From: kernel test robot <lkp@intel.com>
To: Eric Snowberg <eric.snowberg@oracle.com>,
keyrings@vger.kernel.org, linux-integrity@vger.kernel.org,
zohar@linux.ibm.com, dhowells@redhat.com, dwmw2@infradead.org,
herbert@gondor.apana.org.au, davem@davemloft.net,
jarkko@kernel.org, jmorris@namei.org, serge@hallyn.com
Cc: kbuild-all@lists.01.org
Subject: Re: [PATCH v6 03/13] KEYS: CA link restriction
Date: Thu, 16 Sep 2021 13:46:12 +0800 [thread overview]
Message-ID: <202109161353.wpNkiygQ-lkp@intel.com> (raw)
In-Reply-To: <20210914211416.34096-4-eric.snowberg@oracle.com>
[-- Attachment #1: Type: text/plain, Size: 2802 bytes --]
Hi Eric,
Thank you for the patch! Yet something to improve:
[auto build test ERROR on 6880fa6c56601bb8ed59df6c30fd390cc5f6dd8f]
url: https://github.com/0day-ci/linux/commits/Eric-Snowberg/Enroll-kernel-keys-thru-MOK/20210915-051742
base: 6880fa6c56601bb8ed59df6c30fd390cc5f6dd8f
config: x86_64-randconfig-c022-20210916 (attached as .config)
compiler: gcc-9 (Debian 9.3.0-22) 9.3.0
reproduce (this is a W=1 build):
# https://github.com/0day-ci/linux/commit/f65599b2308bdd9f29cfafd3286622f71aafa0b5
git remote add linux-review https://github.com/0day-ci/linux
git fetch --no-tags linux-review Eric-Snowberg/Enroll-kernel-keys-thru-MOK/20210915-051742
git checkout f65599b2308bdd9f29cfafd3286622f71aafa0b5
# save the attached .config to linux build tree
mkdir build_dir
make W=1 O=build_dir ARCH=x86_64 SHELL=/bin/bash
If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>
All errors (new ones prefixed by >>):
ld: crypto/asymmetric_keys/restrict.o: in function `restrict_link_by_ca':
>> crypto/asymmetric_keys/restrict.c:148: undefined reference to `public_key_verify_signature'
vim +148 crypto/asymmetric_keys/restrict.c
110
111 /**
112 * restrict_link_by_ca - Restrict additions to a ring of CA keys
113 * @dest_keyring: Keyring being linked to.
114 * @type: The type of key being added.
115 * @payload: The payload of the new key.
116 * @trusted: Unused.
117 *
118 * Check if the new certificate is a CA. If it is a CA, then mark the new
119 * certificate as being ok to link.
120 *
121 * Returns 0 if the new certificate was accepted, -ENOKEY if we could not find
122 * a matching parent certificate in the trusted list. -ENOPKG if the signature
123 * uses unsupported crypto, or some other error if there is a matching
124 * certificate but the signature check cannot be performed.
125 */
126 int restrict_link_by_ca(struct key *dest_keyring,
127 const struct key_type *type,
128 const union key_payload *payload,
129 struct key *trust_keyring)
130 {
131 const struct public_key_signature *sig;
132 const struct public_key *pkey;
133
134 if (type != &key_type_asymmetric)
135 return -EOPNOTSUPP;
136
137 sig = payload->data[asym_auth];
138 if (!sig)
139 return -ENOPKG;
140
141 if (!sig->auth_ids[0] && !sig->auth_ids[1])
142 return -ENOKEY;
143
144 pkey = payload->data[asym_crypto];
145 if (!pkey)
146 return -ENOPKG;
147
> 148 return public_key_verify_signature(pkey, sig);
149 }
150
---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org
[-- Attachment #2: .config.gz --]
[-- Type: application/gzip, Size: 33580 bytes --]
WARNING: multiple messages have this Message-ID (diff)
From: kernel test robot <lkp@intel.com>
To: kbuild-all@lists.01.org
Subject: Re: [PATCH v6 03/13] KEYS: CA link restriction
Date: Thu, 16 Sep 2021 13:46:12 +0800 [thread overview]
Message-ID: <202109161353.wpNkiygQ-lkp@intel.com> (raw)
In-Reply-To: <20210914211416.34096-4-eric.snowberg@oracle.com>
[-- Attachment #1: Type: text/plain, Size: 2879 bytes --]
Hi Eric,
Thank you for the patch! Yet something to improve:
[auto build test ERROR on 6880fa6c56601bb8ed59df6c30fd390cc5f6dd8f]
url: https://github.com/0day-ci/linux/commits/Eric-Snowberg/Enroll-kernel-keys-thru-MOK/20210915-051742
base: 6880fa6c56601bb8ed59df6c30fd390cc5f6dd8f
config: x86_64-randconfig-c022-20210916 (attached as .config)
compiler: gcc-9 (Debian 9.3.0-22) 9.3.0
reproduce (this is a W=1 build):
# https://github.com/0day-ci/linux/commit/f65599b2308bdd9f29cfafd3286622f71aafa0b5
git remote add linux-review https://github.com/0day-ci/linux
git fetch --no-tags linux-review Eric-Snowberg/Enroll-kernel-keys-thru-MOK/20210915-051742
git checkout f65599b2308bdd9f29cfafd3286622f71aafa0b5
# save the attached .config to linux build tree
mkdir build_dir
make W=1 O=build_dir ARCH=x86_64 SHELL=/bin/bash
If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>
All errors (new ones prefixed by >>):
ld: crypto/asymmetric_keys/restrict.o: in function `restrict_link_by_ca':
>> crypto/asymmetric_keys/restrict.c:148: undefined reference to `public_key_verify_signature'
vim +148 crypto/asymmetric_keys/restrict.c
110
111 /**
112 * restrict_link_by_ca - Restrict additions to a ring of CA keys
113 * @dest_keyring: Keyring being linked to.
