git.baikalelectronics.ru Git - kernel.git/commit
certs: Check that builtin blacklist hashes are valid
author Mickaël Salaün <mic@linux.microsoft.com>
Mon, 12 Jul 2021 17:03:10 +0000 (19:03 +0200)
committer Jarkko Sakkinen <jarkko@kernel.org>
Mon, 23 May 2022 15:47:49 +0000 (18:47 +0300)
commit 4dbf0d7281b6c9dfb130e4264d1e37c27124a599
tree 9ce8da49277fb9e0feb725af816ec3ad6162f0a2
parent 42c3e5f76e3add1a6e17a38d57d2509146ae1c07
certs: Check that builtin blacklist hashes are valid

Add and use a check-blacklist-hashes.awk script to make sure that the
builtin blacklist hashes set with CONFIG_SYSTEM_BLACKLIST_HASH_LIST will
effectively be taken into account as blacklisted hashes.  This is useful
to debug invalid hash formats, and it makes sure that previous hashes
which could have been loaded in the kernel, but silently ignored, are
now noticed and dealt with by the user at kernel build time.

This also prevents stricter blacklist key description checking (provided
by following commits) from failing for builtin hashes.

Update CONFIG_SYSTEM_BLACKLIST_HASH_LIST help to explain the content of
a hash string and how to generate certificate ones.

Cc: David Howells <dhowells@redhat.com>
Cc: David Woodhouse <dwmw2@infradead.org>
Cc: Eric Snowberg <eric.snowberg@oracle.com>
Cc: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
Link: https://lore.kernel.org/r/20210712170313.884724-3-mic@digikod.net
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
MAINTAINERS
certs/.gitignore
certs/Kconfig
certs/Makefile
scripts/check-blacklist-hashes.awk [new file with mode: 0755]