On 1/8/26 5:54 PM, Farhan Ali wrote:
> <..snip...>
> 
> On 12/8/2025 1:32 PM, Zhuoying Cai wrote:
>> +static int build_vce_data(VCEntry *vce, S390IPLCertificate cert)
>> +{
>> +    uint16_t keyid_field_len;
>> +    uint16_t hash_field_len;
>> +    uint32_t cert_field_len;
>> +    uint32_t vce_len;
>> +    int rc;
>> +
>> +    handle_key_id(vce, cert);
>> +    /* vce key id field length - can be 0 if failed to retrieve */
>> +    keyid_field_len = ROUND_UP(be16_to_cpu(vce->keyid_len), 4);
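Review bot: keyid_field_len is declared uint16_t, so at `keyid_field_len = ROUND_UP(be16_to_cpu(vce->keyid_len), 4);` a keyid_len above 0xFFFC rounds up to 0x10000 and truncates to 0, which is the same value the comment reserves for "failed to retrieve". The same applies to hash_field_len. Declaring the rounded field lengths as uint32_t, as cert_field_len already is, or rejecting an oversized length before rounding, keeps the vce_len sum from under-counting. The comment should also say where vce->keyid_len is guaranteed to be zero on failure, since the handle_key_id() call has no return value checked here.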
> 
> If we fail to retrieve the key, does it make sense to build the VCE? I 
> think we need the key to verify the signature of the certificate, so why 
> not mark the certificate as invalid?
> 
> 

The key ID is used to identify the public key in the certificate, but
it is not utilized in the current patch series. Therefore, I thought it
would be acceptable to continue building the VCE without this field,
though I am open to other ideas or suggestions on how to handle it.

>> +
>> +    rc = handle_hash(vce, cert, keyid_field_len);
>> +    if (rc) {
>> +        return -1;
>> +    }
>> +    hash_field_len = ROUND_UP(be16_to_cpu(vce->hash_len), 4);
>> +
>> +    rc = handle_cert(vce, cert, hash_field_len);
>> +    if (rc || !is_cert_valid(cert)) {
>> +        return -1;
>> +    }
>> +    /* vce certificate field length */
>> +    cert_field_len = ROUND_UP(be32_to_cpu(vce->cert_len), 4);
>> +
>> +    vce_len = VCE_HEADER_LEN + keyid_field_len + hash_field_len + 
>> cert_field_len;
>> +    if (vce_len > be32_to_cpu(vce->len)) {
>> +        return -1;
>> +    }
>> +
>> +    /* The certificate is valid and VCE contains the certificate */
>> +    vce->flags |= DIAG_320_VCE_FLAGS_VALID;
>> +
>> +    /* Update vce length to reflect the actual size used by vce */
>> +    vce->len = cpu_to_be32(vce_len);
>> +
>> +    return 0;
>> +}
>> +
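Review bot: the bounds check `if (vce_len > be32_to_cpu(vce->len))` runs only after handle_hash() and handle_cert() have already been called with the preceding field lengths as offsets, so if those helpers copy data into the VCE, the copy happens before the total is compared against the available length in vce->len. Whether each helper bounds its own write is not visible in this hunk; either perform the length comparison before filling the fields, or add a comment stating that the helpers enforce the limit themselves. It would also help to document that a -1 return leaves DIAG_320_VCE_FLAGS_VALID clear and vce->len unchanged, since the caller has to size the entry from one of the two.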
> 
> <...snip...>
> 

