Re: [BUG] blacklist: Problem blacklisting hash (-13) during boot

From: Mickaël Salaün
Date: Fri Nov 04 2022 - 13:04:04 EST


Hi,

Thanks for this report. These error messages seem correct but I don't see any legitimate reason for the firmware to store duplicate blacklisted hashes.

According to the blacklist_init() function, the "blacklisting failed" message could be improved to explain that only a set of hashes failed, and why they failed. However, despite this message, this should work as expected and should not generate any issue.

Did you contact Lenovo to report this issue (i.e. duplicate hashes in their firmware)?

Could you please provide the list of duplicate hashes?

Regards,
Mickaël


On 15/10/2022 05:16, Thomas Weißschuh wrote:
Hi,

Since 5.19 during boot I see lots of the following entries in dmesg:

blacklist: Problem blacklisting hash (-13)

This happens because the firmware contains duplicate blacklist entries.
As commit 6364d106e041 [0] modified the "blacklist" keyring to reject updates,
this now leads to the spurious error messages.

The machine is a Thinkpad X1 Carbon Gen9 with BIOS revision 1.56 and firmware
revision 1.33.

[0] 6364d106e041 ("certs: Allow root user to append signed hashes to the blacklist keyring")