| Message ID | 20211116001545.2639333-14-eric.snowberg@oracle.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | Enroll kernel keys thru MOK | expand |
Hi Eric, Is the subject line left over from the original patch? Shouldn't it be "link machine trusted keys to secondary_trusted_keys". On Mon, 2021-11-15 at 19:15 -0500, Eric Snowberg wrote: > Allow the .machine keyring to be linked to the secondary_trusted_keys. > After the link is created, keys contained in the .machine keyring will > automatically be searched when searching secondary_trusted_keys. > > Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com> > --- > v3: Initial version > v4: Unmodified from v3 > v5: Rename to machine keyring > v7: Unmodified from v5 > --- > certs/system_keyring.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/certs/system_keyring.c b/certs/system_keyring.c > index ba732856ebd0..2a2dc70b126c 100644 > --- a/certs/system_keyring.c > +++ b/certs/system_keyring.c > @@ -101,6 +101,9 @@ static __init struct key_restriction *get_secondary_restriction(void) > void __init set_machine_trusted_keys(struct key *keyring) > { > machine_trusted_keys = keyring; > + > + if (key_link(secondary_trusted_keys, machine_trusted_keys) < 0) > + panic("Can't link (machine) trusted keyrings\n"); > } > > /** In general is the ordering of the patches "bisect safe"[1]? Only in the next patch is machine_trusted_keys set. In this case, either merge the two patches or reverse their order. thanks, Mimi [1] Refer to the section "Separate your changes" in Documentation/process/submitting-patches.rst.
> On Nov 18, 2021, at 5:32 AM, Mimi Zohar <zohar@linux.ibm.com> wrote: > > Hi Eric, > > Is the subject line left over from the original patch? Shouldn't it > be "link machine trusted keys to secondary_trusted_keys". Yes, you are right, this was left over from the original patch. I’ll update the heading in the next round. > On Mon, 2021-11-15 at 19:15 -0500, Eric Snowberg wrote: >> Allow the .machine keyring to be linked to the secondary_trusted_keys. >> After the link is created, keys contained in the .machine keyring will >> automatically be searched when searching secondary_trusted_keys. >> >> Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com> >> --- >> v3: Initial version >> v4: Unmodified from v3 >> v5: Rename to machine keyring >> v7: Unmodified from v5 >> --- >> certs/system_keyring.c | 3 +++ >> 1 file changed, 3 insertions(+) >> >> diff --git a/certs/system_keyring.c b/certs/system_keyring.c >> index ba732856ebd0..2a2dc70b126c 100644 >> --- a/certs/system_keyring.c >> +++ b/certs/system_keyring.c >> @@ -101,6 +101,9 @@ static __init struct key_restriction *get_secondary_restriction(void) >> void __init set_machine_trusted_keys(struct key *keyring) >> { >> machine_trusted_keys = keyring; >> + >> + if (key_link(secondary_trusted_keys, machine_trusted_keys) < 0) >> + panic("Can't link (machine) trusted keyrings\n"); >> } >> >> /** > > In general is the ordering of the patches "bisect safe"[1]? Only in > the next patch is machine_trusted_keys set. In this case, either > merge the two patches or reverse their order. I’ll also reverse the ordering in the next round too. Thanks.
diff --git a/certs/system_keyring.c b/certs/system_keyring.c index ba732856ebd0..2a2dc70b126c 100644 --- a/certs/system_keyring.c +++ b/certs/system_keyring.c @@ -101,6 +101,9 @@ static __init struct key_restriction *get_secondary_restriction(void) void __init set_machine_trusted_keys(struct key *keyring) { machine_trusted_keys = keyring; + + if (key_link(secondary_trusted_keys, machine_trusted_keys) < 0) + panic("Can't link (machine) trusted keyrings\n"); } /**
Allow the .machine keyring to be linked to the secondary_trusted_keys. After the link is created, keys contained in the .machine keyring will automatically be searched when searching secondary_trusted_keys. Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com> --- v3: Initial version v4: Unmodified from v3 v5: Rename to machine keyring v7: Unmodified from v5 --- certs/system_keyring.c | 3 +++ 1 file changed, 3 insertions(+)