git.kernel.dk Git - linux-2.6-block.git/commit

author	Mickaël Salaün <mic@linux.microsoft.com>
	Mon, 12 Jul 2021 17:03:10 +0000 (19:03 +0200)
committer	Jarkko Sakkinen <jarkko@kernel.org>
	Wed, 23 Feb 2022 15:49:05 +0000 (16:49 +0100)
commit	a89d708caec32263df48de5e2402158e55053b68
tree	3fa57ec8b8fb3dadf64713acf91bda39e90adf39	tree
parent	a03562af835e9f8932ab635f833b0c6a09fcbb9b	commit \| diff

certs: Check that builtin blacklist hashes are valid

Add and use a check-blacklist-hashes.awk script to make sure that the
builtin blacklist hashes set with CONFIG_SYSTEM_BLACKLIST_HASH_LIST will
effectively be taken into account as blacklisted hashes. This is useful
to debug invalid hash formats, and it make sure that previous hashes
which could have been loaded in the kernel, but silently ignored, are
now noticed and deal with by the user at kernel build time.

This also prevent stricter blacklist key description checking (provided
by following commits) to failed for builtin hashes.

Update CONFIG_SYSTEM_BLACKLIST_HASH_LIST help to explain the content of
a hash string and how to generate certificate ones.

Cc: David Howells <dhowells@redhat.com>
Cc: David Woodhouse <dwmw2@infradead.org>
Cc: Eric Snowberg <eric.snowberg@oracle.com>
Cc: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
Link: https://lore.kernel.org/r/20210712170313.884724-3-mic@digikod.net
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>

MAINTAINERS		diff \| blob \| blame \| history
certs/.gitignore		diff \| blob \| blame \| history
certs/Kconfig		diff \| blob \| blame \| history
certs/Makefile		diff \| blob \| blame \| history
scripts/check-blacklist-hashes.awk	[new file with mode: 0755]	blob