From patchwork Fri Dec 11 19:03:26 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= X-Patchwork-Id: 342060 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-16.7 required=3.0 tests=BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI, SPF_HELO_NONE, SPF_PASS, URIBL_BLOCKED, USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id B33D6C433FE for ; Fri, 11 Dec 2020 20:48:33 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 778FF24058 for ; Fri, 11 Dec 2020 20:48:33 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2388518AbgLKTEn (ORCPT ); Fri, 11 Dec 2020 14:04:43 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58820 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2390209AbgLKTEi (ORCPT ); Fri, 11 Dec 2020 14:04:38 -0500 Received: from smtp-42ab.mail.infomaniak.ch (smtp-42ab.mail.infomaniak.ch [IPv6:2001:1600:3:17::42ab]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id DE44EC061794 for ; Fri, 11 Dec 2020 11:03:45 -0800 (PST) Received: from smtp-2-0001.mail.infomaniak.ch (unknown [10.5.36.108]) by smtp-2-3000.mail.infomaniak.ch (Postfix) with ESMTPS id 4Ct0Yr4b9Yzlh9wN; Fri, 11 Dec 2020 20:03:44 +0100 (CET) Received: from localhost (unknown [23.97.221.149]) by smtp-2-0001.mail.infomaniak.ch (Postfix) with ESMTPA id 4Ct0Yq6lwpzlh8T5; Fri, 11 Dec 2020 20:03:43 +0100 (CET) From: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= To: David Howells , David Woodhouse , Jarkko Sakkinen Cc: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= , "David S . Miller" , Herbert Xu , James Morris , =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= , Mimi Zohar , "Serge E . Hallyn" , keyrings@vger.kernel.org, linux-crypto@vger.kernel.org, linux-integrity@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org Subject: [PATCH v2 1/5] certs: Make blacklist_vet_description() more strict Date: Fri, 11 Dec 2020 20:03:26 +0100 Message-Id: <20201211190330.2586116-2-mic@digikod.net> X-Mailer: git-send-email 2.29.2 In-Reply-To: <20201211190330.2586116-1-mic@digikod.net> References: <20201211190330.2586116-1-mic@digikod.net> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org From: Mickaël Salaün Before exposing this new key type to user space, make sure that only meaningful blacklisted hashes are accepted. This is also checked for builtin blacklisted hashes, but a following commit make sure that the user will notice (at built time) and will fix the configuration if it already included errors. Check that a blacklist key description starts with a valid prefix and then a valid hexadecimal string. Cc: David Howells Cc: David Woodhouse Signed-off-by: Mickaël Salaün --- Changes since v1: * Return ENOPKG (instead of EINVAL) when a hash is greater than the maximum currently known hash (suggested by David Howells). --- certs/blacklist.c | 46 ++++++++++++++++++++++++++++++++++++---------- 1 file changed, 36 insertions(+), 10 deletions(-) diff --git a/certs/blacklist.c b/certs/blacklist.c index bffe4c6f4a9e..9ea7d4eb6bfb 100644 --- a/certs/blacklist.c +++ b/certs/blacklist.c @@ -18,6 +18,16 @@ #include #include "blacklist.h" +/* + * According to crypto/asymmetric_keys/x509_cert_parser.c:x509_note_pkey_algo(), + * the size of the currently longest supported hash algorithm is 512 bits, + * which translates into 128 hex characters. + */ +#define MAX_HASH_LEN 128 + +static const char tbs_prefix[] = "tbs"; +static const char bin_prefix[] = "bin"; + static struct key *blacklist_keyring; /* @@ -26,24 +36,40 @@ static struct key *blacklist_keyring; */ static int blacklist_vet_description(const char *desc) { - int n = 0; - - if (*desc == ':') - return -EINVAL; - for (; *desc; desc++) - if (*desc == ':') - goto found_colon; + int i, prefix_len, tbs_step = 0, bin_step = 0; + + /* The following algorithm only works if prefix lenghts match. */ + BUILD_BUG_ON(sizeof(tbs_prefix) != sizeof(bin_prefix)); + prefix_len = sizeof(tbs_prefix) - 1; + for (i = 0; *desc; desc++, i++) { + if (*desc == ':') { + if (tbs_step == prefix_len) + goto found_colon; + if (bin_step == prefix_len) + goto found_colon; + return -EINVAL; + } + if (i >= prefix_len) + return -EINVAL; + if (*desc == tbs_prefix[i]) + tbs_step++; + if (*desc == bin_prefix[i]) + bin_step++; + } return -EINVAL; found_colon: desc++; - for (; *desc; desc++) { + for (i = 0; *desc && i < MAX_HASH_LEN; desc++, i++) { if (!isxdigit(*desc) || isupper(*desc)) return -EINVAL; - n++; } + if (*desc) + /* The hash is greater than MAX_HASH_LEN. */ + return -ENOPKG; - if (n == 0 || n & 1) + /* Checks for an even number of hexadecimal characters. */ + if (i == 0 || i & 1) return -EINVAL; return 0; } From patchwork Fri Dec 11 19:03:27 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= X-Patchwork-Id: 342059 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-16.7 required=3.0 tests=BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI, SPF_HELO_NONE, SPF_PASS, URIBL_BLOCKED, USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 8360AC4361B for ; Fri, 11 Dec 2020 20:49:50 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 2DB462405A for ; Fri, 11 Dec 2020 20:49:50 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2393378AbgLKTFO (ORCPT ); Fri, 11 Dec 2020 14:05:14 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58930 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2393396AbgLKTFM (ORCPT ); Fri, 11 Dec 2020 14:05:12 -0500 Received: from smtp-8fab.mail.infomaniak.ch (smtp-8fab.mail.infomaniak.ch [IPv6:2001:1600:3:17::8fab]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 92824C0617B0; Fri, 11 Dec 2020 11:03:47 -0800 (PST) Received: from smtp-2-0000.mail.infomaniak.ch (unknown [10.5.36.107]) by smtp-2-3000.mail.infomaniak.ch (Postfix) with ESMTPS id 4Ct0Ys6ddQzlhFLs; Fri, 11 Dec 2020 20:03:45 +0100 (CET) Received: from localhost (unknown [23.97.221.149]) by smtp-2-0000.mail.infomaniak.ch (Postfix) with ESMTPA id 4Ct0Ys47Sjzlppyl; Fri, 11 Dec 2020 20:03:45 +0100 (CET) From: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= To: David Howells , David Woodhouse , Jarkko Sakkinen Cc: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= , "David S . Miller" , Herbert Xu , James Morris , =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= , Mimi Zohar , "Serge E . Hallyn" , keyrings@vger.kernel.org, linux-crypto@vger.kernel.org, linux-integrity@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org Subject: [PATCH v2 2/5] certs: Factor out the blacklist hash creation Date: Fri, 11 Dec 2020 20:03:27 +0100 Message-Id: <20201211190330.2586116-3-mic@digikod.net> X-Mailer: git-send-email 2.29.2 In-Reply-To: <20201211190330.2586116-1-mic@digikod.net> References: <20201211190330.2586116-1-mic@digikod.net> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org From: Mickaël Salaün Factor out the blacklist hash creation with the get_raw_hash() helper. This also centralize the "tbs" and "bin" prefixes and make them private, which help to manage them consistently. Cc: David Howells Cc: David S. Miller Cc: David Woodhouse Cc: Herbert Xu Cc: Jarkko Sakkinen Signed-off-by: Mickaël Salaün --- certs/blacklist.c | 73 ++++++++++++++----- crypto/asymmetric_keys/x509_public_key.c | 3 +- include/keys/system_keyring.h | 14 +++- .../platform_certs/keyring_handler.c | 26 +------ 4 files changed, 70 insertions(+), 46 deletions(-) diff --git a/certs/blacklist.c b/certs/blacklist.c index 9ea7d4eb6bfb..18653c1db6bd 100644 --- a/certs/blacklist.c +++ b/certs/blacklist.c @@ -103,11 +103,43 @@ static struct key_type key_type_blacklist = { .describe = blacklist_describe, }; +static char *get_raw_hash(const u8 *hash, size_t hash_len, + enum blacklist_hash_type hash_type) +{ + size_t type_len; + const char *type_prefix; + char *buffer, *p; + + switch (hash_type) { + case BLACKLIST_HASH_X509_TBS: + type_len = sizeof(tbs_prefix) - 1; + type_prefix = tbs_prefix; + break; + case BLACKLIST_HASH_BINARY: + type_len = sizeof(bin_prefix) - 1; + type_prefix = bin_prefix; + break; + default: + WARN_ON_ONCE(1); + return ERR_PTR(-EINVAL); + } + buffer = kmalloc(type_len + 1 + hash_len * 2 + 1, GFP_KERNEL); + if (!buffer) + return ERR_PTR(-ENOMEM); + p = memcpy(buffer, type_prefix, type_len); + p += type_len; + *p++ = ':'; + bin2hex(p, hash, hash_len); + p += hash_len * 2; + *p = '\0'; + return buffer; +} + /** - * mark_hash_blacklisted - Add a hash to the system blacklist + * mark_raw_hash_blacklisted - Add a hash to the system blacklist * @hash: The hash as a hex string with a type prefix (eg. "tbs:23aa429783") */ -int mark_hash_blacklisted(const char *hash) +static int mark_raw_hash_blacklisted(const char *hash) { key_ref_t key; @@ -127,29 +159,33 @@ int mark_hash_blacklisted(const char *hash) return 0; } +int mark_hash_blacklisted(const u8 *hash, size_t hash_len, + enum blacklist_hash_type hash_type) +{ + const char *buffer; + + buffer = get_raw_hash(hash, hash_len, hash_type); + if (IS_ERR(buffer)) + return PTR_ERR(buffer); + kfree(buffer); + return 0; +} /** * is_hash_blacklisted - Determine if a hash is blacklisted * @hash: The hash to be checked as a binary blob * @hash_len: The length of the binary hash - * @type: Type of hash + * @hash_type: Type of hash */ -int is_hash_blacklisted(const u8 *hash, size_t hash_len, const char *type) +int is_hash_blacklisted(const u8 *hash, size_t hash_len, + enum blacklist_hash_type hash_type) { key_ref_t kref; - size_t type_len = strlen(type); - char *buffer, *p; + const char *buffer; int ret = 0; - buffer = kmalloc(type_len + 1 + hash_len * 2 + 1, GFP_KERNEL); - if (!buffer) - return -ENOMEM; - p = memcpy(buffer, type, type_len); - p += type_len; - *p++ = ':'; - bin2hex(p, hash, hash_len); - p += hash_len * 2; - *p = 0; - + buffer = get_raw_hash(hash, hash_len, hash_type); + if (IS_ERR(buffer)) + return PTR_ERR(buffer); kref = keyring_search(make_key_ref(blacklist_keyring, true), &key_type_blacklist, buffer, false); if (!IS_ERR(kref)) { @@ -164,7 +200,8 @@ EXPORT_SYMBOL_GPL(is_hash_blacklisted); int is_binary_blacklisted(const u8 *hash, size_t hash_len) { - if (is_hash_blacklisted(hash, hash_len, "bin") == -EKEYREJECTED) + if (is_hash_blacklisted(hash, hash_len, BLACKLIST_HASH_BINARY) == + -EKEYREJECTED) return -EPERM; return 0; @@ -194,7 +231,7 @@ static int __init blacklist_init(void) panic("Can't allocate system blacklist keyring\n"); for (bl = blacklist_hashes; *bl; bl++) - if (mark_hash_blacklisted(*bl) < 0) + if (mark_raw_hash_blacklisted(*bl) < 0) pr_err("- blacklisting failed\n"); return 0; } diff --git a/crypto/asymmetric_keys/x509_public_key.c b/crypto/asymmetric_keys/x509_public_key.c index ae450eb8be14..3b7dba5e4cd9 100644 --- a/crypto/asymmetric_keys/x509_public_key.c +++ b/crypto/asymmetric_keys/x509_public_key.c @@ -81,7 +81,8 @@ int x509_get_sig_params(struct x509_certificate *cert) if (ret < 0) goto error_2; - ret = is_hash_blacklisted(sig->digest, sig->digest_size, "tbs"); + ret = is_hash_blacklisted(sig->digest, sig->digest_size, + BLACKLIST_HASH_X509_TBS); if (ret == -EKEYREJECTED) { pr_err("Cert %*phN is blacklisted\n", sig->digest_size, sig->digest); diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h index fb8b07daa9d1..b184d8743e23 100644 --- a/include/keys/system_keyring.h +++ b/include/keys/system_keyring.h @@ -10,6 +10,13 @@ #include +enum blacklist_hash_type { + /* TBSCertificate hash */ + BLACKLIST_HASH_X509_TBS = 1, + /* Raw data hash */ + BLACKLIST_HASH_BINARY = 2, +}; + #ifdef CONFIG_SYSTEM_TRUSTED_KEYRING extern int restrict_link_by_builtin_trusted(struct key *keyring, @@ -32,13 +39,14 @@ extern int restrict_link_by_builtin_and_secondary_trusted( #endif #ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING -extern int mark_hash_blacklisted(const char *hash); +extern int mark_hash_blacklisted(const u8 *hash, size_t hash_len, + enum blacklist_hash_type hash_type); extern int is_hash_blacklisted(const u8 *hash, size_t hash_len, - const char *type); + enum blacklist_hash_type hash_type); extern int