From patchwork Wed Apr 20 03:10:59 2022
X-Patchwork-Submitter: Jarkko Sakkinen
X-Patchwork-Id: 12819712
Date: Wed, 20 Apr 2022 06:10:59 +0300
From: Jarkko Sakkinen
To: Linus Torvalds
Cc: linux-kernel@vger.kernel.org, linux-integrity@vger.kernel.org, keyrings@vger.kernel.org, James Morris, David Howells, Peter Huewe, Jason Gunthorpe, Mickaël Salaün
Subject: [GIT PULL] TPM DEVICE DRIVER updates for tpmdd-next-v5.18-rc4
X-Mailing-List: keyrings@vger.kernel.org

Hi,

Mickaël's patches to add signed hashes to the blacklist keyring that were left out from the original v5.18 PR. They should be safe to include in rc4 as they've been in circulation for ages, and have been tested thoroughly.

BR, Jarkko

The following changes since commit b7f73403a3e922c20bb278ba3cfcc3c61930d82a:

  Merge tag 'spi-fix-v5.18-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi (2022-04-19 10:30:43 -0700)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-tpmdd.git/ tags/tpmdd-next-v5.18-rc4

for you to fetch changes up to fad7eba9464e58146ccc458afcf6f0667b5b27f8:

  certs: Explain the rationale to call panic() (2022-04-19 22:11:56 +0300)

----------------------------------------------------------------
tpmdd updates for Linux v5.18-rc4
----------------------------------------------------------------
Mickaël Salaün (6):
      tools/certs: Add print-cert-tbs-hash.sh
      certs: Factor out the blacklist hash creation
      certs: Make blacklist_vet_description() more strict
      certs: Check that builtin blacklist hashes are valid
      certs: Allow root user to append signed hashes to the blacklist keyring
      certs: Explain the rationale to call panic()

 MAINTAINERS                                    |   2 +
 certs/.gitignore                               |   1 +
 certs/Kconfig                                  |  17 +-
 certs/Makefile                                 |  14 +-
 certs/blacklist.c                              | 227 ++++++++++++++++-----
 crypto/asymmetric_keys/x509_public_key.c       |   3 +-
 include/keys/system_keyring.h                  |  14 +-
 scripts/check-blacklist-hashes.awk             |  37 ++++
 .../integrity/platform_certs/keyring_handler.c |  26 +--
 tools/certs/print-cert-tbs-hash.sh             |  91 +++++++++
 10 files changed, 352 insertions(+), 80 deletions(-)
 create mode 100755 scripts/check-blacklist-hashes.awk
 create mode 100755 tools/certs/print-cert-tbs-hash.sh

Reviewed-by: David Howells