Matthew Wilcox wrote:
> That also brings up that there is no set_page_private_2(). I think
> that's OK -- you only set PageFsCache() immediately after reading the
> page from the server. But I feel this "unlock_page_private_2" is actually
> "clear_page_private_2" -- ie it's equivalent to writeb
Matthew Wilcox (Oracle) wrote:
> Open-coding this function meant it missed out on the recent bugfix
> for waiters being woken by a delayed wake event from a previous
> instantiation of the page.
>
> Signed-off-by: Matthew Wilcox (Oracle)
Acked-and-tested-by: David Howells
Matthew Wilcox (Oracle) wrote:
> This is the killable version of wait_on_page_writeback.
>
> Signed-off-by: Matthew Wilcox (Oracle)
Acked-and-tested-by: David Howells
Matthew Wilcox (Oracle) wrote:
> Cachefiles was relying on wait_page_key and wait_bit_key being the
> same layout, which is fragile. Now that wait_page_key is exposed in
> the pagemap.h header, we can remove that fragility
>
> Signed-off-by: Matthew Wilcox (Oracle)
Acked-and-t
David Howells wrote:
> (1) For the old fscache code that I'm trying to phase out, it does not take a
> ref when PG_fscache is taken (probably incorrectly), relying instead on
> releasepage, etc. getting called to strip the PG_fscache bit. PG_fscache
> is held fo
Linus Torvalds wrote:
> And as far as I can tell, fscache doesn't want that PG_private_2 bit
> to interact with the random VM lifetime or migration rules either, and
> should rely entirely on the page count. David?
It's slightly complicated for fscache as there are two separate pieces of code
in
Matthew Wilcox wrote:
> So ... a page with both flags cleared should have a refcount of N.
> A page with one or both flags set should have a refcount of N+1.
> ...
> How is a poor filesystem supposed to make that true? Also btrfs has this
> problem since it uses private_2 for its own purposes.
I'm going to make the code generate more information when warning about a
subread reporting having over-read (see attached).
David
---
diff --git a/fs/netfs/read_helper.c b/fs/netfs/read_helper.c
index ce11ca4c32e4..765e88ee132d 100644
--- a/fs/netfs/read_helper.c
+++ b/fs/netfs/read_helper.c
@@ -
db677310fa9:
afs: Stop listxattr() from listing "afs.*" attributes (2021-03-15 17:09:54
+)
AFS fixes
--------
David Howells (2):
afs: Fix accessing YFS xa
Miklos Szeredi wrote:
> > (2) We can use the file position to represent the mnt_id and can jump to
> > it directly - ie. using seek() to jump to a mount object by its ID.
>
> What happens if the mount at the current position is removed?
umount_tree() requires the namespace_sem to be write
Remove the stuff for trawling a mount namespace's mount list using inserted
cursors as bookmarks as this has been replaced with an xarray-based
approach.
Signed-off-by: David Howells
cc: Alexander Viro
cc: Miklos Szeredi
cc: Matthew Wilcox
---
fs/namespace.c|
ed to
hide mounts that are in the process of being inserted into the tree by
marking them in the xarray itself or using a mount flag.
Signed-off-by: David Howells
cc: Alexander Viro
cc: Miklos Szeredi
cc: Matthew Wilcox
---
fs/mount.h |2 +-
fs/namespace.c |
that mount doesn't exist, but a later
one does.
Signed-off-by: David Howells
cc: Alexander Viro
cc: Miklos Szeredi
cc: Matthew Wilcox
---
fs/mount.h |2 +
fs/namespace.c | 81 ++--
2 files changed, 74 insertions(+), 9 deletion
subtree and propagation has to copy all of it.
David
Link:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=9f6c61f96f2d97cbb5f7fa85607bc398f843ff0f
[1]
---
David Howells (3):
vfs: Use an xarray in the mount namespace to handle /proc/mounts list
vfs:
Eric Snowberg wrote:
> > Can this go separately, or would it be better rolled into the existing
> > patchset?
>
> IMHO, since you have already sent a pull request and this is not available
> yet in shim, it seems save to have it go separately. I should have time
> to send something out next we
Eric Snowberg wrote:
> If MOKx will be available thru a config table in the next shim,
> I'll prepare a follow on patch to add this support.
Can this go separately, or would it be better rolled into the existing
patchset?
David
f them seem to have any
CONFIG_xxx symbols set.
How about the attached patch?
