Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

certs: Check that builtin blacklist hashes are valid

Add and use a check-blacklist-hashes.awk script to make sure that the
builtin blacklist hashes set with CONFIG_SYSTEM_BLACKLIST_HASH_LIST will
effectively be taken into account as blacklisted hashes. This is useful
to debug invalid hash formats, and it makes sure that previous hashes
which could have been loaded in the kernel, but silently ignored, are
now noticed and dealt with by the user at kernel build time.

This also prevents stricter blacklist key description checking (provided
by following commits) from failing for builtin hashes.

Update CONFIG_SYSTEM_BLACKLIST_HASH_LIST help to explain the content of
a hash string and how to generate certificate ones.

Cc: David Howells <dhowells@redhat.com>
Cc: David Woodhouse <dwmw2@infradead.org>
Cc: Eric Snowberg <eric.snowberg@oracle.com>
Cc: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
Link: https://lore.kernel.org/r/20210712170313.884724-3-mic@digikod.net
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>

Authored by Mickaël Salaün and committed by Jarkko Sakkinen
addf4663 bf21dc59

+57 -3
+1
MAINTAINERS
··· 4575 4575 S: Maintained 4576 4576 F: Documentation/admin-guide/module-signing.rst 4577 4577 F: certs/ 4578 + F: scripts/check-blacklist-hashes.awk 4578 4579 F: scripts/sign-file.c 4579 4580 F: tools/certs/ 4580 4581
+1
certs/.gitignore
··· 1 1 # SPDX-License-Identifier: GPL-2.0-only 2 + /blacklist_hashes_checked 2 3 /extract-cert 3 4 /x509_certificate_list 4 5 /x509_revocation_list
+5 -2
certs/Kconfig
··· 104 104 help 105 105 If set, this option should be the filename of a list of hashes in the 106 106 form "<hash>", "<hash>", ... . This will be included into a C 107 - wrapper to incorporate the list into the kernel. Each <hash> should 108 - be a string of hex digits. 107 + wrapper to incorporate the list into the kernel. Each <hash> must be a 108 + string starting with a prefix ("tbs" or "bin"), then a colon (":"), and 109 + finally an even number of hexadecimal lowercase characters (up to 128). 110 + Certificate hashes can be generated with 111 + tools/certs/print-cert-tbs-hash.sh . 109 112 110 113 config SYSTEM_REVOCATION_LIST 111 114 bool "Provide system-wide ring of revocation certificates"
+13 -1
certs/Makefile
··· 7 7 obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist.o common.o 8 8 obj-$(CONFIG_SYSTEM_REVOCATION_LIST) += revocation_certificates.o 9 9 ifneq ($(CONFIG_SYSTEM_BLACKLIST_HASH_LIST),) 10 + quiet_cmd_check_blacklist_hashes = CHECK $(patsubst "%",%,$(2)) 11 + cmd_check_blacklist_hashes = $(AWK) -f $(srctree)/scripts/check-blacklist-hashes.awk $(2); touch $@ 12 + 13 + $(eval $(call config_filename,SYSTEM_BLACKLIST_HASH_LIST)) 14 + 15 + $(obj)/blacklist_hashes.o: $(obj)/blacklist_hashes_checked 16 + 17 + CFLAGS_blacklist_hashes.o += -I$(srctree) 18 + 19 + targets += blacklist_hashes_checked 20 + $(obj)/blacklist_hashes_checked: $(SYSTEM_BLACKLIST_HASH_LIST_SRCPREFIX)$(SYSTEM_BLACKLIST_HASH_LIST_FILENAME) scripts/check-blacklist-hashes.awk FORCE 21 + $(call if_changed,check_blacklist_hashes,$(SYSTEM_BLACKLIST_HASH_LIST_SRCPREFIX)$(CONFIG_SYSTEM_BLACKLIST_HASH_LIST)) 10 22 obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist_hashes.o 11 23 else 12 24 obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist_nohashes.o ··· 33 21 $(obj)/x509_certificate_list: $(CONFIG_SYSTEM_TRUSTED_KEYS) $(obj)/extract-cert FORCE 34 22 $(call if_changed,extract_certs) 35 23 36 - targets += x509_certificate_list 24 + targets += x509_certificate_list blacklist_hashes_checked 37 25 38 26 # If module signing is requested, say by allyesconfig, but a key has not been 39 27 # supplied, then one will need to be generated to make sure the build does not
+37
scripts/check-blacklist-hashes.awk
··· 1 + #!/usr/bin/awk -f 2 + # SPDX-License-Identifier: GPL-2.0 3 + # 4 + # Copyright © 2020, Microsoft Corporation. All rights reserved. 5 + # 6 + # Author: Mickaël Salaün <mic@linux.microsoft.com> 7 + # 8 + # Check that a CONFIG_SYSTEM_BLACKLIST_HASH_LIST file contains a valid array of 9 + # hash strings. Such string must start with a prefix ("tbs" or "bin"), then a 10 + # colon (":"), and finally an even number of hexadecimal lowercase characters 11 + # (up to 128). 12 + 13 + BEGIN { 14 + RS = "," 15 + } 16 + { 17 + if (!match($0, "^[ \t\n\r]*\"([^\"]*)\"[ \t\n\r]*$", part1)) { 18 + print "Not a string (item " NR "):", $0; 19 + exit 1; 20 + } 21 + if (!match(part1[1], "^(tbs|bin):(.*)$", part2)) { 22 + print "Unknown prefix (item " NR "):", part1[1]; 23 + exit 1; 24 + } 25 + if (!match(part2[2], "^([0-9a-f]+)$", part3)) { 26 + print "Not a lowercase hexadecimal string (item " NR "):", part2[2]; 27 + exit 1; 28 + } 29 + if (length(part3[1]) > 128) { 30 + print "Hash string too long (item " NR "):", part3[1]; 31 + exit 1; 32 + } 33 + if (length(part3[1]) % 2 == 1) { 34 + print "Not an even number of hexadecimal characters (item " NR "):", part3[1]; 35 + exit 1; 36 + } 37 + }
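
Review bot: in the certs/Kconfig help text, the new wording names the prefixes "tbs" and "bin" but does not say what each one denotes, so a reader still cannot tell which prefix to use for a given hash. Suggest adding one sentence per prefix. The help also points at tools/certs/print-cert-tbs-hash.sh, which this patch does not add, so the reference only resolves if an earlier patch in the series provides that script.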
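
Review bot: in the first certs/Makefile hunk, the rule for $(obj)/blacklist_hashes_checked names the checker two ways: the prerequisite is "scripts/check-blacklist-hashes.awk" while the command runs "$(srctree)/scripts/check-blacklist-hashes.awk". Use the $(srctree)/ form in both places so the dependency and the file actually executed are the same path. The command also joins the check and the stamp with "; touch $@", which writes the stamp only on success if the invoking shell aborts on error; "&& touch $@" makes that explicit, so a failed check can never leave blacklist_hashes_checked behind and let a later build skip the validation.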
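
Review bot: blacklist_hashes_checked is added to targets twice in certs/Makefile, once in the first hunk inside the ifneq ($(CONFIG_SYSTEM_BLACKLIST_HASH_LIST),) block and again in the second hunk, where "targets += x509_certificate_list" becomes "targets += x509_certificate_list blacklist_hashes_checked". The second entry sits with the x509_certificate_list rule rather than with the hash check. Keep the entry next to the rule it belongs to and leave the x509_certificate_list line unchanged.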
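
Review bot: scripts/check-blacklist-hashes.awk calls match() with a third array argument (part1, part2, part3), which is a gawk extension, while the shebang is "#!/usr/bin/awk -f" and the Makefile runs the script through $(AWK). On a build host where awk is not gawk the script will not run as written, so the build breaks for a reason unrelated to the hash list. Either state the gawk requirement or rewrite the captures with two-argument match() and substr() on RSTART/RLENGTH. Smaller point in the same file: the diagnostics go to stdout via plain print; sending them to "/dev/stderr" keeps them visible when build output is filtered. An empty input file produces no records and therefore passes silently, which is worth a comment in the header if it is intended.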