lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Tue, 7 Mar 2023 08:45:38 -0500
From:   Mark Pearson <markpearson@...ovo.com>
To:     Jeremy Kerr <jk@...econstruct.com.au>,
        Thomas Weißschuh <thomas@...ch.de>,
        Mickaël Salaün <mic@...ikod.net>
CC:     Jarkko Sakkinen <jarkko@...nel.org>,
        David Howells <dhowells@...hat.com>,
        David Woodhouse <dwmw2@...radead.org>,
        <keyrings@...r.kernel.org>, <linux-kernel@...r.kernel.org>,
        linux-security-module <linux-security-module@...r.kernel.org>,
        "linux-integrity@...r.kernel.org" <linux-integrity@...r.kernel.org>
Subject: Re: [External] Re: [BUG] blacklist: Problem blacklisting hash (-13)
 during boot

Hi all,

On 2/27/23 09:36, Jeremy Kerr wrote:
> Hi Mark,
>
>
>> I've been looking at this and the FW team are claiming that it's not
>> caused by duplicate entries in the dbx table, which is honestly a bit
>> confusing.
>>
>> We've been doing some more digging - but is there a possibility this
>> is caused by something else?
> I can't quite trace where the EACCES is coming from, I can't see any
> obvious causes there - the blacklist key type doesn't have an ->update
> operation, and the assoc_array insert doesn't look like it would fail.
>
> However: if I delete one of the duplicate keys using the bios UI, then
> the number of errors logged decreases by one.
>
Got to the bottom of this, after a longer exercise than it should have 
been. I have some answers.

The entries are indeed duplicated in our DBX. The reason for this is the 
FW team took three different DBX list published by UEFI forum in 
different time series and combined them. They did this as they found 
some distinct hashes in previously published ones and chose to combine 
them for safety/completeness sake.

I haven't myself dug into the revocation lists hosted on 
https://uefi.org/revocationlistfile but it sounds like there was some 
churn there? The FW team agreed that duplicates should not have been 
created.

The FW team have pushed back on doing another update for this generation 
of platforms. Updating the DBX to make these changes, particularly 
removing entries, will apparently be difficult. I prodded a bit into the 
details but given the issue is essentially cosmetic I do understand 
their concerns (the last DBX update caused enough issues...I'm not sure 
I want to go through it again in a hurry).

They have said they will fix the tables for future platforms.

Hope that helps

Mark

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