mbox series

[v5,0/4] Add EFI_CERT_X509_GUID support for dbx/mokx entries

Message ID 20210122181054.32635-1-eric.snowberg@oracle.com (mailing list archive)
Headers show
Series Add EFI_CERT_X509_GUID support for dbx/mokx entries | expand

Message

Eric Snowberg Jan. 22, 2021, 6:10 p.m. UTC
This is the fifth patch series for adding support for 
EFI_CERT_X509_GUID entries [1].  It has been expanded to not only include
dbx entries but also entries in the mokx.  Additionally my series to
preload these certificate [2] has also been included.

This series is based on v5.11-rc4.

[1] https://patchwork.kernel.org/project/linux-security-module/patch/20200916004927.64276-1-eric.snowberg@oracle.com/
[2] https://lore.kernel.org/patchwork/cover/1315485/

Eric Snowberg (4):
  certs: Add EFI_CERT_X509_GUID support for dbx entries
  certs: Move load_system_certificate_list to a common function
  certs: Add ability to preload revocation certs
  integrity: Load mokx variables into the blacklist keyring

 certs/Kconfig                                 |  8 +++
 certs/Makefile                                | 20 ++++++-
 certs/blacklist.c                             | 49 ++++++++++++++++
 certs/blacklist.h                             | 12 ++++
 certs/common.c                                | 56 +++++++++++++++++++
 certs/common.h                                |  9 +++
 certs/revocation_certificates.S               | 21 +++++++
 certs/system_keyring.c                        | 55 +++---------------
 include/keys/system_keyring.h                 | 11 ++++
 scripts/Makefile                              |  1 +
 .../platform_certs/keyring_handler.c          | 11 ++++
 security/integrity/platform_certs/load_uefi.c | 20 ++++++-
 12 files changed, 222 insertions(+), 51 deletions(-)
 create mode 100644 certs/common.c
 create mode 100644 certs/common.h
 create mode 100644 certs/revocation_certificates.S


base-commit: 19c329f6808995b142b3966301f217c831e7cf31

Comments

David Howells Jan. 28, 2021, 3:16 p.m. UTC | #1
Which tree do you envision this going through?  EFI or keyrings - or are you
going to ask Linus to pull it directly?  I can pull it if it should go through
the keyrings tree.

David
Mimi Zohar Jan. 28, 2021, 3:27 p.m. UTC | #2
Hi David,

On Thu, 2021-01-28 at 15:16 +0000, David Howells wrote:
> Which tree do you envision this going through?  EFI or keyrings - or are you
> going to ask Linus to pull it directly?  I can pull it if it should go through
> the keyrings tree.

There's one more patch, yet to be posted, which updates
asymmetric_verify().  As long as you're willing to upstream all of the
patches, that's fine with me.

thanks!

Mimi
Mimi Zohar Jan. 28, 2021, 3:29 p.m. UTC | #3
On Thu, 2021-01-28 at 10:27 -0500, Mimi Zohar wrote:
> Hi David,
> 
> On Thu, 2021-01-28 at 15:16 +0000, David Howells wrote:
> > Which tree do you envision this going through?  EFI or keyrings - or are you
> > going to ask Linus to pull it directly?  I can pull it if it should go through
> > the keyrings tree.
> 
> There's one more patch, yet to be posted, which updates
> asymmetric_verify().  As long as you're willing to upstream all of the
> patches, that's fine with me.

Oops, wrong thread.  I thought this was Stefan's patch set.

Mimi
Eric Snowberg Jan. 28, 2021, 3:41 p.m. UTC | #4
> On Jan 28, 2021, at 8:16 AM, David Howells <dhowells@redhat.com> wrote:
> 
> Which tree do you envision this going through?  EFI or keyrings - or are you
> going to ask Linus to pull it directly?  I can pull it if it should go through
> the keyrings tree.

I was thinking it would go thru your tree, since a majority of the code
is contained within it.
David Howells Feb. 3, 2021, 4:26 p.m. UTC | #5
Eric Snowberg <eric.snowberg@oracle.com> wrote:

> This is the fifth patch series for adding support for 
> EFI_CERT_X509_GUID entries [1].  It has been expanded to not only include
> dbx entries but also entries in the mokx.  Additionally my series to
> preload these certificate [2] has also been included.

Okay, I've tentatively applied this to my keys-next branch.  However, it
conflicts minorly with Mickaël Salaün's patches that I've previously merged on
the same branch.  Can you have a look at the merge commit

	https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit/?h=keys-next&id=fdbbe7ceeb95090d09c33ce0497e0394c82aa33d

	(the top patch of my keys-next branch)

to see if that is okay by both of you?  If so, can you give it a whirl?

Thanks,
David
Mickaël Salaün Feb. 3, 2021, 6:49 p.m. UTC | #6
This looks good to me, and it still works for my use case. Eric's
patchset only looks for asymmetric keys in the blacklist keyring, so
even if we use the same keyring we don't look for the same key types. My
patchset only allows blacklist keys (i.e. hashes, not asymmetric keys)
to be added by user space (if authenticated), but because Eric's
asymmetric keys are loaded with KEY_ALLOC_BYPASS_RESTRICTION, it should
be OK for his use case.  There should be no interference between the two
new features, but I find it a bit confusing to have such distinct use of
keys from the same keyring depending on their type.

