From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1757331AbdKRErb (ORCPT ); Fri, 17 Nov 2017 23:47:31 -0500 Received: from mx1.redhat.com ([209.132.183.28]:54084 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753253AbdKRErX (ORCPT ); Fri, 17 Nov 2017 23:47:23 -0500 Date: Sat, 18 Nov 2017 12:47:11 +0800 From: Dave Young To: David Howells Cc: keyrings@vger.kernel.org, linux-kernel@vger.kernel.org, kexec@lists.infradead.org Subject: [PATCH] certs: always use secondary keyring first if possible Message-ID: <20171118044711.GA7352@dhcp-128-65.nay.redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.8.3 (2017-05-23) X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.26]); Sat, 18 Nov 2017 04:47:23 +0000 (UTC) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Commit d3bfe84129f6 introduced secondary_trusted_keys keyring, current users of verify_pkcs7_signature are below: net/wireless/reg.c : uses its own trusted_keys kernel/module_signing.c : pass NULL trusted_keys crypto/asymmetric_keys/verify_pefile.c : pass NULL trusted_keys For both module and pefile verification, there is no reason to use builtin keys only. Actually in Fedora kernel module signing code passes 1UL, but kexec code does not pass 1UL for pefile verification thus we have below bug https://bugzilla.redhat.com/show_bug.cgi?id=1470995 Drop the hard code 1UL checking so that pefile verification can use secondary keyring as well. Signed-off-by: Dave Young --- certs/system_keyring.c | 2 -- 1 file changed, 2 deletions(-) --- linux-x86.orig/certs/system_keyring.c +++ linux-x86/certs/system_keyring.c @@ -229,8 +229,6 @@ int verify_pkcs7_signature(const void *d goto error; if (!trusted_keys) { - trusted_keys = builtin_trusted_keys; - } else if (trusted_keys == (void *)1UL) { #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING trusted_keys = secondary_trusted_keys; #else