David
---
commit 95897dc8dc13ad13c637a477a1ead9b63ff1fafa
Author: David Howells
Date: Fri Mar 12 10:48:25 2021 +
certs: Clean up signing_key.pem and x509.genkey on make mrproper
Autogenerated sig
Valdis Klētnieks wrote:
> So the root cause was: 'make mrproper doesn't clean certs/' out enough,
> and this chunk of certs/Makefile
> ...
> I admit not being sure how (or if) this should be fixed
It's tricky because CONFIG_MODULE_SIG_KEY may not point to a file, let alone a
file that was autoge
afs.* xattrs, not just the ACL ones.
Fixes: ae46578b963f ("afs: Get YFS ACLs and information through xattrs")
Reported-by: Gaja Sophie Peters
Signed-off-by: David Howells
cc: linux-...@lists.infradead.org
Link: http://lists.infradead.org/pipermail/linux-afs/2021-March/003502.html [
/afs/openafs.org/
Fixes: e49c7b2f6de7 ("afs: Build an abstraction around an "operation" concept")
Reported-by: Gaja Sophie Peters
Signed-off-by: David Howells
Tested-by: Gaja Sophie Peters
cc: linux-...@lists.infradead.org
Link: http://lists.infradead.org/pipermail/linux-afs/2021-Marc
g/pipermail/linux-afs/2021-March/003565.html # v1
Link: http://lists.infradead.org/pipermail/linux-afs/2021-March/003568.html [7]
Link: http://lists.infradead.org/pipermail/linux-afs/2021-March/003570.html [8]
---
David Howells (2):
afs: Fix accessing YFS xattrs on a non-YFS server
afs
Hi Linus,
Here's a set of patches from Eric Snowberg[1] that add support for
EFI_CERT_X509_GUID entries in the dbx and mokx UEFI tables (such entries
cause matching certificates to be rejected). These are currently ignored
and only the hash entries are made use of. Additionally Eric included h
/afs/openafs.org/
Fixes: e49c7b2f6de7 ("afs: Build an abstraction around an "operation" concept")
Reported-by: Gaja Sophie Peters
Signed-off-by: David Howells
Tested-by: Gaja Sophie Peters
cc: linux-...@lists.infradead.org
Link: http://lists.infradead.org/pipermail/linux-afs/2021-Marc
)
Reported-by: Gaja Sophie Peters
Signed-off-by: David Howells
Tested-by: Gaja Sophie Peters
cc: linux-...@lists.infradead.org
Link: http://lists.infradead.org/pipermail/linux-afs/2021-March/003502.html [1]
---
fs/afs/xattr.c |7 +--
1 file changed, 1 insertion(+), 6 deletions(-)
diff
17cc655a82ded715dea7245ce88ebc91b98
[3]
Link: https://github.com/WayneD/rsync/issues/163 [4]
Link: http://lists.infradead.org/pipermail/linux-afs/2021-March/003516.html [5]
Link: http://lists.infradead.org/pipermail/linux-afs/2021-March/003524.html [6]
---
David Howells (2):
afs: Fix accessing
David Howells wrote:
> I'll have to try with the aarch64 build, see if it's something in that that's
> the problem.
That works too... kind of. Building in the certs/ dir is fine - and all the
cert generation and extraction is done in the expected place, but the link
f
Valdis Klētnieks wrote:
> So there's something weird going on with scripts/extract-cert when running
> as a userid other than the owner of the source tree.. I wonder if it's
> actually an OpenSSL issue...
I cloned next-20210311 as one user then built it as another user using:
LANG=C ni
I wonder... Can you grab branch keys-cve-2020-26541-branch from:
https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/
and try that? If that breaks, can you try dropping the top four commits?
David
Valdis Klētnieks wrote:
> What i *expected* was that multiple builds with different O= would each
> generate themselves a unique signing key and put it in their own O= directory
> and stay out of each other's way.
Hmmm... Works for me. I use separate build dirs all the time.
What version of t
Hi Eric,
Can you check this patch? I rolled your changes into it.
David
more advanced version of this could be made that does
generic_perform_write() for a whole cache granule. This would make it
easier to avoid doing the download/read for the data to be overwritten.
Signed-off-by: David Howells
cc: linux-...@lists.infradead.org
cc: linux-cach...@redhat.com
cc: linux
Extract writeback extension into its own function to break up the writeback
function a bit.