Regards,
 Mickaël


On 03/02/2021 17:26, David Howells wrote:
> 
> Eric Snowberg <eric.snowberg@oracle.com> wrote:
> 
>> This is the fifth patch series for adding support for 
>> EFI_CERT_X509_GUID entries [1].  It has been expanded to not only include
>> dbx entries but also entries in the mokx.  Additionally my series to
>> preload these certificate [2] has also been included.
> 
> Okay, I've tentatively applied this to my keys-next branch.  However, it
> conflicts minorly with Mickaël Salaün's patches that I've previously merged on
> the same branch.  Can you have a look at the merge commit
> 
> 	https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit/?h=keys-next&id=fdbbe7ceeb95090d09c33ce0497e0394c82aa33d
> 
> 	(the top patch of my keys-next branch)
> 
> to see if that is okay by both of you?  If so, can you give it a whirl?
> 
> Thanks,
> David
>
Eric Snowberg Feb. 4, 2021, 3:53 a.m. UTC | #7
> On Feb 3, 2021, at 11:49 AM, Mickaël Salaün <mic@digikod.net> wrote:
> 
> This looks good to me, and it still works for my use case. Eric's
> patchset only looks for asymmetric keys in the blacklist keyring, so
> even if we use the same keyring we don't look for the same key types. My
> patchset only allows blacklist keys (i.e. hashes, not asymmetric keys)
> to be added by user space (if authenticated), but because Eric's
> asymmetric keys are loaded with KEY_ALLOC_BYPASS_RESTRICTION, it should
> be OK for his use case.  There should be no interference between the two
> new features, but I find it a bit confusing to have such distinct use of
> keys from the same keyring depending on their type.

I agree, it is a bit confusing.  What is the thought of having a dbx 
keyring, similar to how the platform keyring works?

https://www.spinics.net/lists/linux-security-module/msg40262.html


> On 03/02/2021 17:26, David Howells wrote:
>> 
>> Eric Snowberg <eric.snowberg@oracle.com> wrote:
>> 
>>> This is the fifth patch series for adding support for 
>>> EFI_CERT_X509_GUID entries [1].  It has been expanded to not only include
>>> dbx entries but also entries in the mokx.  Additionally my series to
>>> preload these certificate [2] has also been included.
>> 
>> Okay, I've tentatively applied this to my keys-next branch.  However, it
>> conflicts minorly with Mickaël Salaün's patches that I've previously merged on
>> the same branch.  Can you have a look at the merge commit
>> 
>> 	https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit/?h=keys-next&id=fdbbe7ceeb95090d09c33ce0497e0394c82aa33d
>> 
>> 	(the top patch of my keys-next branch)
>> 
>> to see if that is okay by both of you?  If so, can you give it a whirl?


I’m seeing a build error within blacklist_hashes_checked with
one of my configs.

The config is as follows:

$ grep CONFIG_SYSTEM_BLACKLIST_HASH_LIST .config
CONFIG_SYSTEM_BLACKLIST_HASH_LIST=“revocation_list"

$ cat certs/revocation_list
"tbs:1e125ea4f38acb7b29b0c495fd8e7602c2c3353b913811a9da3a2fb505c08a32”

make[1]: *** No rule to make target 'revocation_list', needed by 'certs/blacklist_hashes_checked'.  Stop.
Mickaël Salaün Feb. 4, 2021, 8:26 a.m. UTC | #8
On 04/02/2021 04:53, Eric Snowberg wrote:
> 
>> On Feb 3, 2021, at 11:49 AM, Mickaël Salaün <mic@digikod.net> wrote:
>>
>> This looks good to me, and it still works for my use case. Eric's
>> patchset only looks for asymmetric keys in the blacklist keyring, so
>> even if we use the same keyring we don't look for the same key types. My
>> patchset only allows blacklist keys (i.e. hashes, not asymmetric keys)
>> to be added by user space (if authenticated), but because Eric's
>> asymmetric keys are loaded with KEY_ALLOC_BYPASS_RESTRICTION, it should
>> be OK for his use case.  There should be no interference between the two
>> new features, but I find it a bit confusing to have such distinct use of
>> keys from the same keyring depending on their type.
> 
> I agree, it is a bit confusing.  What is the thought of having a dbx 
> keyring, similar to how the platform keyring works?
> 
> https://www.spinics.net/lists/linux-security-module/msg40262.html
> 
> 
>> On 03/02/2021 17:26, David Howells wrote:
>>>
>>> Eric Snowberg <eric.snowberg@oracle.com> wrote:
>>>
>>>> This is the fifth patch series for adding support for 
>>>> EFI_CERT_X509_GUID entries [1].  It has been expanded to not only include
>>>> dbx entries but also entries in the mokx.  Additionally my series to
>>>> preload these certificate [2] has also been included.
>>>
>>> Okay, I've tentatively applied this to my keys-next branch.  However, it
>>> conflicts minorly with Mickaël Salaün's patches that I've previously merged on
>>> the same branch.  Can you have a look at the merge commit
>>>
>>> 	https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit/?h=keys-next&id=fdbbe7ceeb95090d09c33ce0497e0394c82aa33d
>>>
>>> 	(the top patch of my keys-next branch)
>>>
>>> to see if that is okay by both of you?  If so, can you give it a whirl?
> 
> 
> I’m seeing a build error within blacklist_hashes_checked with
> one of my configs.
> 
> The config is as follows:
> 
> $ grep CONFIG_SYSTEM_BLACKLIST_HASH_LIST .config
> CONFIG_SYSTEM_BLACKLIST_HASH_LIST=“revocation_list"
> 
> $ cat certs/revocation_list
> "tbs:1e125ea4f38acb7b29b0c495fd8e7602c2c3353b913811a9da3a2fb505c08a32”
> 
> make[1]: *** No rule to make target 'revocation_list', needed by 'certs/blacklist_hashes_checked'.  Stop.

