From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-8.0 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,NICE_REPLY_A,SPF_HELO_NONE,SPF_PASS,USER_AGENT_SANE_1 autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 53783C433E2 for ; Sat, 5 Sep 2020 00:58:09 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 0BB712087C for ; Sat, 5 Sep 2020 00:58:09 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b="IkxsdXwT" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727986AbgIEA6H (ORCPT ); Fri, 4 Sep 2020 20:58:07 -0400 Received: from us-smtp-delivery-124.mimecast.com ([216.205.24.124]:24826 "EHLO us-smtp-delivery-124.mimecast.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726456AbgIEA6H (ORCPT ); Fri, 4 Sep 2020 20:58:07 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1599267485; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=kNBOhuEZgb11jNzVin4vW86ugipWCO8mBgoUlZPaXM0=; b=IkxsdXwT0E8dXDxp6LpfRFDVF2z1iHeySk7ZleXv8ltsQJWl35SZG6kIpe7lFOJuBpyZXT PliItNj4I2CTzVkQS0ZBjTZEcxU8rsZI0xs/DVieS934oIy/PFvhNVygm/TFU46woVCT0X LEgit3NYteOotnm+mkCn+ZzEab/Ucrg= Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-537-uF9XtEZ6OV2bD6ZgtSTOhQ-1; Fri, 04 Sep 2020 20:58:01 -0400 X-MC-Unique: uF9XtEZ6OV2bD6ZgtSTOhQ-1 Received: from smtp.corp.redhat.com (int-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.12]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id EEF211DDEA; Sat, 5 Sep 2020 00:57:59 +0000 (UTC) Received: from [10.10.65.66] (ovpn-65-66.rdu2.redhat.com [10.10.65.66]) by smtp.corp.redhat.com (Postfix) with ESMTP id ADE3460C05; Sat, 5 Sep 2020 00:57:57 +0000 (UTC) Subject: Re: [PATCH 2/3] integrity: Move import of MokListRT certs to a separate routine To: Andy Shevchenko Cc: Linux Kernel Mailing List , linux-efi , Platform Driver , linux-security-module , Ard Biesheuvel , James Morris , "Serge E. Hallyn" , Kees Cook , Mimi Zohar , Borislav Petkov , Peter Jones , David Howells , Prarit Bhargava References: <20200826034455.28707-1-lszubowi@redhat.com> <20200826034455.28707-3-lszubowi@redhat.com> From: Lenny Szubowicz Message-ID: Date: Fri, 4 Sep 2020 20:57:57 -0400 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.11.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit X-Scanned-By: MIMEDefang 2.79 on 10.5.11.12 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 9/2/20 3:55 AM, Andy Shevchenko wrote: > On Wed, Aug 26, 2020 at 6:45 AM Lenny Szubowicz wrote: >> >> Move the loading of certs from the UEFI MokListRT into a separate >> routine to facilitate additional MokList functionality. >> >> There is no visible functional change as a result of this patch. >> Although the UEFI dbx certs are now loaded before the MokList certs, >> they are loaded onto different key rings. So the order of the keys >> on their respective key rings is the same. > > ... > >> /* >> + * load_moklist_certs() - Load MokList certs >> + * >> + * Returns: Summary error status >> + * >> + * Load the certs contained in the UEFI MokListRT database into the >> + * platform trusted keyring. >> + */ > > Hmm... Is it intentionally kept out of kernel doc format? Yes. Since this is a static local routine, I thought that it shouldn't be included by kerneldoc. But I wanted to generally adhere to the kernel doc conventions for a routine header. To that end, in V2 I move the "Return:" section to come after the short description. > >> +static int __init load_moklist_certs(void) >> +{ >> + efi_guid_t mok_var = EFI_SHIM_LOCK_GUID; >> + void *mok = NULL; >> + unsigned long moksize = 0; >> + efi_status_t status; >> + int rc = 0; > > Redundant assignment (see below). > >> + /* Get MokListRT. It might not exist, so it isn't an error >> + * if we can't get it. >> + */ >> + mok = get_cert_list(L"MokListRT", &mok_var, &moksize, &status); > >> + if (!mok) { > > Why not positive conditional? Sometimes ! is hard to notice. > >> + if (status == EFI_NOT_FOUND) >> + pr_debug("MokListRT variable wasn't found\n"); >> + else >> + pr_info("Couldn't get UEFI MokListRT\n"); >> + } else { >> + rc = parse_efi_signature_list("UEFI:MokListRT", >> + mok, moksize, get_handler_for_db); >> + if (rc) >> + pr_err("Couldn't parse MokListRT signatures: %d\n", rc); >> + kfree(mok); > > kfree(...) > if (rc) > ... > return rc; > > And with positive conditional there will be no need to have redundant > 'else' followed by additional level of indentation. > >> + } > >> + return rc; > > return 0; > >> +} > > P.S. Yes, I see that the above was in the original code, so, consider > my comments as suggestions to improve the code. > I agree that your suggestions improve the code. I've incorporated this into V2. -Lenny.