| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <7924ce4c-ea94-9540-0730-bddae7c6af07@digikod.net>
Date: Thu, 4 Feb 2021 09:26:19 +0100
From: Mickaël Salaün <mic@...ikod.net>
To: Eric Snowberg <eric.snowberg@...cle.com>,
David Howells <dhowells@...hat.com>
Cc: dwmw2@...radead.org, Jarkko Sakkinen <jarkko@...nel.org>,
James.Bottomley@...senPartnership.com, masahiroy@...nel.org,
michal.lkml@...kovi.net, jmorris@...ei.org, serge@...lyn.com,
ardb@...nel.org, Mimi Zohar <zohar@...ux.ibm.com>,
lszubowi@...hat.com, javierm@...hat.com, keyrings@...r.kernel.org,
linux-kernel@...r.kernel.org, linux-kbuild@...r.kernel.org,
linux-security-module@...r.kernel.org,
Tyler Hicks <tyhicks@...ux.microsoft.com>
Subject: Re: Conflict with Mickaël Salaün's blacklist patches [was [PATCH v5 0/4] Add EFI_CERT_X509_GUID support for dbx/mokx entries]
On 04/02/2021 04:53, Eric Snowberg wrote:
>
>> On Feb 3, 2021, at 11:49 AM, Mickaël Salaün <mic@...ikod.net> wrote:
>>
>> This looks good to me, and it still works for my use case. Eric's
>> patchset only looks for asymmetric keys in the blacklist keyring, so
>> even if we use the same keyring we don't look for the same key types. My
>> patchset only allows blacklist keys (i.e. hashes, not asymmetric keys)
>> to be added by user space (if authenticated), but because Eric's
>> asymmetric keys are loaded with KEY_ALLOC_BYPASS_RESTRICTION, it should
>> be OK for his use case. There should be no interference between the two
>> new features, but I find it a bit confusing to have such distinct use of
>> keys from the same keyring depending on their type.
>
> I agree, it is a bit confusing. What is the thought of having a dbx
> keyring, similar to how the platform keyring works?
>
> https://www.spinics.net/lists/linux-security-module/msg40262.html
>
>
>> On 03/02/2021 17:26, David Howells wrote:
>>>
>>> Eric Snowberg <eric.snowberg@...cle.com> wrote:
>>>
>>>> This is the fifth patch series for adding support for
>>>> EFI_CERT_X509_GUID entries [1]. It has been expanded to not only include
>>>> dbx entries but also entries in the mokx. Additionally my series to
>>>> preload these certificate [2] has also been included.
>>>
>>> Okay, I've tentatively applied this to my keys-next branch. However, it
>>> conflicts minorly with Mickaël Salaün's patches that I've previously merged on
>>> the same branch. Can you have a look at the merge commit
>>>
>>> https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit/?h=keys-next&id=fdbbe7ceeb95090d09c33ce0497e0394c82aa33d
>>>
>>> (the top patch of my keys-next branch)
>>>
>>> to see if that is okay by both of you? If so, can you give it a whirl?
>
>
> I’m seeing a build error within blacklist_hashes_checked with
> one of my configs.
>
> The config is as follows:
>
> $ grep CONFIG_SYSTEM_BLACKLIST_HASH_LIST .config
> CONFIG_SYSTEM_BLACKLIST_HASH_LIST=“revocation_list"
>
> $ cat certs/revocation_list
> "tbs:1e125ea4f38acb7b29b0c495fd8e7602c2c3353b913811a9da3a2fb505c08a32”
>
> make[1]: *** No rule to make target 'revocation_list', needed by 'certs/blacklist_hashes_checked'. Stop.
It requires an absolute path. This is to align with other variables
using the config_filename macro: CONFIG_SYSTEM_TRUSTED_KEYS,
CONFIG_MODULE_SIG_KEY and now CONFIG_SYSTEM_REVOCATION_KEYS.
Cf. https://lore.kernel.org/lkml/1221725.1607515111@warthog.procyon.org.uk/
We may want to patch scripts/kconfig/streamline_config.pl for both
CONFIG_SYSTEM_REVOCATION_KEYS and CONFIG_SYSTEM_BLACKLIST_HASH_LIST, to
warn user (and exit with an error) if such files are not found.
Powered by blists - more mailing lists