It requires an absolute path. This is to align with other variables
using the config_filename macro: CONFIG_SYSTEM_TRUSTED_KEYS,
CONFIG_MODULE_SIG_KEY and now CONFIG_SYSTEM_REVOCATION_KEYS.
Cf. https://lore.kernel.org/lkml/1221725.1607515111@warthog.procyon.org.uk/

We may want to patch scripts/kconfig/streamline_config.pl for both
CONFIG_SYSTEM_REVOCATION_KEYS and CONFIG_SYSTEM_BLACKLIST_HASH_LIST, to
warn user (and exit with an error) if such files are not found.
David Howells Feb. 4, 2021, 9:11 a.m. UTC | #9
Eric Snowberg <eric.snowberg@oracle.com> wrote:

> > On Feb 3, 2021, at 11:49 AM, Mickaël Salaün <mic@digikod.net> wrote:
> > 
> > This looks good to me, and it still works for my use case. Eric's
> > patchset only looks for asymmetric keys in the blacklist keyring, so
> > even if we use the same keyring we don't look for the same key types. My
> > patchset only allows blacklist keys (i.e. hashes, not asymmetric keys)
> > to be added by user space (if authenticated), but because Eric's
> > asymmetric keys are loaded with KEY_ALLOC_BYPASS_RESTRICTION, it should
> > be OK for his use case.  There should be no interference between the two
> > new features, but I find it a bit confusing to have such distinct use of
> > keys from the same keyring depending on their type.
> 
> I agree, it is a bit confusing.  What is the thought of having a dbx 
> keyring, similar to how the platform keyring works?
> 
> https://www.spinics.net/lists/linux-security-module/msg40262.html

That would be fine by me.

David
Eric Snowberg Feb. 5, 2021, 12:24 a.m. UTC | #10
> On Feb 4, 2021, at 1:26 AM, Mickaël Salaün <mic@digikod.net> wrote:
> 
> 
> On 04/02/2021 04:53, Eric Snowberg wrote:
>> 
>>> On Feb 3, 2021, at 11:49 AM, Mickaël Salaün <mic@digikod.net> wrote:
>>> 
>>> This looks good to me, and it still works for my use case. Eric's
>>> patchset only looks for asymmetric keys in the blacklist keyring, so
>>> even if we use the same keyring we don't look for the same key types. My
>>> patchset only allows blacklist keys (i.e. hashes, not asymmetric keys)
>>> to be added by user space (if authenticated), but because Eric's
>>> asymmetric keys are loaded with KEY_ALLOC_BYPASS_RESTRICTION, it should
>>> be OK for his use case.  There should be no interference between the two
>>> new features, but I find it a bit confusing to have such distinct use of
>>> keys from the same keyring depending on their type.
>> 
>> I agree, it is a bit confusing.  What is the thought of having a dbx 
>> keyring, similar to how the platform keyring works?
>> 
>> https://www.spinics.net/lists/linux-security-module/msg40262.html
>> 
>> 
>>> On 03/02/2021 17:26, David Howells wrote:
>>>> 
>>>> Eric Snowberg <eric.snowberg@oracle.com> wrote:
>>>> 
>>>>> This is the fifth patch series for adding support for 
>>>>> EFI_CERT_X509_GUID entries [1].  It has been expanded to not only include
>>>>> dbx entries but also entries in the mokx.  Additionally my series to
>>>>> preload these certificate [2] has also been included.
>>>> 
>>>> Okay, I've tentatively applied this to my keys-next branch.  However, it
>>>> conflicts minorly with Mickaël Salaün's patches that I've previously merged on
>>>> the same branch.  Can you have a look at the merge commit
>>>> 
>>>> 	https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit/?h=keys-next&id=fdbbe7ceeb95090d09c33ce0497e0394c82aa33d
>>>> 
>>>> 	(the top patch of my keys-next branch)
>>>> 
>>>> to see if that is okay by both of you?  If so, can you give it a whirl?
>> 
>> 
>> I’m seeing a build error within blacklist_hashes_checked with
>> one of my configs.
>> 
>> The config is as follows:
>> 
>> $ grep CONFIG_SYSTEM_BLACKLIST_HASH_LIST .config
>> CONFIG_SYSTEM_BLACKLIST_HASH_LIST=“revocation_list"
>> 
>> $ cat certs/revocation_list
>> "tbs:1e125ea4f38acb7b29b0c495fd8e7602c2c3353b913811a9da3a2fb505c08a32”
>> 
>> make[1]: *** No rule to make target 'revocation_list', needed by 'certs/blacklist_hashes_checked'.  Stop.
> 
> It requires an absolute path.

Ok, if I use an absolute path now with CONFIG_SYSTEM_BLACKLIST_HASH_LIST 
it works.

> This is to align with other variables
> using the config_filename macro: CONFIG_SYSTEM_TRUSTED_KEYS,
> CONFIG_MODULE_SIG_KEY and now CONFIG_SYSTEM_REVOCATION_KEYS.

I just did a quick test with CONFIG_SYSTEM_TRUSTED_KEYS. It looks like we 
can use either a relative or absolute path with CONFIG_SYSTEM_TRUSTED_KEYS. 
Shouldn’t this be consistent?

