From: Arnd Bergmann <arnd@kernel.org>
To: David Howells <dhowells@redhat.com>,
	David Woodhouse <dwmw2@infradead.org>,
	Eric Snowberg <eric.snowberg@oracle.com>,
	Jarkko Sakkinen <jarkko@kernel.org>
Cc: Arnd Bergmann <arnd@arndb.de>,
	keyrings@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH] certs: select PKCS7_MESSAGE_PARSER if needed
Date: Thu, 25 Feb 2021 13:56:30 +0100
Message-ID: <20210225125638.1841436-1-arnd@kernel.org>

From: Arnd Bergmann <arnd@arndb.de>

When CONFIG_SYSTEM_BLACKLIST_KEYRING and CONFIG_INTEGRITY_PLATFORM_KEYRING
are both enabled, the system blacklist tries calling the
pkcs7_validate_trust() function, causing a link failure if the driver
that defines it is disabled or a loadable module:

ld.lld: error: undefined symbol: pkcs7_validate_trust
>>> referenced by blacklist.c
>>>               blacklist.o:(is_key_on_revocation_list) in archive certs/built-in.a

Add a Kconfig 'select' statement for this specific case that force-
enables the pkcs7 code as well.

Fixes: 30fdba3f40fd ("certs: Add EFI_CERT_X509_GUID support for dbx entries")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
---
 certs/Kconfig | 1 +
 1 file changed, 1 insertion(+)

diff --git a/certs/Kconfig b/certs/Kconfig
index 379a6e198459..21192bb25c79 100644
--- a/certs/Kconfig
+++ b/certs/Kconfig
@@ -68,6 +68,7 @@ config SECONDARY_TRUSTED_KEYRING
 config SYSTEM_BLACKLIST_KEYRING
 	bool "Provide system-wide ring of blacklisted keys"
 	depends on KEYS
+	select PKCS7_MESSAGE_PARSER if INTEGRITY_PLATFORM_KEYRING
 	help
 	  Provide a system keyring to which blacklisted keys can be added.
 	  Keys in the keyring are considered entirely untrusted.  Keys in this
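
Review bot: The added "select PKCS7_MESSAGE_PARSER if INTEGRITY_PLATFORM_KEYRING" line forces the parser on without checking that symbol's own dependencies, because a Kconfig 'select' ignores the "depends on" lines of its target, and SYSTEM_BLACKLIST_KEYRING itself only has "depends on KEYS". Please confirm that everything PKCS7_MESSAGE_PARSER depends on is already guaranteed whenever INTEGRITY_PLATFORM_KEYRING is set, or select those symbols here too, so the link failure is not traded for an unmet-dependency warning. It would also help to note in the changelog that this condition matches the guard around the pkcs7_validate_trust() call in blacklist.c, since the two have to stay in sync.
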
-- 
2.29.2


Thread overview: 3+ messages
2021-02-25 12:56 Arnd Bergmann [this message]
2021-02-25 14:12 ` [PATCH] certs: select PKCS7_MESSAGE_PARSER if needed David Howells
2021-02-25 14:32   ` Arnd Bergmann
