Received: by 10.223.164.202 with SMTP id h10csp3820407wrb; Tue, 28 Nov 2017 18:16:03 -0800 (PST) X-Google-Smtp-Source: AGs4zMZs4ZPnO50Sy2Ue51keDvos82UKAeU2cBciewAXRD/DbFOfPeBxdUAbAy+QluAkLAUK6XUu X-Received: by 10.99.106.134 with SMTP id f128mr1237389pgc.430.1511921763615; Tue, 28 Nov 2017 18:16:03 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1511921763; cv=none; d=google.com; s=arc-20160816; b=rYGqQV5YTas9Ape7e0x7AZLQTPBVul0nXX/Mr6CR5zVRGocXgFml2V7l9RWCnXZ1nL xYT0+tpP6s3ktlqCK5BR+PJxzT4bmyqDUmdrni46Lhm0cPzZCF7V5LyycK+WN17UJeK0 Kzy6f2tF2lJgORwKmTmgtucdj7OZlwmkuqnjsj9PDdy8JrmHUwYiWMLmrZzyIOBkgaV3 BnV5lKUTGN/i+WWi0ZBjCbQb8RP0NwHirFDJKSqs/kQiGC8jrdivq5ksx13MOc5Pp2mD /1Ub2w8gRdQBWzBmCvfQYqL8pqohktgwEc8RKOMb4Wk5oFRuXjdkyR/YJNGETkgIfxv7 eP3g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:arc-authentication-results; bh=QQS4I3owMh3MLyyTXzvUWR3VgzC/2i+v+TYlrNshHNU=; b=hOcE3gBYaN713VZ/P1KUnJJpJCNrQpGK/LBKWtD8WB1R+0sffW/kEVjpstepNEd0sY LVka4Hk7c0SgSnxUmqBK0WTUOW+e+QCMnmuY0pNcW2W2/ReteZVC6jQGc9a3y/7yBkEs l13D4DylpdN7zmjKJ3VdBb7WzVzTEmn7+bWSGjKvBQb61FQJgBG6MhgiZXmqApXEstj8 /l/IFeYY27s0KP67Idib+IGmnGrZmM+LjfYUtX98pmfW4ccnbEaNH4ifONeDmy/H3SBE 75lT3RHiscFpoDMOvAaDTQik14eFq1ceYm9EWLngX4dk0VKAV26xPIPKGT+3NKOTA28K 78yQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id z18si420610pfd.381.2017.11.28.18.15.53; Tue, 28 Nov 2017 18:16:03 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752493AbdK2CPO (ORCPT + 70 others); Tue, 28 Nov 2017 21:15:14 -0500 Received: from mx1.redhat.com ([209.132.183.28]:46738 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752111AbdK2CPN (ORCPT ); Tue, 28 Nov 2017 21:15:13 -0500 Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.phx2.redhat.com [10.5.11.14]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 6965CC0587C0; Wed, 29 Nov 2017 02:15:13 +0000 (UTC) Received: from dhcp-128-65.nay.redhat.com (ovpn-12-57.pek2.redhat.com [10.72.12.57]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 4A7575D970; Wed, 29 Nov 2017 02:15:07 +0000 (UTC) Date: Wed, 29 Nov 2017 10:15:04 +0800 From: Dave Young To: David Howells Cc: keyrings@vger.kernel.org, linux-kernel@vger.kernel.org, kexec@lists.infradead.org Subject: Re: [PATCH] certs: always use secondary keyring first if possible Message-ID: <20171129021504.GA4080@dhcp-128-65.nay.redhat.com> References: <20171118044711.GA7352@dhcp-128-65.nay.redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20171118044711.GA7352@dhcp-128-65.nay.redhat.com> User-Agent: Mutt/1.9.1 (2017-09-22) X-Scanned-By: MIMEDefang 2.79 on 10.5.11.14 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.32]); Wed, 29 Nov 2017 02:15:13 +0000 (UTC) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 11/18/17 at 12:47pm, Dave Young wrote: > Commit d3bfe84129f6 introduced secondary_trusted_keys keyring, current > users of verify_pkcs7_signature are below: > net/wireless/reg.c : uses its own trusted_keys > kernel/module_signing.c : pass NULL trusted_keys > crypto/asymmetric_keys/verify_pefile.c : pass NULL trusted_keys > > For both module and pefile verification, there is no reason to use builtin > keys only. Actually in Fedora kernel module signing code passes 1UL, but > kexec code does not pass 1UL for pefile verification thus we have below bug > https://bugzilla.redhat.com/show_bug.cgi?id=1470995 > > Drop the hard code 1UL checking so that pefile verification can use > secondary keyring as well. > > Signed-off-by: Dave Young > --- > certs/system_keyring.c | 2 -- > 1 file changed, 2 deletions(-) > > --- linux-x86.orig/certs/system_keyring.c > +++ linux-x86/certs/system_keyring.c > @@ -229,8 +229,6 @@ int verify_pkcs7_signature(const void *d > goto error; > > if (!trusted_keys) { > - trusted_keys = builtin_trusted_keys; > - } else if (trusted_keys == (void *)1UL) { > #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING > trusted_keys = secondary_trusted_keys; > #else Ping, can anyone review this? Thanks Dave From 1584456215116847995@xxx Sun Nov 19 01:33:17 +0000 2017 X-GM-THRID: 1584456215116847995 X-Gmail-Labels: Inbox,Category Forums,HistoricalUnread