> Cf. https://lore.kernel.org/lkml/1221725.1607515111@warthog.procyon.org.uk/
> 
> We may want to patch scripts/kconfig/streamline_config.pl for both
> CONFIG_SYSTEM_REVOCATION_KEYS and CONFIG_SYSTEM_BLACKLIST_HASH_LIST, to
> warn user (and exit with an error) if such files are not found.
Mickaël Salaün Feb. 5, 2021, 10:27 a.m. UTC | #11
On 05/02/2021 01:24, Eric Snowberg wrote:
> 
>> On Feb 4, 2021, at 1:26 AM, Mickaël Salaün <mic@digikod.net> wrote:
>>
>>
>> On 04/02/2021 04:53, Eric Snowberg wrote:
>>>
>>>> On Feb 3, 2021, at 11:49 AM, Mickaël Salaün <mic@digikod.net> wrote:
>>>>
>>>> This looks good to me, and it still works for my use case. Eric's
>>>> patchset only looks for asymmetric keys in the blacklist keyring, so
>>>> even if we use the same keyring we don't look for the same key types. My
>>>> patchset only allows blacklist keys (i.e. hashes, not asymmetric keys)
>>>> to be added by user space (if authenticated), but because Eric's
>>>> asymmetric keys are loaded with KEY_ALLOC_BYPASS_RESTRICTION, it should
>>>> be OK for his use case.  There should be no interference between the two
>>>> new features, but I find it a bit confusing to have such distinct use of
>>>> keys from the same keyring depending on their type.
>>>
>>> I agree, it is a bit confusing.  What is the thought of having a dbx 
>>> keyring, similar to how the platform keyring works?
>>>
>>> https://www.spinics.net/lists/linux-security-module/msg40262.html
>>>
>>>
>>>> On 03/02/2021 17:26, David Howells wrote:
>>>>>
>>>>> Eric Snowberg <eric.snowberg@oracle.com> wrote:
>>>>>
>>>>>> This is the fifth patch series for adding support for 
>>>>>> EFI_CERT_X509_GUID entries [1].  It has been expanded to not only include
>>>>>> dbx entries but also entries in the mokx.  Additionally my series to
>>>>>> preload these certificate [2] has also been included.
>>>>>
>>>>> Okay, I've tentatively applied this to my keys-next branch.  However, it
>>>>> conflicts minorly with Mickaël Salaün's patches that I've previously merged on
>>>>> the same branch.  Can you have a look at the merge commit
>>>>>
>>>>> 	https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit/?h=keys-next&id=fdbbe7ceeb95090d09c33ce0497e0394c82aa33d
>>>>>
>>>>> 	(the top patch of my keys-next branch)
>>>>>
>>>>> to see if that is okay by both of you?  If so, can you give it a whirl?
>>>
>>>
>>> I’m seeing a build error within blacklist_hashes_checked with
>>> one of my configs.
>>>
>>> The config is as follows:
>>>
>>> $ grep CONFIG_SYSTEM_BLACKLIST_HASH_LIST .config
>>> CONFIG_SYSTEM_BLACKLIST_HASH_LIST=“revocation_list"
>>>
>>> $ cat certs/revocation_list
>>> "tbs:1e125ea4f38acb7b29b0c495fd8e7602c2c3353b913811a9da3a2fb505c08a32”
>>>
>>> make[1]: *** No rule to make target 'revocation_list', needed by 'certs/blacklist_hashes_checked'.  Stop.
>>
>> It requires an absolute path.
> 
> Ok, if I use an absolute path now with CONFIG_SYSTEM_BLACKLIST_HASH_LIST 
> it works.
> 
>> This is to align with other variables
>> using the config_filename macro: CONFIG_SYSTEM_TRUSTED_KEYS,
>> CONFIG_MODULE_SIG_KEY and now CONFIG_SYSTEM_REVOCATION_KEYS.
> 
> I just did a quick test with CONFIG_SYSTEM_TRUSTED_KEYS. It looks like we 
> can use either a relative or absolute path with CONFIG_SYSTEM_TRUSTED_KEYS. 
> Shouldn’t this be consistent?

CONFIG_SYSTEM_TRUSTED_KEYS (and similar config) works with relative path
to $(srctree) not $(srctree)/certs as in your example.

We can make CONFIG_SYSTEM_BLACKLIST_HASH_LIST works with $(srctree) with
this patch:

diff --git a/certs/Makefile b/certs/Makefile
index eb45407ff282..92a233eaa926 100644
--- a/certs/Makefile
+++ b/certs/Makefile
@@ -14,6 +14,8 @@ $(eval $(call config_filename,SYSTEM_BLACKLIST_HASH_LIST))

 $(obj)/blacklist_hashes.o: $(obj)/blacklist_hashes_checked

+CFLAGS_blacklist_hashes.o += -I$(srctree)
+
 targets += blacklist_hashes_checked


