Re: [PATCH] cert: Add kconfig dependency for validate_trust

[David Howells]

Mickaël Salaün <mic@xxxxxxxxxxx> wrote:

> > +config SYSTEM_REVOCATION_LIST
> > +	bool "Provide system-wide ring of revocation certificates"
> > +	depends on SYSTEM_BLACKLIST_KEYRING
> > +	depends on PKCS7_MESSAGE_PARSER=y
> 
> The function verify_pkcs7_message_sig() (which is patched) is only
> available if CONFIG_SYSTEM_DATA_VERIFICATION is defined.

That shouldn't matter, at least from a building point of view, since
verify_pkcs7_message_sig() uses the new facility rather than being a
dependency of it - and there's a fallback in place in case you don't want
SYSTEM_REVOCATION_LIST.  Note that SYSTEM_DATA_VERIFICATION also doesn't
depend on or select SYSTEM_BLACKLIST_KEYRING - it will use it if it's enabled,
but not otherwise.

> I suggest to use the same dependencies as for my dynamic authenticated
> blacklist keyring patchset.

This, you mean?

	config SYSTEM_BLACKLIST_AUTH_UPDATE
		bool "Allow root to add signed blacklist keys"
		depends on SYSTEM_BLACKLIST_KEYRING
		depends on SYSTEM_DATA_VERIFICATION

I.e.:

	config SYSTEM_REVOCATION_LIST
		bool "Provide system-wide ring of revocation certificates"
		depends on SYSTEM_BLACKLIST_KEYRING
		depends on SYSTEM_DATA_VERIFICATION
		depends on PKCS7_MESSAGE_PARSER=y

I suppose you could argue the it that way since it's only used for that
purpose.  Note that it does need the PKCS7 dep since it explicitly uses that
code.

> Could you please not move those functions? It makes the patch more
> readable and avoids merge conflicts (e.g. with the dynamic authenticated
> blacklist keyring patchset). Thanks.

I would suggest merging these changes in so that the error is not found by
bisection.  But the functions really are mislocated:-/

David