[PATCH v7 0/4] Check codeSigning extended key usage extension

[PATCH v7 0/4] Check codeSigning extended key usage extension

[Lee, Chun-Yi]

NIAP PP_OS certification requests that the OS shall validate the
CodeSigning extended key usage extension field for integrity
verifiction of exectable code:

    https://www.niap-ccevs.org/MMO/PP/-442-/
        FIA_X509_EXT.1.1

This patchset adds the logic for parsing the codeSigning EKU extension
field in X.509. And checking the CodeSigning EKU when verifying
signature of kernel module or kexec PE binary in PKCS#7.

v7:
- Fixed the broken function call in is_key_on_revocation_list().
  (be found by kernel test robot)
- Use a general name check_eku_by_usage() instead of check_codesign_eku().

v6:
- Add more length checking when parsing extKeyUsage and EKU's OID blob.
- Add 'usage' parameter to the comment of pkcs7_validate_trust function.

v5:
Fixed the wording in module-signing.rst.

v4:
Fixed the wording in patch description.

v3:
- Add codeSigning EKU to x509.genkey key generation config.
- Add openssl command option example for generating CodeSign EKU to
  module-signing.rst document.

v2:
Changed the help wording in the Kconfig.

Lee, Chun-Yi (4):
  X.509: Add CodeSigning extended key usage parsing
  PKCS#7: Check codeSigning EKU for kernel module and kexec pe
    verification
  modsign: Add codeSigning EKU when generating X.509 key generation
    config
  Documentation/admin-guide/module-signing.rst: add openssl command
    option example for CodeSign EKU

 Documentation/admin-guide/module-signing.rst |  6 ++++
 certs/Makefile                               |  1 +
 certs/blacklist.c                            |  6 ++--
 certs/system_keyring.c                       |  4 +--
 crypto/asymmetric_keys/Kconfig               |  9 ++++++
 crypto/asymmetric_keys/pkcs7_trust.c         | 43 ++++++++++++++++++++++++++--
 crypto/asymmetric_keys/x509_cert_parser.c    | 25 ++++++++++++++++
 include/crypto/pkcs7.h                       |  4 ++-
 include/crypto/public_key.h                  |  1 +
 include/keys/system_keyring.h                |  7 +++--
 include/linux/oid_registry.h                 |  5 ++++
 11 files changed, 101 insertions(+), 10 deletions(-)

-- 
2.16.4

[PATCH v7,1/4] X.509: Add CodeSigning extended key usage parsing

[Lee, Chun-Yi]

This patch adds the logic for parsing the CodeSign extended key usage
extension in X.509. The parsing result will be set to the eku flag
which is carried by public key. It can be used in the PKCS#7
verification.

Signed-off-by: "Lee, Chun-Yi" <jlee@suse.com>
---
 crypto/asymmetric_keys/x509_cert_parser.c | 25 +++++++++++++++++++++++++
 include/crypto/public_key.h               |  1 +
 include/linux/oid_registry.h              |  5 +++++
 3 files changed, 31 insertions(+)

diff --git a/crypto/asymmetric_keys/x509_cert_parser.c b/crypto/asymmetric_keys/x509_cert_parser.c
index 6d003096b5bc..996db9419474 100644
--- a/crypto/asymmetric_keys/x509_cert_parser.c
+++ b/crypto/asymmetric_keys/x509_cert_parser.c
@@ -542,6 +542,8 @@ int x509_process_extension(void *context, size_t hdrlen,
 	struct x509_parse_context *ctx = context;
 	struct asymmetric_key_id *kid;
 	const unsigned char *v = value;
+	int i = 0;
+	enum OID oid;
 
 	pr_debug("Extension: %u\n", ctx->last_oid);
 
@@ -571,6 +573,29 @@ int x509_process_extension(void *context, size_t hdrlen,
 		return 0;
 	}
 
