certs: Check that builtin blacklist hashes are valid

Add and use a check-blacklist-hashes.awk script to make sure that the builtin blacklist hashes set with CONFIG_SYSTEM_BLACKLIST_HASH_LIST will effectively be taken into account as blacklisted hashes. This is useful to debug invalid hash formats, and it make sure that previous hashes which could have been loaded in the kernel, but silently ignored, are now noticed and deal with by the user at kernel build time. This also prevent stricter blacklist key description checking (provided by following commits) to failed for builtin hashes. Update CONFIG_SYSTEM_BLACKLIST_HASH_LIST help to explain the content of a hash string and how to generate certificate ones. Cc: David Howells <dhowells@redhat.com> Cc: David Woodhouse <dwmw2@infradead.org> Cc: Eric Snowberg <eric.snowberg@oracle.com> Cc: Jarkko Sakkinen <jarkko@kernel.org> Signed-off-by: Mickaël Salaün <mic@linux.microsoft.com> Link: https://lore.kernel.org/r/20210712170313.884724-3-mic@digikod.net Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org> Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
author: Mickaël Salaün 2021-07-12 19:03:10 +0200
committer: Jarkko Sakkinen 2022-05-23 18:47:49 +0300
commit: addf466389d9d78f255e8b15ac44ab4791029852 (patch)
tree: 9ce8da49277fb9e0feb725af816ec3ad6162f0a2 /certs/.gitignore
parent: bf21dc591bb5f17ba4b29b84d4866e0adc39f57f (diff)
1 files changed, 1 insertions, 0 deletions
diff --git a/certs/.gitignore b/certs/.gitignore
index 9e42fe3e02f5..56637aceaf81 100644
--- a/certs/.gitignore
+++ b/certs/.gitignore
@@ -1,4 +1,5 @@
 # SPDX-License-Identifier: GPL-2.0-only
+/blacklist_hashes_checked
 /extract-cert
 /x509_certificate_list
 /x509_revocation_list
author	Mickaël Salaün	2021-07-12 19:03:10 +0200
committer	Jarkko Sakkinen	2022-05-23 18:47:49 +0300
commit	addf466389d9d78f255e8b15ac44ab4791029852 (patch)
tree	9ce8da49277fb9e0feb725af816ec3ad6162f0a2 /certs/.gitignore
parent	bf21dc591bb5f17ba4b29b84d4866e0adc39f57f (diff)