Signed-off-by: David Howells
cc: linux-...@lists.infradead.org
cc: linux-cach...@redhat.com
cc: linux-fsde...@vger.kernel.org
Link:
https://lore.kernel.org/r/160588538471.3465195.782513375683399583.st
een running async and stuff that might sleep needs punting to a
workqueue.
Signed-off-by: David Howells
cc: linux-...@lists.infradead.org
cc: linux-cach...@redhat.com
cc: linux-fsde...@vger.kernel.org
Link:
https://lore.kernel.org/r/160588542733.3465195.7526541422073350302
As a prelude to supporting transparent huge pages, use thp_size() and
similar rather than PAGE_SIZE/SHIFT.
Further, try and frame everything in terms of file positions and lengths
rather than page indices and numbers of pages.
Signed-off-by: David Howells
cc: linux-...@lists.infradead.org
cc
e call
delivery handler.
This means the done function will be called back on error also, not just on
successful completion.
This allows motion towards asynchronous data reception on data fetch calls
and allows any error to be handed off to the fscache read helper in the
same place as a successful com
PG_fscache is going to be used to indicate that a page is being written to
the cache, and that the page should not be modified or released until it's
finished.
Make afs_invalidatepage() and afs_releasepage() wait for it.
Signed-off-by: David Howells
cc: linux-...@lists.infradead.org
cc:
potentially allocating a huge array of bio_vec structs (max 256 per page)
when in fact the pagecache already has a structure listing all the relevant
pages (radix_tree/xarray) that can be walked over.
Signed-off-by: David Howells
cc: linux-...@lists.infradead.org
cc: linux-cach...@redhat.com
cc: linux
This will allow O_DIRECT calls to be supported in future patches.
Signed-off-by: David Howells
cc: linux-...@lists.infradead.org
cc: linux-cach...@redhat.com
cc: linux-fsde...@vger.kernel.org
Link:
https://lore.kernel.org/r/152898380012.11616.12094591785228251717.st...@warthog.procyon.org.uk/
Log unmarshalling errors reported by the peer (ie. it can't parse what we
sent it). Limit the maximum number of messages to 3.
Signed-off-by: David Howells
cc: linux-...@lists.infradead.org
cc: linux-cach...@redhat.com
cc: linux-fsde...@vger.kernel.org
Link:
https://lore.kernel.
Stash the key used to authenticate read operations in the afs_read struct.
This will be necessary to reissue the operation against the server if a
read from the cache fails in upcoming cache changes.
Signed-off-by: David Howells
cc: linux-...@lists.infradead.org
cc: linux-cach...@redhat.com
cc
e the
iterator.
Signed-off-by: David Howells
cc: linux-...@lists.infradead.org
cc: linux-cach...@redhat.com
cc: linux-fsde...@vger.kernel.org
Link:
https://lore.kernel.org/r/158861249201.340223.13035445866976590375.st...@warthog.procyon.org.uk/
# rfc
Link:
https://lore.kernel.
Print the afs_operation debug_id when logging an unexpected change in the
data version. This allows the logged message to be matched against
tracelines.
Signed-off-by: David Howells
cc: linux-...@lists.infradead.org
cc: linux-cach...@redhat.com
cc: linux-fsde...@vger.kernel.org
Link:
https
Disable use of the fscache I/O routined by the AFS filesystem. It's about
to transition to passing iov_iters down and fscache is about to have its
I/O path to use iov_iter, so all that needs to change.
Signed-off-by: David Howells
cc: linux-...@lists.infradead.org
cc: linux-cach...@redha
e index or private
data as these can be retrieved directly from the page struct.
Signed-off-by: David Howells
cc: linux-...@lists.infradead.org
cc: linux-cach...@redhat.com
cc: linux-fsde...@vger.kernel.org
Link:
https://lore.kernel.org/r/160588527183.3465195.16107942526481976308.st...@warthog.proc
l[2].
- Remove redundant else[2].
- Fill out the kdoc comment for fscache_begin_read_operation().
- Rename fs/fscache/page2.c to io.c to match later patches.
Signed-off-by: David Howells
Reviewed-by: Jeff Layton
cc: Christoph Hellwig
cc: linux-cach...@redhat.com
cc: linux-...@lists.infradead.org
Take a reference on a page when PG_private_2 is set and drop it once the
bit is unlocked[1].
