> On Feb 4, 2021, at 1:26 AM, Mickaël Salaün <mic@xxxxxxxxxxx> wrote: > > > On 04/02/2021 04:53, Eric Snowberg wrote: >> >>> On Feb 3, 2021, at 11:49 AM, Mickaël Salaün <mic@xxxxxxxxxxx> wrote: >>> >>> This looks good to me, and it still works for my use case. Eric's >>> patchset only looks for asymmetric keys in the blacklist keyring, so >>> even if we use the same keyring we don't look for the same key types. My >>> patchset only allows blacklist keys (i.e. hashes, not asymmetric keys) >>> to be added by user space (if authenticated), but because Eric's >>> asymmetric keys are loaded with KEY_ALLOC_BYPASS_RESTRICTION, it should >>> be OK for his use case. There should be no interference between the two >>> new features, but I find it a bit confusing to have such distinct use of >>> keys from the same keyring depending on their type. >> >> I agree, it is a bit confusing. What is the thought of having a dbx >> keyring, similar to how the platform keyring works? >> >> https://www.spinics.net/lists/linux-security-module/msg40262.html >> >> >>> On 03/02/2021 17:26, David Howells wrote: >>>> >>>> Eric Snowberg <eric.snowberg@xxxxxxxxxx> wrote: >>>> >>>>> This is the fifth patch series for adding support for >>>>> EFI_CERT_X509_GUID entries [1]. It has been expanded to not only include >>>>> dbx entries but also entries in the mokx. Additionally my series to >>>>> preload these certificate [2] has also been included. >>>> >>>> Okay, I've tentatively applied this to my keys-next branch. However, it >>>> conflicts minorly with Mickaël Salaün's patches that I've previously merged on >>>> the same branch. Can you have a look at the merge commit >>>> >>>> https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/commit/?h=keys-next&id=fdbbe7ceeb95090d09c33ce0497e0394c82aa33d >>>> >>>> (the top patch of my keys-next branch) >>>> >>>> to see if that is okay by both of you? If so, can you give it a whirl? >> >> >> I’m seeing a build error within blacklist_hashes_checked with >> one of my configs. >> >> The config is as follows: >> >> $ grep CONFIG_SYSTEM_BLACKLIST_HASH_LIST .config >> CONFIG_SYSTEM_BLACKLIST_HASH_LIST=“revocation_list" >> >> $ cat certs/revocation_list >> "tbs:1e125ea4f38acb7b29b0c495fd8e7602c2c3353b913811a9da3a2fb505c08a32” >> >> make[1]: *** No rule to make target 'revocation_list', needed by 'certs/blacklist_hashes_checked'. Stop. > > It requires an absolute path. Ok, if I use an absolute path now with CONFIG_SYSTEM_BLACKLIST_HASH_LIST it works. > This is to align with other variables > using the config_filename macro: CONFIG_SYSTEM_TRUSTED_KEYS, > CONFIG_MODULE_SIG_KEY and now CONFIG_SYSTEM_REVOCATION_KEYS. I just did a quick test with CONFIG_SYSTEM_TRUSTED_KEYS. It looks like we can use either a relative or absolute path with CONFIG_SYSTEM_TRUSTED_KEYS. Shouldn’t this be consistent? > Cf. https://lore.kernel.org/lkml/1221725.1607515111@xxxxxxxxxxxxxxxxxxxxxx/ > > We may want to patch scripts/kconfig/streamline_config.pl for both > CONFIG_SYSTEM_REVOCATION_KEYS and CONFIG_SYSTEM_BLACKLIST_HASH_LIST, to > warn user (and exit with an error) if such files are not found.
