From: Eric Biggers <ebiggers@kernel.org>
To: Aleksander Adamowski <olo@fb.com>
Cc: "linux-fscrypt@vger.kernel.org" <linux-fscrypt@vger.kernel.org>
Subject: Re: [fsverity-utils PATCH v2] Implement PKCS#11 opaque keys support through OpenSSL pkcs11 engine
Date: Wed, 8 Sep 2021 17:28:14 -0700 [thread overview]
Message-ID: <YTlVHtvjuCxsI0DS@gmail.com> (raw)
In-Reply-To: <SA1PR15MB48244271F45CF01744C5074EDDD59@SA1PR15MB4824.namprd15.prod.outlook.com>
On Thu, Sep 09, 2021 at 12:20:35AM +0000, Aleksander Adamowski wrote:
> On Wednesday, September 8, 2021 4:48 PM, Eric Biggers wrote:
> > Regarding struct libfsverity_signature_params, I wrote "Please write a comment
> > that clearly explains which parameters must be specified and when.".
>
> Got it. I assumed that the detailed explanation in the manpage covering the
> same parameters would be sufficient, as repeating it in struct comments would
> make the information redundant and require reformatting that part to multi-line
> comments.
>
> I can add it to the struct comments, but this will mean I'll need to change
> them to multi-line comments (above each struct member) and add empty lines
> between members (following the same commenting style as in struct
> libfsverity_merkle_tree_params). Are you okay with that change?
The fsverity.1 man page documents the fsverity tool, whereas the comments in
libfsverity.h document the interface to libfsverity. These are different
things, so the documentation for one doesn't really apply to the other, unless
they explicitly reference each other. (Which you can do if it would avoid
redundancy. The point is, if the documentation is somewhere else, people
actually need to be told where to find it.)
It's fine to reformat the comments and code if necessary.
>
> > Also I mentioned "The !OPENSSL_IS_BORINGSSL case no longer returns an error if
> > sig_params->keyfile or sig_params->certfile is unset". That wasn't addressed
> > for sig_params->certfile.
>
> Ah, I see. In my patch V2, after your suggestion, there's a new NULL check for
> certfile in lib/sign_digest.c:87 that I intended as a replacement for the
> previous check in lib/sign_digest.c:337. I think it's a better place for that
> check, as it's in the place of actual use.
>
> Do you want me to place that check back in the pre-check logic in
> libfsverity_sign_digest()?
Your patch has:
if (!certfile) {
libfsverity_error_msg("certfile must be specified");
}
It needs to be:
if (!certfile) {
libfsverity_error_msg("certfile must be specified");
return -EINVAL;
}
- Eric
next prev parent reply other threads:[~2021-09-09 0:28 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-08-28 1:30 [fsverity-utils PATCH v2] Implement PKCS#11 opaque keys support through OpenSSL pkcs11 engine Aleksander Adamowski
2021-09-08 22:44 ` Eric Biggers
2021-09-08 23:32 ` Aleksander Adamowski
2021-09-08 23:48 ` Eric Biggers
2021-09-09 0:20 ` Aleksander Adamowski
2021-09-09 0:28 ` Eric Biggers [this message]
2021-09-09 0:55 ` Aleksander Adamowski
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YTlVHtvjuCxsI0DS@gmail.com \
--to=ebiggers@kernel.org \
--cc=linux-fscrypt@vger.kernel.org \
--cc=olo@fb.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox