[PATCH 5/7] KEYS: Introduce sig restriction that validates root of trust
kernel test robot
lkp at intel.com
Wed Apr 6 19:55:00 UTC 2022
Hi Eric,
Thank you for the patch! Perhaps something to improve:
[auto build test WARNING on 3123109284176b1532874591f7c81f3837bbdc17]
url: https://github.com/intel-lab-lkp/linux/commits/Eric-Snowberg/Add-CA-enforcement-keyring-restrictions/20220407-003209
base: 3123109284176b1532874591f7c81f3837bbdc17
config: riscv-randconfig-r042-20220406 (https://download.01.org/0day-ci/archive/20220407/202204070321.X7bLj3Ce-lkp@intel.com/config)
compiler: riscv64-linux-gcc (GCC) 11.2.0
reproduce (this is a W=1 build):
wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
# https://github.com/intel-lab-lkp/linux/commit/68d98a175d29032d888f3f5700c43cf771ef17d8
git remote add linux-review https://github.com/intel-lab-lkp/linux
git fetch --no-tags linux-review Eric-Snowberg/Add-CA-enforcement-keyring-restrictions/20220407-003209
git checkout 68d98a175d29032d888f3f5700c43cf771ef17d8
# save the config file to linux build tree
mkdir build_dir
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-11.2.0 make.cross O=build_dir ARCH=riscv SHELL=/bin/bash crypto/asymmetric_keys/
If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp at intel.com>
All warnings (new ones prefixed by >>):
>> crypto/asymmetric_keys/restrict.c:111:5: warning: no previous prototype for 'restrict_link_by_rot_and_signature' [-Wmissing-prototypes]
111 | int restrict_link_by_rot_and_signature(struct key *dest_keyring,
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
vim +/restrict_link_by_rot_and_signature +111 crypto/asymmetric_keys/restrict.c
110
> 111 int restrict_link_by_rot_and_signature(struct key *dest_keyring,
112 const struct key_type *type,
113 const union key_payload *payload,
114 struct key *trust_keyring)
115 {
116 const struct public_key_signature *sig;
117 struct key *key;
118 int ret;
119
120 if (!trust_keyring)
121 return -ENOKEY;
122
123 if (type != &key_type_asymmetric)
124 return -EOPNOTSUPP;
125
126 sig = payload->data[asym_auth];
127 if (!sig)
128 return -ENOPKG;
129 if (!sig->auth_ids[0] && !sig->auth_ids[1] && !sig->auth_ids[2])
130 return -ENOKEY;
131
132 if (ca_keyid && !asymmetric_key_id_partial(sig->auth_ids[1], ca_keyid))
133 return -EPERM;
134
135 /* See if we have a key that signed this one. */
136 key = find_asymmetric_key(trust_keyring,
137 sig->auth_ids[0], sig->auth_ids[1],
138 sig->auth_ids[2], false);
139 if (IS_ERR(key))
140 return -ENOKEY;
141
142 if (!test_bit(KEY_FLAG_BUILTIN_ROT, &key->flags))
143 ret = -ENOKEY;
144 else if (use_builtin_keys && !test_bit(KEY_FLAG_BUILTIN, &key->flags))
145 ret = -ENOKEY;
146 else
147 ret = verify_signature(key, sig);
148 key_put(key);
149 return ret;
150 }
151
--
0-DAY CI Kernel Test Service
https://01.org/lkp
More information about the Linux-security-module-archive
mailing list