Hi,
This patch series mainly add a new configuration option to enable the
root user to load signed keys in the blacklist keyring. This keyring is
useful to "untrust" certificates or files. Enabling to safely update
this keyring without recompiling the kernel makes it more usable.
Regards,
Mickaël Salaün (9):
certs: Fix blacklisted hexadecimal hash string check
certs: Make blacklist_vet_description() more strict
certs: Factor out the blacklist hash creation
certs: Check that builtin blacklist hashes are valid
PKCS#7: Fix missing include
certs: Fix blacklist flag type confusion
certs: Allow root user to append signed hashes to the blacklist
keyring
certs: Replace K{U,G}IDT_INIT() with GLOBAL_ROOT_{U,G}ID
tools/certs: Add print-cert-tbs-hash.sh
MAINTAINERS | 2 +
certs/.gitignore | 1 +
certs/Kconfig | 10 +
certs/Makefile | 15 +-
certs/blacklist.c | 210 +++++++++++++-----
certs/system_keyring.c | 5 +-
crypto/asymmetric_keys/x509_public_key.c | 3 +-
include/keys/system_keyring.h | 14 +-
include/linux/verification.h | 2 +
scripts/check-blacklist-hashes.awk | 37 +++
.../platform_certs/keyring_handler.c | 26 +--
tools/certs/print-cert-tbs-hash.sh | 91 ++++++++
12 files changed, 335 insertions(+), 81 deletions(-)
create mode 100755 scripts/check-blacklist-hashes.awk
create mode 100755 tools/certs/print-cert-tbs-hash.sh
base-commit: 09162bc32c880a791c6c0668ce0745cf7958f576
--
2.29.2
