Re: [PATCH 04/12] certs: Create blacklist keyring earlier

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, 2023-10-03 at 11:37 +0300, Ilpo Järvinen wrote:
> On Thu, 28 Sep 2023, Lukas Wunner wrote:
> 
> > The upcoming support for PCI device authentication with CMA-SPDM
> > (PCIe r6.1 sec 6.31) requires parsing X.509 certificates upon
> > device enumeration, which happens in a subsys_initcall().
> > 
> > Parsing X.509 certificates accesses the blacklist keyring:
> > x509_cert_parse()
> >   x509_get_sig_params()
> >     is_hash_blacklisted()
> >       keyring_search()
> > 
> > So far the keyring is created much later in a device_initcall(). 
> > Avoid
> > a NULL pointer dereference on access to the keyring by creating it
> > one
> > initcall level earlier than PCI device enumeration, i.e. in an
> > arch_initcall().
> > 
> > Signed-off-by: Lukas Wunner <lukas@xxxxxxxxx>
> > ---
> >  certs/blacklist.c | 4 ++--
> >  1 file changed, 2 insertions(+), 2 deletions(-)
> > 
> > diff --git a/certs/blacklist.c b/certs/blacklist.c
> > index 675dd7a8f07a..34185415d451 100644
> > --- a/certs/blacklist.c
> > +++ b/certs/blacklist.c
> > @@ -311,7 +311,7 @@ static int restrict_link_for_blacklist(struct
> > key *dest_keyring,
> >   * Initialise the blacklist
> >   *
> >   * The blacklist_init() function is registered as an initcall via
> > - * device_initcall().  As a result if the blacklist_init()
> > function fails for
> > + * arch_initcall().  As a result if the blacklist_init() function
> > fails for
> >   * any reason the kernel continues to execute.  While cleanly
> > returning -ENODEV
> >   * could be acceptable for some non-critical kernel parts, if the
> > blacklist
> >   * keyring fails to load it defeats the certificate/key based deny
> > list for
> > @@ -356,7 +356,7 @@ static int __init blacklist_init(void)
> >  /*
> >   * Must be initialised before we try and load the keys into the
> > keyring.
> >   */
> > -device_initcall(blacklist_init);
> > +arch_initcall(blacklist_init);
> >  
> >  #ifdef CONFIG_SYSTEM_REVOCATION_LIST
> >  /*
> > 
> 
> Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@xxxxxxxxxxxxxxx>
Reviewed-by: Wilfred Mallawa <wilfred.mallawa@xxxxxxx>
> 





[Index of Archives]     [Kernel]     [Gnu Classpath]     [Gnu Crypto]     [DM Crypt]     [Netfilter]     [Bugtraq]
  Powered by Linux