[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <1bb01e6c-3829-6af4-b2c5-5dc82bd75b72@lenovo.com>
Date: Tue, 7 Mar 2023 08:45:38 -0500
From: Mark Pearson <markpearson@...ovo.com>
To: Jeremy Kerr <jk@...econstruct.com.au>,
Thomas Weißschuh <thomas@...ch.de>,
Mickaël Salaün <mic@...ikod.net>
CC: Jarkko Sakkinen <jarkko@...nel.org>,
David Howells <dhowells@...hat.com>,
David Woodhouse <dwmw2@...radead.org>,
<keyrings@...r.kernel.org>, <linux-kernel@...r.kernel.org>,
linux-security-module <linux-security-module@...r.kernel.org>,
"linux-integrity@...r.kernel.org" <linux-integrity@...r.kernel.org>
Subject: Re: [External] Re: [BUG] blacklist: Problem blacklisting hash (-13)
during boot
Hi all,
On 2/27/23 09:36, Jeremy Kerr wrote:
> Hi Mark,
>
>
>> I've been looking at this and the FW team are claiming that it's not
>> caused by duplicate entries in the dbx table, which is honestly a bit
>> confusing.
>>
>> We've been doing some more digging - but is there a possibility this
>> is caused by something else?
> I can't quite trace where the EACCES is coming from, I can't see any
> obvious causes there - the blacklist key type doesn't have an ->update
> operation, and the assoc_array insert doesn't look like it would fail.
>
> However: if I delete one of the duplicate keys using the bios UI, then
> the number of errors logged decreases by one.
>
Got to the bottom of this, after a longer exercise than it should have
been. I have some answers.
The entries are indeed duplicated in our DBX. The reason for this is the
FW team took three different DBX list published by UEFI forum in
different time series and combined them. They did this as they found
some distinct hashes in previously published ones and chose to combine
them for safety/completeness sake.
I haven't myself dug into the revocation lists hosted on
https://uefi.org/revocationlistfile but it sounds like there was some
churn there? The FW team agreed that duplicates should not have been
created.
The FW team have pushed back on doing another update for this generation
of platforms. Updating the DBX to make these changes, particularly
removing entries, will apparently be difficult. I prodded a bit into the
details but given the issue is essentially cosmetic I do understand
their concerns (the last DBX update caused enough issues...I'm not sure
I want to go through it again in a hurry).
They have said they will fix the tables for future platforms.
Hope that helps
Mark
Powered by blists - more mailing lists