[PATCH v3 09/10] KEYS: CA link restriction

Jarkko Sakkinen jarkko at kernel.org
Wed Jan 4 11:54:46 UTC 2023


On Wed, Jan 04, 2023 at 11:51:52AM +0000, Jarkko Sakkinen wrote:
> On Tue, Dec 13, 2022 at 07:34:00PM -0500, Eric Snowberg wrote:
> > +/**
> > + * restrict_link_by_ca - Restrict additions to a ring of CA keys
> > + * @dest_keyring: Keyring being linked to.
> > + * @type: The type of key being added.
> > + * @payload: The payload of the new key.
> > + * @trust_keyring: Unused.
> > + *
> > + * Check if the new certificate is a CA. If it is a CA, then mark the new
> > + * certificate as being ok to link.
> > + *
> > + * Returns 0 if the new certificate was accepted, -ENOKEY if the
> > + * certificate is not a CA. -ENOPKG if the signature uses unsupported
> > + * crypto, or some other error if there is a matching certificate but
> > + * the signature check cannot be performed.
> > + */
> > +int restrict_link_by_ca(struct key *dest_keyring,
> > +			const struct key_type *type,
> > +			const union key_payload *payload,
> > +			struct key *trust_keyring)
> 
> Why you want to define trust_keyring, other than matching the parameter
> list in restrict_link_by_signature()?
> 
> Also if it is unused, it should be then just "struct key *)", right?

Please ignore, I forgot how this worked, i.e. "restriction" is set to
the correct function so this looks correct to me :-) So it's good.
Sorry for the confusion.

BR, Jarkko




More information about the Linux-security-module-archive mailing list