Re: [PATCH] cert: Add kconfig dependency for validate_trust

2021-02-25 Thread David Howells
Eric Snowberg wrote: > > I've added an extra config option to turn on SYSTEM_REVOCATION_LIST support. > > I believe this is ok. However currently, whenever the kernel finds either an > EFI_CERT_SHA256_GUID or EFI_CERT_X509_SHA256_GUID entry in the dbx, it loads > it into the blacklist keyring.

Re: [PATCH] cert: Add kconfig dependency for validate_trust

2021-02-24 Thread Eric Snowberg
> On Feb 24, 2021, at 3:51 AM, David Howells wrote: > > How about these changes? > > I've added an extra config option to turn on SYSTEM_REVOCATION_LIST support. I believe this is ok. However currently, whenever the kernel finds either an EFI_CERT_SHA256_GUID or EFI_CERT_X509_SHA256_GUID ent

Re: [PATCH] cert: Add kconfig dependency for validate_trust

2021-02-24 Thread David Howells
Mickaël Salaün wrote: > > +config SYSTEM_REVOCATION_LIST > > + bool "Provide system-wide ring of revocation certificates" > > + depends on SYSTEM_BLACKLIST_KEYRING > > + depends on PKCS7_MESSAGE_PARSER=y > > The function verify_pkcs7_message_sig() (which is patched) is only > available if

Re: [PATCH] cert: Add kconfig dependency for validate_trust

2021-02-24 Thread Mickaël Salaün
On 24/02/2021 11:51, David Howells wrote: > How about these changes? > > I've added an extra config option to turn on SYSTEM_REVOCATION_LIST support. > > I've also added kerneldoc comments and moved the functions so that they're not > in the middle of the blacklist-specific stuff. > > I'm not

Re: [PATCH] cert: Add kconfig dependency for validate_trust

2021-02-24 Thread David Howells
How about these changes? I've added an extra config option to turn on SYSTEM_REVOCATION_LIST support. I've also added kerneldoc comments and moved the functions so that they're not in the middle of the blacklist-specific stuff. I'm not sure uefi_revocation_list_x509() needs conditionalising as t

Re: [PATCH] cert: Add kconfig dependency for validate_trust

2021-02-23 Thread Eric Snowberg
> On Feb 23, 2021, at 4:47 PM, David Howells wrote: > > Eric Snowberg wrote: > >> The kernel test robot reports when building with Kconfig >> CONFIG_INTEGRITY_PLATFORM_KEYRING defined and >> CONFIG_SYSTEM_DATA_VERIFICATION undefined: >> >> ld.lld: error: undefined symbol: pkcs7_validate_tru

Re: [PATCH] cert: Add kconfig dependency for validate_trust

2021-02-23 Thread David Howells
Eric Snowberg wrote: > The kernel test robot reports when building with Kconfig > CONFIG_INTEGRITY_PLATFORM_KEYRING defined and > CONFIG_SYSTEM_DATA_VERIFICATION undefined: > > ld.lld: error: undefined symbol: pkcs7_validate_trust > referenced by blacklist.c:128 (certs/blacklist.c:128) >

[PATCH] cert: Add kconfig dependency for validate_trust

2021-02-17 Thread Eric Snowberg
The kernel test robot reports when building with Kconfig CONFIG_INTEGRITY_PLATFORM_KEYRING defined and CONFIG_SYSTEM_DATA_VERIFICATION undefined: ld.lld: error: undefined symbol: pkcs7_validate_trust referenced by blacklist.c:128 (certs/blacklist.c:128) blacklist.o:(is_key_on_revocat
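As an added illustration, not code from this thread or from the kernel tree: a small shell check that scans a .config for the combination the kernel test robot reported above, CONFIG_INTEGRITY_PLATFORM_KEYRING=y with CONFIG_SYSTEM_DATA_VERIFICATION unset, which on a tree without this fix fails to link with "undefined symbol: pkcs7_validate_trust". The function names and the two sample configs are constructed for this example.

```shell
#!/bin/sh
# Added example (not part of the thread or the kernel tree): flag a .config
# that pairs CONFIG_INTEGRITY_PLATFORM_KEYRING=y with
# CONFIG_SYSTEM_DATA_VERIFICATION unset, the combination reported by the
# kernel test robot as failing to link certs/blacklist.c.
# config_value, check_revocation_config and the sample configs are constructed.

# Print the value of a Kconfig symbol from a .config file: "y", "m", a
# string/number, or "n" when the symbol is absent or marked "is not set".
config_value() {
    file=$1
    sym=$2
    val=$(sed -n "s/^CONFIG_${sym}=//p" "$file" | head -n 1)
    if [ -z "$val" ]; then
        echo n
    else
        echo "$val"
    fi
}

# Return 0 when the .config is free of the reported combination, 1 otherwise.
check_revocation_config() {
    file=$1
    pk=$(config_value "$file" INTEGRITY_PLATFORM_KEYRING)
    sdv=$(config_value "$file" SYSTEM_DATA_VERIFICATION)
    if [ "$pk" = y ] && [ "$sdv" = n ]; then
        echo "$file: INTEGRITY_PLATFORM_KEYRING=y without SYSTEM_DATA_VERIFICATION;" \
             "expect 'undefined symbol: pkcs7_validate_trust' at link time on a tree without the fix" >&2
        return 1
    fi
    return 0
}

# Constructed sample configs, not real kernel build configs.
bad_config=$(mktemp)
cat >"$bad_config" <<'EOF'
CONFIG_KEYS=y
CONFIG_INTEGRITY=y
CONFIG_INTEGRITY_PLATFORM_KEYRING=y
# CONFIG_SYSTEM_DATA_VERIFICATION is not set
CONFIG_SYSTEM_BLACKLIST_KEYRING=y
EOF

good_config=$(mktemp)
cat >"$good_config" <<'EOF'
CONFIG_KEYS=y
CONFIG_INTEGRITY=y
CONFIG_INTEGRITY_PLATFORM_KEYRING=y
CONFIG_SYSTEM_DATA_VERIFICATION=y
CONFIG_PKCS7_MESSAGE_PARSER=y
CONFIG_SYSTEM_BLACKLIST_KEYRING=y
EOF
```

Run it as `check_revocation_config /path/to/.config` before building an older tree; once the Kconfig dependency from this thread is in place, Kconfig itself refuses the combination and the check is only useful for diagnosing trees that predate the fix.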