From: Marc Kleine-Budde
To: Michael Olbrich
Cc: ptxdist@pengutronix.de, Roland Hieber
Date: Mon, 12 Jul 2021 10:42:47 +0200
Subject: Re: [ptxdist] [PATCH v3 1/5] ptxd_lib_code_signing: cs_get_ca(): improve error handling
Message-ID: <20210712084247.zvazdqqsffzjotwt@pengutronix.de>
In-Reply-To: <20210709133600.GB375046@pengutronix.de>
References: <20210708203941.30212-1-rhi@pengutronix.de> <20210709133600.GB375046@pengutronix.de>
List-Id: PTXdist Development Mailing List

On 09.07.2021 15:36:00, Michael Olbrich wrote:
> So this is not what we want here. Sorry, I didn't notice this in the last
> version. The idea is this:
>
> If the keydir does not exist, then cs_get_ca() was evaluated too early. So
> the check above should be added as it is here.
> What's now missing is what Marc originally intended and was part of the
> first version of the patch:
> If the keydir exists but no CA, then there will never be a CA and we want
> to match that. So this should be there as well:
>
>     if [ -e "${ca}" ]; then
>         echo "${ca}"
>     fi
>
> instead of this:
>
> > +    echo "${ca}"
>
> Now we can do $(if $(shell cs_get_ca ...), ...) to do something only if the
> CA exists.
>
> Marc, that was the use-case, right?

ACK, the use case is:

| KERNEL_SIGN_OPT = \
|     CONFIG_MODULE_SIG_KEY='"$(shell cs_get_uri evm)"' \
|     CONFIG_MODULE_SIG_ALL=y \
|     $(if $(shell cs_get_ca kernel-trusted), \
|         CONFIG_SYSTEM_TRUSTED_KEYS=$(shell cs_get_ca kernel-trusted))

regards,
Marc

--
Pengutronix e.K.                 | Marc Kleine-Budde           |
Embedded Linux                   | https://www.pengutronix.de  |
Vertretung West/Dortmund         | Phone: +49-231-2826-924     |
Amtsgericht Hildesheim, HRA 2686 | Fax:   +49-5121-206917-5555 |
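The contract the thread settles on, as an added illustration that is not ptxdist's own code: a cs_get_ca()-style shell helper that fails loudly when the key directory is missing (the helper was evaluated too early), prints nothing when the directory exists but holds no CA (so make's $(if $(shell ...), ...) sees an empty string), and prints the path otherwise. The CS_KEYDIR variable and the ${CS_KEYDIR}/<role>/ca.pem layout are assumptions made for this example.

```shell
#!/bin/sh
# Added illustration, not ptxdist's own code. CS_KEYDIR and the
# ${CS_KEYDIR}/<role>/ca.pem layout are assumptions for this example.
#
#   keydir missing        -> error on stderr, exit 1 (evaluated too early)
#   keydir present, no CA -> print nothing, exit 0 (make's $(if ...) sees "")
#   CA present            -> print its path

cs_get_ca() {
    role="$1"
    keydir="${CS_KEYDIR:?CS_KEYDIR not set}"
    ca="${keydir}/${role}/ca.pem"

    if [ ! -d "${keydir}" ]; then
        echo "cs_get_ca: keydir '${keydir}' does not exist, evaluated too early?" >&2
        return 1
    fi
    # Only emit the path when the CA really exists, so a missing CA yields
    # empty output instead of a path to a file that will never appear.
    if [ -e "${ca}" ]; then
        echo "${ca}"
    fi
}

# Walk through the three cases with a constructed temporary key directory.
demo() {
    tmp="$(mktemp -d)"
    CS_KEYDIR="${tmp}/keys"; export CS_KEYDIR
    cs_get_ca kernel-trusted || echo "case 1: keydir missing -> exit $?"
    mkdir -p "${CS_KEYDIR}/kernel-trusted"
    printf 'case 2: no CA -> output [%s]\n' "$(cs_get_ca kernel-trusted)"
    : > "${CS_KEYDIR}/kernel-trusted/ca.pem"
    printf 'case 3: CA present -> output [%s]\n' "$(cs_get_ca kernel-trusted)"
    rm -rf "${tmp}"
}

demo
```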