Re: [PATCH v5 08/12] KEYS: integrity: change link restriction to trust the machine keyring

From: Mimi Zohar
Date: Thu Sep 09 2021 - 13:27:43 EST


Hi Eric,

On Tue, 2021-09-07 at 12:01 -0400, Eric Snowberg wrote:

> diff --git a/certs/system_keyring.c b/certs/system_keyring.c
> index 955bd57815f4..747f0c528fec 100644
> --- a/certs/system_keyring.c
> +++ b/certs/system_keyring.c
> @@ -89,7 +89,10 @@ static __init struct key_restriction *get_builtin_and_secondary_restriction(void
> if (!restriction)
> panic("Can't allocate secondary trusted keyring restriction\n");
>
> - restriction->check = restrict_link_by_builtin_and_secondary_trusted;
> + if (IS_ENABLED(CONFIG_INTEGRITY_MACHINE_KEYRING))
> + restriction->check = restrict_link_by_builtin_secondary_and_ca_trusted;
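Review bot: The quoted excerpt ends at the new `if (IS_ENABLED(CONFIG_INTEGRITY_MACHINE_KEYRING))` branch, so the fallback for the disabled case is not visible here; please confirm that an `else` still assigns `restrict_link_by_builtin_and_secondary_trusted` (the hunk header's 7 -> 10 line count suggests two further added lines), because otherwise `restriction->check` is left NULL and the secondary keyring would have no link check at all. Since `IS_ENABLED()` is a compile-time constant, the branch costs nothing at runtime and the pattern is fine; it would also help to add a one-line comment above it stating that the CA-trusted variant additionally accepts keys vouched for by the machine keyring, since the callback name alone does not say that.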

Returning the new restriction in a function named
get_builtin_and_secondary_restriction() is kind of weird. Renaming the
function to get_secondary_restriction() would be clearer.

thanks,

Mimi