Mickaël Salaün <mic@xxxxxxxxxxx> wrote:

> > What would be easiest way to smoke test the changes?
>
> An easy way to test it is to enable the second trusted keyring to
> dynamically load certificates in the kernel. Then we can create a hash
> of a valid certificate (but not loaded yet) and sign it as explained in
> tools/certs/print-cert-tbs-hash.sh (patch 9/9). Once this hash is loaded
> in the kernel, loading the blacklisted certificate will be denied. We
> can also test it with a PKCS#7 signature chain, either with the
> blacklist keyring itself, or with a signed dm-verity image.

It might also be possible to use the pkcs#7 test key type
(CONFIG_PKCS7_TEST_KEY) to aid in that.

David
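
The hash step of the test described in the quoted text, as an added example that is not part of the original message or of the kernel tree: it pulls the TBSCertificate out of a DER certificate and formats its digest as a `tbs:<hex>` blacklist description. The sample bytes are constructed (not a real certificate), and the function names and the SHA-256 default are assumptions.

```python
import hashlib

def read_tlv(buf, off):
    """Return (tag, value_start, value_end) of the DER TLV starting at off."""
    if off + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[off], buf[off + 1]
    off += 2
    if first < 0x80:                      # short-form length
        length = first
    else:                                 # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or off + n > len(buf):
            raise ValueError("indefinite, oversized or truncated length")
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    if off + length > len(buf):
        raise ValueError("TLV runs past end of input")
    return tag, off, off + length

def tbs_bytes(cert_der):
    """Return the TBSCertificate TLV, header included: the bytes a CA signs."""
    tag, start, end = read_tlv(cert_der, 0)
    if tag != 0x30 or end != len(cert_der):
        raise ValueError("input is not exactly one DER SEQUENCE")
    tbs_tag, _, tbs_end = read_tlv(cert_der, start)
    if tbs_tag != 0x30:
        raise ValueError("first element is not a SEQUENCE (TBSCertificate)")
    return cert_der[start:tbs_end]

def blacklist_description(cert_der, algo="sha256"):
    # Assumption: SHA-256. The digest should be the one used by the
    # certificate's own signature algorithm, so pass another name if needed.
    return "tbs:" + hashlib.new(algo, tbs_bytes(cert_der)).hexdigest()

def der_seq(body):
    """Encode body as a DER SEQUENCE (only used to build the sample below)."""
    n = len(body)
    raw = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    hdr = bytes([n]) if n < 0x80 else bytes([0x80 | len(raw)]) + raw
    return b"\x30" + hdr + body

# Constructed sample: certificate-shaped DER (tbs, algorithm, signature).
SAMPLE_TBS = der_seq(b"\x02\x01\x01" + b"\x04\x81\xc8" + bytes(200))
SAMPLE_CERT = der_seq(SAMPLE_TBS + der_seq(b"\x06\x01\x00") + b"\x03\x02\x00\xff")

if __name__ == "__main__":
    print(blacklist_description(SAMPLE_CERT))
```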