> On Mar 3, 2021, at 2:24 AM, David Howells <dhowe...@redhat.com> wrote: > > Eric Snowberg <eric.snowb...@oracle.com> wrote: > >> +ifeq ($(CONFIG_SYSTEM_REVOCATION_LIST),y) >> +obj-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += revocation_certificates.o >> +endif > > Should the ifeq be referring to CONFIG_SYSTEM_REVOCATION_KEYS rather than > CONFIG_SYSTEM_REVOCATION_LIST? In fact, since S_R_K depends indirectly on > S_B_K, you should be able to just do: > > +obj-$(CONFIG_SYSTEM_REVOCATION_KEYS) += revocation_certificates.o
Since S_R_K is a string, I could not get that to work. I could get this to work: obj-$(CONFIG_SYSTEM_REVOCATION_LIST) += revocation_certificates.o If there is another way of doing this with S_R_K instead, let me know. >> +#ifdef CONFIG_SYSTEM_REVOCATION_LIST > > Here also? When S_R_L is defined, S_R_K will also always be defined too. Either as an empty string or a path to a file. With my change, it works the same as the current code in CONFIG_SYSTEM_TRUSTED_KEYS and CONFIG_SYSTEM_TRUSTED_KEYRING, which also uses the extract_certs script. It can properly handle a NULL string. If I changed it to S_R_K here, it seems confusing to me, since one might assume it is only defined when someone adds a string to S_R_K. But, I can change it if you’d like. >> + hostprogs-always-$(CONFIG_SYSTEM_BLACKLIST_KEYRING) += extract-cert > > And here too?
