| Message ID | 20210517131848.61153-3-dimitri.ledkov@canonical.com |
|---|---|
| State | New |
| Headers | show |
| Series | Support importing mokx keys into revocation list from the mok table | expand |
On 17/05/2021 09:18, Dimitri John Ledkov wrote: > integrity_load_cert() prints messages of the source and cert details > when adding certs as trusted. Mirror those messages in > uefi_revocation_list_x509() when adding certs as revoked. > > Sample dmesg with this change: > > integrity: Platform Keyring initialized > integrity: Loading X.509 certificate: UEFI:db > integrity: Loaded X.509 cert 'Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a1bd4' > integrity: Revoking X.509 certificate: UEFI:MokListXRT (MOKvar table) > blacklist: Revoked X.509 cert 'Canonical Ltd. Secure Boot Signing: 61482aa2830d0ab2ad5af10b7250da9033ddcef0' > integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table) > integrity: Loaded X.509 cert 'Canonical Ltd. Master Certificate Authority: ad91990bc22ab1f517048c23b6655a268e345a63' > > BugLink: https://bugs.launchpad.net/bugs/1928679 > Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@canonical.com> > --- > certs/blacklist.c | 4 +++- > security/integrity/platform_certs/keyring_handler.c | 1 + > 2 files changed, 4 insertions(+), 1 deletion(-) > > diff --git a/certs/blacklist.c b/certs/blacklist.c > index c9a435b15af4..6a2afa84a5db 100644 > --- a/certs/blacklist.c > +++ b/certs/blacklist.c > @@ -172,7 +172,9 @@ int add_key_to_revocation_list(const char *data, size_t size) > if (IS_ERR(key)) { > pr_err("Problem with revocation key (%ld)\n", PTR_ERR(key)); > return PTR_ERR(key); > - } > + } else > + pr_notice("Revoked X.509 cert '%s'\n", > + key_ref_to_ptr(key)->description); You need {} for this arm. The same for upstream patch. Best regards, Krzysztof
diff --git a/certs/blacklist.c b/certs/blacklist.c index c9a435b15af4..6a2afa84a5db 100644 --- a/certs/blacklist.c +++ b/certs/blacklist.c @@ -172,7 +172,9 @@ int add_key_to_revocation_list(const char *data, size_t size) if (IS_ERR(key)) { pr_err("Problem with revocation key (%ld)\n", PTR_ERR(key)); return PTR_ERR(key); - } + } else + pr_notice("Revoked X.509 cert '%s'\n", + key_ref_to_ptr(key)->description); return 0; } diff --git a/security/integrity/platform_certs/keyring_handler.c b/security/integrity/platform_certs/keyring_handler.c index 5604bd57c990..9f85626702b2 100644 --- a/security/integrity/platform_certs/keyring_handler.c +++ b/security/integrity/platform_certs/keyring_handler.c @@ -61,6 +61,7 @@ static __init void uefi_blacklist_binary(const char *source, static __init void uefi_revocation_list_x509(const char *source, const void *data, size_t len) { + pr_info("Revoking X.509 certificate: %s\n", source); add_key_to_revocation_list(data, len); }
integrity_load_cert() prints messages of the source and cert details when adding certs as trusted. Mirror those messages in uefi_revocation_list_x509() when adding certs as revoked. Sample dmesg with this change: integrity: Platform Keyring initialized integrity: Loading X.509 certificate: UEFI:db integrity: Loaded X.509 cert 'Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a1bd4' integrity: Revoking X.509 certificate: UEFI:MokListXRT (MOKvar table) blacklist: Revoked X.509 cert 'Canonical Ltd. Secure Boot Signing: 61482aa2830d0ab2ad5af10b7250da9033ddcef0' integrity: Loading X.509 certificate: UEFI:MokListRT (MOKvar table) integrity: Loaded X.509 cert 'Canonical Ltd. Master Certificate Authority: ad91990bc22ab1f517048c23b6655a268e345a63' BugLink: https://bugs.launchpad.net/bugs/1928679 Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@canonical.com> --- certs/blacklist.c | 4 +++- security/integrity/platform_certs/keyring_handler.c | 1 + 2 files changed, 4 insertions(+), 1 deletion(-)