+	if (ctx->last_oid == OID_extKeyUsage) {
+		if (vlen < 2 ||
+		    v[0] != ((ASN1_UNIV << 6) | ASN1_CONS_BIT | ASN1_SEQ) ||
+		    v[1] != vlen - 2)
+			return -EBADMSG;
+		i += 2;
+
+		while (i < vlen) {
+			/* A 10 bytes EKU OID Octet blob =
+			 * ASN1_OID + size byte + 8 bytes OID */
+			if ((i + 10) > vlen || v[i] != ASN1_OID || v[i + 1] != 8)
+				return -EBADMSG;
+
+			oid = look_up_OID(v + i + 2, v[i + 1]);
+			if (oid == OID_codeSigning) {
+				ctx->cert->pub->eku |= EKU_codeSigning;
+			}
+			i += 10;
+		}
+		pr_debug("extKeyUsage: %d\n", ctx->cert->pub->eku);
+		return 0;
+	}
+
 	return 0;
 }
 
diff --git a/include/crypto/public_key.h b/include/crypto/public_key.h
index 47accec68cb0..1ccaebe2a28b 100644
--- a/include/crypto/public_key.h
+++ b/include/crypto/public_key.h
@@ -28,6 +28,7 @@ struct public_key {
 	bool key_is_private;
 	const char *id_type;
 	const char *pkey_algo;
+	unsigned int eku : 9;      /* Extended Key Usage (9-bit) */
 };
 
 extern void public_key_free(struct public_key *key);
diff --git a/include/linux/oid_registry.h b/include/linux/oid_registry.h
index 461b7aa587ba..8c8935f0eb73 100644
--- a/include/linux/oid_registry.h
+++ b/include/linux/oid_registry.h
@@ -125,9 +125,14 @@ enum OID {
 	OID_TPMImportableKey,		/* 2.23.133.10.1.4 */
 	OID_TPMSealedData,		/* 2.23.133.10.1.5 */
 
+	/* Extended key purpose OIDs [RFC 5280] */
+	OID_codeSigning,		/* 1.3.6.1.5.5.7.3.3 */
+
 	OID__NR
 };
 
+#define EKU_codeSigning	(1 << 2)
+
 extern enum OID look_up_OID(const void *data, size_t datasize);
 extern int parse_OID(const void *data, size_t datasize, enum OID *oid);
 extern int sprint_oid(const void *, size_t, char *, size_t);
-- 
2.16.4

[PATCH v7,2/4] PKCS#7: Check codeSigning EKU for kernel module and kexec pe verification

[Lee, Chun-Yi]

This patch adds the logic for checking the CodeSigning extended
key usage when verifying signature of kernel module or
kexec PE binary in PKCS#7.

Signed-off-by: "Lee, Chun-Yi" <jlee@suse.com>
---
 certs/blacklist.c                    |  6 +++--
 certs/system_keyring.c               |  4 ++--
 crypto/asymmetric_keys/Kconfig       |  9 ++++++++
 crypto/asymmetric_keys/pkcs7_trust.c | 43 +++++++++++++++++++++++++++++++++---
 include/crypto/pkcs7.h               |  4 +++-
 include/keys/system_keyring.h        |  7 ++++--
 6 files changed, 63 insertions(+), 10 deletions(-)

diff --git a/certs/blacklist.c b/certs/blacklist.c
index c9a435b15af4..a4ef26286584 100644
--- a/certs/blacklist.c
+++ b/certs/blacklist.c
@@ -16,6 +16,7 @@
 #include <linux/seq_file.h>
 #include <linux/uidgid.h>
 #include <keys/system_keyring.h>
+#include <keys/asymmetric-type.h>
 #include "blacklist.h"
 #include "common.h"
 
@@ -181,11 +182,12 @@ int add_key_to_revocation_list(const char *data, size_t size)
  * is_key_on_revocation_list - Determine if the key for a PKCS#7 message is revoked
  * @pkcs7: The PKCS#7 message to check
  */
-int is_key_on_revocation_list(struct pkcs7_message *pkcs7)
+int is_key_on_revocation_list(struct pkcs7_message *pkcs7,
+			      enum key_being_used_for usage)
 {
 	int ret;
 
-	ret = pkcs7_validate_trust(pkcs7, blacklist_keyring);
+	ret = pkcs7_validate_trust(pkcs7, blacklist_keyring, usage, false);
 
 	if (ret == 0)
 		return -EKEYREJECTED;
diff --git a/certs/system_keyring.c b/certs/system_keyring.c
index 692365dee2bd..394cf4e0feed 100644
--- a/certs/system_keyring.c
+++ b/certs/system_keyring.c
@@ -221,13 +221,13 @@ int verify_pkcs7_message_sig(const void *data, size_t len,
 			goto error;
 		}
 