is_binary_blacklisted(const u8 *hash, size_t hash_len); #else static inline int is_hash_blacklisted(const u8 *hash, size_t hash_len, - const char *type) + enum blacklist_hash_type hash_type) { return 0; } diff --git a/security/integrity/platform_certs/keyring_handler.c b/security/integrity/platform_certs/keyring_handler.c index c5ba695c10e3..4a78fa1fde53 100644 --- a/security/integrity/platform_certs/keyring_handler.c +++ b/security/integrity/platform_certs/keyring_handler.c @@ -15,35 +15,13 @@ static efi_guid_t efi_cert_x509_sha256_guid __initdata = EFI_CERT_X509_SHA256_GUID; static efi_guid_t efi_cert_sha256_guid __initdata = EFI_CERT_SHA256_GUID; -/* - * Blacklist a hash. - */ -static __init void uefi_blacklist_hash(const char *source, const void *data, - size_t len, const char *type, - size_t type_len) -{ - char *hash, *p; - - hash = kmalloc(type_len + len * 2 + 1, GFP_KERNEL); - if (!hash) - return; - p = memcpy(hash, type, type_len); - p += type_len; - bin2hex(p, data, len); - p += len * 2; - *p = 0; - - mark_hash_blacklisted(hash); - kfree(hash); -} - /* * Blacklist an X509 TBS hash. */ static __init void uefi_blacklist_x509_tbs(const char *source, const void *data, size_t len) { - uefi_blacklist_hash(source, data, len, "tbs:", 4); + mark_hash_blacklisted(data, len, BLACKLIST_HASH_X509_TBS); } /* @@ -52,7 +30,7 @@ static __init void uefi_blacklist_x509_tbs(const char *source, static __init void uefi_blacklist_binary(const char *source, const void *data, size_t len) { - uefi_blacklist_hash(source, data, len, "bin:", 4); + mark_hash_blacklisted(data, len, BLACKLIST_HASH_BINARY); } /* From patchwork Fri Dec 11 19:03:28 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= X-Patchwork-Id: 342058 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-16.7 required=3.0 tests=BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI, SPF_HELO_NONE, SPF_PASS, URIBL_BLOCKED, USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id D4152C433FE for ; Fri, 11 Dec 2020 20:50:51 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 8D46024058 for ; Fri, 11 Dec 2020 20:50:51 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2393497AbgLKTFq (ORCPT ); Fri, 11 Dec 2020 14:05:46 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58962 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2393435AbgLKTFX (ORCPT ); Fri, 11 Dec 2020 14:05:23 -0500 Received: from smtp-42ae.mail.infomaniak.ch (smtp-42ae.mail.infomaniak.ch [IPv6:2001:1600:4:17::42ae]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 3CA20C061282 for ; Fri, 11 Dec 2020 11:03:49 -0800 (PST) Received: from smtp-2-0001.mail.infomaniak.ch (unknown [10.5.36.108]) by smtp-3-3000.mail.infomaniak.ch (Postfix) with ESMTPS id 4Ct0Yv1GTxzlhLNB; Fri, 11 Dec 2020 20:03:47 +0100 (CET) Received: from localhost (unknown [23.97.221.149]) by smtp-2-0001.mail.infomaniak.ch (Postfix) with ESMTPA id 4Ct0Yt670Fzlh8T5; Fri, 11 Dec 2020 20:03:46 +0100 (CET) From: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= To: David Howells , David Woodhouse , Jarkko Sakkinen Cc: =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= , "David S . Miller" , Herbert Xu , James Morris , =?utf-8?q?Micka=C3=ABl_Sala=C3=BCn?= , Mimi Zohar , "Serge E . Hallyn" , keyrings@vger.kernel.org, linux-crypto@vger.kernel.org, linux-integrity@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org Subject: [PATCH v2 3/5] certs: Check that builtin blacklist hashes are valid Date: Fri, 11 Dec 2020 20:03:28 +0100 Message-Id: <20201211190330.2586116-4-mic@digikod.net> X-Mailer: git-send-email 2.29.2 In-Reply-To: <20201211190330.2586116-1-mic@digikod.net> References: <20201211190330.2586116-1-mic@digikod.net> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org From: Mickaël Salaün Add and use a check-blacklist-hashes.awk script to make sure that the builtin blacklist hashes will be approved by the run time blacklist description checks. This is useful to debug invalid hash formats, and it make sure