Re: [RFC PATCH v3 01/13] certs: Remove CONFIG_INTEGRITY_PLATFORM_KEYRING check
From: Mimi Zohar
Date: Mon Dec 23 2024 - 08:23:07 EST
Hi Eric,
On Thu, 2024-10-17 at 09:55 -0600, Eric Snowberg wrote:
> Remove the CONFIG_INTEGRITY_PLATFORM_KEYRING ifdef check so this
> pattern does not need to be repeated with new code.
>
> Signed-off-by: Eric Snowberg <eric.snowberg@xxxxxxxxxx>
Ok. The reason why testing the Kconfig is unnecessary should be included in the
patch description. For example,
Commit 219a3e8676f3 ("integrity, KEYS: add a reference to platform keyring")
unnecessarily added the Kconfig test. As platform_trusted_keys is already
initialized, simply use it.
Reviewed-by: Mimi Zohar <zohar@xxxxxxxxxxxxx>
> ---
> certs/system_keyring.c | 6 ------
> 1 file changed, 6 deletions(-)
>
> diff --git a/certs/system_keyring.c b/certs/system_keyring.c
> index 9de610bf1f4b..e344cee10d28 100644
> --- a/certs/system_keyring.c
> +++ b/certs/system_keyring.c
> @@ -24,9 +24,7 @@ static struct key *secondary_trusted_keys;
> #ifdef CONFIG_INTEGRITY_MACHINE_KEYRING
> static struct key *machine_trusted_keys;
> #endif
> -#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
> static struct key *platform_trusted_keys;
> -#endif
>
> extern __initconst const u8 system_certificate_list[];
> extern __initconst const unsigned long system_certificate_list_size;
> @@ -345,11 +343,7 @@ int verify_pkcs7_message_sig(const void *data, size_t len,
> trusted_keys = builtin_trusted_keys;
> #endif
> } else if (trusted_keys == VERIFY_USE_PLATFORM_KEYRING) {
> -#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
> trusted_keys = platform_trusted_keys;
> -#else
> - trusted_keys = NULL;
> -#endif
> if (!trusted_keys) {
> ret = -ENOKEY;
> pr_devel("PKCS#7 platform keyring is not available\n");