From: Dave Young <dyoung@redhat.com>
To: David Howells <dhowells@redhat.com>
Cc: keyrings@vger.kernel.org, linux-kernel@vger.kernel.org,
kexec@lists.infradead.org
Subject: [PATCH] certs: always use secondary keyring first if possible
Date: Sat, 18 Nov 2017 12:47:11 +0800 [thread overview]
Message-ID: <20171118044711.GA7352@dhcp-128-65.nay.redhat.com> (raw)
Commit d3bfe84129f6 introduced secondary_trusted_keys keyring, current
users of verify_pkcs7_signature are below:
net/wireless/reg.c : uses its own trusted_keys
kernel/module_signing.c : pass NULL trusted_keys
crypto/asymmetric_keys/verify_pefile.c : pass NULL trusted_keys
For both module and pefile verification, there is no reason to use builtin
keys only. Actually in Fedora kernel module signing code passes 1UL, but
kexec code does not pass 1UL for pefile verification thus we have below bug
https://bugzilla.redhat.com/show_bug.cgi?id=1470995
Drop the hard code 1UL checking so that pefile verification can use
secondary keyring as well.
Signed-off-by: Dave Young <dyoung@redhat.com>
---
certs/system_keyring.c | 2 --
1 file changed, 2 deletions(-)
--- linux-x86.orig/certs/system_keyring.c
+++ linux-x86/certs/system_keyring.c
@@ -229,8 +229,6 @@ int verify_pkcs7_signature(const void *d
goto error;
if (!trusted_keys) {
- trusted_keys = builtin_trusted_keys;
- } else if (trusted_keys == (void *)1UL) {
#ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
trusted_keys = secondary_trusted_keys;
#else
next reply other threads:[~2017-11-18 4:47 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-11-18 4:47 Dave Young [this message]
2017-11-29 2:15 ` [PATCH] certs: always use secondary keyring first if possible Dave Young
2017-12-14 10:25 ` Dave Young
2018-06-08 7:28 ` Dave Young
2018-06-08 8:53 ` Dave Young
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20171118044711.GA7352@dhcp-128-65.nay.redhat.com \
--to=dyoung@redhat.com \
--cc=dhowells@redhat.com \
--cc=kexec@lists.infradead.org \
--cc=keyrings@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).