Re: [PATCH] cert: Add kconfig dependency for validate_trust
From: David Howells
Date: Wed Feb 24 2021 - 07:41:48 EST
Mickaël Salaün <mic@xxxxxxxxxxx> wrote:
> > +config SYSTEM_REVOCATION_LIST
> > + bool "Provide system-wide ring of revocation certificates"
> > + depends on SYSTEM_BLACKLIST_KEYRING
> > + depends on PKCS7_MESSAGE_PARSER=y
>
> The function verify_pkcs7_message_sig() (which is patched) is only
> available if CONFIG_SYSTEM_DATA_VERIFICATION is defined.
That shouldn't matter, at least from a building point of view, since
verify_pkcs7_message_sig() uses the new facility rather than being a
dependency of it - and there's a fallback in place in case you don't want
SYSTEM_REVOCATION_LIST. Note that SYSTEM_DATA_VERIFICATION also doesn't
depend on or select SYSTEM_BLACKLIST_KEYRING - it will use it if it's enabled,
but not otherwise.
> I suggest to use the same dependencies as for my dynamic authenticated
> blacklist keyring patchset.
This, you mean?
config SYSTEM_BLACKLIST_AUTH_UPDATE
bool "Allow root to add signed blacklist keys"
depends on SYSTEM_BLACKLIST_KEYRING
depends on SYSTEM_DATA_VERIFICATION
I.e.:
config SYSTEM_REVOCATION_LIST
bool "Provide system-wide ring of revocation certificates"
depends on SYSTEM_BLACKLIST_KEYRING
depends on SYSTEM_DATA_VERIFICATION
depends on PKCS7_MESSAGE_PARSER=y
I suppose you could argue the it that way since it's only used for that
purpose. Note that it does need the PKCS7 dep since it explicitly uses that
code.
> Could you please not move those functions? It makes the patch more
> readable and avoids merge conflicts (e.g. with the dynamic authenticated
> blacklist keyring patchset). Thanks.
I would suggest merging these changes in so that the error is not found by
bisection. But the functions really are mislocated:-/
David