| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2e413e587556199c7403ecedef2ed854cd3e6c39.camel@linux.ibm.com>
Date: Mon, 23 Dec 2024 08:21:17 -0500
From: Mimi Zohar <zohar@...ux.ibm.com>
To: Eric Snowberg <eric.snowberg@...cle.com>,
linux-security-module@...r.kernel.org
Cc: dhowells@...hat.com, dwmw2@...radead.org, herbert@...dor.apana.org.au,
davem@...emloft.net, ardb@...nel.org, jarkko@...nel.org,
paul@...l-moore.com, jmorris@...ei.org, serge@...lyn.com,
roberto.sassu@...wei.com, dmitry.kasatkin@...il.com, mic@...ikod.net,
casey@...aufler-ca.com, stefanb@...ux.ibm.com, ebiggers@...nel.org,
rdunlap@...radead.org, linux-kernel@...r.kernel.org,
keyrings@...r.kernel.org, linux-crypto@...r.kernel.org,
linux-efi@...r.kernel.org, linux-integrity@...r.kernel.org
Subject: Re: [RFC PATCH v3 01/13] certs: Remove
CONFIG_INTEGRITY_PLATFORM_KEYRING check
Hi Eric,
On Thu, 2024-10-17 at 09:55 -0600, Eric Snowberg wrote:
> Remove the CONFIG_INTEGRITY_PLATFORM_KEYRING ifdef check so this
> pattern does not need to be repeated with new code.
>
> Signed-off-by: Eric Snowberg <eric.snowberg@...cle.com>
Ok. The reason why testing the Kconfig is unnecessary should be included in the
patch description. For example,
Commit 219a3e8676f3 ("integrity, KEYS: add a reference to platform keyring")
unnecessarily added the Kconfig test. As platform_trusted_keys is already
initialized, simply use it.
Reviewed-by: Mimi Zohar <zohar@...ux.ibm.com>
> ---
> certs/system_keyring.c | 6 ------
> 1 file changed, 6 deletions(-)
>
> diff --git a/certs/system_keyring.c b/certs/system_keyring.c
> index 9de610bf1f4b..e344cee10d28 100644
> --- a/certs/system_keyring.c
> +++ b/certs/system_keyring.c
> @@ -24,9 +24,7 @@ static struct key *secondary_trusted_keys;
> #ifdef CONFIG_INTEGRITY_MACHINE_KEYRING
> static struct key *machine_trusted_keys;
> #endif
> -#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
> static struct key *platform_trusted_keys;
> -#endif
>
> extern __initconst const u8 system_certificate_list[];
> extern __initconst const unsigned long system_certificate_list_size;
> @@ -345,11 +343,7 @@ int verify_pkcs7_message_sig(const void *data, size_t len,
> trusted_keys = builtin_trusted_keys;
> #endif
> } else if (trusted_keys == VERIFY_USE_PLATFORM_KEYRING) {
> -#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
> trusted_keys = platform_trusted_keys;
> -#else
> - trusted_keys = NULL;
> -#endif
> if (!trusted_keys) {
> ret = -ENOKEY;
> pr_devel("PKCS#7 platform keyring is not available\n");
Powered by blists - more mailing lists