Re: [PATCH] cert: Add kconfig dependency for validate_trust

[Eric Snowberg]

> On Feb 23, 2021, at 4:47 PM, David Howells <dhowells@xxxxxxxxxx> wrote:
> 
> Eric Snowberg <eric.snowberg@xxxxxxxxxx> wrote:
> 
>> The kernel test robot reports when building with Kconfig
>> CONFIG_INTEGRITY_PLATFORM_KEYRING defined and 
>> CONFIG_SYSTEM_DATA_VERIFICATION undefined:
>> 
>> ld.lld: error: undefined symbol: pkcs7_validate_trust
>> referenced by blacklist.c:128 (certs/blacklist.c:128)
>>             blacklist.o:(is_key_on_revocation_list) in archive certs/built-in.a
>> 
>> Make CONFIG_SYSTEM_DATA_VERIFICATION a dependency for validate_trust.
>> 
>> Reported-by: kernel test robot <lkp@xxxxxxxxx>
>> Signed-off-by: Eric Snowberg <eric.snowberg@xxxxxxxxxx>
> 
> I wonder if it's better to provide a separate config option for the revocation
> list, say:
> 
> 	config SYSTEM_REVOCATION_LIST
> 		bool "Add revocation certs to the blacklist keyring"
> 		depends on SYSTEM_BLACKLIST_KEYRING
> 		depends on PKCS7_MESSAGE_PARSER
> 		help
> 		  ...
> 
> and use that in blacklist.c.
> 
> In keys/system_keyring.h, is_key_on_revocation_list() can then be defaulted to
> return 0 if that is disabled.

I tried something like that in the past.  The problem I ran into is someone 
could create a config with PKCS7_MESSAGE_PARSER=m.  Then pkcs7_validate_trust 
would give an undefined reference error. 

SYSTEM_DATA_VERIFICATION was the only thing I could find that guaranteed 
everything was available.  I supposed I could do:

	config SYSTEM_REVOCATION_LIST
		bool "Add revocation certs to the blacklist keyring"
		depends on SYSTEM_BLACKLIST_KEYRING
		depends on SYSTEM_DATA_VERIFICATION
		help
		  …

Would you rather I do that instead?

> Btw, I've just noticed that add_key_to_revocation_list() and
> is_key_on_revocation_list() lack kernel doc comments.

I’ll prepare a patch to add the kernel-doc comments.