On 20/01/2021 06:23, Jarkko Sakkinen wrote:
> On Thu, Jan 14, 2021 at 04:19:08PM +0100, Mickaël Salaün wrote:
>> From: Mickaël Salaün <mic@xxxxxxxxxxxxxxxxxxx>
>>
>> Add a kernel option SYSTEM_BLACKLIST_AUTH_UPDATE to enable the root user
>> to dynamically add new keys to the blacklist keyring. This makes it
>> possible to invalidate new certificates, either from being loaded in a
>> keyring, or from being trusted in a PKCS#7 certificate chain. This also
>> makes it possible to add new file hashes to be denied by the integrity
>> infrastructure.
>>
>> Being able to untrust a certificate which could have normally been
>> trusted is a sensitive operation. This is why adding new hashes to the
>> blacklist keyring is only allowed when these hashes are signed and
>> vouched by the builtin trusted keyring. A blacklist hash is stored as a
>> key description. The PKCS#7 signature of this description must be
>> provided as the key payload.
>>
>> Marking a certificate as untrusted should be enforced while the system
>> is running. It is then forbidden to remove such blacklist keys.
>>
>> Update blacklist keyring and blacklist key access rights:
>> * allows the root user to search for a specific blacklisted hash, which
>>   makes sense because the descriptions are already viewable;
>> * forbids key update;
>> * restricts kernel rights on the blacklist keyring to align with the
>>   root user rights.
>>
>> See the help in tools/certs/print-cert-tbs-hash.sh provided by a
>> following commit.
>
> Please re-order patches in a way that print-cert-tbs-hash.sh is
> available before this. That way we get rid of this useless remark.

OK

>
>> Cc: David Howells <dhowells@xxxxxxxxxx>
>> Cc: David Woodhouse <dwmw2@xxxxxxxxxxxxx>
>> Signed-off-by: Mickaël Salaün <mic@xxxxxxxxxxxxxxxxxxx>
>
> /Jarkko
>
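The access policy spelled out in the quoted commit message (add only with a payload vouched by the builtin trusted keyring, no update, no removal, root may search) can be modelled outside the kernel to make the rules concrete. The following Python is an added illustration written for this page; it is not the kernel's code and not part of the patch series. The real kernel checks a PKCS#7 signature over the key description against the builtin trusted keyring; here a caller-supplied `verify` callable stands in for that step, and an HMAC over a constructed secret is used purely as a dependency-free stand-in (a symmetric MAC, not a signature). The hex-digest length check and the class and function names are assumptions of this model.

```python
"""Toy model of the blacklist keyring policy from the patch description.

Added example, not kernel code. `verify(description, payload)` stands in
for PKCS#7 verification against the builtin trusted keyring.
"""
import hashlib
import hmac


class KeyRejected(Exception):
    """The key cannot be added: bad description or unvouched payload."""


class PermissionDenied(Exception):
    """The operation is forbidden by the policy (update, remove, non-root search)."""


def _is_hex_digest(description):
    # Assumption of this model: a blacklist hash is a lowercase hex SHA-1 or
    # SHA-256 digest stored verbatim as the key description.
    return len(description) in (40, 64) and all(c in "0123456789abcdef" for c in description)


class BlacklistKeyring:
    def __init__(self, verify):
        self._verify = verify   # stands in for PKCS#7 check against builtin keys
        self._hashes = set()    # descriptions of the blacklist keys

    def add(self, description, payload):
        """Add a hash only if the payload vouches for the description."""
        if not _is_hex_digest(description):
            raise KeyRejected("description is not a hex hash")
        if not self._verify(description, payload):
            raise KeyRejected("payload is not a valid signature of the description")
        if description in self._hashes:
            # Re-adding an existing description would be an update: forbidden.
            raise PermissionDenied("key update is forbidden")
        self._hashes.add(description)

    def search(self, description, uid):
        """Root may search for a specific blacklisted hash; others may not."""
        if uid != 0:
            raise PermissionDenied("search requires root")
        return description in self._hashes

    def remove(self, description):
        """Blacklist keys stay in force while the system runs."""
        raise PermissionDenied("blacklist keys cannot be removed")


# Constructed stand-in for the builtin trusted keyring. HMAC keeps the
# example dependency-free; the kernel uses asymmetric PKCS#7 signatures.
_BUILTIN_SECRET = b"example-builtin-trusted-key"


def sign_description(description, secret=_BUILTIN_SECRET):
    """Produce the payload that vouches for a description (stand-in for PKCS#7)."""
    return hmac.new(secret, description.encode(), hashlib.sha256).digest()


def verify_with_builtin(description, payload):
    return hmac.compare_digest(sign_description(description), payload)


def demo():
    """Exercise each rule of the policy and report the outcomes."""
    ring = BlacklistKeyring(verify_with_builtin)
    vouched = hashlib.sha256(b"constructed revoked cert TBS").hexdigest()
    unvouched = hashlib.sha256(b"constructed other cert TBS").hexdigest()
    results = {}

    ring.add(vouched, sign_description(vouched))
    results["vouched_added"] = ring.search(vouched, uid=0)

    try:  # payload signed by a key outside the builtin keyring
        ring.add(unvouched, sign_description(unvouched, secret=b"rogue-key"))
        results["unvouched_rejected"] = False
    except KeyRejected:
        results["unvouched_rejected"] = True

    try:  # a second add of the same description is an update
        ring.add(vouched, sign_description(vouched))
        results["update_forbidden"] = False
    except PermissionDenied:
        results["update_forbidden"] = True

    try:
        ring.remove(vouched)
        results["remove_forbidden"] = False
    except PermissionDenied:
        results["remove_forbidden"] = True

    try:
        ring.search(vouched, uid=1000)
        results["nonroot_search_denied"] = False
    except PermissionDenied:
        results["nonroot_search_denied"] = True

    return results


if __name__ == "__main__":
    for rule, held in demo().items():
        print(f"{rule}: {'ok' if held else 'VIOLATED'}")
```

The point of the model is the order of checks in `add`: a payload that the builtin keyring does not vouch for is rejected before the key is ever considered, and an existing description is treated as an update rather than silently replaced, mirroring the commit's "forbids key update" rule.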