Message-ID: <af0d6881-76c0-f570-0c5b-f664e261c4cf@digikod.net>
Date:   Fri, 4 Nov 2022 18:03:53 +0100
From:   Mickaël Salaün <mic@...ikod.net>
To:     Thomas Weißschuh <thomas@...ch.de>,
        Jarkko Sakkinen <jarkko@...nel.org>,
        David Howells <dhowells@...hat.com>,
        David Woodhouse <dwmw2@...radead.org>, keyrings@...r.kernel.org
Cc:     linux-kernel@...r.kernel.org,
        Mark Pearson <markpearson@...ovo.com>,
        keyrings@...r.kernel.org,
        linux-security-module <linux-security-module@...r.kernel.org>,
        "linux-integrity@...r.kernel.org" <linux-integrity@...r.kernel.org>
Subject: Re: [BUG] blacklist: Problem blacklisting hash (-13) during boot

Hi,

Thanks for this report. These error messages seem correct but I don't 
see any legitimate reason for the firmware to store duplicate 
blacklisted hashes.

According to the blacklist_init() function, the "blacklisting failed" 
message could be improved to explain that only a set of hashes failed, 
and why they failed. However, despite this message, this should work as 
expected and should not generate any issue.

Did you contact Lenovo to report this issue (i.e. duplicate hashes in 
their firmware)?

Could you please provide the list of duplicate hashes?

Regards,
  Mickaël


On 15/10/2022 05:16, Thomas Weißschuh wrote:
> Hi,
> 
> Since 5.19 during boot I see lots of the following entries in dmesg:
> 
> blacklist: Problem blacklisting hash (-13)
> 
> This happens because the firmware contains duplicate blacklist entries.
> As commit 6364d106e041 [0] modified the "blacklist" keyring to reject updates
> this now leads to the spurious error messages.
> 
> The machine is a Thinkpad X1 Carbon Gen9 with BIOS revision 1.56 and firmware
> revision 1.33.
> 
> [0] 6364d106e041 ("certs: Allow root user to append signed hashes to the blacklist keyring")
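Added example, not part of this thread or of the kernel sources: a parser that lists SHA-256 hashes appearing more than once in a UEFI signature database, which is one way to produce the list of duplicate hashes requested above. It assumes the blacklisted hashes come from the UEFI `dbx` variable as exposed by efivarfs (the thread only says "firmware"); the helper `sample_sig_list` and the 0xAA/0xBB digests are constructed sample input.

```python
import struct
import sys
import uuid
from collections import Counter

# EFI_CERT_SHA256_GUID from the UEFI specification
EFI_CERT_SHA256 = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# EFI_SIGNATURE_LIST header: SignatureType, ListSize, HeaderSize, SignatureSize
HEADER = struct.Struct("<16sIII")

def sha256_entries(data):
    """Yield hex SHA-256 digests from concatenated EFI_SIGNATURE_LIST structures."""
    off = 0
    while off + HEADER.size <= len(data):
        sig_type, list_size, hdr_size, sig_size = HEADER.unpack_from(data, off)
        if (list_size < HEADER.size + hdr_size or sig_size <= 16
                or off + list_size > len(data)):
            raise ValueError(f"malformed signature list at offset {off}")
        if uuid.UUID(bytes_le=sig_type) == EFI_CERT_SHA256:
            pos, end = off + HEADER.size + hdr_size, off + list_size
            while pos + sig_size <= end:
                # EFI_SIGNATURE_DATA: 16-byte owner GUID, then the digest
                yield data[pos + 16:pos + sig_size].hex()
                pos += sig_size
        off += list_size  # other list types (e.g. X.509) are skipped

def duplicate_hashes(data):
    """Map each digest that occurs more than once to its occurrence count."""
    counts = Counter(sha256_entries(data))
    return {h: n for h, n in counts.items() if n > 1}

def sample_sig_list(digests, owner=bytes(16)):
    """Build a constructed SHA-256 EFI_SIGNATURE_LIST (sample input only)."""
    body = b"".join(owner + d for d in digests)
    return HEADER.pack(EFI_CERT_SHA256.bytes_le,
                       HEADER.size + len(body), 0, 16 + 32) + body

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            raw = f.read()[4:]  # efivarfs files start with a 4-byte attributes word
    else:
        a, b = bytes([0xAA]) * 32, bytes([0xBB]) * 32  # constructed digests
        raw = sample_sig_list([a, b]) + sample_sig_list([a])
    for digest, n in sorted(duplicate_hashes(raw).items()):
        print(f"{n}x {digest}")
```

Pass the efivarfs file `dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f` under `/sys/firmware/efi/efivars/` as the argument; with no argument the script runs on the constructed sample.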
