[v4,00/10] Enable root to update the blacklist keyring

Message ID 20210121155513.539519-1-mic@digikod.net (mailing list archive)

Message

Mickaël Salaün Jan. 21, 2021, 3:55 p.m. UTC
This fourth patch series mainly reorders patches and adds more
documentation as requested by Jarkko.  This series is based on
v5.11-rc4.

The goal of these patches is to add a new configuration option to enable the
root user to load signed keys in the blacklist keyring.  This keyring is useful
to "untrust" certificates or files.  Being able to safely update this keyring
without recompiling the kernel makes it more usable.

Previous patch series:
https://lore.kernel.org/lkml/20210114151909.2344974-1-mic@digikod.net/

Regards,

Alex Shi (1):
  certs/blacklist: fix kernel doc interface issue

David Howells (1):
  certs: Fix blacklist flag type confusion

Mickaël Salaün (8):
  tools/certs: Add print-cert-tbs-hash.sh
  certs: Check that builtin blacklist hashes are valid
  certs: Fix blacklisted hexadecimal hash string check
  certs: Replace K{U,G}IDT_INIT() with GLOBAL_ROOT_{U,G}ID
  certs: Make blacklist_vet_description() more strict
  certs: Factor out the blacklist hash creation
  PKCS#7: Fix missing include
  certs: Allow root user to append signed hashes to the blacklist
    keyring

 MAINTAINERS                                   |   2 +
 certs/.gitignore                              |   1 +
 certs/Kconfig                                 |  17 +-
 certs/Makefile                                |  15 +-
 certs/blacklist.c                             | 217 ++++++++++++++----
 certs/system_keyring.c                        |   5 +-
 crypto/asymmetric_keys/x509_public_key.c      |   3 +-
 include/keys/system_keyring.h                 |  14 +-
 include/linux/key.h                           |   1 +
 include/linux/verification.h                  |   2 +
 scripts/check-blacklist-hashes.awk            |  37 +++
 security/integrity/ima/ima_mok.c              |   4 +-
 .../platform_certs/keyring_handler.c          |  26 +--
 security/keys/key.c                           |   2 +
 tools/certs/print-cert-tbs-hash.sh            |  91 ++++++++
 15 files changed, 350 insertions(+), 87 deletions(-)
 create mode 100755 scripts/check-blacklist-hashes.awk
 create mode 100755 tools/certs/print-cert-tbs-hash.sh


base-commit: 19c329f6808995b142b3966301f217c831e7cf31

Comments

David Howells Jan. 28, 2021, 4:52 p.m. UTC | #1
Hi Mickaël,

I could pull your patches (unless Jarkko wants to), but can you please drop
the patches that are also in my keys-misc branch lest one or other (or both)
of our branches get dropped in the next merge window due to conflicts?

Ideally, can you base your branch on my keys-misc branch?

Thanks,
David
Mickaël Salaün Jan. 28, 2021, 5:38 p.m. UTC | #2
On 28/01/2021 17:52, David Howells wrote:
> 
> Hi Mickaël,
Hi David,

> 
> I could pull your patches (unless Jarkko wants to), but can you please drop
> the patches that are also in my keys-misc branch lest one or other (or both)
> of our branches get dropped in the next merge window due to conflicts?
> 
> Ideally, can you base your branch on my keys-misc branch?

Sure, I'm rebasing and testing a new patch series.

> 
> Thanks,
> David
>
Mickaël Salaün Jan. 28, 2021, 6 p.m. UTC | #3
I noticed that commits in your branch are not up to date with the latest
Jarkko reviews on my patches (see changes since v2). There is no
conflict if you replace conflicting patches from your branch with patches
from this series. Could you replace your duplicate commits with this
patch series?


On 28/01/2021 18:38, Mickaël Salaün wrote:
> 
> 
> On 28/01/2021 17:52, David Howells wrote:
>>
>> Hi Mickaël,
> Hi David,
> 
>>
>> I could pull your patches (unless Jarkko wants to), but can you please drop
>> the patches that are also in my keys-misc branch lest one or other (or both)
>> of our branches get dropped in the next merge window due to conflicts?
>>
>> Ideally, can you base your branch on my keys-misc branch?
> 
> Sure, I'm rebasing and testing a new patch series.
> 
>>
>> Thanks,
>> David
>>
Jarkko Sakkinen Jan. 30, 2021, 7:39 p.m. UTC | #4
On Thu, 2021-01-28 at 16:52 +0000, David Howells wrote:
> 
> Hi Mickaël,
> 
> I could pull your patches (unless Jarkko wants to), but can you please drop
> the patches that are also in my keys-misc branch lest one or other (or both)
> of our branches get dropped in the next merge window due to conflicts?
> 
> Ideally, can you base your branch on my keys-misc branch?

David, please pull :-)

If possible add to all:

Tested-by: Jarkko Sakkinen <jarkko@kernel.org>
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>

Was a chaotic week. My test environment was broken until Wed because
of issues with BuildRoot (that I reported and BR devs were able to
reproduce related to LINUX_OVERRIDE_SRCDIR).

> Thanks,
> David

/Jarkko