Open Source and information security mailing list archives
 
Message-ID: <3524595.1614124044@warthog.procyon.org.uk>
Date:   Tue, 23 Feb 2021 23:47:24 +0000
From:   David Howells <dhowells@...hat.com>
To:     Eric Snowberg <eric.snowberg@...cle.com>
Cc:     dhowells@...hat.com, jarkko@...nel.org, mic@...ux.microsoft.com,
        dwmw2@...radead.org, keyrings@...r.kernel.org,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH] cert: Add kconfig dependency for validate_trust

Eric Snowberg <eric.snowberg@...cle.com> wrote:

> The kernel test robot reports when building with Kconfig
> CONFIG_INTEGRITY_PLATFORM_KEYRING defined and 
> CONFIG_SYSTEM_DATA_VERIFICATION undefined:
> 
> ld.lld: error: undefined symbol: pkcs7_validate_trust
> referenced by blacklist.c:128 (certs/blacklist.c:128)
>              blacklist.o:(is_key_on_revocation_list) in archive certs/built-in.a
> 
> Make CONFIG_SYSTEM_DATA_VERIFICATION a dependency for validate_trust.
> 
> Reported-by: kernel test robot <lkp@...el.com>
> Signed-off-by: Eric Snowberg <eric.snowberg@...cle.com>

I wonder if it's better to provide a separate config option for the revocation
list, say:

	config SYSTEM_REVOCATION_LIST
		bool "Add revocation certs to the blacklist keyring"
		depends on SYSTEM_BLACKLIST_KEYRING
		depends on PKCS7_MESSAGE_PARSER
		help
		  ...

and use that in blacklist.c.

In keys/system_keyring.h, is_key_on_revocation_list() can then be defaulted to
return 0 if that is disabled.

Btw, I've just noticed that add_key_to_revocation_list() and
is_key_on_revocation_list() lack kernel doc comments.

David
