Concern: I'm a bit confused here; please tell me if I am wrong in my understanding of the code... Previously the modules and supported mechanism list was in kcf.conf. Now I see the config in the kernel. If we add a new module or mechanism to an existing module, do we need to update kcf (kcf_soft_config_init)? Or is there a chicken-and-egg problem that I don't see, and after everything is loaded the support list will be coming from the module? My initial reaction is we've shifted the configuration burden from userland to kernel instead of eliminating most of the burden.
Code Review:

cryptoadm.c:1165 I don't believe you need the in_kernel == B_FALSE check since there is one on line 1148 which causes a return(). I don't see any changes to in_kernel between the two lines. I think only the !pent->load check is necessary.

adm_kef.c:433 Is it necessary to check again if the module is in_kernel=TRUE? It was checked at the beginning of the function; is it paranoia that the module could have been unloaded between the top of the function and the middle? A second related question to this section: why is it necessary to have the software module loaded to then disable it? I'm assuming at that point in the code (line 438 to be exact) we know the provider name the user entered is a valid one (valid meaning "aes", invalid meaning "blah").

adm_kef_util.c:update_kcfconf I assume that a disabled provider (say software, md5) will have to be placed in kcf.conf for the system not to load it on reboot? But when I look at the update_kcfconf function when it's called by uninstall_kcf, I don't see an entry for adding an entry in kcf.conf (aka !found_entry && delete_it). Am I missing something?