Date: Sat, 18 Nov 2017 12:47:11 +0800
From: Dave Young
To: David Howells
Cc: keyrings@vger.kernel.org, linux-kernel@vger.kernel.org, kexec@lists.infradead.org
Subject: [PATCH] certs: always use secondary keyring first if possible
Message-ID: <20171118044711.GA7352@dhcp-128-65.nay.redhat.com>
X-Mailing-List: linux-kernel@vger.kernel.org

Commit d3bfe84129f6 introduced secondary_trusted_keys keyring, current users
of verify_pkcs7_signature are below:

net/wireless/reg.c : uses its own trusted_keys
kernel/module_signing.c : pass NULL trusted_keys
crypto/asymmetric_keys/verify_pefile.c : pass NULL trusted_keys

For both module and pefile verification, there is no reason to use builtin
keys only. Actually in Fedora kernel module signing code passes 1UL, but
kexec code does not pass 1UL for pefile verification thus we have below bug
https://bugzilla.redhat.com/show_bug.cgi?id=1470995

Drop the hard code 1UL checking so that pefile verification can use
secondary keyring as well.

Signed-off-by: Dave Young
---
 certs/system_keyring.c | 2 --
 1 file changed, 2 deletions(-)

--- linux-x86.orig/certs/system_keyring.c
+++ linux-x86/certs/system_keyring.c
@@ -229,8 +229,6 @@ int verify_pkcs7_signature(const void *d
 goto error;
 
 if (!trusted_keys) {
-trusted_keys = builtin_trusted_keys;
-} else if (trusted_keys == (void *)1UL) {
 #ifdef CONFIG_SECONDARY_TRUSTED_KEYRING
 trusted_keys = secondary_trusted_keys;
 #else
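Review bot: the hunk removes the `} else if (trusted_keys == (void *)1UL) {` branch, but nothing in the patch converts the callers that still pass 1UL, which the commit message says the Fedora module-signing code does; after this change such a call no longer matches `if (!trusted_keys)`, so `trusted_keys` is left as `(void *)1UL`, which is not a keyring pointer, for the code that follows the hunk. Either convert those callers to pass NULL in the same series, or keep the 1UL branch and have the pefile/kexec path pass 1UL instead. With the hunk applied, a NULL `trusted_keys` now selects `secondary_trusted_keys` whenever CONFIG_SECONDARY_TRUSTED_KEYRING is set, so the documented meaning of NULL for this function should be updated alongside the code, since the commit message still describes the NULL callers as using builtin keys only.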