Keyrings Archive mirror
From: ritu pal <ritupal888@gmail.com>
To: David Howells <dhowells@redhat.com>,
	David Woodhouse <dwmw2@infradead.org>,
	keyrings@vger.kernel.org,  linux-kernel@vger.kernel.org,
	ritu pal <ritupal888@gmail.com>
Subject: [PATCH] certs/blacklist: add error logging for hash blacklisting failures
Date: Fri, 27 Jun 2025 19:42:03 +0530
Message-ID: <CAEy91+b+GN1CoX7Y7RVHq2sxjU=OrrPqmbsFuVW3da4YNTH+XQ@mail.gmail.com>

[PATCH] certs/blacklist: add error logging for hash blacklisting failures

Previously, errors returned by mark_hash_blacklisted() could be silently
ignored by callers, such as uefi_blacklist_x509_tbs() and
uefi_blacklist_binary(), which do not check or log the return value.
This can make it difficult to detect and diagnose failures to add hashes
to the system blacklist.

This change adds a pr_err() message in mark_hash_blacklisted() to log
any failure to blacklist a hash, including the error code. This ensures
that all blacklisting failures are visible in the kernel log, improving
debuggability and system integrity monitoring, even if the upper layers
do not handle the error.

No functional changes are made to the blacklisting logic.

Signed-off-by: Ritu Pal <ritupal888@gmail.com>
---
 certs/blacklist.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/certs/blacklist.c b/certs/blacklist.c
index 675dd7a8f07a..0f5ff29ccb3d 100644
--- a/certs/blacklist.c
+++ b/certs/blacklist.c
@@ -208,8 +208,10 @@ int mark_hash_blacklisted(const u8 *hash, size_t hash_len,
  int err;

  buffer = get_raw_hash(hash, hash_len, hash_type);
- if (IS_ERR(buffer))
+ if (IS_ERR(buffer)) {
+ pr_err("Failed to blacklist hash: %pe\n", buffer);
  return PTR_ERR(buffer);
+ }
  err = mark_raw_hash_blacklisted(buffer);
  kfree(buffer);
  return err;
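Review bot: In mark_hash_blacklisted() the new pr_err() covers only the get_raw_hash() failure; the value returned by mark_raw_hash_blacklisted(buffer) is still passed back through "return err;" with no message from this function, so the commit message's claim that any failure to blacklist a hash is logged does not follow from these lines. Either log when err is non-zero before returning, or state in the commit message that mark_raw_hash_blacklisted() already reports its own failures and that this patch closes only the get_raw_hash() gap. The added lines also appear to have lost their indentation (the pr_err() line sits at the same depth as the braces), which suggests the mail client mangled the whitespace; resend with git send-email so the patch applies and keeps tab indentation. Since the callers named in the commit message ignore the return value, a follow-up that makes uefi_blacklist_x509_tbs() and uefi_blacklist_binary() check it would address the root cause rather than relying on the log alone.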
@@ -229,8 +231,10 @@ int is_hash_blacklisted(const u8 *hash, size_t hash_len,
  int ret = 0;

  buffer = get_raw_hash(hash, hash_len, hash_type);
- if (IS_ERR(buffer))
+ if (IS_ERR(buffer)) {
+ pr_err("Failed to blacklist hash: %pe\n", buffer);
  return PTR_ERR(buffer);
+ }
  kref = keyring_search(make_key_ref(blacklist_keyring, true),
        &key_type_blacklist, buffer, false);
  if (!IS_ERR(kref)) {
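Review bot: The message "Failed to blacklist hash: %pe" in is_hash_blacklisted() is wrong for this path: this function looks a hash up with keyring_search(), it does not add one, so a get_raw_hash() failure here would be reported in the log as a failed blacklisting operation and mislead anyone triaging it. The commit message also describes only a change to mark_hash_blacklisted() and says nothing about this hunk. Either drop the hunk, or give it distinct wording (for example "Failed to check hash against blacklist: %pe") and mention it in the commit message. If it stays, consider whether pr_err() is the right level for a lookup path, since it may be called far more often than the add path.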
--
