linux-next/certs
Mickaël Salaün addf466389 certs: Check that builtin blacklist hashes are valid
Add and use a check-blacklist-hashes.awk script to make sure that the
builtin blacklist hashes set with CONFIG_SYSTEM_BLACKLIST_HASH_LIST will
effectively be taken into account as blacklisted hashes.  This is useful
to debug invalid hash formats, and it make sure that previous hashes
which could have been loaded in the kernel, but silently ignored, are
now noticed and deal with by the user at kernel build time.

This also prevent stricter blacklist key description checking (provided
by following commits) to failed for builtin hashes.

Update CONFIG_SYSTEM_BLACKLIST_HASH_LIST help to explain the content of
a hash string and how to generate certificate ones.

Cc: David Howells <dhowells@redhat.com>
Cc: David Woodhouse <dwmw2@infradead.org>
Cc: Eric Snowberg <eric.snowberg@oracle.com>
Cc: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
Link: https://lore.kernel.org/r/20210712170313.884724-3-mic@digikod.net
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
2022-05-23 18:47:49 +03:00
..
.gitignore certs: Check that builtin blacklist hashes are valid 2022-05-23 18:47:49 +03:00
blacklist_hashes.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
blacklist_nohashes.c certs/blacklist_nohashes.c: fix const confusion in certs blacklist 2018-02-21 15:35:43 -08:00
blacklist.c certs: Make blacklist_vet_description() more strict 2022-05-23 18:47:49 +03:00
blacklist.h certs: Add EFI_CERT_X509_GUID support for dbx entries 2021-03-11 16:31:28 +00:00
common.c certs: Move load_system_certificate_list to a common function 2021-03-11 16:32:38 +00:00
common.h certs: Move load_system_certificate_list to a common function 2021-03-11 16:32:38 +00:00
default_x509.genkey certs: check-in the default x509 config file 2021-12-11 22:09:14 +09:00
extract-cert.c certs: move scripts/extract-cert to certs/ 2022-01-08 18:28:21 +09:00
Kconfig certs: Check that builtin blacklist hashes are valid 2022-05-23 18:47:49 +03:00
Makefile certs: Check that builtin blacklist hashes are valid 2022-05-23 18:47:49 +03:00
revocation_certificates.S certs: Add ability to preload revocation certs 2021-03-11 16:33:49 +00:00
system_certificates.S certs: include certs/signing_key.x509 unconditionally 2022-03-03 08:16:19 +09:00
system_keyring.c KEYS: Introduce link restriction for machine keys 2022-03-08 13:55:52 +02:00