lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <YAmcFk9r8sUvT7U4@kernel.org>
Date:   Thu, 21 Jan 2021 17:21:58 +0200
From:   Jarkko Sakkinen <jarkko@...nel.org>
To:     Mickaël Salaün <mic@...ikod.net>
Cc:     David Howells <dhowells@...hat.com>,
        David Woodhouse <dwmw2@...radead.org>,
        "David S . Miller" <davem@...emloft.net>,
        Herbert Xu <herbert@...dor.apana.org.au>,
        James Morris <jmorris@...ei.org>,
        Mickaël Salaün <mic@...ux.microsoft.com>,
        Mimi Zohar <zohar@...ux.ibm.com>,
        "Serge E . Hallyn" <serge@...lyn.com>, keyrings@...r.kernel.org,
        linux-crypto@...r.kernel.org, linux-integrity@...r.kernel.org,
        linux-kernel@...r.kernel.org, linux-security-module@...r.kernel.org
Subject: Re: [PATCH v3 08/10] certs: Check that builtin blacklist hashes are
 valid

On Thu, Jan 21, 2021 at 10:18:20AM +0100, Mickaël Salaün wrote:
> 
> On 21/01/2021 00:53, Jarkko Sakkinen wrote:
> > On Wed, Jan 20, 2021 at 12:57:55PM +0100, Mickaël Salaün wrote:
> >>
> >> On 20/01/2021 06:19, Jarkko Sakkinen wrote:
> >>> On Thu, Jan 14, 2021 at 04:19:07PM +0100, Mickaël Salaün wrote:
> >>>> From: Mickaël Salaün <mic@...ux.microsoft.com>
> >>>>
> >>>> Add and use a check-blacklist-hashes.awk script to make sure that the
> >>>> builtin blacklist hashes will be approved by the run time blacklist
> >>>> description checks.  This is useful to debug invalid hash formats, and
> >>>> it make sure that previous hashes which could have been loaded in the
> >>>> kernel (but ignored) are now noticed and deal with by the user.
> >>>>
> >>>> Cc: David Howells <dhowells@...hat.com>
> >>>> Cc: David Woodhouse <dwmw2@...radead.org>
> >>>> Signed-off-by: Mickaël Salaün <mic@...ux.microsoft.com>
> >>>> Acked-by: Jarkko Sakkinen <jarkko@...nel.org>
> >>>
> >>> I get this with a self-signed cert:
> >>>
> >>> certs/Makefile:18: *** target pattern contains no '%'.  Stop.
> >>>
> >>> CONFIG_SYSTEM_BLACKLIST_HASH_LIST="tbs:8eed1340eef37c1dc84d996406ad05c7dbb3eade19132d688408ca2f63904869"
> >>
> >> As said in the Kconfig documentation for
> >> CONFIG_SYSTEM_BLACKLIST_HASH_LIST, you need to provide a file with the
> >> list, not to set the string directly in the configuration variable. This
> >> patch series didn't change this behavior. The same kind of macros are
> >> used for CONFIG_MODULE_SIG_KEY.
> > 
> > OK, the documentation just states that:
> > 
> > "Hashes to be preloaded into the system blacklist keyring"
> > 
> > No mention about a file. I'd add a patch to update this documentation.
> 
> I was referring to the full description:
> 
> config SYSTEM_BLACKLIST_HASH_LIST
> 	string "Hashes to be preloaded into the system blacklist keyring"
> 	depends on SYSTEM_BLACKLIST_KEYRING
> 	help
> 	  If set, this option should be the filename of a list of hashes in the
> 	  form "<hash>", "<hash>", ... .  This will be included into a C
> 	  wrapper to incorporate the list into the kernel.  Each <hash> should
> 	  be a string of hex digits.
> 
> …but the short description doesn't mention filename.

Aah.

Anyway, I'll test the next version. Now all should be clear how
to approach that. Thanks.

/Jarkko

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