-		ret = is_key_on_revocation_list(pkcs7);
+		ret = is_key_on_revocation_list(pkcs7, usage);
 		if (ret != -ENOKEY) {
 			pr_devel("PKCS#7 platform key is on revocation list\n");
 			goto error;
 		}
 	}
-	ret = pkcs7_validate_trust(pkcs7, trusted_keys);
+	ret = pkcs7_validate_trust(pkcs7, trusted_keys, usage, true);
 	if (ret < 0) {
 		if (ret == -ENOKEY)
 			pr_devel("PKCS#7 signature not signed with a trusted key\n");
diff --git a/crypto/asymmetric_keys/Kconfig b/crypto/asymmetric_keys/Kconfig
index 1f1f004dc757..1754812df989 100644
--- a/crypto/asymmetric_keys/Kconfig
+++ b/crypto/asymmetric_keys/Kconfig
@@ -96,4 +96,13 @@ config SIGNED_PE_FILE_VERIFICATION
 	  This option provides support for verifying the signature(s) on a
 	  signed PE binary.
 
+config CHECK_CODESIGN_EKU
+	bool "Check codeSigning extended key usage"
+	depends on PKCS7_MESSAGE_PARSER=y
+	depends on SYSTEM_DATA_VERIFICATION
+	help
+	  This option provides support for checking the codeSigning extended
+	  key usage when verifying the signature in PKCS#7. It affects kernel
+	  module verification and kexec PE binary verification.
+
 endif # ASYMMETRIC_KEY_TYPE
diff --git a/crypto/asymmetric_keys/pkcs7_trust.c b/crypto/asymmetric_keys/pkcs7_trust.c
index b531df2013c4..c6ebf3e6adfd 100644
--- a/crypto/asymmetric_keys/pkcs7_trust.c
+++ b/crypto/asymmetric_keys/pkcs7_trust.c
@@ -16,12 +16,40 @@
 #include <crypto/public_key.h>
 #include "pkcs7_parser.h"
 
+#ifdef CONFIG_CHECK_CODESIGN_EKU
+static bool check_eku_by_usage(struct key *key, enum key_being_used_for usage)
+{
+	struct public_key *public_key = key->payload.data[asym_crypto];
+	bool ret = true;
+
+	switch (usage) {
+	case VERIFYING_MODULE_SIGNATURE:
+	case VERIFYING_KEXEC_PE_SIGNATURE:
+		ret = !!(public_key->eku & EKU_codeSigning);
+		if (!ret)
+			pr_warn("The signer '%s' key is not CodeSigning\n",
+				key->description);
+		break;
+	default:
+		break;
+	}
+	return ret;
+}
+#else
+static bool check_eku_by_usage(struct key *key, enum key_being_used_for usage)
+{
+	return true;
+}
+#endif
+
 /*
  * Check the trust on one PKCS#7 SignedInfo block.
  */
 static int pkcs7_validate_trust_one(struct pkcs7_message *pkcs7,
 				    struct pkcs7_signed_info *sinfo,
-				    struct key *trust_keyring)
+				    struct key *trust_keyring,
+				    enum key_being_used_for usage,
+				    bool check_eku)
 {
 	struct public_key_signature *sig = sinfo->sig;
 	struct x509_certificate *x509, *last = NULL, *p;
@@ -112,6 +140,10 @@ static int pkcs7_validate_trust_one(struct pkcs7_message *pkcs7,
 	return -ENOKEY;
 
