On Fri, Dec 04, 2020 at 02:01:36PM +0000, David Howells wrote:
> Mickaël Salaün <mic@xxxxxxxxxxx> wrote:
>
> > > What would be easiest way to smoke test the changes?
> >
> > An easy way to test it is to enable the second trusted keyring to
> > dynamically load certificates in the kernel. Then we can create a hash
> > of a valid certificate (but not loaded yet) and sign it as explained in
> > tools/certs/print-cert-tbs-hash.sh (patch 9/9). Once this hash is loaded
> > in the kernel, loading the blacklisted certificate will be denied. We
> > can also test it with a PKCS#7 signature chain, either with the
> > blacklist keyring itself, or with a signed dm-verity image.
>
> It might also be possible to use the pkcs#7 test key type
> (CONFIG_PKCS7_TEST_KEY) to aid in that.
>
> David

Thanks, note taken.

/Jarkko
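
The "hash of a valid certificate" step from the quoted test procedure, as an added example that is not part of this thread or of the kernel tree: it slices the TBSCertificate out of a DER certificate and formats the digest as a blacklist key description. It assumes SHA-256 and the `tbs:` description prefix, and the sample input is a constructed DER skeleton rather than a real certificate.

```python
import hashlib

def der(tag, value):
    """Encode one DER element (short-form length only, enough for the sample)."""
    assert len(value) < 0x80
    return bytes([tag, len(value)]) + value

# Constructed sample: a DER skeleton shaped like a certificate, not a real one.
SAMPLE_TBS = der(0x30, der(0x02, b"\x01"))                      # TBSCertificate
SAMPLE_ALG = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")) + der(0x05, b""))
SAMPLE_SIG = der(0x03, b"\x00" + b"\xaa" * 8)                   # signature BIT STRING
SAMPLE_CERT = der(0x30, SAMPLE_TBS + SAMPLE_ALG + SAMPLE_SIG)

def read_header(buf, off):
    """Return (tag, header_len, value_len) of the DER element starting at off."""
    if off + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, first = buf[off], buf[off + 1]
    if first < 0x80:                       # short form: length in one byte
        return tag, 2, first
    n = first & 0x7F                       # long form: next n bytes hold the length
    if n == 0 or n > 4 or off + 2 + n > len(buf):
        raise ValueError("unsupported or truncated DER length")
    return tag, 2 + n, int.from_bytes(buf[off + 2:off + 2 + n], "big")

def tbs_bytes(cert_der):
    """Return the TBSCertificate element, tag and length bytes included."""
    tag, hl, vl = read_header(cert_der, 0)
    if tag != 0x30 or hl + vl != len(cert_der):
        raise ValueError("input is not exactly one DER SEQUENCE")
    t_tag, t_hl, t_vl = read_header(cert_der, hl)
    if t_tag != 0x30 or hl + t_hl + t_vl > len(cert_der):
        raise ValueError("first inner element is not a complete SEQUENCE")
    return cert_der[hl:hl + t_hl + t_vl]

def blacklist_description(cert_der, algo="sha256"):
    """Format the TBS digest as 'tbs:<hex>' (assumed description format).

    Assumption: the digest algorithm matches the one used in the
    certificate's own signature; SHA-256 is the default here.
    """
    return "tbs:" + hashlib.new(algo, tbs_bytes(cert_der)).hexdigest()

if __name__ == "__main__":
    print(blacklist_description(SAMPLE_CERT))
```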