> On May 10, 2023, at 4:34 PM, Jarkko Sakkinen <jarkko@xxxxxxxxxx> wrote: > > On Tue May 9, 2023 at 1:07 AM EEST, Eric Snowberg wrote: >> Add a new link restriction. Restrict the addition of keys in a keyring >> based on the key having digitalSignature usage set. Additionally, verify >> the new certificate against the ones in the system keyrings. Add two >> additional functions to use the new restriction within either the builtin >> or secondary keyrings. >> >> Signed-off-by: Eric Snowberg <eric.snowberg@xxxxxxxxxx> >> --- >> certs/system_keyring.c | 52 +++++++++++++++++++++++++++++++ >> crypto/asymmetric_keys/restrict.c | 44 ++++++++++++++++++++++++++ >> include/crypto/public_key.h | 11 +++++++ >> include/keys/system_keyring.h | 11 +++++++ >> 4 files changed, 118 insertions(+) >> >> diff --git a/certs/system_keyring.c b/certs/system_keyring.c >> index a7a49b17ceb1..4249c49bd43b 100644 >> --- a/certs/system_keyring.c >> +++ b/certs/system_keyring.c >> @@ -51,6 +51,27 @@ int restrict_link_by_builtin_trusted(struct key *dest_keyring, >> builtin_trusted_keys); >> } >> >> +/** >> + * restrict_link_by_digsig_builtin - Restrict digitalSignature key additions >> + * by the built-in keyring. > > BTW, does checkpatch complain if you put that to a single line (I don't > know this)? > > If not, I would just put "Restrict by digitalSignature” It looks like check patch will allow up to 100 chars. I will update it to a single line. Thanks.