Reported-by: Linus Torvalds
Signed-off-by: David Howells
cc: Matthew Wilcox
cc: Linus Torvalds
cc: linux...@kvack.org
cc: linux-cach...@redhat.com
cc: linux-...@lists.infradead.org
cc: linux
_read stat.
- Move initial definition of fscache_begin_read_operation() elsewhere.
- Need to call op->begin_cache_operation() from netfs_write_begin().
Signed-off-by: David Howells
Reviewed-by: Jeff Layton
cc: Matthew Wilcox
cc: linux...@kvack.org
cc: linux-cach...@redhat.com
cc: linux-...@l
ff-by: David Howells
Reviewed-by: Jeff Layton
cc: Matthew Wilcox
cc: linux...@kvack.org
cc: linux-cach...@redhat.com
cc: linux-...@lists.infradead.org
cc: linux-...@vger.kernel.org
cc: linux-c...@vger.kernel.org
cc: ceph-de...@vger.kernel.org
cc: v9fs-develo...@lists.sourceforge.net
cc: linux
Gather statistics from the netfs interface that can be exported through a
seqfile. This is intended to be called by a later patch when viewing
/proc/fs/fscache/stats.
Signed-off-by: David Howells
Reviewed-by: Jeff Layton
cc: Matthew Wilcox
cc: linux...@kvack.org
cc: linux-cach...@redhat.com
requests. A read request may be a compound of multiple
subrequests.
(3) netfs/netfs_sreq
This logs the progress of netfs_read_subrequest objects, which track
the contributions from various sources to a read request.
Signed-off-by: David Howells
Reviewed-by: Jeff Layton
cc: Matthew
ler may
have been running async and stuff that might sleep needs punting to a
workqueue (can't use in_softirq()[1]).
Signed-off-by: David Howells
Reviewed-by: Jeff Layton
cc: Matthew Wilcox
cc: linux...@kvack.org
cc: linux-cach...@redhat.com
cc: linux-...@lists.infradead.org
cc: linux-..
ather than pagemap.h[1]]
Signed-off-by: David Howells
cc: Linus Torvalds
cc: Matthew Wilcox
cc: linux...@kvack.org
cc: linux-cach...@redhat.com
cc: linux-...@lists.infradead.org
cc: linux-...@vger.kernel.org
cc: linux-c...@vger.kernel.org
cc: ceph-de...@vger.kernel.org
cc: v
Move the PG_fscache related helper funcs (such as SetPageFsCache()) to
linux/netfs.h rather than linux/fscache.h as the intention is to move to a
model where they're used by the network filesystem and the helper library,
but not by fscache/cachefiles itself.
Signed-off-by: David Howell
Make a netfs helper module to manage read request segmentation, caching
support and transparent huge page support on behalf of a network
filesystem.
Signed-off-by: David Howells
Reviewed-by: Jeff Layton
cc: Matthew Wilcox
cc: linux...@kvack.org
cc: linux-cach...@redhat.com
cc: linux
Add interface documentation for the netfs helper library.
Signed-off-by: David Howells
---
Documentation/filesystems/index.rst |1
Documentation/filesystems/netfs_library.rst | 526 +++
2 files changed, 527 insertions(+)
create mode 100644 Documentation
boundaries, thereby allowing whole granules to be stored in the cache, but
there are other potential users also.
Changes:
- Moved the declaration of readahead_expand() to a better place[1].
Suggested-by: Matthew Wilcox (Oracle)
Signed-off-by: David Howells
cc: Matthew Wilcox (Oracle)
cc: Alexander Viro
the terminology of
PG_private_2 and PG_fscache in the mm core function]
Changes:
- Remove extern from the declaration[2].
Suggested-by: Linus Torvalds
Signed-off-by: David Howells
Reviewed-by: Christoph Hellwig
cc: Matthew Wilcox (Oracle)
cc: Alexander Viro
cc: Christoph Hellwig
cc: linux
that would require
a bio_vec array to be allocated to refer to all the pages - which should be
redundant if inode->i_pages also points to all these pages.
Note that older versions of this patch implemented an ITER_MAPPING instead,
which was almost the same.