 matched:
+	if (check_eku && !check_eku_by_usage(key, usage)) {
+		key_put(key);
+		return -ENOKEY;
+	}
 	ret = verify_signature(key, sig);
 	key_put(key);
 	if (ret < 0) {
@@ -135,6 +167,8 @@ static int pkcs7_validate_trust_one(struct pkcs7_message *pkcs7,
  * pkcs7_validate_trust - Validate PKCS#7 trust chain
  * @pkcs7: The PKCS#7 certificate to validate
  * @trust_keyring: Signing certificates to use as starting points
+ * @usage: The use to which the key is being put.
+ * @check_eku: Check EKU (Extended Key Usage)
  *
  * Validate that the certificate chain inside the PKCS#7 message intersects
  * keys we already know and trust.
@@ -156,7 +190,9 @@ static int pkcs7_validate_trust_one(struct pkcs7_message *pkcs7,
  * May also return -ENOMEM.
  */
 int pkcs7_validate_trust(struct pkcs7_message *pkcs7,
-			 struct key *trust_keyring)
+			 struct key *trust_keyring,
+			 enum key_being_used_for usage,
+			 bool check_eku)
 {
 	struct pkcs7_signed_info *sinfo;
 	struct x509_certificate *p;
@@ -167,7 +203,8 @@ int pkcs7_validate_trust(struct pkcs7_message *pkcs7,
 		p->seen = false;
 
 	for (sinfo = pkcs7->signed_infos; sinfo; sinfo = sinfo->next) {
-		ret = pkcs7_validate_trust_one(pkcs7, sinfo, trust_keyring);
+		ret = pkcs7_validate_trust_one(pkcs7, sinfo, trust_keyring,
+					       usage, check_eku);
 		switch (ret) {
 		case -ENOKEY:
 			continue;
diff --git a/include/crypto/pkcs7.h b/include/crypto/pkcs7.h
index 38ec7f5f9041..5d87b8a02f79 100644
--- a/include/crypto/pkcs7.h
+++ b/include/crypto/pkcs7.h
@@ -30,7 +30,9 @@ extern int pkcs7_get_content_data(const struct pkcs7_message *pkcs7,
  * pkcs7_trust.c
  */
 extern int pkcs7_validate_trust(struct pkcs7_message *pkcs7,
-				struct key *trust_keyring);
+				struct key *trust_keyring,
+				enum key_being_used_for usage,
+				bool check_eku);
 
 /*
  * pkcs7_verify.c
diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h
index 6acd3cf13a18..3da982c3aef5 100644
--- a/include/keys/system_keyring.h
+++ b/include/keys/system_keyring.h
@@ -9,6 +9,7 @@
 #define _KEYS_SYSTEM_KEYRING_H
 
 #include <linux/key.h>
+#include <keys/asymmetric-type.h>
 
 #ifdef CONFIG_SYSTEM_TRUSTED_KEYRING
 
@@ -59,13 +60,15 @@ static inline int is_binary_blacklisted(const u8 *hash, size_t hash_len)
 
 #ifdef CONFIG_SYSTEM_REVOCATION_LIST
 extern int add_key_to_revocation_list(const char *data, size_t size);
-extern int is_key_on_revocation_list(struct pkcs7_message *pkcs7);
+extern int is_key_on_revocation_list(struct pkcs7_message *pkcs7,
+				     enum key_being_used_for usage);
 #else
 static inline int add_key_to_revocation_list(const char *data, size_t size)
 {
 	return 0;
 }
-static inline int is_key_on_revocation_list(struct pkcs7_message *pkcs7)
+static inline int is_key_on_revocation_list(struct pkcs7_message *pkcs7,
+					    enum key_being_used_for usage);
 {
 	return -ENOKEY;
 }
-- 
2.16.4

[PATCH v7,3/4] modsign: Add codeSigning EKU when generating X.509 key generation config

[Lee, Chun-Yi]

Add codeSigning EKU to the X.509 key generation config for the build time
autogenerated kernel key.

Signed-off-by: "Lee, Chun-Yi" <jlee@suse.com>
---
 certs/Makefile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/certs/Makefile b/certs/Makefile
index 359239a0ee9e..278e83d23aeb 100644
--- a/certs/Makefile
+++ b/certs/Makefile
@@ -99,6 +99,7 @@ $(obj)/x509.genkey:
 	@echo >>$@ "keyUsage=digitalSignature"
 	@echo >>$@ "subjectKeyIdentifier=hash"
 	@echo >>$@ "authorityKeyIdentifier=keyid"
+	@echo >>$@ "extendedKeyUsage=codeSigning"
 endif # CONFIG_MODULE_SIG_KEY
 
 $(eval $(call config_filename,MODULE_SIG_KEY))
-- 
2.16.4

[PATCH v7,4/4] Documentation/admin-guide/module-signing.rst: add openssl command option example for CodeSign EKU

[Lee, Chun-Yi]

Add an openssl command option example for generating CodeSign extended
key usage in X.509 when CONFIG_CHECK_CODESIGN_EKU is enabled.

