lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Wed, 3 Feb 2021 19:49:31 +0100
From:   Mickaël Salaün <mic@...ikod.net>
To:     David Howells <dhowells@...hat.com>,
        Eric Snowberg <eric.snowberg@...cle.com>
Cc:     dwmw2@...radead.org, jarkko@...nel.org,
        James.Bottomley@...senPartnership.com, masahiroy@...nel.org,
        michal.lkml@...kovi.net, jmorris@...ei.org, serge@...lyn.com,
        ardb@...nel.org, zohar@...ux.ibm.com, lszubowi@...hat.com,
        javierm@...hat.com, keyrings@...r.kernel.org,
        linux-kernel@...r.kernel.org, linux-kbuild@...r.kernel.org,
        linux-security-module@...r.kernel.org,
        Tyler Hicks <tyhicks@...ux.microsoft.com>
Subject: Re: Conflict with Mickaël Salaün's blacklist patches [was [PATCH v5 0/4] Add EFI_CERT_X509_GUID support for dbx/mokx entries]

This looks good to me, and it still works for my use case. Eric's
patchset only looks for asymmetric keys in the blacklist keyring, so
even if we use the same keyring we don't look for the same key types. My
patchset only allows blacklist keys (i.e. hashes, not asymmetric keys)
to be added by user space (if authenticated), but because Eric's
asymmetric keys are loaded with KEY_ALLOC_BYPASS_RESTRICTION, it should
be OK for his use case.  There should be no interference between the two
new features, but I find it a bit confusing to have such distinct use of
keys from the same keyring depending on their type.

Regards,
 Mickaël


On 03/02/2021 17:26, David Howells wrote:
> 
> Eric Snowberg <eric.snowberg@...cle.com> wrote:
> 
>> This is the fifth patch series for adding support for 
>> EFI_CERT_X509_GUID entries [1].  It has been expanded to not only include
>> dbx entries but also entries in the mokx.  Additionally my series to
>> preload these certificate [2] has also been included.
> 
> Okay, I've tentatively applied this to my keys-next branch.  However, it
> conflicts minorly with Mickaël Salaün's patches that I've previously merged on
> the same branch.  Can you have a look at the merge commit
> 
> 	https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit/?h=keys-next&id=fdbbe7ceeb95090d09c33ce0497e0394c82aa33d
> 
> 	(the top patch of my keys-next branch)
> 
> to see if that is okay by both of you?  If so, can you give it a whirl?
> 
> Thanks,
> David
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