On Thu, Jan 14, 2021 at 04:19:08PM +0100, Mickaël Salaün wrote:
> From: Mickaël Salaün <mic@xxxxxxxxxxxxxxxxxxx>
>
> Add a kernel option SYSTEM_BLACKLIST_AUTH_UPDATE to enable the root user
> to dynamically add new keys to the blacklist keyring. This makes it
> possible to invalidate new certificates, either from being loaded in a
> keyring, or from being trusted in a PKCS#7 certificate chain. This also
> makes it possible to add new file hashes to be denied by the integrity
> infrastructure.
>
> Being able to untrust a certificate which could have normally been
> trusted is a sensitive operation. This is why adding new hashes to the
> blacklist keyring is only allowed when these hashes are signed and
> vouched by the builtin trusted keyring. A blacklist hash is stored as a
> key description. The PKCS#7 signature of this description must be
> provided as the key payload.
>
> Marking a certificate as untrusted should be enforced while the system
> is running. It is then forbidden to remove such blacklist keys.
>
> Update blacklist keyring and blacklist key access rights:
> * allows the root user to search for a specific blacklisted hash, which
>   makes sense because the descriptions are already viewable;
> * forbids key update;
> * restricts kernel rights on the blacklist keyring to align with the
>   root user rights.
>
> See the help in tools/certs/print-cert-tbs-hash.sh provided by a
> following commit.

Please re-order patches in a way that print-cert-tbs-hash.sh is available
before this. That way we get rid of this useless remark.

> Cc: David Howells <dhowells@xxxxxxxxxx>
> Cc: David Woodhouse <dwmw2@xxxxxxxxxxxxx>
> Signed-off-by: Mickaël Salaün <mic@xxxxxxxxxxxxxxxxxxx>

/Jarkko