that previous hashes which could have been loaded in the kernel (but ignored) are now noticed and deal with by the user. Cc: David Howells Cc: David Woodhouse Signed-off-by: Mickaël Salaün --- Changes since v1: * Prefix script path with $(scrtree)/ (suggested by David Howells). * Fix hexadecimal number check. --- MAINTAINERS | 1 + certs/.gitignore | 1 + certs/Makefile | 15 +++++++++++- scripts/check-blacklist-hashes.awk | 37 ++++++++++++++++++++++++++++++ 4 files changed, 53 insertions(+), 1 deletion(-) create mode 100755 scripts/check-blacklist-hashes.awk diff --git a/MAINTAINERS b/MAINTAINERS index a008b70f3c16..e9d4453caf5d 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -4080,6 +4080,7 @@ L: keyrings@vger.kernel.org S: Maintained F: Documentation/admin-guide/module-signing.rst F: certs/ +F: scripts/check-blacklist-hashes.awk F: scripts/extract-cert.c F: scripts/sign-file.c diff --git a/certs/.gitignore b/certs/.gitignore index 2a2483990686..42cc2ac24b93 100644 --- a/certs/.gitignore +++ b/certs/.gitignore @@ -1,2 +1,3 @@ # SPDX-License-Identifier: GPL-2.0-only +blacklist_hashes_checked x509_certificate_list diff --git a/certs/Makefile b/certs/Makefile index f4c25b67aad9..eb45407ff282 100644 --- a/certs/Makefile +++ b/certs/Makefile @@ -6,7 +6,20 @@ obj-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += system_keyring.o system_certificates.o obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist.o ifneq ($(CONFIG_SYSTEM_BLACKLIST_HASH_LIST),"") + +quiet_cmd_check_blacklist_hashes = CHECK $(patsubst "%",%,$(2)) + cmd_check_blacklist_hashes = $(AWK) -f $(srctree)/scripts/check-blacklist-hashes.awk $(2); touch $@ + +$(eval $(call config_filename,SYSTEM_BLACKLIST_HASH_LIST)) + +$(obj)/blacklist_hashes.o: $(obj)/blacklist_hashes_checked + +targets += blacklist_hashes_checked +$(obj)/blacklist_hashes_checked: $(SYSTEM_BLACKLIST_HASH_LIST_SRCPREFIX)$(SYSTEM_BLACKLIST_HASH_LIST_FILENAME) scripts/check-blacklist-hashes.awk FORCE + $(call if_changed,check_blacklist_hashes,$(SYSTEM_BLACKLIST_HASH_LIST_SRCPREFIX)$(CONFIG_SYSTEM_BLACKLIST_HASH_LIST)) + obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist_hashes.o + else obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += blacklist_nohashes.o endif @@ -29,7 +42,7 @@ $(obj)/x509_certificate_list: scripts/extract-cert $(SYSTEM_TRUSTED_KEYS_SRCPREF $(call if_changed,extract_certs,$(SYSTEM_TRUSTED_KEYS_SRCPREFIX)$(CONFIG_SYSTEM_TRUSTED_KEYS)) endif # CONFIG_SYSTEM_TRUSTED_KEYRING -clean-files := x509_certificate_list .x509.list +clean-files := x509_certificate_list .x509.list blacklist_hashes_checked ifeq ($(CONFIG_MODULE_SIG),y) ############################################################################### diff --git a/scripts/check-blacklist-hashes.awk b/scripts/check-blacklist-hashes.awk new file mode 100755 index 000000000000..107c1d3204d4 --- /dev/null +++ b/scripts/check-blacklist-hashes.awk @@ -0,0 +1,37 @@ +#!/usr/bin/awk -f +# SPDX-License-Identifier: GPL-2.0 +# +# Copyright © 2020, Microsoft Corporation. All rights reserved. +# +# Author: Mickaël Salaün +# +# Check that a CONFIG_SYSTEM_BLACKLIST_HASH_LIST file contains a valid array of +# hash strings. Such string must start with a prefix ("tbs" or "bin"), then a +# colon (":"), and finally an even number of hexadecimal lowercase characters +# (up to 128). + +BEGIN { + RS = "," +} +{ + if (!match($0, "^[ \t\n\r]*\"([^\"]*)\"[ \t\n\r]*$", part1)) { + print "Not a string (item " NR "):", $0; + exit 1; + } + if (!match(part1[1], "^(tbs|bin):(.*)$", part2)) { + print "Unknown prefix (item " NR "):", part1[1]; + exit 1; + } + if (!match(part2[2], "^([0-9a-f]+)$", part3)) { + print "Not a lowercase hexadecimal string (item " NR "):", part2[2]; + exit 1; + } + if (length(part3[1]) > 128) { + print "Hash string too long (item " NR "):", part3[1]; + exit 1; + } + if (length(part3[1]) % 2 == 1) { + print "Not an even number of hexadecimal characters (item " NR "):", part3[1]; + exit 1; + } +}