> 
>> Cf. https://lore.kernel.org/lkml/1221725.1607515111@warthog.procyon.org.uk/
>>
>> We may want to patch scripts/kconfig/streamline_config.pl for both
>> CONFIG_SYSTEM_REVOCATION_KEYS and CONFIG_SYSTEM_BLACKLIST_HASH_LIST, to
>> warn user (and exit with an error) if such files are not found.
>
Eric Snowberg Feb. 6, 2021, 1:14 a.m. UTC | #12
> On Feb 5, 2021, at 3:27 AM, Mickaël Salaün <mic@digikod.net> wrote:
> 
> 
> On 05/02/2021 01:24, Eric Snowberg wrote:
>> 
>>> On Feb 4, 2021, at 1:26 AM, Mickaël Salaün <mic@digikod.net> wrote:
>>> 
>>> 
>>> On 04/02/2021 04:53, Eric Snowberg wrote:
>>>> 
>>>>> On Feb 3, 2021, at 11:49 AM, Mickaël Salaün <mic@digikod.net> wrote:
>>>>> 
>>>>> This looks good to me, and it still works for my use case. Eric's
>>>>> patchset only looks for asymmetric keys in the blacklist keyring, so
>>>>> even if we use the same keyring we don't look for the same key types. My
>>>>> patchset only allows blacklist keys (i.e. hashes, not asymmetric keys)
>>>>> to be added by user space (if authenticated), but because Eric's
>>>>> asymmetric keys are loaded with KEY_ALLOC_BYPASS_RESTRICTION, it should
>>>>> be OK for his use case.  There should be no interference between the two
>>>>> new features, but I find it a bit confusing to have such distinct use of
>>>>> keys from the same keyring depending on their type.
>>>> 
>>>> I agree, it is a bit confusing.  What is the thought of having a dbx 
>>>> keyring, similar to how the platform keyring works?
>>>> 
>>>> https://www.spinics.net/lists/linux-security-module/msg40262.html
>>>> 
>>>> 
>>>>> On 03/02/2021 17:26, David Howells wrote:
>>>>>> 
>>>>>> Eric Snowberg <eric.snowberg@oracle.com> wrote:
>>>>>> 
>>>>>>> This is the fifth patch series for adding support for 
>>>>>>> EFI_CERT_X509_GUID entries [1].  It has been expanded to not only include
>>>>>>> dbx entries but also entries in the mokx.  Additionally my series to
>>>>>>> preload these certificate [2] has also been included.
>>>>>> 
>>>>>> Okay, I've tentatively applied this to my keys-next branch.  However, it
>>>>>> conflicts minorly with Mickaël Salaün's patches that I've previously merged on
>>>>>> the same branch.  Can you have a look at the merge commit
>>>>>> 
>>>>>> 	https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit/?h=keys-next&id=fdbbe7ceeb95090d09c33ce0497e0394c82aa33d
>>>>>> 
>>>>>> 	(the top patch of my keys-next branch)
>>>>>> 
>>>>>> to see if that is okay by both of you?  If so, can you give it a whirl?
>>>> 
>>>> 
>>>> I’m seeing a build error within blacklist_hashes_checked with
>>>> one of my configs.
>>>> 
>>>> The config is as follows:
>>>> 
>>>> $ grep CONFIG_SYSTEM_BLACKLIST_HASH_LIST .config
>>>> CONFIG_SYSTEM_BLACKLIST_HASH_LIST=“revocation_list"
>>>> 
>>>> $ cat certs/revocation_list
>>>> "tbs:1e125ea4f38acb7b29b0c495fd8e7602c2c3353b913811a9da3a2fb505c08a32”
>>>> 
>>>> make[1]: *** No rule to make target 'revocation_list', needed by 'certs/blacklist_hashes_checked'.  Stop.
>>> 
>>> It requires an absolute path.
>> 
>> Ok, if I use an absolute path now with CONFIG_SYSTEM_BLACKLIST_HASH_LIST 
>> it works.
>> 
>>> This is to align with other variables
>>> using the config_filename macro: CONFIG_SYSTEM_TRUSTED_KEYS,
>>> CONFIG_MODULE_SIG_KEY and now CONFIG_SYSTEM_REVOCATION_KEYS.
>> 
>> I just did a quick test with CONFIG_SYSTEM_TRUSTED_KEYS. It looks like we 
>> can use either a relative or absolute path with CONFIG_SYSTEM_TRUSTED_KEYS. 
>> Shouldn’t this be consistent?
> 
> CONFIG_SYSTEM_TRUSTED_KEYS (and similar config) works with relative path
> to $(srctree) not $(srctree)/certs as in your example.

Correct, I had "certs" in my relative path.

> We can make CONFIG_SYSTEM_BLACKLIST_HASH_LIST works with $(srctree) with
> this patch:
> 
> diff --git a/certs/Makefile b/certs/Makefile
> index eb45407ff282..92a233eaa926 100644
> --- a/certs/Makefile
> +++ b/certs/Makefile
> @@ -14,6 +14,8 @@ $(eval $(call config_filename,SYSTEM_BLACKLIST_HASH_LIST))
> 
> $(obj)/blacklist_hashes.o: $(obj)/blacklist_hashes_checked
> 
> +CFLAGS_blacklist_hashes.o += -I$(srctree)
> +
> targets += blacklist_hashes_checked

After applying this patch, CONFIG_SYSTEM_BLACKLIST_HASH_LIST now works
like the other filename macros.  It seems like this would be a good
addition.

I have done some additional testing, I am seeing a regression. The blacklist 
keyring is no longer picking up any of the hashes from the dbx during boot. 
I backed out the merge with my changes  (fdbbe7ceeb95090d09c33ce0497e0394c82aa33d) 
and still see the regression.  I then backed out Mickaël merge
(5bf1adccf5c41dbdd51d1f4de220d335d9548598) and it fixes the regression.

