From patchwork Fri Nov 18 04:03:41 2022
X-Patchwork-Id: 22097
From: Thomas Weißschuh
To: Mickaël Salaün, David Howells, David Woodhouse, Jarkko Sakkinen, Eric Snowberg
Cc: Thomas Weißschuh, keyrings@vger.kernel.org, linux-kernel@vger.kernel.org, Mark Pearson, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: [PATCH v3 1/3] certs: log hash value on blacklist error
Date: Fri, 18 Nov 2022 05:03:41 +0100
Message-Id: <20221118040343.2958-2-linux@weissschuh.net>
In-Reply-To: <20221118040343.2958-1-linux@weissschuh.net>
References: <20221118040343.2958-1-linux@weissschuh.net>

Without this information these logs are not actionable.
For example, on duplicate blacklisted hashes reported by the system firmware, users should be able to report the erroneous hashes to their system vendors.

While we are at it, use the dedicated format string for ERR_PTR.

Fixes: 6364d106e041 ("certs: Allow root user to append signed hashes to the blacklist keyring")
Signed-off-by: Thomas Weißschuh
---
 certs/blacklist.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/certs/blacklist.c b/certs/blacklist.c
index 41f10601cc72..6e260c4b6a19 100644
--- a/certs/blacklist.c
+++ b/certs/blacklist.c
@@ -192,7 +192,7 @@ static int mark_raw_hash_blacklisted(const char *hash) KEY_ALLOC_NOT_IN_QUOTA | KEY_ALLOC_BUILT_IN); if (IS_ERR(key)) { - pr_err("Problem blacklisting hash (%ld)\n", PTR_ERR(key)); + pr_err("Problem blacklisting hash %s: %pe\n", hash, key); return PTR_ERR(key); } return 0;
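Review bot: The Fixes: tag pointing this hunk at 6364d106e041 is questionable for a logging-only change: stable maintainers use Fixes: to select patches for backporting, yet nothing functional is corrected here, so either drop the tag or state in the commit message why an unactionable error line counts as a bug worth backporting. The format change itself is right: passing the raw `key` pointer to `%pe` replaces the hand-rolled `(%ld)` with PTR_ERR(key), and on kernels that print symbolic errno names the message now carries a name instead of a bare negative number, which anyone pattern-matching the old string in log tooling should be told about.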
From: Thomas Weißschuh
To: Mickaël Salaün, David Howells, David Woodhouse, Jarkko Sakkinen, Eric Snowberg
Cc: Thomas Weißschuh, keyrings@vger.kernel.org, linux-kernel@vger.kernel.org, Mark Pearson, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: [PATCH v3 2/3] KEYS: Add key_create()
Date: Fri, 18 Nov 2022 05:03:42 +0100
Message-Id: <20221118040343.2958-3-linux@weissschuh.net>
In-Reply-To: <20221118040343.2958-1-linux@weissschuh.net>
References: <20221118040343.2958-1-linux@weissschuh.net>

This function works like key_create_or_update() but does not allow updating an existing key, instead
returning -EEXIST.

This new function will be used by the blacklist keyring to handle EEXIST errors specially by logging a different message with lower severity.

Signed-off-by: Thomas Weißschuh
---
 include/linux/key.h | 8 +++
 security/keys/key.c | 149 +++++++++++++++++++++++++++++++++-----------
 2 files changed, 120 insertions(+), 37 deletions(-)

diff --git a/include/linux/key.h b/include/linux/key.h
index d27477faf00d..8dc7f7c3088b 100644
--- a/include/linux/key.h
+++ b/include/linux/key.h
@@ -386,6 +386,14 @@ extern int wait_for_key_construction(struct key *key, bool intr); extern int key_validate(const struct key *key); +extern key_ref_t key_create(key_ref_t keyring, + const char *type, + const char *description, + const void *payload, + size_t plen, + key_perm_t perm, + unsigned long flags); + extern key_ref_t key_create_or_update(key_ref_t keyring, const char *type, const char *description,
diff --git a/security/keys/key.c b/security/keys/key.c
index c45afdd1dfbb..f84bcd8457f4 100644
--- a/security/keys/key.c
+++ b/security/keys/key.c
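Review bot: A new exported kernel-internal entry point is declared in the include/linux/key.h hunk without a matching update to the in-tree keys API documentation, which lists the key_create_or_update() prototype; the key_create() prototype and its -EEXIST return should be added next to it in the same patch so the two are not discovered separately. The prototype itself mirrors key_create_or_update() parameter for parameter, which is what callers converting from one to the other will expect.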
@@ -788,38 +788,18 @@ static inline key_ref_t __key_update(key_ref_t key_ref, goto out; } -/** - * key_create_or_update - Update or create and instantiate a key. - * @keyring_ref: A pointer to the destination keyring with possession flag. - * @type: The type of key. - * @description: The searchable description for the key. - * @payload: The data to use to instantiate or update the key. - * @plen: The length of @payload. - * @perm: The permissions mask for a new key. - * @flags: The quota flags for a new key. - * - * Search the destination keyring for a key of the same description and if one - * is found, update it, otherwise create and instantiate a new one and create a - * link to it from that keyring. - * - * If perm is KEY_PERM_UNDEF then an appropriate key permissions mask will be - * concocted. - * - * Returns a pointer to the new key if successful, -ENODEV if the key type - * wasn't available, -ENOTDIR if the keyring wasn't a keyring, -EACCES if the - * caller isn't permitted to modify the keyring or the LSM did not permit - * creation of the key. - * - * On success, the possession flag from the keyring ref will be tacked on to - * the key ref before it is returned. +/* + * Create or potentially update a key. The combined logic behind + * key_create_or_update() and key_create() */ -key_ref_t key_create_or_update(key_ref_t keyring_ref, - const char *type, - const char *description, - const void *payload, - size_t plen, - key_perm_t perm, - unsigned long flags) +static key_ref_t __key_create_or_update(key_ref_t keyring_ref, + const char *type, + const char *description, + const void *payload, + size_t plen, + key_perm_t perm, + unsigned long flags, + bool allow_update) { struct keyring_index_key index_key = { .description = description, 
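Review bot: The replacement comment on __key_create_or_update() ("The combined logic behind key_create_or_update() and key_create()") does not describe the new allow_update parameter, and since the kernel-doc block is moved out to the public wrappers in a later hunk, the static helper is left with no statement of what the flag does. One line suffices, for example ` * @allow_update: update an existing key of the same type and description instead of failing with -EEXIST`. Otherwise this hunk only relocates documentation, renames the function and widens the signature, with the parameter list and body left intact.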
@@ -906,14 +886,23 @@ key_ref_t key_create_or_update(key_ref_t keyring_ref, goto error_link_end; } - /* if it's possible to update this type of key, search for an existing - * key of the same type and description in the destination keyring and - * update that instead if possible + /* if it's requested and possible to update this type of key, search + * for an existing key of the same type and description in the + * destination keyring and update that instead if possible */ - if (index_key.type->update) { + if (allow_update) { + if (index_key.type->update) { + key_ref = find_key_to_update(keyring_ref, &index_key); + if (key_ref) + goto found_matching_key; + } + } else { key_ref = find_key_to_update(keyring_ref, &index_key); - if (key_ref) - goto found_matching_key; + if (key_ref) { + key_ref_put(key_ref); + key_ref = ERR_PTR(-EEXIST); + goto error_link_end; + } } /* if the client doesn't provide, decide on the permissions we want */ 
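Review bot: The new branch layout is harder to read than it needs to be: the nested `if (index_key.type->update)` inside `if (allow_update)` plus a separate `else` can be written as `if (!allow_update) { ... -EEXIST ... } else if (index_key.type->update) { ... goto found_matching_key; }`, which leaves the existing update path textually unchanged and shrinks the diff. The logic itself is sound: `key_ref_put(key_ref)` is called before key_ref is overwritten with `ERR_PTR(-EEXIST)`, so the reference returned by find_key_to_update() is not leaked, and the failure exits through the same error_link_end label as the surrounding error paths. Worth spelling out in the commit message is that, for allow_update == false, the duplicate search now runs for every key type, including types without an ->update method that the old code never searched; that is the intended key_create() semantics, but it is a behavioural difference readers of this hunk will ask about.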
@@ -985,8 +974,94 @@ key_ref_t key_create_or_update(key_ref_t keyring_ref, goto error_free_prep; } + +/** + * key_create_or_update - Update or create and instantiate a key. + * @keyring_ref: A pointer to the destination keyring with possession flag. + * @type: The type of key. + * @description: The searchable description for the key. + * @payload: The data to use to instantiate or update the key. + * @plen: The length of @payload. + * @perm: The permissions mask for a new key. + * @flags: The quota flags for a new key. + * + * Search the destination keyring for a key of the same description and if one + * is found, update it, otherwise create and instantiate a new one and create a + * link to it from that keyring. + * + * If perm is KEY_PERM_UNDEF then an appropriate key permissions mask will be + * concocted. + * + * Returns a pointer to the new key if successful, -ENODEV if the key type + * wasn't available, -ENOTDIR if the keyring wasn't a keyring, -EACCES if the + * caller isn't permitted to modify the keyring or the LSM did not permit + * creation of the key. + * + * On success, the possession flag from the keyring ref will be tacked on to + * the key ref before it is returned. + */ +key_ref_t key_create_or_update(key_ref_t keyring_ref, + const char *type, + const char *description, + const void *payload, + size_t plen, + key_perm_t perm, + unsigned long flags) +{ + return __key_create_or_update(keyring_ref, + type, + description, + payload, + plen, + perm, + flags, + true); +} EXPORT_SYMBOL(key_create_or_update); +/** + * key_create - Create and instantiate a key. + * @keyring_ref: A pointer to the destination keyring with possession flag. + * @type: The type of key. + * @description: The searchable description for the key. + * @payload: The data to use to instantiate or update the key. + * @plen: The length of @payload. + * @perm: The permissions mask for a new key. + * @flags: The quota flags for a new key. 
+ * + * Create and instantiate a new key and link to it from the destination keyring. + * + * If perm is KEY_PERM_UNDEF then an appropriate key permissions mask will be + * concocted. + * + * Returns a pointer to the new key if successful, -EEXIST if a key with the + * same description already exists, -ENODEV if the key type wasn't available, + * -ENOTDIR if the keyring wasn't a keyring, -EACCES if the caller isn't + * permitted to modify the keyring or the LSM did not permit creation of the + * key. + * + * On success, the possession flag from the keyring ref will be tacked on to + * the key ref before it is returned. + */ +key_ref_t key_create(key_ref_t keyring_ref, + const char *type, + const char *description, + const void *payload, + size_t plen, + key_perm_t perm, + unsigned long flags) +{ + return __key_create_or_update(keyring_ref, + type, + description, + payload, + plen, + perm, + flags, + false); +} +EXPORT_SYMBOL(key_create); + /** * key_update - Update a key's contents. * @key_ref: The pointer (plus possession flag) to the key. 
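Review bot: Two kernel-doc nits in the new key_create() block: `@payload: The data to use to instantiate or update the key` was carried over from key_create_or_update() and should drop "or update", since this function never updates; and `-EEXIST if a key with the same description already exists` should read "a key of the same type and description already exists in the destination keyring", because the check is a find_key_to_update() lookup on keyring_ref rather than a system-wide search, and a caller could otherwise expect -EEXIST for a same-description key held in some other keyring. The restored key_create_or_update() kernel-doc, the thin wrappers passing `true` and `false`, and the EXPORT_SYMBOL() placement are fine as they stand.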
From patchwork Fri Nov 18 04:03:43 2022
X-Patchwork-Id: 22096
From: Thomas Weißschuh
To: Mickaël Salaün, David Howells, David Woodhouse, Jarkko Sakkinen, Eric Snowberg
Cc: Thomas Weißschuh, keyrings@vger.kernel.org, linux-kernel@vger.kernel.org, Mark Pearson, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: [PATCH v3 3/3] certs: don't try to update blacklist keys
Date: Fri, 18 Nov 2022 05:03:43 +0100
Message-Id: <20221118040343.2958-4-linux@weissschuh.net>
In-Reply-To: <20221118040343.2958-1-linux@weissschuh.net>
References: <20221118040343.2958-1-linux@weissschuh.net>

When the same key is blacklisted repeatedly, logging at pr_err() level is excessive as no functionality is impaired. When these duplicates are provided by buggy firmware, there is nothing the end user can do to fix the situation. Instead of spamming the boot log with errors, we use a warning that can still be seen by OEMs when testing their firmware.

Link: https://lore.kernel.org/all/c8c65713-5cda-43ad-8018-20f2e32e4432@t-8ch.de/
Link: https://lore.kernel.org/all/20221104014704.3469-1-linux@weissschuh.net/
Signed-off-by: Thomas Weißschuh
---
 certs/blacklist.c | 21 ++++++++++++---------
 1 file changed, 12 insertions(+), 9 deletions(-)

diff --git a/certs/blacklist.c b/certs/blacklist.c
index 6e260c4b6a19..675dd7a8f07a 100644
--- a/certs/blacklist.c
+++ b/certs/blacklist.c
@@ -183,16 +183,19 @@ static int mark_raw_hash_blacklisted(const char *hash) { key_ref_t key; - key = key_create_or_update(make_key_ref(blacklist_keyring, true), - "blacklist", - hash, - NULL, - 0, - BLACKLIST_KEY_PERM, - KEY_ALLOC_NOT_IN_QUOTA | - KEY_ALLOC_BUILT_IN); + key = key_create(make_key_ref(blacklist_keyring, true), + "blacklist", + hash, + NULL, + 0, + BLACKLIST_KEY_PERM, + KEY_ALLOC_NOT_IN_QUOTA | + KEY_ALLOC_BUILT_IN); if (IS_ERR(key)) { - pr_err("Problem blacklisting hash %s: %pe\n", hash, key); + if (PTR_ERR(key) == -EEXIST) + pr_warn("Duplicate blacklisted hash %s\n", hash); + else + pr_err("Problem blacklisting hash %s: %pe\n", hash, key); return PTR_ERR(key); } return 0;
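Review bot: mark_raw_hash_blacklisted() still returns PTR_ERR(key), i.e. -EEXIST, after the duplicate has been downgraded to pr_warn(), so any caller that treats a negative return as a failure and logs or counts it will report the same duplicate a second time at its own severity, undoing the point of the patch. If a duplicate is benign, as the commit message argues, return 0 on the -EEXIST branch (or document that callers must ignore -EEXIST), and say in the commit message which of the two was chosen. The switch from key_create_or_update() to key_create() is the right call for a blacklist: an entry should never be silently replaced, and surfacing the duplicate per hash, rather than once, is the granularity an OEM checking its firmware-supplied list needs.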