Re: [PATCH v1 1/2] certs: Remove panic() calls from blacklist_init()

From: Jarkko Sakkinen <jarkko@kernel.org>
To: Paul Moore <paul@paul-moore.com>
Cc: "Mickaël Salaün" <mic@digikod.net>,
	"David Howells" <dhowells@redhat.com>,
	"David Woodhouse" <dwmw2@infradead.org>,
	"David S . Miller" <davem@davemloft.net>,
	"Eric Snowberg" <eric.snowberg@oracle.com>,
	"Mickaël Salaün" <mic@linux.microsoft.com>,
	keyrings@vger.kernel.org, linux-crypto@vger.kernel.org,
	linux-kernel@vger.kernel.org
Subject: Re: [PATCH v1 1/2] certs: Remove panic() calls from blacklist_init()
Date: Sun, 20 Mar 2022 23:04:26 +0200	[thread overview]
Message-ID: <YjeW2r6Wv55Du0bJ@iki.fi> (raw)
In-Reply-To: <CAHC9VhThwFbO83D8u09XmRRvQxft7fHZ+KPciGfmrBJNZA1wGQ@mail.gmail.com>

On Fri, Mar 11, 2022 at 05:00:32PM -0500, Paul Moore wrote:
> On Fri, Mar 11, 2022 at 12:47 PM Mickaël Salaün <mic@digikod.net> wrote:
> > From: Mickaël Salaün <mic@linux.microsoft.com>
> >
> > Replace panic() calls from device_initcall(blacklist_init) with proper
> > error handling using -ENODEV.
> >
> > Suggested-by: Jarkko Sakkinen <jarkko@kernel.org> [1]
> > Link: https://lore.kernel.org/r/Yik0C2t7G272YZ73@iki.fi [1]
> > Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com>
> > Link: https://lore.kernel.org/r/20220311174741.250424-2-mic@digikod.net
> > ---
> >  certs/blacklist.c | 27 +++++++++++++++++++++------
> >  1 file changed, 21 insertions(+), 6 deletions(-)
> 
> I'm not sure we can safely rely on a non-zero error code saving us in
> the care of failure, can we?
> 
> The blacklist_init() function is registered as an initcall via
> device_initcall() which I believe is either executed via
> do_init_module() in the case of a dynamic module load, or via
> do_initcalls() if built into the kernel.  In either case the result is
> that the module/functionality doesn't load and the kernel continues on
> executing.  While this could be acceptable for some non-critical
> modules, if this particular module fails to load it defeats the
> certificate/key based deny list for signed modules, yes?
> 
> I completely understand the strong desire to purge the kernel of
> panic()s, BUG()s, and the like, but if a critical piece of security
> functionality that users expect to be present fails to initialize,
> panic()ing is likely the right thing to do.

OK, I get this. 

What this function should have is this information documented in
the header. Otherwise, this is just confusing.

BR, Jarkko

next prev parent reply	other threads:[~2022-03-20 21:03 UTC|newest]

Thread overview: 10+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-03-11 17:47 [PATCH v1 0/2] Remove panic() from keyring init calls Mickaël Salaün
2022-03-11 17:47 ` [PATCH v1 1/2] certs: Remove panic() calls from blacklist_init() Mickaël Salaün
2022-03-11 22:00   ` Paul Moore
2022-03-20 21:04     ` Jarkko Sakkinen [this message]
2022-03-11 17:47 ` [PATCH v1 2/2] certs: Remove panic() calls from system_trusted_keyring_init() Mickaël Salaün
2022-03-17  7:36   ` Jarkko Sakkinen
2022-03-17  8:30     ` Mickaël Salaün
2022-03-17  8:31       ` Mickaël Salaün
2022-03-20 21:07         ` Jarkko Sakkinen
2022-03-20 21:06       ` Jarkko Sakkinen

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=YjeW2r6Wv55Du0bJ@iki.fi \
    --to=jarkko@kernel.org \
    --cc=davem@davemloft.net \
    --cc=dhowells@redhat.com \
    --cc=dwmw2@infradead.org \
    --cc=eric.snowberg@oracle.com \
    --cc=keyrings@vger.kernel.org \
    --cc=linux-crypto@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=mic@digikod.net \
    --cc=mic@linux.microsoft.com \
    --cc=paul@paul-moore.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.