27 Jun, 2018

1 commit

• 2e20ce4a6   certs/blacklist: fix const confusion ... Browse Code »

  Fixes commit 2be04df5668d ("certs/blacklist_nohashes.c: fix const confusion
  in certs blacklist")

  Signed-off-by: Nick Desaulniers
  Signed-off-by: David Howells
  Signed-off-by: James Morris

  Nick Desaulniers

  2018-06-27 00:43:03 +0800  

03 Apr, 2017

1 commit

• 734114f87   KEYS: Add a system blacklist keyring ... Browse Code »

  Add the following:

  (1) A new system keyring that is used to store information about
  blacklisted certificates and signatures.

  (2) A new key type (called 'blacklist') that is used to store a
  blacklisted hash in its description as a hex string. The key accepts
  no payload.

  (3) The ability to configure a list of blacklisted hashes into the kernel
  at build time. This is done by setting
  CONFIG_SYSTEM_BLACKLIST_HASH_LIST to the filename of a list of hashes
  that are in the form:

  "", "", ..., ""

  where each is a hex string representation of the hash and must
  include all necessary leading zeros to pad the hash to the right size.

  The above are enabled with CONFIG_SYSTEM_BLACKLIST_KEYRING.

  Once the kernel is booted, the blacklist keyring can be listed:

  root@andromeda ~]# keyctl show %:.blacklist
  Keyring
  723359729 ---lswrv 0 0 keyring: .blacklist
  676257228 ---lswrv 0 0 \_ blacklist: 123412341234c55c1dcc601ab8e172917706aa32fb5eaf826813547fdf02dd46

  The blacklist cannot currently be modified by userspace, but it will be
  possible to load it, for example, from the UEFI blacklist database.

  A later commit will make it possible to load blacklisted asymmetric keys in
  here too.

  Signed-off-by: David Howells

  David Howells

  2017-04-03 23:07:24 +0800