X-Mailing-List: linux-kernel@vger.kernel.org
Date: Wed, 03 Jan 2024 16:09:29 +0200
From: "Jarkko Sakkinen"
To: "Coiby Xu"
Cc: "Mimi Zohar", "Dmitry Kasatkin", "Paul Moore", "James Morris", "Serge E. Hallyn", "open list:SECURITY SUBSYSTEM", "open list"
Subject: Re: [PATCH] integrity: don't throw an error immediately when failed to add a cert to the .machine keyring
References: <20231227044156.166009-1-coxu@redhat.com>
In-Reply-To: <20231227044156.166009-1-coxu@redhat.com>

On Wed Dec 27, 2023 at 6:41 AM EET, Coiby Xu wrote:
> Currently when the kernel fails to add a cert to the .machine keyring,
> it will throw an error immediately in the function integrity_add_key.
>
> Since the kernel will try adding to the .platform keyring next or throw
> an error (in the caller of integrity_add_key i.e. add_to_machine_keyring),
> so there is no need to throw an error immediately in integrity_add_key.
>
> Reported-by: itrymybest80@protonmail.com

Missing "Firstname Lastname".

> Closes: https://bugzilla.redhat.com/show_bug.cgi?id=2239331
> Signed-off-by: Coiby Xu
> ---
>  security/integrity/digsig.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c
> index df387de29bfa..45c3e5dda355 100644
> --- a/security/integrity/digsig.c
> +++ b/security/integrity/digsig.c
> @@ -179,7 +179,8 @@ static int __init integrity_add_key(const unsigned int id, const void *data,
>  					   KEY_ALLOC_NOT_IN_QUOTA);
>  	if (IS_ERR(key)) {
>  		rc = PTR_ERR(key);
> -		pr_err("Problem loading X.509 certificate %d\n", rc);
> +		if (id != INTEGRITY_KEYRING_MACHINE)
> +			pr_err("Problem loading X.509 certificate %d\n", rc);
>  	} else {
>  		pr_notice("Loaded X.509 cert '%s'\n",
>  			  key_ref_to_ptr(key)->description);

BR, Jarkko
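Review bot: the `+ if (id != INTEGRITY_KEYRING_MACHINE)` guard in the only hunk drops the diagnostic for the machine keyring entirely instead of lowering its level; `rc` is still returned, but whether anyone ever learns why a certificate was rejected now depends on the caller (`add_to_machine_keyring`, per the commit message) logging on its .platform fallback path. A keyring that is silently missing an expected certificate is hard to diagnose from dmesg, so consider keeping a `pr_debug("Problem loading X.509 certificate %d\n", rc);` in the machine-keyring branch, or state in the commit message exactly where the caller reports the final outcome.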