Re: [PATCH] cert: Add kconfig dependency for validate_trust
From: Eric Snowberg
Date: Tue Feb 23 2021 - 20:31:40 EST
> On Feb 23, 2021, at 4:47 PM, David Howells <dhowells@xxxxxxxxxx> wrote:
>
> Eric Snowberg <eric.snowberg@xxxxxxxxxx> wrote:
>
>> The kernel test robot reports when building with Kconfig
>> CONFIG_INTEGRITY_PLATFORM_KEYRING defined and
>> CONFIG_SYSTEM_DATA_VERIFICATION undefined:
>>
>> ld.lld: error: undefined symbol: pkcs7_validate_trust
>> referenced by blacklist.c:128 (certs/blacklist.c:128)
>> blacklist.o:(is_key_on_revocation_list) in archive certs/built-in.a
>>
>> Make CONFIG_SYSTEM_DATA_VERIFICATION a dependency for validate_trust.
>>
>> Reported-by: kernel test robot <lkp@xxxxxxxxx>
>> Signed-off-by: Eric Snowberg <eric.snowberg@xxxxxxxxxx>
>
> I wonder if it's better to provide a separate config option for the revocation
> list, say:
>
> config SYSTEM_REVOCATION_LIST
> bool "Add revocation certs to the blacklist keyring"
> depends on SYSTEM_BLACKLIST_KEYRING
> depends on PKCS7_MESSAGE_PARSER
> help
> ...
>
> and use that in blacklist.c.
>
> In keys/system_keyring.h, is_key_on_revocation_list() can then be defaulted to
> return 0 if that is disabled.
I tried something like that in the past. The problem I ran into is someone
could create a config with PKCS7_MESSAGE_PARSER=m. Then pkcs7_validate_trust
would give an undefined reference error.
SYSTEM_DATA_VERIFICATION was the only thing I could find that guaranteed
everything was available. I supposed I could do:
config SYSTEM_REVOCATION_LIST
bool "Add revocation certs to the blacklist keyring"
depends on SYSTEM_BLACKLIST_KEYRING
depends on SYSTEM_DATA_VERIFICATION
help
…
Would you rather I do that instead?
> Btw, I've just noticed that add_key_to_revocation_list() and
> is_key_on_revocation_list() lack kernel doc comments.
I’ll prepare a patch to add the kernel-doc comments.