On a x86 with the updated dbx from uefi.org, I’d expect to see 234 bin hash entries
in the blacklist keyring.  With the current merged code, there is none.
Mickaël Salaün Feb. 6, 2021, 6:30 p.m. UTC | #13
On 06/02/2021 02:14, Eric Snowberg wrote:
> 
>> On Feb 5, 2021, at 3:27 AM, Mickaël Salaün <mic@digikod.net> wrote:
>>
>>
>> On 05/02/2021 01:24, Eric Snowberg wrote:
>>>
>>>> On Feb 4, 2021, at 1:26 AM, Mickaël Salaün <mic@digikod.net> wrote:
>>>>
>>>>
>>>> On 04/02/2021 04:53, Eric Snowberg wrote:
>>>>>
>>>>>> On Feb 3, 2021, at 11:49 AM, Mickaël Salaün <mic@digikod.net> wrote:
>>>>>>
>>>>>> This looks good to me, and it still works for my use case. Eric's
>>>>>> patchset only looks for asymmetric keys in the blacklist keyring, so
>>>>>> even if we use the same keyring we don't look for the same key types. My
>>>>>> patchset only allows blacklist keys (i.e. hashes, not asymmetric keys)
>>>>>> to be added by user space (if authenticated), but because Eric's
>>>>>> asymmetric keys are loaded with KEY_ALLOC_BYPASS_RESTRICTION, it should
>>>>>> be OK for his use case.  There should be no interference between the two
>>>>>> new features, but I find it a bit confusing to have such distinct use of
>>>>>> keys from the same keyring depending on their type.
>>>>>
>>>>> I agree, it is a bit confusing.  What is the thought of having a dbx 
>>>>> keyring, similar to how the platform keyring works?
>>>>>
>>>>> https://www.spinics.net/lists/linux-security-module/msg40262.html
>>>>>
>>>>>
>>>>>> On 03/02/2021 17:26, David Howells wrote:
>>>>>>>
>>>>>>> Eric Snowberg <eric.snowberg@oracle.com> wrote:
>>>>>>>
>>>>>>>> This is the fifth patch series for adding support for 
>>>>>>>> EFI_CERT_X509_GUID entries [1].  It has been expanded to not only include
>>>>>>>> dbx entries but also entries in the mokx.  Additionally my series to
>>>>>>>> preload these certificate [2] has also been included.
>>>>>>>
>>>>>>> Okay, I've tentatively applied this to my keys-next branch.  However, it
>>>>>>> conflicts minorly with Mickaël Salaün's patches that I've previously merged on
>>>>>>> the same branch.  Can you have a look at the merge commit
>>>>>>>
>>>>>>> 	https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit/?h=keys-next&id=fdbbe7ceeb95090d09c33ce0497e0394c82aa33d
>>>>>>>
>>>>>>> 	(the top patch of my keys-next branch)
>>>>>>>
>>>>>>> to see if that is okay by both of you?  If so, can you give it a whirl?
>>>>>
>>>>>
>>>>> I’m seeing a build error within blacklist_hashes_checked with
>>>>> one of my configs.
>>>>>
>>>>> The config is as follows:
>>>>>
>>>>> $ grep CONFIG_SYSTEM_BLACKLIST_HASH_LIST .config
>>>>> CONFIG_SYSTEM_BLACKLIST_HASH_LIST=“revocation_list"
>>>>>
>>>>> $ cat certs/revocation_list
>>>>> "tbs:1e125ea4f38acb7b29b0c495fd8e7602c2c3353b913811a9da3a2fb505c08a32”
>>>>>
>>>>> make[1]: *** No rule to make target 'revocation_list', needed by 'certs/blacklist_hashes_checked'.  Stop.
>>>>
>>>> It requires an absolute path.
>>>
>>> Ok, if I use an absolute path now with CONFIG_SYSTEM_BLACKLIST_HASH_LIST 
>>> it works.
>>>
>>>> This is to align with other variables
>>>> using the config_filename macro: CONFIG_SYSTEM_TRUSTED_KEYS,
>>>> CONFIG_MODULE_SIG_KEY and now CONFIG_SYSTEM_REVOCATION_KEYS.
>>>
>>> I just did a quick test with CONFIG_SYSTEM_TRUSTED_KEYS. It looks like we 
>>> can use either a relative or absolute path with CONFIG_SYSTEM_TRUSTED_KEYS. 
>>> Shouldn’t this be consistent?
>>
>> CONFIG_SYSTEM_TRUSTED_KEYS (and similar config) works with relative path
>> to $(srctree) not $(srctree)/certs as in your example.
> 
> Correct, I had "certs" in my relative path.
> 
>> We can make CONFIG_SYSTEM_BLACKLIST_HASH_LIST works with $(srctree) with
>> this patch:
>>
>> diff --git a/certs/Makefile b/certs/Makefile
>> index eb45407ff282..92a233eaa926 100644
>> --- a/certs/Makefile
>> +++ b/certs/Makefile
>> @@ -14,6 +14,8 @@ $(eval $(call config_filename,SYSTEM_BLACKLIST_HASH_LIST))
>>
>> $(obj)/blacklist_hashes.o: $(obj)/blacklist_hashes_checked
>>
>> +CFLAGS_blacklist_hashes.o += -I$(srctree)
>> +
>> targets += blacklist_hashes_checked
> 
> After applying this patch, CONFIG_SYSTEM_BLACKLIST_HASH_LIST now works
> like the other filename macros.  It seems like this would be a good
> addition.

I'll send a patch with this.

> 
> I have done some additional testing, I am seeing a regression. The blacklist 
> keyring is no longer picking up any of the hashes from the dbx during boot. 
> I backed out the merge with my changes  (fdbbe7ceeb95090d09c33ce0497e0394c82aa33d) 
> and still see the regression.  I then backed out Mickaël merge
> (5bf1adccf5c41dbdd51d1f4de220d335d9548598) and it fixes the regression.
> 
> On a x86 with the updated dbx from uefi.org, I’d expect to see 234 bin hash entries
> in the blacklist keyring.  With the current merged code, there is none.

