Jarkko, David, what is the status of this patch series? Do you need help to test it?

On 11/12/2020 20:03, Mickaël Salaün wrote:
> Hi,
>
> This second patch series includes some minor fixes and removes the 4 fix
> patches picked by David Howells. This patch series can then be applied
> on top of
> https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/log/?h=keys-fixes
>
> The goal of these patches is to add a new configuration option to enable
> the root user to load signed keys in the blacklist keyring. This
> keyring is useful to "untrust" certificates or files. Enabling to
> safely update this keyring without recompiling the kernel makes it more
> usable.
>
> Previous patch series:
> https://lore.kernel.org/lkml/20201120180426.922572-1-mic@xxxxxxxxxxx/
>
> Regards,
>
> Mickaël Salaün (5):
>   certs: Make blacklist_vet_description() more strict
>   certs: Factor out the blacklist hash creation
>   certs: Check that builtin blacklist hashes are valid
>   certs: Allow root user to append signed hashes to the blacklist
>     keyring
>   tools/certs: Add print-cert-tbs-hash.sh
>
>  MAINTAINERS                                   |   2 +
>  certs/.gitignore                              |   1 +
>  certs/Kconfig                                 |  10 +
>  certs/Makefile                                |  15 +-
>  certs/blacklist.c                             | 202 ++++++++++++++----
>  crypto/asymmetric_keys/x509_public_key.c      |   3 +-
>  include/keys/system_keyring.h                 |  14 +-
>  scripts/check-blacklist-hashes.awk            |  37 ++++
>  .../platform_certs/keyring_handler.c          |  26 +--
>  tools/certs/print-cert-tbs-hash.sh            |  91 ++++++++
>  10 files changed, 326 insertions(+), 75 deletions(-)
>  create mode 100755 scripts/check-blacklist-hashes.awk
>  create mode 100755 tools/certs/print-cert-tbs-hash.sh
>
>
> base-commit: 1b91ea77dfeb2c5924ab940f2e43177c78a37d8f