On Thu, Jan 14, 2021 at 04:18:59PM +0100, Mickaël Salaün wrote: > This third patch series includes back three fix patches taken from the first > series (and cherry-picked from David Howells's tree [1]), and one cosmetic fix > from Alex Shi which helps avoid future conflicts. I also added some Acked-by > and improved comments. As requested, this series is based on v5.11-rc3. > > The goal of these patches is to add a new configuration option to enable the > root user to load signed keys in the blacklist keyring. This keyring is useful > to "untrust" certificates or files. Enabling to safely update this keyring > without recompiling the kernel makes it more usable. > > [1] https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/log/?h=keys-fixes > > Previous patch series: > https://lore.kernel.org/lkml/20201211190330.2586116-1-mic@xxxxxxxxxxx/ > > Regards, > > Alex Shi (1): > certs/blacklist: fix kernel doc interface issue > > David Howells (1): > certs: Fix blacklist flag type confusion > > Mickaël Salaün (8): > certs: Fix blacklisted hexadecimal hash string check > PKCS#7: Fix missing include > certs: Replace K{U,G}IDT_INIT() with GLOBAL_ROOT_{U,G}ID > certs: Make blacklist_vet_description() more strict > certs: Factor out the blacklist hash creation > certs: Check that builtin blacklist hashes are valid > certs: Allow root user to append signed hashes to the blacklist > keyring > tools/certs: Add print-cert-tbs-hash.sh > > MAINTAINERS | 2 + > certs/.gitignore | 1 + > certs/Kconfig | 10 + > certs/Makefile | 15 +- > certs/blacklist.c | 217 ++++++++++++++---- > certs/system_keyring.c | 5 +- > crypto/asymmetric_keys/x509_public_key.c | 3 +- > include/keys/system_keyring.h | 14 +- > include/linux/key.h | 1 + > include/linux/verification.h | 2 + > scripts/check-blacklist-hashes.awk | 37 +++ > security/integrity/ima/ima_mok.c | 4 +- > .../platform_certs/keyring_handler.c | 26 +-- > security/keys/key.c | 2 + > tools/certs/print-cert-tbs-hash.sh | 91 ++++++++ > 15 files changed, 345 insertions(+), 85 deletions(-) > create mode 100755 scripts/check-blacklist-hashes.awk > create mode 100755 tools/certs/print-cert-tbs-hash.sh > > > base-commit: 7c53f6b671f4aba70ff15e1b05148b10d58c2837 > -- > 2.30.0 > > Thank you. Unfortunately no time to review this anymore this week but I sanity checked that this applies cleanly now, so should be easy to get on testing this series next week: $ git-pw series apply 414691 Applying: certs/blacklist: fix kernel doc interface issue Applying: certs: Fix blacklisted hexadecimal hash string check Applying: PKCS#7: Fix missing include Applying: certs: Fix blacklist flag type confusion Applying: certs: Replace K{U,G}IDT_INIT() with GLOBAL_ROOT_{U,G}ID Applying: certs: Make blacklist_vet_description() more strict Applying: certs: Factor out the blacklist hash creation Applying: certs: Check that builtin blacklist hashes are valid Applying: certs: Allow root user to append signed hashes to the blacklist keyring Applying: tools/certs: Add print-cert-tbs-hash.sh /Jarkko