/9] Enable root to update the blacklist keyring
On Fri, Nov 20, 2020 at 07:04:17PM +0100, Mickaël Salaün wrote:
> Hi,
>
> This patch series mainly add a new configuration option to enable the
> root user to load signed keys in the blacklist keyring. This keyring is
> useful to "untrust" certificates or files. Enabling to safely update
> this keyring without recompiling the kernel makes it more usable.
I apologize for latency. This cycle has been difficult because of
final cuts with the huge SGX patch set.
I did skim through this and did not see anything striking (but it
was a quick look).
What would be easiest way to smoke test the changes?
> Regards,
>
> Mickaël Salaün (9):
> certs: Fix blacklisted hexadecimal hash string check
> certs: Make blacklist_vet_description() more strict
> certs: Factor out the blacklist hash creation
> certs: Check that builtin blacklist hashes are valid
> PKCS#7: Fix missing include
> certs: Fix blacklist flag type confusion
> certs: Allow root user to append signed hashes to the blacklist
> keyring
> certs: Replace K{U,G}IDT_INIT() with GLOBAL_ROOT_{U,G}ID
> tools/certs: Add print-cert-tbs-hash.sh
>
> MAINTAINERS | 2 +
> certs/.gitignore | 1 +
> certs/Kconfig | 10 +
> certs/Makefile | 15 +-
> certs/blacklist.c | 210 +++++++++++++-----
> certs/system_keyring.c | 5 +-
> crypto/asymmetric_keys/x509_public_key.c | 3 +-
> include/keys/system_keyring.h | 14 +-
> include/linux/verification.h | 2 +
> scripts/check-blacklist-hashes.awk | 37 +++
> .../platform_certs/keyring_handler.c | 26 +--
> tools/certs/print-cert-tbs-hash.sh | 91 ++++++++
> 12 files changed, 335 insertions(+), 81 deletions(-)
> create mode 100755 scripts/check-blacklist-hashes.awk
> create mode 100755 tools/certs/print-cert-tbs-hash.sh
>
>
> base-commit: 09162bc32c880a791c6c0668ce0745cf7958f576
> --
> 2.29.2
>
>
/Jarkko
Powered by blists - more mailing lists