Signed-off-by: David Howells
cc: Alexan
612263...@warthog.procyon.org.uk/
Link: https://lore.kernel.org/r/270998.1612265...@warthog.procyon.org.uk/
David
---
David Howells (28):
iov_iter: Add ITER_XARRAY
mm: Add an unlock function for PG_private_2/PG_fscache
mm: Implement readahead_control pageset expansion
netfs: Make a
Dmitry Vyukov wrote:
> Not sure if you are still interesting in this or not, but fwiw tabs
> should be supported now:
> https://github.com/google/syzkaller/commit/26967e354e030f6a022b7a60a7c9899ec25923aa
Not right this minute, but thanks for letting me know!
David
Linus Walleij wrote:
> As it seems neither Microsoft nor Apple is paying it much attention
> (+/- new facts) it will be up to the community to define use cases
> for RPMB. I don't know what would make most sense, but the
> kernel keyring seems to make a bit of sense as it is a well maintained
> k
.
Add the ability to load mokx into the blacklist keyring during boot.
Signed-off-by: Eric Snowberg
Suggested-by: James Bottomley
Signed-off-by: David Howells
Reviewed-by: Jarkko Sakkinen
cc: keyri...@vger.kernel.org
Link:
https://lore.kernel.org/r/20210122181054.32635-5-eric.snowb...@oracle.com
SYSTEM_REVOCATION_LIST.
- Fix SYSTEM_REVOCATION_KEYS=n, but CONFIG_SYSTEM_REVOCATION_LIST=y[1][2].
- Use CONFIG_SYSTEM_REVOCATION_LIST for extract-cert[3].
- Use CONFIG_SYSTEM_REVOCATION_LIST for revocation_certificates.o[3].
Signed-off-by: Eric Snowberg
Acked-by: Jarkko Sakkinen
Signed-off-by: David Howells
cc
From: Eric Snowberg
Move functionality within load_system_certificate_list to a common
function, so it can be reused in the future.
DH Changes:
- Added inclusion of common.h to common.c (Eric [1]).
Signed-off-by: Eric Snowberg
Acked-by: Jarkko Sakkinen
Signed-off-by: David Howells
cc
.
- Moved the functions out from the middle of the blacklist functions.
- Added kerneldoc comments.]
Signed-off-by: Eric Snowberg
Signed-off-by: David Howells
Reviewed-by: Jarkko Sakkinen
cc: Randy Dunlap
cc: Mickaël Salaün
cc: Arnd Bergmann
cc: keyri...@vger.kernel.org
Link: https
Here's my take on v5 of Eric Snowberg's patches[1]:
This series of patches adds support for EFI_CERT_X509_GUID entries [2]. It has
been expanded to not only include dbx entries but also entries in the mokx.
Additionally Eric included his patches to preload these certificate [3].
The patches ca
Eric Snowberg wrote:
> >> @@ -11,7 +11,7 @@ hostprogs-always-$(CONFIG_ASN1)
> >> += asn1_compiler
> >> hostprogs-always-$(CONFIG_MODULE_SIG_FORMAT) += sign-file
> >> hostprogs-always-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += extract-cert
> >> hostprogs-always-$(
Dave Chinner wrote:
> > > There was a discussion about fsyncing a range of files on LSFMM [1].
> > > In the last comment on the article dchinner argues why we already have
> > > that
> > > API (and now also with io_uring(), but AFAIK, we do not have a useful
> > > wait_for_sync() API. And it doe
Dave Chinner wrote:
> > > With ->fiemap() you can at least make the distinction between a non
> > > existing and an UNWRITTEN extent.
> >
> > I can't use that for XFS, Ext4 or btrfs, I suspect. Christoph and Dave's
> > assertion is that the cache can't rely on the backing filesystem's metadata
J. Bruce Fields wrote:
> On Mon, Mar 08, 2021 at 09:13:55AM +0000, David Howells wrote:
> > Amir Goldstein wrote:
> > > With ->fiemap() you can at least make the distinction between a non
> > > existing
> > > and an UNWRITTEN extent.
> >
> >
Amir Goldstein wrote:
> > But after I've written and sync'd the data, I set the xattr to mark the
> > file not open. At the moment I'm doing this too lazily, only doing it
> > when a netfs file gets evicted or when the cache gets withdrawn, but I
> > really need to add a queue of objects to be s
Amir Goldstein wrote:
> > (0a) As (0) but using SEEK_DATA/SEEK_HOLE instead of bmap and opening the
> > file for every whole operation (which may combine reads and writes).
