Re: [PATCH v3 08/10] certs: Check that builtin blacklist hashes are valid

[PATCH v3 00/10] Enable root to update the blacklist keyring · Mickaël Salaün <mic@digikod.net> · 2021-01-14
[PATCH v3 04/10] certs: Fix blacklist flag type confusion · Mickaël Salaün <mic@digikod.net> · 2021-01-14
Re: [PATCH v3 04/10] certs: Fix blacklist flag type confusion · Jarkko Sakkinen <jarkko@kernel.org> · 2021-01-20
Re: [PATCH v3 04/10] certs: Fix blacklist flag type confusion · Mickaël Salaün <mic@digikod.net> · 2021-01-20
Re: [PATCH v3 04/10] certs: Fix blacklist flag type confusion · Jarkko Sakkinen <jarkko@kernel.org> · 2021-01-21
[PATCH v3 07/10] certs: Factor out the blacklist hash creation · Mickaël Salaün <mic@digikod.net> · 2021-01-14
[PATCH v3 08/10] certs: Check that builtin blacklist hashes are valid · Mickaël Salaün <mic@digikod.net> · 2021-01-14
Re: [PATCH v3 08/10] certs: Check that builtin blacklist hashes are valid · Jarkko Sakkinen <jarkko@kernel.org> · 2021-01-20
Re: [PATCH v3 08/10] certs: Check that builtin blacklist hashes are valid · Mickaël Salaün <mic@digikod.net> · 2021-01-20
Re: [PATCH v3 08/10] certs: Check that builtin blacklist hashes are valid · Jarkko Sakkinen <jarkko@kernel.org> · 2021-01-21
Re: [PATCH v3 08/10] certs: Check that builtin blacklist hashes are valid · Mickaël Salaün <mic@digikod.net> · 2021-01-21
Re: [PATCH v3 08/10] certs: Check that builtin blacklist hashes are valid · Jarkko Sakkinen <jarkko@kernel.org> · 2021-01-21
[PATCH v3 06/10] certs: Make blacklist_vet_description() more strict · Mickaël Salaün <mic@digikod.net> · 2021-01-14
Re: [PATCH v3 06/10] certs: Make blacklist_vet_description() more strict · Jarkko Sakkinen <jarkko@kernel.org> · 2021-01-20
Re: [PATCH v3 06/10] certs: Make blacklist_vet_description() more strict · Mickaël Salaün <mic@digikod.net> · 2021-01-20
[PATCH v3 01/10] certs/blacklist: fix kernel doc interface issue · Mickaël Salaün <mic@digikod.net> · 2021-01-14
Re: [PATCH v3 01/10] certs/blacklist: fix kernel doc interface issue · Jarkko Sakkinen <jarkko@kernel.org> · 2021-01-20
[PATCH v3 03/10] PKCS#7: Fix missing include · Mickaël Salaün <mic@digikod.net> · 2021-01-14
Re: [PATCH v3 03/10] PKCS#7: Fix missing include · Jarkko Sakkinen <jarkko@kernel.org> · 2021-01-20
[PATCH v3 05/10] certs: Replace K{U,G}IDT_INIT() with GLOBAL_ROOT_{U,G}ID · Mickaël Salaün <mic@digikod.net> · 2021-01-14
Re: [PATCH v3 05/10] certs: Replace K{U,G}IDT_INIT() with GLOBAL_ROOT_{U,G}ID · Jarkko Sakkinen <jarkko@kernel.org> · 2021-01-20
Re: [PATCH v3 05/10] certs: Replace K{U,G}IDT_INIT() with GLOBAL_ROOT_{U,G}ID · Mickaël Salaün <mic@digikod.net> · 2021-01-20
Re: [PATCH v3 05/10] certs: Replace K{U,G}IDT_INIT() with GLOBAL_ROOT_{U,G}ID · Jarkko Sakkinen <jarkko@kernel.org> · 2021-01-21
[PATCH v3 09/10] certs: Allow root user to append signed hashes to the blacklist keyring · Mickaël Salaün <mic@digikod.net> · 2021-01-14
Re: [PATCH v3 09/10] certs: Allow root user to append signed hashes to the blacklist keyring · Mimi Zohar <zohar@linux.ibm.com> · 2021-01-15
Re: [PATCH v3 09/10] certs: Allow root user to append signed hashes to the blacklist keyring · Jarkko Sakkinen <jarkko@kernel.org> · 2021-01-20
Re: [PATCH v3 09/10] certs: Allow root user to append signed hashes to the blacklist keyring · Mickaël Salaün <mic@digikod.net> · 2021-01-20
[PATCH v3 10/10] tools/certs: Add print-cert-tbs-hash.sh · Mickaël Salaün <mic@digikod.net> · 2021-01-14
[PATCH v3 02/10] certs: Fix blacklisted hexadecimal hash string check · Mickaël Salaün <mic@digikod.net> · 2021-01-14
Re: [PATCH v3 02/10] certs: Fix blacklisted hexadecimal hash string check · Jarkko Sakkinen <jarkko@kernel.org> · 2021-01-20
Re: [PATCH v3 02/10] certs: Fix blacklisted hexadecimal hash string check · Mickaël Salaün <mic@digikod.net> · 2021-01-20
Re: [PATCH v3 02/10] certs: Fix blacklisted hexadecimal hash string check · Jarkko Sakkinen <jarkko@kernel.org> · 2021-01-21
Re: [PATCH v3 00/10] Enable root to update the blacklist keyring · Jarkko Sakkinen <jarkko@kernel.org> · 2021-01-15

From: Jarkko Sakkinen <jarkko@kernel.org>
Date: 2021-01-20 05:30:33
Also in: keyrings, linux-crypto, linux-security-module, lkml

On Thu, Jan 14, 2021 at 04:19:07PM +0100, Mickaël Salaün wrote:

From: Mickaël Salaün <redacted>

Add and use a check-blacklist-hashes.awk script to make sure that the
builtin blacklist hashes will be approved by the run time blacklist
description checks.  This is useful to debug invalid hash formats, and
it make sure that previous hashes which could have been loaded in the
kernel (but ignored) are now noticed and deal with by the user.

Cc: David Howells <dhowells@redhat.com>
Cc: David Woodhouse <dwmw2@infradead.org>
Signed-off-by: Mickaël Salaün <redacted>
Acked-by: Jarkko Sakkinen <jarkko@kernel.org>

I get this with a self-signed cert:

certs/Makefile:18: *** target pattern contains no '%'.  Stop.

CONFIG_SYSTEM_BLACKLIST_HASH_LIST="tbs:8eed1340eef37c1dc84d996406ad05c7dbb3eade19132d688408ca2f63904869"

I used the script in 10/10 to test this, which is another
reamark: the patches are in invalid order, as you need to
apply 10/10 before you can test  8/10.

/Jarkko

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help