summaryrefslogtreecommitdiff
path: root/certs/Kconfig
diff options
context:
space:
mode:
authorMickaël Salaün <mic@linux.microsoft.com>2021-07-12 20:03:10 +0300
committerJarkko Sakkinen <jarkko@kernel.org>2022-05-23 18:47:49 +0300
commitaddf466389d9d78f255e8b15ac44ab4791029852 (patch)
tree9ce8da49277fb9e0feb725af816ec3ad6162f0a2 /certs/Kconfig
parentbf21dc591bb5f17ba4b29b84d4866e0adc39f57f (diff)
downloadlinux-addf466389d9d78f255e8b15ac44ab4791029852.tar.xz
certs: Check that builtin blacklist hashes are valid
Add and use a check-blacklist-hashes.awk script to make sure that the builtin blacklist hashes set with CONFIG_SYSTEM_BLACKLIST_HASH_LIST will effectively be taken into account as blacklisted hashes. This is useful to debug invalid hash formats, and it make sure that previous hashes which could have been loaded in the kernel, but silently ignored, are now noticed and deal with by the user at kernel build time. This also prevent stricter blacklist key description checking (provided by following commits) to failed for builtin hashes. Update CONFIG_SYSTEM_BLACKLIST_HASH_LIST help to explain the content of a hash string and how to generate certificate ones. Cc: David Howells <dhowells@redhat.com> Cc: David Woodhouse <dwmw2@infradead.org> Cc: Eric Snowberg <eric.snowberg@oracle.com> Cc: Jarkko Sakkinen <jarkko@kernel.org> Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com> Link: https://lore.kernel.org/r/20210712170313.884724-3-mic@digikod.net Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org> Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
Diffstat (limited to 'certs/Kconfig')
-rw-r--r--certs/Kconfig7
1 files changed, 5 insertions, 2 deletions
diff --git a/certs/Kconfig b/certs/Kconfig
index 73d1350c223a..4bd385b25084 100644
--- a/certs/Kconfig
+++ b/certs/Kconfig
@@ -104,8 +104,11 @@ config SYSTEM_BLACKLIST_HASH_LIST
help
If set, this option should be the filename of a list of hashes in the
form "<hash>", "<hash>", ... . This will be included into a C
- wrapper to incorporate the list into the kernel. Each <hash> should
- be a string of hex digits.
+ wrapper to incorporate the list into the kernel. Each <hash> must be a
+ string starting with a prefix ("tbs" or "bin"), then a colon (":"), and
+ finally an even number of hexadecimal lowercase characters (up to 128).
+ Certificate hashes can be generated with
+ tools/certs/print-cert-tbs-hash.sh .
config SYSTEM_REVOCATION_LIST
bool "Provide system-wide ring of revocation certificates"