
certs: select PKCS7_MESSAGE_PARSER if needed

Message ID 20210225125638.1841436-1-arnd@kernel.org (mailing list archive)
State New

Commit Message

Arnd Bergmann Feb. 25, 2021, 12:56 p.m. UTC
From: Arnd Bergmann <arnd@arndb.de>

When CONFIG_SYSTEM_BLACKLIST_KEYRING and CONFIG_INTEGRITY_PLATFORM_KEYRING
are both enabled, the system blacklist tries calling the
pkcs7_validate_trust() function, causing a link failure if the driver
that defines it is disabled or a loadable module:

ld.lld: error: undefined symbol: pkcs7_validate_trust
>>> referenced by blacklist.c
>>>               blacklist.o:(is_key_on_revocation_list) in archive certs/built-in.a

Add a Kconfig 'select' statement for this specific case that force-
enables the pkcs7 code as well.

Fixes: 30fdba3f40fd ("certs: Add EFI_CERT_X509_GUID support for dbx entries")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
---
 certs/Kconfig | 1 +
 1 file changed, 1 insertion(+)

Comments

David Howells Feb. 25, 2021, 2:12 p.m. UTC | #1
Arnd Bergmann <arnd@kernel.org> wrote:

> +	select PKCS7_MESSAGE_PARSER if INTEGRITY_PLATFORM_KEYRING

I think a better way to do it is to add a separate config option for dealing
with revocation certs, which is part of what I suggested here:

	https://lore.kernel.org/keyrings/3731128.1614163916@warthog.procyon.org.uk/

David
Arnd Bergmann Feb. 25, 2021, 2:32 p.m. UTC | #2
On Thu, Feb 25, 2021 at 3:12 PM David Howells <dhowells@redhat.com> wrote:
>
> Arnd Bergmann <arnd@kernel.org> wrote:
>
> > +     select PKCS7_MESSAGE_PARSER if INTEGRITY_PLATFORM_KEYRING
>
> I think a better way to do it is to add a separate config option for dealing
> with revocation certs, which is part of what I suggested here:
>
>         https://lore.kernel.org/keyrings/3731128.1614163916@warthog.procyon.org.uk/

Ok, sounds good. Can this make it into v5.12 though, or do we need an
intermediate fix to avoid the build failure?

        Arnd

Patch

diff --git a/certs/Kconfig b/certs/Kconfig
index 379a6e198459..21192bb25c79 100644
--- a/certs/Kconfig
+++ b/certs/Kconfig
@@ -68,6 +68,7 @@  config SECONDARY_TRUSTED_KEYRING
 config SYSTEM_BLACKLIST_KEYRING
 	bool "Provide system-wide ring of blacklisted keys"
 	depends on KEYS
+	select PKCS7_MESSAGE_PARSER if INTEGRITY_PLATFORM_KEYRING
 	help
 	  Provide a system keyring to which blacklisted keys can be added.
 	  Keys in the keyring are considered entirely untrusted.  Keys in this
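
Review bot: The condition on the added select line, `if INTEGRITY_PLATFORM_KEYRING`, names the option that happens to enable the caller rather than the code that actually needs the parser; per the commit message the undefined reference comes from is_key_on_revocation_list in blacklist.c. Consider gating the select on a symbol that directly represents the revocation-list check, or at least add a comment explaining why the integrity option is the trigger, so the select does not go stale if that code is later built under a different condition. Because `select` does not enforce the selected symbol's own dependencies, also confirm that everything PKCS7_MESSAGE_PARSER depends on is guaranteed by `depends on KEYS`, and note in the help text that enabling this option can pull in the PKCS#7 parser.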