Message ID | 20221109025019.1855-1-linux@weissschuh.net |
---|---|
Headers | From: Thomas Weißschuh <linux@weissschuh.net>; To: Mickaël Salaün <mic@digikod.net>, David Howells <dhowells@redhat.com>, David Woodhouse <dwmw2@infradead.org>, Jarkko Sakkinen <jarkko@kernel.org>, Eric Snowberg <eric.snowberg@oracle.com>; Cc: Thomas Weißschuh <linux@weissschuh.net>, keyrings@vger.kernel.org, linux-kernel@vger.kernel.org, Mark Pearson <markpearson@lenovo.com>, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org; Subject: [PATCH v2 0/3] certs: Prevent spurious errors on repeated blacklisting; Date: Wed, 9 Nov 2022 03:50:16 +0100 |
Series | certs: Prevent spurious errors on repeated blacklisting |
Message
Thomas Weißschuh
Nov. 9, 2022, 2:50 a.m. UTC
When the blacklist keyring was changed to allow updates from the root user
it gained an ->update() function that disallows all updates.
When a hash is blacklisted multiple times from the builtin or
firmware-provided blacklist this spams prominent logs during boot:

    [    0.890814] blacklist: Problem blacklisting hash (-13)

This affects the firmware of various vendors. Reported have been at least:

* Samsung: https://askubuntu.com/questions/1436856/
* Acer: https://ubuntuforums.org/showthread.php?t=2478840
* MSI: https://forum.archlabslinux.com/t/blacklist-problem-blacklisting-hash-13-errors-on-boot/6674/7
* Micro-Star: https://bbs.archlinux.org/viewtopic.php?id=278860

This series is an extension of the following single patch:
https://lore.kernel.org/all/20221104014704.3469-1-linux@weissschuh.net/

Only the first patch has been marked for stable as otherwise the whole of
key_create() would need to be applied to stable.

Thomas Weißschuh (3):

    certs: log more information on blacklist error
    KEYS: Add key_create()
    certs: don't try to update blacklist keys

    certs/blacklist.c   |  23 ++++---
    include/linux/key.h |   8 +++
    security/keys/key.c | 149 +++++++++++++++++++++++++++++++++-----------
    3 files changed, 133 insertions(+), 47 deletions(-)

base-commit: f141df371335645ce29a87d9683a3f79fba7fd67
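
A userspace model of the failure mode described in the cover letter, added here as an illustration and not code from the series or the kernel: loading a hash list with a duplicate through create-or-update semantics hits the always-refusing ->update() and yields -13 (-EACCES), while a create-only path reports the duplicate distinctly so the loader can skip it. The names `toy_keyring`, `toy_create_or_update`, `toy_create` and `load_blacklist` are hypothetical, the hash strings are constructed, and the -EEXIST return of the create-only path is an assumption about key_create() that the cover letter does not spell out.

```c
#include <errno.h>
#include <string.h>

#define MAX_KEYS 8

/* Toy keyring (hypothetical): holds key descriptions, i.e. hash strings. */
struct toy_keyring { const char *desc[MAX_KEYS]; int count; };

/* Models the blacklist ->update() from the cover letter: refuses everything. */
static int blacklist_update(void) { return -EACCES; }

static int find_key(const struct toy_keyring *kr, const char *desc)
{
    for (int i = 0; i < kr->count; i++)
        if (strcmp(kr->desc[i], desc) == 0)
            return i;
    return -1;
}

static int add_key(struct toy_keyring *kr, const char *desc)
{
    if (kr->count == MAX_KEYS)
        return -ENOSPC;
    kr->desc[kr->count++] = desc;
    return 0;
}

/* Create-or-update: an existing description is routed to ->update(). */
int toy_create_or_update(struct toy_keyring *kr, const char *desc)
{
    return find_key(kr, desc) >= 0 ? blacklist_update() : add_key(kr, desc);
}

/* Create-only (assumed key_create() behaviour): duplicates give -EEXIST. */
int toy_create(struct toy_keyring *kr, const char *desc)
{
    return find_key(kr, desc) >= 0 ? -EEXIST : add_key(kr, desc);
}

/* Loads n hashes; returns how many would be logged as blacklisting errors. */
int load_blacklist(struct toy_keyring *kr, const char *const *hashes, int n,
                   int create_only)
{
    int errors = 0;
    for (int i = 0; i < n; i++) {
        int ret = create_only ? toy_create(kr, hashes[i])
                              : toy_create_or_update(kr, hashes[i]);
        /* A duplicate on the create-only path is benign, not an error. */
        if (ret < 0 && !(create_only && ret == -EEXIST))
            errors++;
    }
    return errors;
}
```

In both modes the keyring ends up with the same set of blacklisted hashes; only the reporting of the duplicate differs.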