114 * @type: The type of key being added.
115 * @payload: The payload of the new key.
116 * @trusted: Unused.
117 *
118 * Check if the new certificate is a CA. If it is a CA, then mark the new
119 * certificate as being ok to link.
120 *
121 * Returns 0 if the new certificate was accepted, -ENOKEY if we could not find
122 * a matching parent certificate in the trusted list. -ENOPKG if the signature
123 * uses unsupported crypto, or some other error if there is a matching
124 * certificate but the signature check cannot be performed.
125 */
126 int restrict_link_by_ca(struct key *dest_keyring,
127 const struct key_type *type,
128 const union key_payload *payload,
129 struct key *trust_keyring)
130 {
131 const struct public_key_signature *sig;
132 const struct public_key *pkey;
133
134 if (type != &key_type_asymmetric)
135 return -EOPNOTSUPP;
136
137 sig = payload->data[asym_auth];
138 if (!sig)
139 return -ENOPKG;
140
141 if (!sig->auth_ids[0] && !sig->auth_ids[1])
142 return -ENOKEY;
143
144 pkey = payload->data[asym_crypto];
145 if (!pkey)
146 return -ENOPKG;
147
> 148 return public_key_verify_signature(pkey, sig);
149 }
150
---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all(a)lists.01.org
[-- Attachment #2: config.gz --]
[-- Type: application/gzip, Size: 33580 bytes --]
next prev parent reply other threads:[~2021-09-16 5:46 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-09-14 21:14 [PATCH v6 00/13] Enroll kernel keys thru MOK Eric Snowberg
2021-09-14 21:14 ` [PATCH v6 01/13] integrity: Introduce a Linux keyring called machine Eric Snowberg
2021-09-14 21:14 ` [PATCH v6 02/13] integrity: Do not allow machine keyring updates following init Eric Snowberg
2021-09-14 21:14 ` [PATCH v6 03/13] KEYS: CA link restriction Eric Snowberg
2021-09-16 4:21 ` kernel test robot
2021-09-16 4:21 ` kernel test robot
2021-09-16 5:46 ` kernel test robot [this message]
2021-09-16 5:46 ` kernel test robot
2021-09-16 20:05 ` Nayna
2021-09-14 21:14 ` [PATCH v6 04/13] integrity: restrict INTEGRITY_KEYRING_MACHINE to restrict_link_by_ca Eric Snowberg
2021-09-14 21:14 ` [PATCH v6 05/13] integrity: add new keyring handler for mok keys Eric Snowberg
2021-09-16 3:16 ` kernel test robot
2021-09-16 3:16 ` kernel test robot
2021-09-14 21:14 ` [PATCH v6 06/13] KEYS: Rename get_builtin_and_secondary_restriction Eric Snowberg
2021-09-14 21:14 ` [PATCH v6 07/13] KEYS: add a reference to machine keyring Eric Snowberg
2021-09-14 21:14 ` [PATCH v6 08/13] KEYS: Introduce link restriction for machine keys Eric Snowberg
2021-09-14 21:14 ` [PATCH v6 09/13] KEYS: integrity: change link restriction to trust the machine keyring Eric Snowberg
2021-09-14 21:14 ` [PATCH v6 10/13] KEYS: link secondary_trusted_keys to machine trusted keys Eric Snowberg
2021-09-14 21:14 ` [PATCH v6 11/13] integrity: store reference to machine keyring Eric Snowberg
2021-09-14 21:14 ` [PATCH v6 12/13] integrity: Trust MOK keys if MokListTrustedRT found Eric Snowberg
2021-09-16 22:19 ` Peter Jones
2021-09-17 2:00 ` Eric Snowberg
2021-09-17 15:03 ` Peter Jones
2021-09-17 16:06 ` Eric Snowberg
2021-09-14 21:14 ` [PATCH v6 13/13] integrity: Only use machine keyring when uefi_check_trust_mok_keys is true Eric Snowberg
2021-09-15 17:57 ` [PATCH v6 00/13] Enroll kernel keys thru MOK Jarkko Sakkinen
2021-09-15 21:28 ` Eric Snowberg
2021-09-16 15:15 ` Jarkko Sakkinen
2021-09-16 22:14 ` Peter Jones
2021-09-17 1:58 ` Eric Snowberg
2021-09-21 21:03 ` Jarkko Sakkinen
2021-09-16 20:03 ` Nayna
2021-09-17 1:55 ` Eric Snowberg
2021-09-17 18:02 ` Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202109161353.wpNkiygQ-lkp@intel.com \
--to=lkp@intel.com \
--cc=davem@davemloft.net \
--cc=dhowells@redhat.com \
--cc=dwmw2@infradead.org \
--cc=eric.snowberg@oracle.com \
--cc=herbert@gondor.apana.org.au \
--cc=jarkko@kernel.org \
--cc=jmorris@namei.org \
--cc=kbuild-all@lists.01.org \
--cc=keyrings@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=serge@hallyn.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.