[PATCH v3 09/10] KEYS: CA link restriction

Jarkko Sakkinen jarkko at kernel.org
Wed Jan 4 11:51:49 UTC 2023


On Tue, Dec 13, 2022 at 07:34:00PM -0500, Eric Snowberg wrote:
> +/**
> + * restrict_link_by_ca - Restrict additions to a ring of CA keys
> + * @dest_keyring: Keyring being linked to.
> + * @type: The type of key being added.
> + * @payload: The payload of the new key.
> + * @trust_keyring: Unused.
> + *
> + * Check if the new certificate is a CA. If it is a CA, then mark the new
> + * certificate as being ok to link.
> + *
> + * Returns 0 if the new certificate was accepted, -ENOKEY if the
> + * certificate is not a CA. -ENOPKG if the signature uses unsupported
> + * crypto, or some other error if there is a matching certificate but
> + * the signature check cannot be performed.
> + */
> +int restrict_link_by_ca(struct key *dest_keyring,
> +			const struct key_type *type,
> +			const union key_payload *payload,
> +			struct key *trust_keyring)

Why you want to define trust_keyring, other than matching the parameter
list in restrict_link_by_signature()?

Also if it is unused, it should be then just "struct key *)", right?

BR, Jarkko



More information about the Linux-security-module-archive mailing list