Hi Varad,

On Tue, Apr 20, 2021 at 02:22:28PM +0800, Joey Lee wrote:
> Hi Varad,
>
> Thanks for your review!
>
> On Thu, Apr 15, 2021 at 02:08:32PM +0200, Varad Gautam wrote:
> > Hi Joey,
> >
> > On 4/9/21 4:46 AM, Lee, Chun-Yi wrote:
> > > This patch adds the logic for checking the CodeSigning extended
> > > key usage when verifying signature of kernel module or
> > > kexec PE binary in PKCS#7.
> > >
> > > Signed-off-by: "Lee, Chun-Yi" <jlee@xxxxxxxx>
> > > ---
> > > certs/system_keyring.c | 2 +-
> > > crypto/asymmetric_keys/Kconfig | 9 +++++++++
> > > crypto/asymmetric_keys/pkcs7_trust.c | 37 +++++++++++++++++++++++++++++++++---
> > > include/crypto/pkcs7.h | 3 ++-
> > > 4 files changed, 46 insertions(+), 5 deletions(-)
[...snip]
> > >
> > > matched:
> > > + if (!check_codesign_eku(key, usage)) {
> >
> > Perhaps this can be a generic check_eku_usage() call, with codesigning as one of the
> > things it can check for.
> >
>
> Because only the codesign EKU is checked now, I prefer to keep it
> as my current implementation until there are other EKU requirements.

I have reworked this patch for a bug found by the kernel test robot. I
think that your suggestion is good, so I changed the function name to the
more generic check_eku_by_usage() in my v7 patch set.

Thanks a lot!
Joey Lee
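
Review bot: at the `matched:` label, the call check_codesign_eku(key, usage) passes `usage` alongside `key`, which suggests the result depends on the usage being verified, yet nothing at the call site says which usages require the CodeSigning EKU. Please add a comment above the helper stating which `usage` values enforce the EKU and what it returns for the others, so a reader of `if (!check_codesign_eku(key, usage))` can tell whether a false result means the EKU is missing or the usage is simply not covered.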