Signed-off-by: "Lee, Chun-Yi" <jlee@suse.com>
---
 Documentation/admin-guide/module-signing.rst | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/Documentation/admin-guide/module-signing.rst b/Documentation/admin-guide/module-signing.rst
index 7d7c7c8a545c..ca3b8f19466c 100644
--- a/Documentation/admin-guide/module-signing.rst
+++ b/Documentation/admin-guide/module-signing.rst
@@ -170,6 +170,12 @@ generate the public/private key files::
 	   -config x509.genkey -outform PEM -out kernel_key.pem \
 	   -keyout kernel_key.pem
 
+When ``CONFIG_CHECK_CODESIGN_EKU`` option is enabled, the following openssl
+command option should be added where for generating CodeSign extended key usage
+in X.509::
+
+        -addext "extendedKeyUsage=codeSigning"
+
 The full pathname for the resulting kernel_key.pem file can then be specified
 in the ``CONFIG_MODULE_SIG_KEY`` option, and the certificate and key therein will
 be used instead of an autogenerated keypair.
-- 
2.16.4

Re: [PATCH v7,2/4] PKCS#7: Check codeSigning EKU for kernel module and kexec pe verification

[kernel test robot]

[-- Attachment #1: Type: text/plain, Size: 3516 bytes --]

Hi Chun-Yi",

I love your patch! Yet something to improve:

[auto build test ERROR on cryptodev/master]
[also build test ERROR on linus/master v5.13-rc2 next-20210521]
[cannot apply to crypto/master sparc-next/master]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch]

url:    https://github.com/0day-ci/linux/commits/Lee-Chun-Yi/Check-codeSigning-extended-key-usage-extension/20210522-220349
base:   https://git.kernel.org/pub/scm/linux/kernel/git/herbert/cryptodev-2.6.git master
config: sparc64-randconfig-s032-20210522 (attached as .config)
compiler: sparc64-linux-gcc (GCC) 9.3.0
reproduce:
        wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
        chmod +x ~/bin/make.cross
        # apt-get install sparse
        # sparse version: v0.6.3-341-g8af24329-dirty
        # https://github.com/0day-ci/linux/commit/928555596c9cd62caabf8777ed8152ddac2609ef
        git remote add linux-review https://github.com/0day-ci/linux
        git fetch --no-tags linux-review Lee-Chun-Yi/Check-codeSigning-extended-key-usage-extension/20210522-220349
        git checkout 928555596c9cd62caabf8777ed8152ddac2609ef
        # save the attached .config to linux build tree
        COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-9.3.0 make.cross C=1 CF='-fdiagnostic-prefix -D__CHECK_ENDIAN__' W=1 ARCH=sparc64 

If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>

All errors (new ones prefixed by >>):

   In file included from security/integrity/digsig.c:18:
>> include/keys/system_keyring.h:72:1: error: expected identifier or '(' before '{' token
      72 | {
         | ^
   In file included from security/integrity/digsig.c:18:
   include/keys/system_keyring.h:70:19: warning: 'is_key_on_revocation_list' declared 'static' but never defined [-Wunused-function]
      70 | static inline int is_key_on_revocation_list(struct pkcs7_message *pkcs7,
         |                   ^~~~~~~~~~~~~~~~~~~~~~~~~


