From: Coiby Xu <coxu@redhat.com>
To: linux-integrity@vger.kernel.org
Cc: itrymybest80@protonmail.com, Mimi Zohar <zohar@linux.ibm.com>,
	Dmitry Kasatkin <dmitry.kasatkin@gmail.com>,
	Paul Moore <paul@paul-moore.com>,
	James Morris <jmorris@namei.org>,
	"Serge E. Hallyn" <serge@hallyn.com>,
	linux-security-module@vger.kernel.org (open list:SECURITY
	SUBSYSTEM), linux-kernel@vger.kernel.org (open list)
Subject: [PATCH] integrity: don't throw an error immediately when failed to add a cert to the .machine keyring
Date: Wed, 27 Dec 2023 12:41:56 +0800
Message-ID: <20231227044156.166009-1-coxu@redhat.com>

Currently when the kernel fails to add a cert to the .machine keyring,
it will throw an error immediately in the function integrity_add_key.

Since the kernel will try adding to the .platform keyring next or throw
an error (in the caller of integrity_add_key, i.e. add_to_machine_keyring),
there is no need to throw an error immediately in integrity_add_key.

Reported-by: itrymybest80@protonmail.com
Closes: https://bugzilla.redhat.com/show_bug.cgi?id=2239331
Signed-off-by: Coiby Xu <coxu@redhat.com>
---
 security/integrity/digsig.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c
index df387de29bfa..45c3e5dda355 100644
--- a/security/integrity/digsig.c
+++ b/security/integrity/digsig.c
@@ -179,7 +179,8 @@ static int __init integrity_add_key(const unsigned int id, const void *data,
 				   KEY_ALLOC_NOT_IN_QUOTA);
 	if (IS_ERR(key)) {
 		rc = PTR_ERR(key);
-		pr_err("Problem loading X.509 certificate %d\n", rc);
+		if (id != INTEGRITY_KEYRING_MACHINE)
+			pr_err("Problem loading X.509 certificate %d\n", rc);
 	} else {
 		pr_notice("Loaded X.509 cert '%s'\n",
 			  key_ref_to_ptr(key)->description);
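Review bot: the new `id != INTEGRITY_KEYRING_MACHINE` guard in the IS_ERR(key) branch removes the only place in this hunk where rc is logged, so every .machine failure, whatever its cause, now leaves no trace from integrity_add_key. The commit message relies on add_to_machine_keyring either falling back to .platform or reporting the error itself, but that caller is not part of this diff, so it is worth confirming that it prints rc on the path where nothing else succeeds. Consider keeping the message at a lower level for the .machine case (for example pr_debug) rather than omitting it, and add a short comment above the condition explaining why .machine is exempt, since the reason is not evident from this function alone.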
-- 
2.43.0