>
> I read that NFSv4 supports hole punching, so when using ->bmap() or SEEK_DATA
> to keep track of present data, i
Eric Snowberg wrote:
> @@ -11,7 +11,7 @@ hostprogs-always-$(CONFIG_ASN1)
> += asn1_compiler
> hostprogs-always-$(CONFIG_MODULE_SIG_FORMAT) += sign-file
> hostprogs-always-$(CONFIG_SYSTEM_TRUSTED_KEYRING)+= extract-cert
> hostprogs-always-$(CONFIG_SYSTEM
Eric Snowberg wrote:
> Since S_R_K is a string, I could not get that to work.
Okay.
> >> + hostprogs-always-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += extract-cert
I think this should then refer to CONFIG_SYSTEM_REVOCATION_LIST.
David
David Howells wrote:
>
> (3) OpenAFS-style format. One index file to look up {file_key,block#} and an
> array of data files, each holding one block (e.g. a 256KiB-aligned chunk
> of a file). Each index entry has valid start/end offsets for easy
> truncation
I'm looking at redesigning the on-disk cache format used by fscache's
cachefiles driver to try and eliminate the number of synchronous metadata
operations done by the driver, to improve culling performance and to reduce
the amount of opens/files open. I also need to stop relying on the backing
fil
I've fixed this already, thanks. The fix should turn up in linux-next at some
point.
David
Christian Brauner wrote:
> In order to answer this more confidently I need to know a bit more about
> how cachefiles are supposed to work.
>
> From what I gather here it seemed what this code is trying to set here
> is an internal "CacheFiles.cache" extended attribute on the indode. This
> exten
Christian Brauner wrote:
> diff --git a/fs/cachefiles/xattr.c b/fs/cachefiles/xattr.c
> index 72e42438f3d7..a591b5e09637 100644
> --- a/fs/cachefiles/xattr.c
> +++ b/fs/cachefiles/xattr.c
> @@ -39,8 +39,8 @@ int cachefiles_check_object_type(struct cachefiles_object
> *object)
> _enter("%p{
Eric Snowberg wrote:
> +ifeq ($(CONFIG_SYSTEM_REVOCATION_LIST),y)
> +obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += revocation_certificates.o
> +endif
Should the ifeq be referring to CONFIG_SYSTEM_REVOCATION_KEYS rather than
CONFIG_SYSTEM_REVOCATION_LIST? In fact, since S_R_K depends indirectly on
S
Wei Yongjun wrote:
> GCC reports the following warning with W=1:
>
> fs/afs/file.c:291:6: warning:
> unused variable 'ret' [-Wunused-variable]
> 291 | int ret;
> | ^~~
>
> After commit 799fbdf96cd51, this variable is not used in function
> afs_req_issue_op(), so this commit remov
Stephen Rothwell wrote:
> After merging the fscache tree, today's linux-next build (x86_64
> allmodconfig) produced this warning:
>
> fs/afs/file.c: In function 'afs_req_issue_op':
> fs/afs/file.c:291:6: warning: unused variable 'ret' [-Wunused-variable]
> 291 | int ret;
> | ^~~
>
Stephen Rothwell wrote:
> This is now a conflict between the fscache tree and Linus' tree.
I've rebased to -rc1 and repushed.
David
.
Add the ability to load mokx into the blacklist keyring during boot.
Signed-off-by: Eric Snowberg
Suggested-by: James Bottomley
Signed-off-by: David Howells
cc: Jarkko Sakkinen
Link:
https://lore.kernel.org/r/20210122181054.32635-5-eric.snowb...@oracle.com/ # v5
Link:
https://lore.kernel.org/r
enable the facility.]
Signed-off-by: Eric Snowberg
Acked-by: Jarkko Sakkinen
Signed-off-by: David Howells
Link: https://lore.kernel.org/r/20200930201508.35113-3-eric.snowb...@oracle.com/
Link:
https://lore.kernel.org/r/20210122181054.32635-4-eric.snowb...@oracle.com/ # v5
Link:
https
.
- Moved the functions out from the middle of the blacklist functions.
- Added kerneldoc comments.]
Signed-off-by: Eric Snowberg
Signed-off-by: David Howells
cc: Jarkko Sakkinen
cc: Randy Dunlap
cc: Mickaël Salaün
cc: Arnd Bergmann
cc: keyri...@vger.kernel.org
Link: https://lore.kernel.org/r
From: Eric Snowberg
Move functionality within load_system_certificate_list to a common
function, so it can be reused in the future.
DH Changes:
- Added inclusion of common.h to common.c (Eric [1]).
