Re: [PATCH] cert: Add kconfig dependency for validate_trust

From: David Howells
Date: Wed Feb 24 2021 - 07:41:48 EST


Mickaël Salaün <mic@xxxxxxxxxxx> wrote:

> > +config SYSTEM_REVOCATION_LIST
> > + bool "Provide system-wide ring of revocation certificates"
> > + depends on SYSTEM_BLACKLIST_KEYRING
> > + depends on PKCS7_MESSAGE_PARSER=y
>
> The function verify_pkcs7_message_sig() (which is patched) is only
> available if CONFIG_SYSTEM_DATA_VERIFICATION is defined.

That shouldn't matter, at least from a building point of view, since
verify_pkcs7_message_sig() uses the new facility rather than being a
dependency of it - and there's a fallback in place in case you don't want
SYSTEM_REVOCATION_LIST. Note that SYSTEM_DATA_VERIFICATION also doesn't
depend on or select SYSTEM_BLACKLIST_KEYRING - it will use it if it's enabled,
but not otherwise.

> I suggest to use the same dependencies as for my dynamic authenticated
> blacklist keyring patchset.

This, you mean?

config SYSTEM_BLACKLIST_AUTH_UPDATE
bool "Allow root to add signed blacklist keys"
depends on SYSTEM_BLACKLIST_KEYRING
depends on SYSTEM_DATA_VERIFICATION

I.e.:

config SYSTEM_REVOCATION_LIST
bool "Provide system-wide ring of revocation certificates"
depends on SYSTEM_BLACKLIST_KEYRING
depends on SYSTEM_DATA_VERIFICATION
depends on PKCS7_MESSAGE_PARSER=y

I suppose you could argue the it that way since it's only used for that
purpose. Note that it does need the PKCS7 dep since it explicitly uses that
code.

> Could you please not move those functions? It makes the patch more
> readable and avoids merge conflicts (e.g. with the dynamic authenticated
> blacklist keyring patchset). Thanks.

I would suggest merging these changes in so that the error is not found by
bisection. But the functions really are mislocated:-/

David