From e90886291c7cd89577bf11729b205cc0ed42fbec Mon Sep 17 00:00:00 2001
From: Adam Borowski
Date: Mon, 18 Jul 2022 15:50:34 +0200
Subject: certs: make system keyring depend on x509 parser

This code requires x509_load_certificate_list() to be built-in.

Fixes: 60050ffe3d77 ("certs: Move load_certificate_list() to be with the asymmetric keys code")
Reported-by: kernel test robot
Reported-by: Steven Rostedt
Link: https://lore.kernel.org/all/202206221515.DqpUuvbQ-lkp@intel.com/
Link: https://lore.kernel.org/all/20220712104554.408dbf42@gandalf.local.home/
Signed-off-by: Adam Borowski
Signed-off-by: Linus Torvalds
---
 certs/Kconfig | 1 +
 1 file changed, 1 insertion(+)

(limited to 'certs')

diff --git a/certs/Kconfig b/certs/Kconfig
index 476755703cf8..bf9b511573d7 100644
--- a/certs/Kconfig
+++ b/certs/Kconfig
@@ -43,6 +43,7 @@ config SYSTEM_TRUSTED_KEYRING
 	bool "Provide system-wide ring of trusted keys"
 	depends on KEYS
 	depends on ASYMMETRIC_KEY_TYPE
+	depends on X509_CERTIFICATE_PARSER
 	help
 	  Provide a system keyring to which trusted keys can be added. Keys in
 	  the keyring are considered to be trusted. Keys may be added at will
-- 
cgit v1.2.3

From 9008a676662a77ab98727d05bdffa0e3c38cba53 Mon Sep 17 00:00:00 2001
From: Masahiro Yamada
Date: Sun, 12 Jun 2022 02:22:32 +0900
Subject: certs: move scripts/check-blacklist-hashes.awk to certs/
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This script is only used in certs/Makefile, so certs/ is a better home for it.

Signed-off-by: Masahiro Yamada
Reviewed-by: Mickaël Salaün
Reviewed-by: Jarkko Sakkinen
---
 certs/Makefile | 2 +-
 certs/check-blacklist-hashes.awk | 37 +++++++++++++++++++++++++++++++++++++
 2 files changed, 38 insertions(+), 1 deletion(-)
 create mode 100755 certs/check-blacklist-hashes.awk

(limited to 'certs')

diff --git a/certs/Makefile b/certs/Makefile
index 88a73b28d254..854647dbce05 100644
--- a/certs/Makefile
+++ b/certs/Makefile
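Review bot: The added `depends on X509_CERTIFICATE_PARSER` does not by itself guarantee that the parser is built in, which is what the commit message says the keyring code needs: X509_CERTIFICATE_PARSER is defined outside this file and, if it is a tristate (as I believe it is), Kconfig allows a bool symbol such as SYSTEM_TRUSTED_KEYRING to be set to y while its tristate dependency is only m, leaving x509_load_certificate_list() in a module that the built-in keyring cannot link against. If built-in is the real constraint, state it explicitly with `depends on X509_CERTIFICATE_PARSER = y` (or `select X509_CERTIFICATE_PARSER` if pulling the parser in automatically is preferred). The neighbouring `depends on ASYMMETRIC_KEY_TYPE` has the same shape and may deserve the same treatment, though this commit does not touch it. The config entry's help text continues past the end of the hunk.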
@@ -13,7 +13,7 @@ CFLAGS_blacklist_hashes.o := -I $(obj)
 
 quiet_cmd_check_and_copy_blacklist_hash_list = GEN $@
       cmd_check_and_copy_blacklist_hash_list = \
-	$(AWK) -f $(srctree)/scripts/check-blacklist-hashes.awk $(CONFIG_SYSTEM_BLACKLIST_HASH_LIST) >&2; \
+	$(AWK) -f $(srctree)/$(src)/check-blacklist-hashes.awk $(CONFIG_SYSTEM_BLACKLIST_HASH_LIST) >&2; \
 	cat $(CONFIG_SYSTEM_BLACKLIST_HASH_LIST) > $@
 
 $(obj)/blacklist_hash_list: $(CONFIG_SYSTEM_BLACKLIST_HASH_LIST) FORCE
diff --git a/certs/check-blacklist-hashes.awk b/certs/check-blacklist-hashes.awk
new file mode 100755
index 000000000000..107c1d3204d4
--- /dev/null
+++ b/certs/check-blacklist-hashes.awk
@@ -0,0 +1,37 @@
+#!/usr/bin/awk -f
+# SPDX-License-Identifier: GPL-2.0
+#
+# Copyright © 2020, Microsoft Corporation. All rights reserved.
+#
+# Author: Mickaël Salaün
+#
+# Check that a CONFIG_SYSTEM_BLACKLIST_HASH_LIST file contains a valid array of
+# hash strings. Such string must start with a prefix ("tbs" or "bin"), then a
+# colon (":"), and finally an even number of hexadecimal lowercase characters
+# (up to 128).
BEGIN { RS = "," } { if (!match($0, "^[ \t\n\r]*\"([^\"]*)\"[ \t\n\r]*$", part1)) { print "Not a string (item " NR "):", $0; exit 1; } if (!match(part1[1], "^(tbs|bin):(.*)$", part2)) { print "Unknown prefix (item " NR "):", part1[1]; exit 1; } if (!match(part2[2], "^([0-9a-f]+)$", part3)) { print "Not a lowercase hexadecimal string (item " NR "):", part2[2]; exit 1; } if (length(part3[1]) > 128) { print "Hash string too long (item " NR "):", part3[1]; exit 1; } if (length(part3[1]) % 2 == 1) { print "Not an even number of hexadecimal characters (item " NR "):", part3[1]; exit 1; } }
-- 
cgit v1.2.3

From 31f6d95c2cab1898c05a95f434f54a327431f158 Mon Sep 17 00:00:00 2001
From: Masahiro Yamada
Date: Sun, 12 Jun 2022 02:22:33 +0900
Subject: certs: unify blacklist_hashes.c and blacklist_nohashes.c
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

These two files are very similar. Unify them.

Signed-off-by: Masahiro Yamada
Reviewed-by: Mickaël Salaün
Reviewed-by: Jarkko Sakkinen
---
 certs/Makefile | 12 +++++-------
 certs/blacklist_hashes.c | 1 -
 certs/blacklist_nohashes.c | 6 ------
 3 files changed, 5 insertions(+), 14 deletions(-)
 delete mode 100644 certs/blacklist_nohashes.c

(limited to 'certs')

diff --git a/certs/Makefile b/certs/Makefile
index 854647dbce05..9486ed924731 100644
--- a/certs/Makefile
+++ b/certs/Makefile
@@ -4,24 +4,22 @@
 #
 
 obj-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += system_keyring.o system_certificates.o
-obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist.o
+obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist.o blacklist_hashes.o
 obj-$(CONFIG_SYSTEM_REVOCATION_LIST) += revocation_certificates.o
 
-ifneq ($(CONFIG_SYSTEM_BLACKLIST_HASH_LIST),)
 $(obj)/blacklist_hashes.o: $(obj)/blacklist_hash_list
 CFLAGS_blacklist_hashes.o := -I $(obj)
 
 quiet_cmd_check_and_copy_blacklist_hash_list = GEN $@
       cmd_check_and_copy_blacklist_hash_list = \
+	$(if $(CONFIG_SYSTEM_BLACKLIST_HASH_LIST), \
 	$(AWK) -f $(srctree)/$(src)/check-blacklist-hashes.awk $(CONFIG_SYSTEM_BLACKLIST_HASH_LIST) >&2; \
-	cat $(CONFIG_SYSTEM_BLACKLIST_HASH_LIST) > $@
+	{ cat $(CONFIG_SYSTEM_BLACKLIST_HASH_LIST); echo $(comma) NULL; } > $@, \
+	echo NULL > $@)
 
 $(obj)/blacklist_hash_list: $(CONFIG_SYSTEM_BLACKLIST_HASH_LIST) FORCE
 	$(call if_changed,check_and_copy_blacklist_hash_list)
-obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist_hashes.o
-else
-obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist_nohashes.o
-endif
+
 targets += blacklist_hash_list
 
 quiet_cmd_extract_certs = CERT $@
diff --git a/certs/blacklist_hashes.c b/certs/blacklist_hashes.c
index 86d66fe11348..0c5476abebd9 100644
--- a/certs/blacklist_hashes.c
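Review bot: The rewritten `cmd_check_and_copy_blacklist_hash_list` still joins the awk validation and the copy with `;`, so a failed check only aborts generation if the shell running the recipe is in `set -e` mode (Kbuild's `cmd` wrapper presumably does this, but that is not visible here); since the whole point of the awk pass is to refuse a malformed blacklist, making the copy conditional on it directly would remove that dependence: `$(AWK) -f $(srctree)/$(src)/check-blacklist-hashes.awk $(CONFIG_SYSTEM_BLACKLIST_HASH_LIST) >&2 && \`. The new `$(if …)` form also changes what the generated file contains — it now carries the array's terminator (`, NULL` appended, or a bare `NULL` when no list is configured) — and nothing in the Makefile says so; a comment above `quiet_cmd_check_and_copy_blacklist_hash_list` such as `# Generate blacklist_hash_list: the validated hash list followed by the NULL terminator, or just NULL when no list is configured` would save the next reader from having to reconstruct that from the shell fragments. `$(comma)` is not defined in this file; I assume it comes from Kbuild.include.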
+++ b/certs/blacklist_hashes.c
@@ -3,5 +3,4 @@
 
 const char __initconst *const blacklist_hashes[] = {
 #include "blacklist_hash_list"
-	, NULL
 };
diff --git a/certs/blacklist_nohashes.c b/certs/blacklist_nohashes.c
deleted file mode 100644
index 753b703ef0ef..000000000000
--- a/certs/blacklist_nohashes.c
+++ /dev/null
@@ -1,6 +0,0 @@
-// SPDX-License-Identifier: GPL-2.0
-#include "blacklist.h"
-
-const char __initconst *const blacklist_hashes[] = {
-	NULL
-};
-- 
cgit v1.2.3
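Review bot: With `, NULL` removed, blacklist_hashes.c no longer shows the sentinel that ends `blacklist_hashes[]`; it now arrives inside the generated `blacklist_hash_list`, and nothing in the C file tells a reader that the included file is generated by certs/Makefile or that it is responsible for the terminator the consumer of this array presumably stops at. A comment above the `#include` would make that contract explicit, e.g. `/* Generated by certs/Makefile from CONFIG_SYSTEM_BLACKLIST_HASH_LIST; always ends with the terminating NULL entry. */`. The array definition is fully inside the hunk; only the file's SPDX and `#include "blacklist.h"` lines lie outside it.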