Hum, I missed a part in refactoring (commit
f78e50c8f750c0ac6767ac1ed006360cf77c56c4). :/
Could you please test the following patch?

diff --git a/certs/blacklist.c b/certs/blacklist.c
index 07c592ae5307..f998a2e85ddc 100644
--- a/certs/blacklist.c
+++ b/certs/blacklist.c
@@ -197,13 +197,16 @@ int mark_hash_blacklisted(const u8 *hash, size_t
hash_len,
                enum blacklist_hash_type hash_type)
 {
        const char *buffer;
+       int err;

        buffer = get_raw_hash(hash, hash_len, hash_type);
        if (IS_ERR(buffer))
                return PTR_ERR(buffer);
+       err = mark_raw_hash_blacklisted(buffer);
        kfree(buffer);
-       return 0;
+       return err;
 }


Is it possible to test these kind of dbx blacklist with Qemu?
Eric Snowberg Feb. 8, 2021, 11:05 p.m. UTC | #14
> On Feb 6, 2021, at 11:30 AM, Mickaël Salaün <mic@digikod.net> wrote:
> 
> On 06/02/2021 02:14, Eric Snowberg wrote:
> 
>> I have done some additional testing, I am seeing a regression. The blacklist 
>> keyring is no longer picking up any of the hashes from the dbx during boot. 
>> I backed out the merge with my changes  (fdbbe7ceeb95090d09c33ce0497e0394c82aa33d) 
>> and still see the regression.  I then backed out Mickaël merge
>> (5bf1adccf5c41dbdd51d1f4de220d335d9548598) and it fixes the regression.
>> 
>> On a x86 with the updated dbx from uefi.org, I’d expect to see 234 bin hash entries
>> in the blacklist keyring.  With the current merged code, there is none.
> 
> Hum, I missed a part in refactoring (commit
> f78e50c8f750c0ac6767ac1ed006360cf77c56c4). :/
> Could you please test the following patch?
> 
> diff --git a/certs/blacklist.c b/certs/blacklist.c
> index 07c592ae5307..f998a2e85ddc 100644
> --- a/certs/blacklist.c
> +++ b/certs/blacklist.c
> @@ -197,13 +197,16 @@ int mark_hash_blacklisted(const u8 *hash, size_t
> hash_len,
>                enum blacklist_hash_type hash_type)
> {
>        const char *buffer;
> +       int err;
> 
>        buffer = get_raw_hash(hash, hash_len, hash_type);
>        if (IS_ERR(buffer))
>                return PTR_ERR(buffer);
> +       err = mark_raw_hash_blacklisted(buffer);
>        kfree(buffer);
> -       return 0;
> +       return err;
> }

I applied this patch, it works better, but there is still a regression. 
Most of the hashes show up in the blacklist keyring now.  However some 
do not, here is what I see in the log during boot:

[    2.321876] blacklist: Problem blacklisting hash (-13)
[    2.322729] blacklist: Problem blacklisting hash (-13)
[    2.323549] blacklist: Problem blacklisting hash (-13)
[    2.324369] blacklist: Problem blacklisting hash (-13)

> Is it possible to test these kind of dbx blacklist with Qemu?

Yes, just use OVMF.
David Howells Feb. 9, 2021, 1:14 p.m. UTC | #15
Hi Eric, Mickaël,

Do we have a consensus on this?  From what's written here, I don't think I can
ask Linus to pull the merge of your two branches.  I feel that I probably need
to push Eric's first as that fixes a CVE if I can't offer a merge.

David
Mickaël Salaün Feb. 9, 2021, 1:59 p.m. UTC | #16
Hi David,

The only commit causing issues is commit f78e50c8f750 ("certs: Factor
out the blacklist hash creation"). I think my last patch fix the issue,
and I'm testing with the UEFI DBX, but I don't understand why this
change would have an impact. In the meantime you can push Eric's commits
first, I'll adapt my changes.

 Mickaël


On 09/02/2021 14:14, David Howells wrote:
> 
> Hi Eric, Mickaël,
> 
> Do we have a consensus on this?  From what's written here, I don't think I can
> ask Linus to pull the merge of your two branches.  I feel that I probably need
> to push Eric's first as that fixes a CVE if I can't offer a merge.
> 
> David
>
David Howells Feb. 9, 2021, 4:46 p.m. UTC | #17
Mickaël Salaün <mic@digikod.net> wrote:

> The only commit causing issues is commit f78e50c8f750 ("certs: Factor
> out the blacklist hash creation"). I think my last patch fix the issue,
> and I'm testing with the UEFI DBX, but I don't understand why this
> change would have an impact. In the meantime you can push Eric's commits
> first, I'll adapt my changes.

Okay.  In that case, I've dropped your branch from my keys-next branch for the
moment and remerged Eric's branch.

