[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <af0d6881-76c0-f570-0c5b-f664e261c4cf@digikod.net>
Date: Fri, 4 Nov 2022 18:03:53 +0100
From: Mickaël Salaün <mic@...ikod.net>
To: Thomas Weißschuh <thomas@...ch.de>,
Jarkko Sakkinen <jarkko@...nel.org>,
David Howells <dhowells@...hat.com>,
David Woodhouse <dwmw2@...radead.org>, keyrings@...r.kernel.org
Cc: linux-kernel@...r.kernel.org,
Mark Pearson <markpearson@...ovo.com>,
keyrings@...r.kernel.org,
linux-security-module <linux-security-module@...r.kernel.org>,
"linux-integrity@...r.kernel.org" <linux-integrity@...r.kernel.org>
Subject: Re: [BUG] blacklist: Problem blacklisting hash (-13) during boot
Hi,
Thanks for this report. These error messages seem correct but I don't
see any legitimate reason for the firmware to store duplicate
blacklisted hashes.
According to the blacklist_init() function, the "blacklisting failed"
message could be improved to explain that only a set of hashes failed,
and why they failed. However, despite this message, this should work as
expected and should not generate any issue.
Did you contact Lenovo to report this issue (i.e. duplicate hashes in
their firmware)?
Could you please provide the list of duplicate hashes?
Regards,
Mickaël
On 15/10/2022 05:16, Thomas Weißschuh wrote:
> Hi,
>
> Since 5.19 during boot I see lots of the following entries in dmesg:
>
> blacklist: Problem blacklisting hash (-13)
>
> This happens because the firmware contains duplicate blacklist entries.
> As commit 6364d106e041 [0] modified the "blacklist" keyring to reject updates
> this now leads to the spurious error messages.
>
> The machine is a Thinkpad X1 Cargon Gen9 with BIOS revision 1.56 and firmware
> revision 1.33.
>
> [0] 6364d106e041 ("certs: Allow root user to append signed hashes to the blacklist keyring")
Powered by blists - more mailing lists