All of lore.kernel.org
 help / color / mirror / Atom feed
From: Andy Shevchenko <andy.shevchenko@gmail.com>
To: Lenny Szubowicz <lszubowi@redhat.com>
Cc: Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
	linux-efi <linux-efi@vger.kernel.org>,
	Platform Driver <platform-driver-x86@vger.kernel.org>,
	linux-security-module <linux-security-module@vger.kernel.org>,
	Ard Biesheuvel <ardb@kernel.org>,
	James Morris <jmorris@namei.org>,
	"Serge E. Hallyn" <serge@hallyn.com>,
	Kees Cook <keescook@chromium.org>,
	Mimi Zohar <zohar@linux.ibm.com>, Borislav Petkov <bp@alien8.de>,
	Peter Jones <pjones@redhat.com>,
	David Howells <dhowells@redhat.com>,
	Prarit Bhargava <prarit@redhat.com>
Subject: Re: [PATCH 2/3] integrity: Move import of MokListRT certs to a separate routine
Date: Wed, 2 Sep 2020 10:55:21 +0300	[thread overview]
Message-ID: <CAHp75Vec0a3LC7dGY6wacQu0brc+Zjfowt6kGdcZ9sfMzoDR9g@mail.gmail.com> (raw)
In-Reply-To: <20200826034455.28707-3-lszubowi@redhat.com>

On Wed, Aug 26, 2020 at 6:45 AM Lenny Szubowicz <lszubowi@redhat.com> wrote:
>
> Move the loading of certs from the UEFI MokListRT into a separate
> routine to facilitate additional MokList functionality.
>
> There is no visible functional change as a result of this patch.
> Although the UEFI dbx certs are now loaded before the MokList certs,
> they are loaded onto different key rings. So the order of the keys
> on their respective key rings is the same.

...

>  /*
> + * load_moklist_certs() - Load MokList certs
> + *
> + * Returns:    Summary error status
> + *
> + * Load the certs contained in the UEFI MokListRT database into the
> + * platform trusted keyring.
> + */

Hmm... Is it intentionally kept out of kernel doc format?

> +static int __init load_moklist_certs(void)
> +{
> +       efi_guid_t mok_var = EFI_SHIM_LOCK_GUID;
> +       void *mok = NULL;
> +       unsigned long moksize = 0;
> +       efi_status_t status;
> +       int rc = 0;

Redundant assignment (see below).

> +       /* Get MokListRT. It might not exist, so it isn't an error
> +        * if we can't get it.
> +        */
> +       mok = get_cert_list(L"MokListRT", &mok_var, &moksize, &status);

> +       if (!mok) {

Why not positive conditional? Sometimes ! is hard to notice.

> +               if (status == EFI_NOT_FOUND)
> +                       pr_debug("MokListRT variable wasn't found\n");
> +               else
> +                       pr_info("Couldn't get UEFI MokListRT\n");
> +       } else {
> +               rc = parse_efi_signature_list("UEFI:MokListRT",
> +                                             mok, moksize, get_handler_for_db);
> +               if (rc)
> +                       pr_err("Couldn't parse MokListRT signatures: %d\n", rc);
> +               kfree(mok);

 kfree(...)
 if (rc)
  ...
 return rc;

And with positive conditional there will be no need to have redundant
'else' followed by additional level of indentation.

> +       }

> +       return rc;

return 0;

> +}

P.S. Yes, I see that the above was in the original code, so, consider
my comments as suggestions to improve the code.

-- 
With Best Regards,
Andy Shevchenko

  parent reply	other threads:[~2020-09-02  7:55 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-08-26  3:44 [PATCH 0/3] integrity: Load certs from EFI MOK config table Lenny Szubowicz
2020-08-26  3:44 ` [PATCH 1/3] efi: Support for MOK variable " Lenny Szubowicz
2020-08-26  3:44 ` [PATCH 2/3] integrity: Move import of MokListRT certs to a separate routine Lenny Szubowicz
2020-09-01 20:48   ` Mimi Zohar
2020-09-02  7:55   ` Andy Shevchenko [this message]
2020-09-05  0:57     ` Lenny Szubowicz
2020-08-26  3:44 ` [PATCH 3/3] integrity: Load certs from the EFI MOK config table Lenny Szubowicz
2020-08-26 11:55 ` [PATCH 0/3] integrity: Load certs from " Mimi Zohar
2020-09-05  1:30   ` Lenny Szubowicz

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=CAHp75Vec0a3LC7dGY6wacQu0brc+Zjfowt6kGdcZ9sfMzoDR9g@mail.gmail.com \
    --to=andy.shevchenko@gmail.com \
    --cc=ardb@kernel.org \
    --cc=bp@alien8.de \
    --cc=dhowells@redhat.com \
    --cc=jmorris@namei.org \
    --cc=keescook@chromium.org \
    --cc=linux-efi@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=lszubowi@redhat.com \
    --cc=pjones@redhat.com \
    --cc=platform-driver-x86@vger.kernel.org \
    --cc=prarit@redhat.com \
    --cc=serge@hallyn.com \
    --cc=zohar@linux.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.