lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <3524595.1614124044@warthog.procyon.org.uk>
Date:   Tue, 23 Feb 2021 23:47:24 +0000
From:   David Howells <dhowells@...hat.com>
To:     Eric Snowberg <eric.snowberg@...cle.com>
Cc:     dhowells@...hat.com, jarkko@...nel.org, mic@...ux.microsoft.com,
        dwmw2@...radead.org, keyrings@...r.kernel.org,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH] cert: Add kconfig dependency for validate_trust

Eric Snowberg <eric.snowberg@...cle.com> wrote:

> The kernel test robot reports when building with Kconfig
> CONFIG_INTEGRITY_PLATFORM_KEYRING defined and 
> CONFIG_SYSTEM_DATA_VERIFICATION undefined:
> 
> ld.lld: error: undefined symbol: pkcs7_validate_trust
> referenced by blacklist.c:128 (certs/blacklist.c:128)
>              blacklist.o:(is_key_on_revocation_list) in archive certs/built-in.a
> 
> Make CONFIG_SYSTEM_DATA_VERIFICATION a dependency for validate_trust.
> 
> Reported-by: kernel test robot <lkp@...el.com>
> Signed-off-by: Eric Snowberg <eric.snowberg@...cle.com>

I wonder if it's better to provide a separate config option for the revocation
list, say:

	config SYSTEM_REVOCATION_LIST
		bool "Add revocation certs to the blacklist keyring"
		depends on SYSTEM_BLACKLIST_KEYRING
		depends on PKCS7_MESSAGE_PARSER
		help
		  ...

and use that in blacklist.c.

In keys/system_keyring.h, is_key_on_revocation_list() can then be defaulted to
return 0 if that is disabled.

Btw, I've just noticed that add_key_to_revocation_list() and
is_key_on_revocation_list() lack kernel doc comments.

David

Powered by blists - more mailing lists