lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Tue, 23 Feb 2021 18:26:43 -0700
From:   Eric Snowberg <eric.snowberg@...cle.com>
To:     David Howells <dhowells@...hat.com>
Cc:     Jarkko Sakkinen <jarkko@...nel.org>,
        Mickaël Salaün <mic@...ux.microsoft.com>,
        David Woodhouse <dwmw2@...radead.org>,
        keyrings@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] cert: Add kconfig dependency for validate_trust


> On Feb 23, 2021, at 4:47 PM, David Howells <dhowells@...hat.com> wrote:
> 
> Eric Snowberg <eric.snowberg@...cle.com> wrote:
> 
>> The kernel test robot reports when building with Kconfig
>> CONFIG_INTEGRITY_PLATFORM_KEYRING defined and 
>> CONFIG_SYSTEM_DATA_VERIFICATION undefined:
>> 
>> ld.lld: error: undefined symbol: pkcs7_validate_trust
>> referenced by blacklist.c:128 (certs/blacklist.c:128)
>>             blacklist.o:(is_key_on_revocation_list) in archive certs/built-in.a
>> 
>> Make CONFIG_SYSTEM_DATA_VERIFICATION a dependency for validate_trust.
>> 
>> Reported-by: kernel test robot <lkp@...el.com>
>> Signed-off-by: Eric Snowberg <eric.snowberg@...cle.com>
> 
> I wonder if it's better to provide a separate config option for the revocation
> list, say:
> 
> 	config SYSTEM_REVOCATION_LIST
> 		bool "Add revocation certs to the blacklist keyring"
> 		depends on SYSTEM_BLACKLIST_KEYRING
> 		depends on PKCS7_MESSAGE_PARSER
> 		help
> 		  ...
> 
> and use that in blacklist.c.
> 
> In keys/system_keyring.h, is_key_on_revocation_list() can then be defaulted to
> return 0 if that is disabled.

I tried something like that in the past.  The problem I ran into is someone 
could create a config with PKCS7_MESSAGE_PARSER=m.  Then pkcs7_validate_trust 
would give an undefined reference error. 

SYSTEM_DATA_VERIFICATION was the only thing I could find that guaranteed 
everything was available.  I supposed I could do:

	config SYSTEM_REVOCATION_LIST
		bool "Add revocation certs to the blacklist keyring"
		depends on SYSTEM_BLACKLIST_KEYRING
		depends on SYSTEM_DATA_VERIFICATION
		help
		  …

Would you rather I do that instead?

> Btw, I've just noticed that add_key_to_revocation_list() and
> is_key_on_revocation_list() lack kernel doc comments.

I’ll prepare a patch to add the kernel-doc comments.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