David
Mickaël Salaün Feb. 9, 2021, 9:53 p.m. UTC | #18
On 09/02/2021 00:05, Eric Snowberg wrote:
> 
>> On Feb 6, 2021, at 11:30 AM, Mickaël Salaün <mic@digikod.net> wrote:
>>
>> On 06/02/2021 02:14, Eric Snowberg wrote:
>>
>>> I have done some additional testing, I am seeing a regression. The blacklist 
>>> keyring is no longer picking up any of the hashes from the dbx during boot. 
>>> I backed out the merge with my changes  (fdbbe7ceeb95090d09c33ce0497e0394c82aa33d) 
>>> and still see the regression.  I then backed out Mickaël merge
>>> (5bf1adccf5c41dbdd51d1f4de220d335d9548598) and it fixes the regression.
>>>
>>> On a x86 with the updated dbx from uefi.org, I’d expect to see 234 bin hash entries
>>> in the blacklist keyring.  With the current merged code, there is none.
>>
>> Hum, I missed a part in refactoring (commit
>> f78e50c8f750c0ac6767ac1ed006360cf77c56c4). :/
>> Could you please test the following patch?
>>
>> diff --git a/certs/blacklist.c b/certs/blacklist.c
>> index 07c592ae5307..f998a2e85ddc 100644
>> --- a/certs/blacklist.c
>> +++ b/certs/blacklist.c
>> @@ -197,13 +197,16 @@ int mark_hash_blacklisted(const u8 *hash, size_t
>> hash_len,
>>                enum blacklist_hash_type hash_type)
>> {
>>        const char *buffer;
>> +       int err;
>>
>>        buffer = get_raw_hash(hash, hash_len, hash_type);
>>        if (IS_ERR(buffer))
>>                return PTR_ERR(buffer);
>> +       err = mark_raw_hash_blacklisted(buffer);
>>        kfree(buffer);
>> -       return 0;
>> +       return err;
>> }
> 
> I applied this patch, it works better, but there is still a regression. 
> Most of the hashes show up in the blacklist keyring now.  However some 
> do not, here is what I see in the log during boot:
> 
> [    2.321876] blacklist: Problem blacklisting hash (-13)
> [    2.322729] blacklist: Problem blacklisting hash (-13)
> [    2.323549] blacklist: Problem blacklisting hash (-13)
> [    2.324369] blacklist: Problem blacklisting hash (-13)
> 
>> Is it possible to test these kind of dbx blacklist with Qemu?
> 
> Yes, just use OVMF. 
> 

My changes (with the fix) don't change the previous semantic. I just
tested without my changes and with my changes (and the fix), and I get
the same result: 184 bin hashes with
https://uefi.org/sites/default/files/resources/dbxupdate_x64.bin

Could you please re-test and if there is still an issue bisect and share
the certificates causing this issue?

David, do you want me to send the two new patches or an updated full
patch series?
Mickaël Salaün Feb. 10, 2021, 12:07 p.m. UTC | #19
On 09/02/2021 22:53, Mickaël Salaün wrote:
> 
> On 09/02/2021 00:05, Eric Snowberg wrote:
>>
>>> On Feb 6, 2021, at 11:30 AM, Mickaël Salaün <mic@digikod.net> wrote:
>>>
>>> On 06/02/2021 02:14, Eric Snowberg wrote:
>>>
>>>> I have done some additional testing, I am seeing a regression. The blacklist 
>>>> keyring is no longer picking up any of the hashes from the dbx during boot. 
>>>> I backed out the merge with my changes  (fdbbe7ceeb95090d09c33ce0497e0394c82aa33d) 
>>>> and still see the regression.  I then backed out Mickaël merge
>>>> (5bf1adccf5c41dbdd51d1f4de220d335d9548598) and it fixes the regression.
>>>>
>>>> On a x86 with the updated dbx from uefi.org, I’d expect to see 234 bin hash entries
>>>> in the blacklist keyring.  With the current merged code, there is none.
>>>
>>> Hum, I missed a part in refactoring (commit
>>> f78e50c8f750c0ac6767ac1ed006360cf77c56c4). :/
>>> Could you please test the following patch?
>>>
>>> diff --git a/certs/blacklist.c b/certs/blacklist.c
>>> index 07c592ae5307..f998a2e85ddc 100644
>>> --- a/certs/blacklist.c
>>> +++ b/certs/blacklist.c
>>> @@ -197,13 +197,16 @@ int mark_hash_blacklisted(const u8 *hash, size_t
>>> hash_len,
>>>                enum blacklist_hash_type hash_type)
>>> {
>>>        const char *buffer;
>>> +       int err;
>>>
>>>        buffer = get_raw_hash(hash, hash_len, hash_type);
>>>        if (IS_ERR(buffer))
>>>                return PTR_ERR(buffer);
>>> +       err = mark_raw_hash_blacklisted(buffer);
>>>        kfree(buffer);
>>> -       return 0;
>>> +       return err;
>>> }
>>
>> I applied this patch, it works better, but there is still a regression. 
>> Most of the hashes show up in the blacklist keyring now.  However some 
>> do not, here is what I see in the log during boot:
>>
>> [    2.321876] blacklist: Problem blacklisting hash (-13)
>> [    2.322729] blacklist: Problem blacklisting hash (-13)
>> [    2.323549] blacklist: Problem blacklisting hash (-13)
>> [    2.324369] blacklist: Problem blacklisting hash (-13)
>>
>>> Is it possible to test these kind of dbx blacklist with Qemu?
>>
>> Yes, just use OVMF. 
>>
> 
> My changes (with the fix) don't change the previous semantic. I just
> tested without my changes and with my changes (and the fix), and I get
> the same result: 184 bin hashes with
> https://uefi.org/sites/default/files/resources/dbxupdate_x64.bin
> 
> Could you please re-test and if there is still an issue bisect and share
> the certificates causing this issue?
> 
> David, do you want me to send the two new patches or an updated full
> patch series?
> 

I found the issue and fixed it in a new patch series:
https://lore.kernel.org/lkml/20210210120410.471693-1-mic@digikod.net/
Jarkko Sakkinen Feb. 12, 2021, 11:49 a.m. UTC | #20
On Tue, Feb 09, 2021 at 01:14:06PM +0000, David Howells wrote:
> 
> Hi Eric, Mickaël,
> 
> Do we have a consensus on this?  From what's written here, I don't think I can
> ask Linus to pull the merge of your two branches.  I feel that I probably need
> to push Eric's first as that fixes a CVE if I can't offer a merge.
> 
> David

Would it be possible to compose a single unified patch set?

It's also somewhat distracting to review both separately.

/Jarkko