Eric Snowberg <[email protected]> wrote:

> The kernel test robot reports when building with Kconfig
> CONFIG_INTEGRITY_PLATFORM_KEYRING defined and 
> CONFIG_SYSTEM_DATA_VERIFICATION undefined:
> 
> ld.lld: error: undefined symbol: pkcs7_validate_trust
> referenced by blacklist.c:128 (certs/blacklist.c:128)
>              blacklist.o:(is_key_on_revocation_list) in archive certs/built-in.a
> 
> Make CONFIG_SYSTEM_DATA_VERIFICATION a dependency for validate_trust.
> 
> Reported-by: kernel test robot <[email protected]>
> Signed-off-by: Eric Snowberg <[email protected]>

I wonder if it's better to provide a separate config option for the revocation
list, say:

        config SYSTEM_REVOCATION_LIST
                bool "Add revocation certs to the blacklist keyring"
                depends on SYSTEM_BLACKLIST_KEYRING
                depends on PKCS7_MESSAGE_PARSER
                help
                  ...

and use that in blacklist.c.

In keys/system_keyring.h, is_key_on_revocation_list() can then be defaulted to
return 0 if that is disabled.

Btw, I've just noticed that add_key_to_revocation_list() and
is_key_on_revocation_list() lack kernel doc comments.

David
