Remove the CONFIG_INTEGRITY_PLATFORM_KEYRING ifdef check so this
pattern does not need to be repeated with new code.

Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
---
 certs/system_keyring.c | 6 ------
 1 file changed, 6 deletions(-)

diff --git a/certs/system_keyring.c b/certs/system_keyring.c
index 9de610bf1f4b..e344cee10d28 100644
--- a/certs/system_keyring.c
+++ b/certs/system_keyring.c
@@ -24,9 +24,7 @@ static struct key *secondary_trusted_keys;
 #ifdef CONFIG_INTEGRITY_MACHINE_KEYRING
 static struct key *machine_trusted_keys;
 #endif
-#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
 static struct key *platform_trusted_keys;
-#endif
 
 extern __initconst const u8 system_certificate_list[];
 extern __initconst const unsigned long system_certificate_list_size;
@@ -345,11 +343,7 @@ int verify_pkcs7_message_sig(const void *data, size_t len,
 		trusted_keys = builtin_trusted_keys;
 #endif
 	} else if (trusted_keys == VERIFY_USE_PLATFORM_KEYRING) {
-#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
 		trusted_keys = platform_trusted_keys;
-#else
-		trusted_keys = NULL;
-#endif
 		if (!trusted_keys) {
 			ret = -ENOKEY;
 			pr_devel("PKCS#7 platform keyring is not available\n");
-- 
2.45.0

Hi Eric,

On Thu, 2024-10-17 at 09:55 -0600, Eric Snowberg wrote:
> Remove the CONFIG_INTEGRITY_PLATFORM_KEYRING ifdef check so this
> pattern does not need to be repeated with new code.
> 
> Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>

Ok. The reason why testing the Kconfig is unnecessary should be included in the
patch description.  For example,

Commit 219a3e8676f3 ("integrity, KEYS: add a reference to platform keyring")
unnecessarily added the Kconfig test.  As platform_trusted_keys is already
initialized, simply use it.

Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>

> ---
>  certs/system_keyring.c | 6 ------
>  1 file changed, 6 deletions(-)
> 
> diff --git a/certs/system_keyring.c b/certs/system_keyring.c
> index 9de610bf1f4b..e344cee10d28 100644
> --- a/certs/system_keyring.c
> +++ b/certs/system_keyring.c
> @@ -24,9 +24,7 @@ static struct key *secondary_trusted_keys;
>  #ifdef CONFIG_INTEGRITY_MACHINE_KEYRING
>  static struct key *machine_trusted_keys;
>  #endif
> -#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
>  static struct key *platform_trusted_keys;
> -#endif
>  
>  extern __initconst const u8 system_certificate_list[];
>  extern __initconst const unsigned long system_certificate_list_size;
> @@ -345,11 +343,7 @@ int verify_pkcs7_message_sig(const void *data, size_t len,
>  		trusted_keys = builtin_trusted_keys;
>  #endif
>  	} else if (trusted_keys == VERIFY_USE_PLATFORM_KEYRING) {
> -#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
>  		trusted_keys = platform_trusted_keys;
> -#else
> -		trusted_keys = NULL;
> -#endif
>  		if (!trusted_keys) {
>  			ret = -ENOKEY;
>  			pr_devel("PKCS#7 platform keyring is not available\n");

> On Dec 23, 2024, at 6:21 AM, Mimi Zohar <zohar@linux.ibm.com> wrote:
> 
> Hi Eric,
> 
> On Thu, 2024-10-17 at 09:55 -0600, Eric Snowberg wrote:
>> Remove the CONFIG_INTEGRITY_PLATFORM_KEYRING ifdef check so this
>> pattern does not need to be repeated with new code.
>> 
>> Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
> 
> Ok. The reason why testing the Kconfig is unnecessary should be included in the
> patch description.  For example,
> 
> Commit 219a3e8676f3 ("integrity, KEYS: add a reference to platform keyring")
> unnecessarily added the Kconfig test.  As platform_trusted_keys is already
> initialized, simply use it.

Thanks, I'll add that in the next round.

> Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>

On Thu, 2024-10-17 at 09:55 -0600, Eric Snowberg wrote:
> Remove the CONFIG_INTEGRITY_PLATFORM_KEYRING ifdef check so this
> pattern does not need to be repeated with new code.
> 
> Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
> ---
>  certs/system_keyring.c | 6 ------
>  1 file changed, 6 deletions(-)
> 
> diff --git a/certs/system_keyring.c b/certs/system_keyring.c
> index 9de610bf1f4b..e344cee10d28 100644
> --- a/certs/system_keyring.c
> +++ b/certs/system_keyring.c
> @@ -24,9 +24,7 @@ static struct key *secondary_trusted_keys;
>  #ifdef CONFIG_INTEGRITY_MACHINE_KEYRING
>  static struct key *machine_trusted_keys;
>  #endif
> -#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
>  static struct key *platform_trusted_keys;
> -#endif
>  
>  extern __initconst const u8 system_certificate_list[];
>  extern __initconst const unsigned long system_certificate_list_size;
> @@ -345,11 +343,7 @@ int verify_pkcs7_message_sig(const void *data,
> size_t len,
>  		trusted_keys = builtin_trusted_keys;
>  #endif
>  	} else if (trusted_keys == VERIFY_USE_PLATFORM_KEYRING) {
> -#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
>  		trusted_keys = platform_trusted_keys;
> -#else
> -		trusted_keys = NULL;
> -#endif
>  		if (!trusted_keys) {
>  			ret = -ENOKEY;
>  			pr_devel("PKCS#7 platform keyring is not
> available\n");

Just to check with the argument that any commit should bring the Git
tree to another "good state". Why this was flagged? What would be the
collateral damage if only this commit was picked and put to a pull
request? No intentions to do that, this more like forming a better
understanding what is at stake here.

I.e. I get that you need this for subsequent commits but I think the
commit message should also have like explanation why this is a legit
change otherwise.

I mean, less flagging better if it does not cause harm is already
great without higher level goals.

BR, Jarkko

> On Oct 17, 2024, at 10:13 AM, Jarkko Sakkinen <jarkko@kernel.org> wrote:
> 
> On Thu, 2024-10-17 at 09:55 -0600, Eric Snowberg wrote:
>> Remove the CONFIG_INTEGRITY_PLATFORM_KEYRING ifdef check so this
>> pattern does not need to be repeated with new code.
>> 
>> Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
>> ---
>>  certs/system_keyring.c | 6 ------
>>  1 file changed, 6 deletions(-)
>> 
>> diff --git a/certs/system_keyring.c b/certs/system_keyring.c
>> index 9de610bf1f4b..e344cee10d28 100644
>> --- a/certs/system_keyring.c
>> +++ b/certs/system_keyring.c
>> @@ -24,9 +24,7 @@ static struct key *secondary_trusted_keys;
>>  #ifdef CONFIG_INTEGRITY_MACHINE_KEYRING
>>  static struct key *machine_trusted_keys;
>>  #endif
>> -#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
>>  static struct key *platform_trusted_keys;
>> -#endif
>>  
>>  extern __initconst const u8 system_certificate_list[];
>>  extern __initconst const unsigned long system_certificate_list_size;
>> @@ -345,11 +343,7 @@ int verify_pkcs7_message_sig(const void *data,
>> size_t len,
>>   trusted_keys = builtin_trusted_keys;
>>  #endif
>>   } else if (trusted_keys == VERIFY_USE_PLATFORM_KEYRING) {
>> -#ifdef CONFIG_INTEGRITY_PLATFORM_KEYRING
>>   trusted_keys = platform_trusted_keys;
>> -#else
>> - trusted_keys = NULL;
>> -#endif
>>   if (!trusted_keys) {
>>   ret = -ENOKEY;
>>   pr_devel("PKCS#7 platform keyring is not
>> available\n");
> 
> Just to check with the argument that any commit should bring the Git
> tree to another "good state". Why this was flagged? What would be the
> collateral damage if only this commit was picked and put to a pull
> request? No intentions to do that, this more like forming a better
> understanding what is at stake here.
> 
> I.e. I get that you need this for subsequent commits but I think the
> commit message should also have like explanation why this is a legit
> change otherwise.

Thanks for taking a look at this, I will add a better explanation in the
next round.