Open Source and information security mailing list archives
Message-Id: <F6980CA4-737D-416A-BBE3-390CEBA8B192@oracle.com>
Date: Tue, 23 Feb 2021 18:26:43 -0700
From: Eric Snowberg <eric.snowberg@...cle.com>
To: David Howells <dhowells@...hat.com>
Cc: Jarkko Sakkinen <jarkko@...nel.org>, Mickaël Salaün <mic@...ux.microsoft.com>, David Woodhouse <dwmw2@...radead.org>, keyrings@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] cert: Add kconfig dependency for validate_trust

> On Feb 23, 2021, at 4:47 PM, David Howells <dhowells@...hat.com> wrote:
>
> Eric Snowberg <eric.snowberg@...cle.com> wrote:
>
>> The kernel test robot reports when building with Kconfig
>> CONFIG_INTEGRITY_PLATFORM_KEYRING defined and
>> CONFIG_SYSTEM_DATA_VERIFICATION undefined:
>>
>> ld.lld: error: undefined symbol: pkcs7_validate_trust
>> referenced by blacklist.c:128 (certs/blacklist.c:128)
>> blacklist.o:(is_key_on_revocation_list) in archive certs/built-in.a
>>
>> Make CONFIG_SYSTEM_DATA_VERIFICATION a dependency for validate_trust.
>>
>> Reported-by: kernel test robot <lkp@...el.com>
>> Signed-off-by: Eric Snowberg <eric.snowberg@...cle.com>
>
> I wonder if it's better to provide a separate config option for the revocation
> list, say:
>
> config SYSTEM_REVOCATION_LIST
>     bool "Add revocation certs to the blacklist keyring"
>     depends on SYSTEM_BLACKLIST_KEYRING
>     depends on PKCS7_MESSAGE_PARSER
>     help
>       ...
>
> and use that in blacklist.c.
>
> In keys/system_keyring.h, is_key_on_revocation_list() can then be defaulted to
> return 0 if that is disabled.

I tried something like that in the past. The problem I ran into is someone
could create a config with PKCS7_MESSAGE_PARSER=m. Then pkcs7_validate_trust
would give an undefined reference error. SYSTEM_DATA_VERIFICATION was the only
thing I could find that guaranteed everything was available.
I suppose I could do:

config SYSTEM_REVOCATION_LIST
    bool "Add revocation certs to the blacklist keyring"
    depends on SYSTEM_BLACKLIST_KEYRING
    depends on SYSTEM_DATA_VERIFICATION
    help
      …

Would you rather I do that instead?

> Btw, I've just noticed that add_key_to_revocation_list() and
> is_key_on_revocation_list() lack kernel doc comments.

I'll prepare a patch to add the kernel-doc comments.