> On Nov 24, 2021, at 7:49 PM, Mimi Zohar <zohar@xxxxxxxxxxxxx> wrote: > On Tue, 2021-11-23 at 23:41 -0500, Eric Snowberg wrote: >> +config INTEGRITY_MACHINE_KEYRING >> + bool "Provide a keyring to which CA Machine Owner Keys may be added" >> + depends on SECONDARY_TRUSTED_KEYRING >> + depends on INTEGRITY_ASYMMETRIC_KEYS > > Shouldn't this be "ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y"? With this > change, is "KEYS: Create static version of > public_key_verify_signature" trusted needed? I believe it is still needed. If someone were to use the same config as the build bot, where ASYMMETRIC_PUBLIC_KEY_SUBTYPE is not defined and INTEGRITY_MACHINE_KEYRING is not defined, they would still hit the problem that has now been fixed in "KEYS: Create static version of public_key_verify_signature”. I wish the first two patches in this series would be accepted, since I’m only carrying them to get past the build bot.
