From: Mimi Zohar <zohar@linux.ibm.com>
To: Nayna Jain <nayna@linux.ibm.com>,
linuxppc-dev@ozlabs.org, linux-efi@vger.kernel.org,
linux-integrity@vger.kernel.org
Cc: linux-kernel@vger.kernel.org,
Michael Ellerman <mpe@ellerman.id.au>,
Benjamin Herrenschmidt <benh@kernel.crashing.org>,
Paul Mackerras <paulus@samba.org>,
Ard Biesheuvel <ard.biesheuvel@linaro.org>,
Jeremy Kerr <jk@ozlabs.org>,
Matthew Garret <matthew.garret@nebula.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Claudio Carvalho <cclaudio@linux.ibm.com>,
George Wilson <gcwilson@linux.ibm.com>,
Elaine Palmer <erpalmer@us.ibm.com>,
Eric Ricther <erichte@linux.ibm.com>,
"Oliver O'Halloran" <oohall@gmail.com>
Subject: Re: [PATCH v7 6/8] certs: add wrapper function to check blacklisted binary hash
Date: Fri, 11 Oct 2019 09:18:17 -0400 [thread overview]
Message-ID: <1570799897.5250.79.camel@linux.ibm.com> (raw)
In-Reply-To: <1570497267-13672-7-git-send-email-nayna@linux.ibm.com>
On Mon, 2019-10-07 at 21:14 -0400, Nayna Jain wrote:
> The existing is_hash_blacklisted() function returns -EKEYREJECTED
> error code for both the blacklisted keys and binaries.
>
> This patch adds a wrapper function is_binary_blacklisted() to check
> against binary hashes and returns -EPERM.
>
> Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
This patch description describes what you're doing, not the
motivation.
Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
> ---
> certs/blacklist.c | 9 +++++++++
> include/keys/system_keyring.h | 6 ++++++
> 2 files changed, 15 insertions(+)
>
> diff --git a/certs/blacklist.c b/certs/blacklist.c
> index ec00bf337eb6..6514f9ebc943 100644
> --- a/certs/blacklist.c
> +++ b/certs/blacklist.c
> @@ -135,6 +135,15 @@ int is_hash_blacklisted(const u8 *hash, size_t hash_len, const char *type)
> }
> EXPORT_SYMBOL_GPL(is_hash_blacklisted);
>
> +int is_binary_blacklisted(const u8 *hash, size_t hash_len)
> +{
> + if (is_hash_blacklisted(hash, hash_len, "bin") == -EKEYREJECTED)
> + return -EPERM;
> +
> + return 0;
> +}
> +EXPORT_SYMBOL_GPL(is_binary_blacklisted);
> +
> /*
> * Initialise the blacklist
> */
> diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h
> index c1a96fdf598b..fb8b07daa9d1 100644
> --- a/include/keys/system_keyring.h
> +++ b/include/keys/system_keyring.h
> @@ -35,12 +35,18 @@ extern int restrict_link_by_builtin_and_secondary_trusted(
> extern int mark_hash_blacklisted(const char *hash);
> extern int is_hash_blacklisted(const u8 *hash, size_t hash_len,
> const char *type);
> +extern int is_binary_blacklisted(const u8 *hash, size_t hash_len);
> #else
> static inline int is_hash_blacklisted(const u8 *hash, size_t hash_len,
> const char *type)
> {
> return 0;
> }
> +
> +static inline int is_binary_blacklisted(const u8 *hash, size_t hash_len)
> +{
> + return 0;
> +}
> #endif
>
> #ifdef CONFIG_IMA_BLACKLIST_KEYRING
WARNING: multiple messages have this Message-ID (diff)
From: Mimi Zohar <zohar@linux.ibm.com>
To: Nayna Jain <nayna@linux.ibm.com>,
linuxppc-dev@ozlabs.org, linux-efi@vger.kernel.org,
linux-integrity@vger.kernel.org
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>,
Eric Ricther <erichte@linux.ibm.com>,
linux-kernel@vger.kernel.org,
Claudio Carvalho <cclaudio@linux.ibm.com>,
Matthew Garret <matthew.garret@nebula.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Paul Mackerras <paulus@samba.org>, Jeremy Kerr <jk@ozlabs.org>,
Elaine Palmer <erpalmer@us.ibm.com>,
Oliver O'Halloran <oohall@gmail.com>,
George Wilson <gcwilson@linux.ibm.com>
Subject: Re: [PATCH v7 6/8] certs: add wrapper function to check blacklisted binary hash
Date: Fri, 11 Oct 2019 09:18:17 -0400 [thread overview]
Message-ID: <1570799897.5250.79.camel@linux.ibm.com> (raw)
In-Reply-To: <1570497267-13672-7-git-send-email-nayna@linux.ibm.com>
On Mon, 2019-10-07 at 21:14 -0400, Nayna Jain wrote:
> The existing is_hash_blacklisted() function returns -EKEYREJECTED
> error code for both the blacklisted keys and binaries.
>
> This patch adds a wrapper function is_binary_blacklisted() to check
> against binary hashes and returns -EPERM.
>
> Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
This patch description describes what you're doing, not the
motivation.
Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
> ---
> certs/blacklist.c | 9 +++++++++
> include/keys/system_keyring.h | 6 ++++++
> 2 files changed, 15 insertions(+)
>
> diff --git a/certs/blacklist.c b/certs/blacklist.c
> index ec00bf337eb6..6514f9ebc943 100644
> --- a/certs/blacklist.c
> +++ b/certs/blacklist.c
> @@ -135,6 +135,15 @@ int is_hash_blacklisted(const u8 *hash, size_t hash_len, const char *type)
> }
> EXPORT_SYMBOL_GPL(is_hash_blacklisted);
>
> +int is_binary_blacklisted(const u8 *hash, size_t hash_len)
> +{
> + if (is_hash_blacklisted(hash, hash_len, "bin") == -EKEYREJECTED)
> + return -EPERM;
> +
> + return 0;
> +}
> +EXPORT_SYMBOL_GPL(is_binary_blacklisted);
> +
> /*
> * Initialise the blacklist
> */
> diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h
> index c1a96fdf598b..fb8b07daa9d1 100644
> --- a/include/keys/system_keyring.h
> +++ b/include/keys/system_keyring.h
> @@ -35,12 +35,18 @@ extern int restrict_link_by_builtin_and_secondary_trusted(
> extern int mark_hash_blacklisted(const char *hash);
> extern int is_hash_blacklisted(const u8 *hash, size_t hash_len,
> const char *type);
> +extern int is_binary_blacklisted(const u8 *hash, size_t hash_len);
> #else
> static inline int is_hash_blacklisted(const u8 *hash, size_t hash_len,
> const char *type)
> {
> return 0;
> }
> +
> +static inline int is_binary_blacklisted(const u8 *hash, size_t hash_len)
> +{
> + return 0;
> +}
> #endif
>
> #ifdef CONFIG_IMA_BLACKLIST_KEYRING
next prev parent reply other threads:[~2019-10-11 13:18 UTC|newest]
Thread overview: 44+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-10-08 1:14 [PATCH v7 0/8] powerpc: Enabling IMA arch specific secure boot policies Nayna Jain
2019-10-08 1:14 ` Nayna Jain
2019-10-08 1:14 ` [PATCH v7 1/8] powerpc: detect the secure boot mode of the system Nayna Jain
2019-10-08 1:14 ` Nayna Jain
2019-10-15 11:30 ` Michael Ellerman
2019-10-15 11:30 ` Michael Ellerman
2019-10-08 1:14 ` [PATCH v7 2/8] powerpc: add support to initialize ima policy rules Nayna Jain
2019-10-08 1:14 ` Nayna Jain
2019-10-11 13:12 ` Mimi Zohar
2019-10-11 13:12 ` Mimi Zohar
2019-10-15 9:59 ` Michael Ellerman
2019-10-15 9:59 ` Michael Ellerman
2019-10-15 11:29 ` Michael Ellerman
2019-10-15 11:29 ` Michael Ellerman
2019-10-17 12:58 ` Nayna
2019-10-17 12:58 ` Nayna
2019-10-08 1:14 ` [PATCH v7 3/8] powerpc: detect the trusted boot state of the system Nayna Jain
2019-10-08 1:14 ` Nayna Jain
2019-10-15 10:23 ` Michael Ellerman
2019-10-15 10:23 ` Michael Ellerman
2019-10-08 1:14 ` [PATCH v7 4/8] powerpc/ima: add measurement rules to ima arch specific policy Nayna Jain
2019-10-08 1:14 ` Nayna Jain
2019-10-15 11:29 ` Michael Ellerman
2019-10-15 11:29 ` Michael Ellerman
2019-10-19 18:27 ` Nayna
2019-10-19 18:27 ` Nayna
2019-10-08 1:14 ` [PATCH v7 5/8] ima: make process_buffer_measurement() generic Nayna Jain
2019-10-08 1:14 ` Nayna Jain
2019-10-11 13:14 ` Mimi Zohar
2019-10-11 13:14 ` Mimi Zohar
2019-10-08 1:14 ` [PATCH v7 6/8] certs: add wrapper function to check blacklisted binary hash Nayna Jain
2019-10-08 1:14 ` Nayna Jain
2019-10-11 13:18 ` Mimi Zohar [this message]
2019-10-11 13:18 ` Mimi Zohar
2019-10-08 1:14 ` [PATCH v7 7/8] ima: check against blacklisted hashes for files with modsig Nayna Jain
2019-10-08 1:14 ` Nayna Jain
2019-10-11 13:19 ` Mimi Zohar
2019-10-11 13:19 ` Mimi Zohar
2019-10-19 18:30 ` Nayna
2019-10-19 18:30 ` Nayna
2019-10-08 1:14 ` [PATCH v7 8/8] powerpc/ima: update ima arch policy to check for blacklist Nayna Jain
2019-10-08 1:14 ` Nayna Jain
2019-10-11 13:19 ` Mimi Zohar
2019-10-11 13:19 ` Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1570799897.5250.79.camel@linux.ibm.com \
--to=zohar@linux.ibm.com \
--cc=ard.biesheuvel@linaro.org \
--cc=benh@kernel.crashing.org \
--cc=cclaudio@linux.ibm.com \
--cc=erichte@linux.ibm.com \
--cc=erpalmer@us.ibm.com \
--cc=gcwilson@linux.ibm.com \
--cc=gregkh@linuxfoundation.org \
--cc=jk@ozlabs.org \
--cc=linux-efi@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linuxppc-dev@ozlabs.org \
--cc=matthew.garret@nebula.com \
--cc=mpe@ellerman.id.au \
--cc=nayna@linux.ibm.com \
--cc=oohall@gmail.com \
--cc=paulus@samba.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.