vim +72 include/keys/system_keyring.h

734114f8782f6c David Howells 2017-04-03  60  
56c5812623f953 Eric Snowberg 2021-01-22  61  #ifdef CONFIG_SYSTEM_REVOCATION_LIST
56c5812623f953 Eric Snowberg 2021-01-22  62  extern int add_key_to_revocation_list(const char *data, size_t size);
928555596c9cd6 Lee, Chun-Yi  2021-05-21  63  extern int is_key_on_revocation_list(struct pkcs7_message *pkcs7,
928555596c9cd6 Lee, Chun-Yi  2021-05-21  64  				     enum key_being_used_for usage);
56c5812623f953 Eric Snowberg 2021-01-22  65  #else
56c5812623f953 Eric Snowberg 2021-01-22  66  static inline int add_key_to_revocation_list(const char *data, size_t size)
56c5812623f953 Eric Snowberg 2021-01-22  67  {
56c5812623f953 Eric Snowberg 2021-01-22  68  	return 0;
56c5812623f953 Eric Snowberg 2021-01-22  69  }
928555596c9cd6 Lee, Chun-Yi  2021-05-21  70  static inline int is_key_on_revocation_list(struct pkcs7_message *pkcs7,
928555596c9cd6 Lee, Chun-Yi  2021-05-21  71  					    enum key_being_used_for usage);
56c5812623f953 Eric Snowberg 2021-01-22 @72  {
56c5812623f953 Eric Snowberg 2021-01-22  73  	return -ENOKEY;
56c5812623f953 Eric Snowberg 2021-01-22  74  }
56c5812623f953 Eric Snowberg 2021-01-22  75  #endif
56c5812623f953 Eric Snowberg 2021-01-22  76  

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org

[-- Attachment #2: .config.gz --]
[-- Type: application/gzip, Size: 27373 bytes --]

Re: [PATCH v7,2/4] PKCS#7: Check codeSigning EKU for kernel module and kexec pe verification

[kernel test robot]

[-- Attachment #1: Type: text/plain, Size: 2678 bytes --]

Hi Chun-Yi",

I love your patch! Perhaps something to improve:

[auto build test WARNING on cryptodev/master]
[also build test WARNING on linus/master v5.13-rc2 next-20210521]
[cannot apply to crypto/master]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch]

url:    https://github.com/0day-ci/linux/commits/Lee-Chun-Yi/Check-codeSigning-extended-key-usage-extension/20210522-220349
base:   https://git.kernel.org/pub/scm/linux/kernel/git/herbert/cryptodev-2.6.git master
config: openrisc-randconfig-r015-20210522 (attached as .config)
compiler: or1k-linux-gcc (GCC) 9.3.0
reproduce (this is a W=1 build):
        wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
        chmod +x ~/bin/make.cross
        # https://github.com/0day-ci/linux/commit/928555596c9cd62caabf8777ed8152ddac2609ef
        git remote add linux-review https://github.com/0day-ci/linux
        git fetch --no-tags linux-review Lee-Chun-Yi/Check-codeSigning-extended-key-usage-extension/20210522-220349
        git checkout 928555596c9cd62caabf8777ed8152ddac2609ef
        # save the attached .config to linux build tree
        COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-9.3.0 make.cross ARCH=openrisc 

If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>

All warnings (new ones prefixed by >>):

   In file included from certs/system_keyring.c:17:
   include/keys/system_keyring.h:72:1: error: expected identifier or '(' before '{' token
      72 | {
         | ^
>> include/keys/system_keyring.h:70:19: warning: 'is_key_on_revocation_list' used but never defined
      70 | static inline int is_key_on_revocation_list(struct pkcs7_message *pkcs7,
         |                   ^~~~~~~~~~~~~~~~~~~~~~~~~


vim +/is_key_on_revocation_list +70 include/keys/system_keyring.h

    60	
    61	#ifdef CONFIG_SYSTEM_REVOCATION_LIST
    62	extern int add_key_to_revocation_list(const char *data, size_t size);
    63	extern int is_key_on_revocation_list(struct pkcs7_message *pkcs7,
    64					     enum key_being_used_for usage);
    65	#else
    66	static inline int add_key_to_revocation_list(const char *data, size_t size)
    67	{
    68		return 0;
    69	}
  > 70	static inline int is_key_on_revocation_list(struct pkcs7_message *pkcs7,
    71						    enum key_being_used_for usage);
    72	{
    73		return -ENOKEY;
    74	}
    75	#endif
    76	

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org

[-- Attachment #2: .config.gz --]
[-- Type: application/gzip, Size: 25079 bytes --]