On Mon, Nov 30, 2020 at 09:23:59AM +0100, Mickaël Salaün wrote:
>
> On 30/11/2020 03:40, Jarkko Sakkinen wrote:
> > On Fri, Nov 20, 2020 at 07:04:17PM +0100, Mickaël Salaün wrote:
> >> Hi,
> >>
> >> This patch series mainly adds a new configuration option to enable the
> >> root user to load signed keys in the blacklist keyring. This keyring is
> >> useful to "untrust" certificates or files. Enabling safe updates of
> >> this keyring without recompiling the kernel makes it more usable.
> >
> > I apologize for the latency. This cycle has been difficult because of
> > final cuts with the huge SGX patch set.
> >
> > I did skim through this and did not see anything striking (but it
> > was a quick look).
> >
> > What would be the easiest way to smoke test the changes?
>
> An easy way to test it is to enable the second trusted keyring to
> dynamically load certificates in the kernel. Then we can create a hash
> of a valid certificate (but not loaded yet) and sign it as explained in
> tools/certs/print-cert-tbs-hash.sh (patch 9/9). Once this hash is loaded
> in the kernel, loading the blacklisted certificate will be denied. We
> can also test it with a PKCS#7 signature chain, either with the
> blacklist keyring itself, or with a signed dm-verity image.

Thanks, looking into this once 5.11-rc1 is out.

/Jarkko
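The "hash of a valid certificate" in the reply above is the hash of the certificate's To-Be-Signed (TBS) portion, which is what the kernel compares against the "tbs:<hex>" entries of the blacklist keyring. The following is an added example, not code from the patch series or from tools/certs/print-cert-tbs-hash.sh: a dependency-free Python walk over a DER certificate that extracts the tbsCertificate TLV (tag, length and contents, not just the contents) and hashes it with the digest named by the certificate's signatureAlgorithm, yielding the "tbs:<hex>" description. Python is used instead of the script's openssl invocations so it runs offline. The OID-to-digest table, the build_fake_cert() skeleton and every sample byte are constructed here and labelled as such; the skeleton has the outer Certificate shape but is not a valid X.509 certificate. Signing the description and loading it into the keyring is the step the script's comments describe and is not reproduced here.

```python
"""Compute the blacklist-keyring description "tbs:<hex>" for a DER certificate.

Added example, not kernel code.  Certificate ::= SEQUENCE { tbsCertificate,
signatureAlgorithm, signatureValue }.  The kernel hashes the whole
tbsCertificate TLV with the digest implied by signatureAlgorithm; the hex
digest under the "tbs:" prefix is the blacklist key description.
"""
import hashlib

# signatureAlgorithm OID -> hashlib digest name.
# Assumption: only the common RSA PKCS#1 v1.5 and ECDSA OIDs are listed.
SIG_ALGO_DIGEST = {
    "1.2.840.113549.1.1.5": "sha1",     # sha1WithRSAEncryption
    "1.2.840.113549.1.1.11": "sha256",  # sha256WithRSAEncryption
    "1.2.840.113549.1.1.12": "sha384",  # sha384WithRSAEncryption
    "1.2.840.113549.1.1.13": "sha512",  # sha512WithRSAEncryption
    "1.2.840.10045.4.3.2": "sha256",    # ecdsa-with-SHA256
    "1.2.840.10045.4.3.3": "sha384",    # ecdsa-with-SHA384
    "1.2.840.10045.4.3.4": "sha512",    # ecdsa-with-SHA512
}


def _read_tlv(buf: bytes, pos: int):
    """Parse one DER TLV header at buf[pos]; return (tag, value_start, value_end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, first = buf[pos], buf[pos + 1]
    header, length = 2, first
    if first & 0x80:  # long form: low bits give the number of length octets
        n = first & 0x7F
        if n == 0 or n > 4 or pos + 2 + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        header += n
    start = pos + header
    end = start + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, start, end


def _decode_oid(value: bytes) -> str:
    """Decode OBJECT IDENTIFIER contents octets into dotted form."""
    if not value:
        raise ValueError("empty OID")
    arcs = [str(value[0] // 40), str(value[0] % 40)]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(str(acc))
            acc = 0
    return ".".join(arcs)


def split_certificate(cert_der: bytes):
    """Return (tbsCertificate TLV bytes, signatureAlgorithm OID) of a DER Certificate."""
    tag, start, end = _read_tlv(cert_der, 0)
    if tag != 0x30 or end != len(cert_der):
        raise ValueError("not a single DER SEQUENCE")
    tbs_tag, _, tbs_end = _read_tlv(cert_der, start)
    if tbs_tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tbs = cert_der[start:tbs_end]  # full TLV: this is what gets hashed
    alg_tag, alg_start, _ = _read_tlv(cert_der, tbs_end)
    if alg_tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    oid_tag, oid_start, oid_end = _read_tlv(cert_der, alg_start)
    if oid_tag != 0x06:
        raise ValueError("signatureAlgorithm.algorithm is not an OID")
    return tbs, _decode_oid(cert_der[oid_start:oid_end])


def blacklist_tbs_description(cert_der: bytes) -> str:
    """Blacklist key description "tbs:<hex digest of tbsCertificate>"."""
    tbs, oid = split_certificate(cert_der)
    digest = SIG_ALGO_DIGEST.get(oid)
    if digest is None:
        raise ValueError(f"unsupported signature algorithm {oid}")
    return "tbs:" + hashlib.new(digest, tbs).hexdigest()


# --- constructed sample input (not a real certificate) -----------------------

def _tlv(tag: int, value: bytes) -> bytes:
    """Encode one DER TLV (definite length, short or long form)."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + value


def _oid(dotted: str) -> bytes:
    """Encode a dotted OID as a DER OBJECT IDENTIFIER TLV."""
    arcs = [int(x) for x in dotted.split(".")]
    out = bytes([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return _tlv(0x06, out)


def build_fake_cert(sig_oid: str, serial: int = 0x1234) -> bytes:
    """Constructed DER skeleton with the Certificate shape SEQUENCE { tbs, alg, sig }.

    The TBS carries only version, serialNumber and signature fields; it is
    enough for the TBS-hash walk above but is not a valid X.509 certificate.
    """
    alg_id = _tlv(0x30, _oid(sig_oid) + b"\x05\x00")        # AlgorithmIdentifier + NULL params
    tbs = _tlv(0x30,
               _tlv(0xA0, _tlv(0x02, b"\x02"))               # [0] EXPLICIT version v3
               + _tlv(0x02, serial.to_bytes(2, "big"))        # serialNumber
               + alg_id)                                      # signature
    sig = _tlv(0x03, b"\x00" + bytes(32))                     # BIT STRING placeholder
    return _tlv(0x30, tbs + alg_id + sig)


if __name__ == "__main__":
    print(blacklist_tbs_description(build_fake_cert("1.2.840.113549.1.1.11")))
```

On a real certificate, feed the DER bytes (`openssl x509 -in cert.pem -outform DER`) to blacklist_tbs_description(); the result is the description that the script in patch 9/9 prints and that is then signed and loaded so that the kernel refuses the certificate. The digest is chosen from signatureAlgorithm rather than hard-coded because a SHA-384-signed certificate is looked up under its SHA-384 TBS digest, so a SHA-256 entry would never match it.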