Signed-off-by: Eric Snowberg
Acked-by: Jarkko Sakkinen
Signed-off-by: David Howells
Link
Here's my take on v5 of Eric Snowberg's patches[1]:
This series of patches adds support for EFI_CERT_X509_GUID entries [2]. It has
been expanded to not only include dbx entries but also entries in the mokx.
Additionally Eric included his patches to preload these certificate [3].
The patches ca
.
Add the ability to load mokx into the blacklist keyring during boot.
Signed-off-by: Eric Snowberg
Suggested-by: James Bottomley
Signed-off-by: David Howells
cc: Jarkko Sakkinen
Link:
https://lore.kernel.org/r/20210122181054.32635-5-eric.snowb...@oracle.com/ # v5
Link:
https://lore.kernel.org/r
enable the facility.]
Signed-off-by: Eric Snowberg
Acked-by: Jarkko Sakkinen
Signed-off-by: David Howells
Link: https://lore.kernel.org/r/20200930201508.35113-3-eric.snowb...@oracle.com/
Link:
https://lore.kernel.org/r/20210122181054.32635-4-eric.snowb...@oracle.com/ # v5
---
certs/Kconfig
From: Eric Snowberg
Move functionality within load_system_certificate_list to a common
function, so it can be reused in the future.
Signed-off-by: Eric Snowberg
Acked-by: Jarkko Sakkinen
Signed-off-by: David Howells
Link: https://lore.kernel.org/r/20200930201508.35113-2-eric.snowb
.
- Moved the functions out from the middle of the blacklist functions.
- Added kerneldoc comments.]
Signed-off-by: Eric Snowberg
Signed-off-by: David Howells
cc: Jarkko Sakkinen
cc: Randy Dunlap
cc: Mickaël Salaün
cc: Arnd Bergmann
cc: keyri...@vger.kernel.org
Link: https://lore.kernel.org/r
Here's my take on v5 of Eric Snowberg's patches[1]:
This series of patches adds support for EFI_CERT_X509_GUID entries [2]. It has
been expanded to not only include dbx entries but also entries in the mokx.
Additionally Eric included his patches to preload these certificate [3].
The patches ca
Eric Snowberg wrote:
> > I've added an extra config option to turn on SYSTEM_REVOCATION_LIST support.
>
> I believe this is ok. However currently, whenever the kernel finds either a
> EFI_CERT_SHA256_GUID or EFI_CERT_X509_SHA256_GUID entry in the dbx, it loads
> it into the blacklist keyring.
Arnd Bergmann wrote:
> + select PKCS7_MESSAGE_PARSER if INTEGRITY_PLATFORM_KEYRING
I think a better way to do it is to add a separate config option for dealing
with revocation certs, which is part of what I suggested here:
https://lore.kernel.org/keyrings/3731128.1614163...@warthog
Steve French wrote:
> This (readahead behavior improvements in Linux, on single large file
> sequential read workloads like cp or grep) gets particularly interesting
> with SMB3 as multichannel becomes more common. With one channel having one
> readahead request pending on the network is subopti
Mickaël Salaün wrote:
> > +config SYSTEM_REVOCATION_LIST
> > + bool "Provide system-wide ring of revocation certificates"
> > + depends on SYSTEM_BLACKLIST_KEYRING
> > + depends on PKCS7_MESSAGE_PARSER=y
>
> The function verify_pkcs7_message_sig() (which is patched) is only
> available if
How about these changes?
I've added an extra config option to turn on SYSTEM_REVOCATION_LIST support.
I've also added kerneldoc comments and moved the functions so that they're not
in the middle of the blacklist-specific stuff.
I'm not sure uefi_revocation_list_x509() needs conditionalising as t
Eric Snowberg wrote:
> The kernel test robot reports when building with Kconfig
> CONFIG_INTEGRITY_PLATFORM_KEYRING defined and
> CONFIG_SYSTEM_DATA_VERIFICATION undefined:
>
> ld.lld: error: undefined symbol: pkcs7_validate_trust
> referenced by blacklist.c:128 (certs/blacklist.c:128)
>
David Howells wrote:
> This set of patches from Eric Snowberg that add support for
> EFI_CERT_X509_GUID entries in the dbx and mokx UEFI tables (such entries
> cause matching certificates to be rejected). These are currently ignored
> and only the hash entries are made use of
101 - 200 of 4355 matches
Mail list logo