lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-Id: <BFC930B3-7994-4C5B-A8EF-1DD1C73F5750@oracle.com>
Date:   Thu, 4 Feb 2021 17:24:36 -0700
From:   Eric Snowberg <eric.snowberg@...cle.com>
To:     Mickaël Salaün <mic@...ikod.net>
Cc:     David Howells <dhowells@...hat.com>, dwmw2@...radead.org,
        Jarkko Sakkinen <jarkko@...nel.org>,
        James.Bottomley@...senPartnership.com, masahiroy@...nel.org,
        michal.lkml@...kovi.net, jmorris@...ei.org, serge@...lyn.com,
        ardb@...nel.org, Mimi Zohar <zohar@...ux.ibm.com>,
        lszubowi@...hat.com, javierm@...hat.com, keyrings@...r.kernel.org,
        linux-kernel@...r.kernel.org, linux-kbuild@...r.kernel.org,
        linux-security-module@...r.kernel.org,
        Tyler Hicks <tyhicks@...ux.microsoft.com>
Subject: Re: Conflict with Mickaël Salaün's blacklist patches [was [PATCH v5 0/4] Add EFI_CERT_X509_GUID support for dbx/mokx entries]


> On Feb 4, 2021, at 1:26 AM, Mickaël Salaün <mic@...ikod.net> wrote:
> 
> 
> On 04/02/2021 04:53, Eric Snowberg wrote:
>> 
>>> On Feb 3, 2021, at 11:49 AM, Mickaël Salaün <mic@...ikod.net> wrote:
>>> 
>>> This looks good to me, and it still works for my use case. Eric's
>>> patchset only looks for asymmetric keys in the blacklist keyring, so
>>> even if we use the same keyring we don't look for the same key types. My
>>> patchset only allows blacklist keys (i.e. hashes, not asymmetric keys)
>>> to be added by user space (if authenticated), but because Eric's
>>> asymmetric keys are loaded with KEY_ALLOC_BYPASS_RESTRICTION, it should
>>> be OK for his use case.  There should be no interference between the two
>>> new features, but I find it a bit confusing to have such distinct use of
>>> keys from the same keyring depending on their type.
>> 
>> I agree, it is a bit confusing.  What is the thought of having a dbx 
>> keyring, similar to how the platform keyring works?
>> 
>> https://www.spinics.net/lists/linux-security-module/msg40262.html
>> 
>> 
>>> On 03/02/2021 17:26, David Howells wrote:
>>>> 
>>>> Eric Snowberg <eric.snowberg@...cle.com> wrote:
>>>> 
>>>>> This is the fifth patch series for adding support for 
>>>>> EFI_CERT_X509_GUID entries [1].  It has been expanded to not only include
>>>>> dbx entries but also entries in the mokx.  Additionally my series to
>>>>> preload these certificate [2] has also been included.
>>>> 
>>>> Okay, I've tentatively applied this to my keys-next branch.  However, it
>>>> conflicts minorly with Mickaël Salaün's patches that I've previously merged on
>>>> the same branch.  Can you have a look at the merge commit
>>>> 
>>>> 	https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit/?h=keys-next&id=fdbbe7ceeb95090d09c33ce0497e0394c82aa33d
>>>> 
>>>> 	(the top patch of my keys-next branch)
>>>> 
>>>> to see if that is okay by both of you?  If so, can you give it a whirl?
>> 
>> 
>> I’m seeing a build error within blacklist_hashes_checked with
>> one of my configs.
>> 
>> The config is as follows:
>> 
>> $ grep CONFIG_SYSTEM_BLACKLIST_HASH_LIST .config
>> CONFIG_SYSTEM_BLACKLIST_HASH_LIST=“revocation_list"
>> 
>> $ cat certs/revocation_list
>> "tbs:1e125ea4f38acb7b29b0c495fd8e7602c2c3353b913811a9da3a2fb505c08a32”
>> 
>> make[1]: *** No rule to make target 'revocation_list', needed by 'certs/blacklist_hashes_checked'.  Stop.
> 
> It requires an absolute path.

Ok, if I use an absolute path now with CONFIG_SYSTEM_BLACKLIST_HASH_LIST 
it works.

> This is to align with other variables
> using the config_filename macro: CONFIG_SYSTEM_TRUSTED_KEYS,
> CONFIG_MODULE_SIG_KEY and now CONFIG_SYSTEM_REVOCATION_KEYS.

I just did a quick test with CONFIG_SYSTEM_TRUSTED_KEYS. It looks like we 
can use either a relative or absolute path with CONFIG_SYSTEM_TRUSTED_KEYS. 
Shouldn’t this be consistent?

> Cf. https://lore.kernel.org/lkml/1221725.1607515111@warthog.procyon.org.uk/
> 
> We may want to patch scripts/kconfig/streamline_config.pl for both
> CONFIG_SYSTEM_REVOCATION_KEYS and CONFIG_SYSTEM_BLACKLIST_HASH_LIST, to
> warn user (and exit with an error) if such files are not found.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