On Wed, Nov 09, 2022 at 03:50:19AM +0100, Thomas Weißschuh wrote: > When the same key is blacklisted repeatedly we don't want to log an Who is "we"? > error. These duplicates can be provided by buggy firmware. Instead of > spamming the bootlog with errors we use a warning that can still be seen > by OEMs when testing. > > Also extend BLACKLIST_KEY_PERM as otherwise the EACCES will shadow the > EEXIST. How? I.e. please state how you extend it, and why new need the extra bits. > Link: https://lore.kernel.org/all/c8c65713-5cda-43ad-8018-20f2e32e4432@xxxxxxxx/ > Link: https://lore.kernel.org/all/20221104014704.3469-1-linux@xxxxxxxxxxxxxx/ > Signed-off-by: Thomas Weißschuh <linux@xxxxxxxxxxxxxx> > --- > certs/blacklist.c | 23 +++++++++++++---------- > 1 file changed, 13 insertions(+), 10 deletions(-) > > diff --git a/certs/blacklist.c b/certs/blacklist.c > index 6e260c4b6a19..ac8e3166b6d7 100644 > --- a/certs/blacklist.c > +++ b/certs/blacklist.c > @@ -26,7 +26,7 @@ > */ > #define MAX_HASH_LEN 128 > > -#define BLACKLIST_KEY_PERM (KEY_POS_SEARCH | KEY_POS_VIEW | \ > +#define BLACKLIST_KEY_PERM (KEY_POS_WRITE | KEY_POS_SEARCH | KEY_POS_VIEW | \ > KEY_USR_SEARCH | KEY_USR_VIEW) > > static const char tbs_prefix[] = "tbs"; 
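Review bot: The widened BLACKLIST_KEY_PERM mask in the first hunk has no comment explaining why KEY_POS_WRITE is now granted, and the permission set on blacklist keys is security-relevant: possessor write permission is the bit that allows a key to be updated or revoked, so a reader will ask whether that widening is intended rather than incidental. The commit message gives the reason (without it the -EACCES shadows the -EEXIST), but that reasoning lives only in the changelog; it belongs next to the macro. A comment such as `/* KEY_POS_WRITE: a repeated entry must surface as -EEXIST, not fail the write-permission check first with -EACCES. */` would capture it; the mechanism is presumably that the keyring's permission check on an existing key runs before the duplicate is reported, which is worth confirming against key_create and stating precisely in the commit message as well.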
> @@ -183,16 +183,19 @@ static int mark_raw_hash_blacklisted(const char *hash) > { > key_ref_t key; > > - key = key_create_or_update(make_key_ref(blacklist_keyring, true), > - "blacklist", > - hash, > - NULL, > - 0, > - BLACKLIST_KEY_PERM, > - KEY_ALLOC_NOT_IN_QUOTA | > - KEY_ALLOC_BUILT_IN); > + key = key_create(make_key_ref(blacklist_keyring, true), > + "blacklist", > + hash, > + NULL, > + 0, > + BLACKLIST_KEY_PERM, > + KEY_ALLOC_NOT_IN_QUOTA | > + KEY_ALLOC_BUILT_IN); > if (IS_ERR(key)) { > - pr_err("Problem blacklisting hash %s: %pe\n", hash, key); > + if (PTR_ERR(key) == -EEXIST) > + pr_warn("Duplicate blacklisted hash %s\n", hash); > + else > + pr_err("Problem blacklisting hash %s: %pe\n", hash, key); > return PTR_ERR(key); > } > return 0; > -- > 2.38.1 > BR, Jarkko
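Review bot: The duplicate branch still returns PTR_ERR(key), i.e. -EEXIST, after downgrading the log line to pr_warn, so mark_raw_hash_blacklisted reports the same failure to its caller as before and only the local message changed; any caller that treats a negative return as a failure will still log or escalate the duplicate. The caller is outside the hunk, so whether that happens cannot be seen here. If duplicates supplied by firmware are meant to be tolerated, the branch should end with `return 0;` after the pr_warn; otherwise the function should document that -EEXIST is an expected, non-fatal return that callers must not escalate. A second, smaller point: the warning is emitted once per duplicate, so firmware handing over many repeats still fills the boot log; `pr_warn_ratelimited` or a single summary count would keep the signal without the volume.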