Re: [PATCH] certs: move the 'depends on' to the choice of module signing keys
From: Masahiro Yamada
Date: Sat Dec 11 2021 - 08:11:27 EST
On Fri, Oct 1, 2021 at 1:02 PM Masahiro Yamada <masahiroy@xxxxxxxxxx> wrote:
>
> When the condition "MODULE_SIG || (IMA_APPRAISE_MODSIG && MODULES)"
> is unmet, you cannot choose anything in the choice, but the choice
> menu is still displayed in the menuconfig etc.
>
> Move the 'depends on' to the choice to hide the meaningless menu.
>
> Also delete the redundant 'default'. In a choice, the first entry is
> the default.
>
> Signed-off-by: Masahiro Yamada <masahiroy@xxxxxxxxxx>
> ---
Applied to linux-kbuild.
>
> certs/Kconfig | 4 +---
> 1 file changed, 1 insertion(+), 3 deletions(-)
>
> diff --git a/certs/Kconfig b/certs/Kconfig
> index ae7f2e876a31..73d1350c223a 100644
> --- a/certs/Kconfig
> +++ b/certs/Kconfig
> @@ -17,21 +17,19 @@ config MODULE_SIG_KEY
>
> choice
> prompt "Type of module signing key to be generated"
> - default MODULE_SIG_KEY_TYPE_RSA
> + depends on MODULE_SIG || (IMA_APPRAISE_MODSIG && MODULES)
> help
> The type of module signing key type to generate. This option
> does not apply if a #PKCS11 URI is used.
>
> config MODULE_SIG_KEY_TYPE_RSA
> bool "RSA"
> - depends on MODULE_SIG || (IMA_APPRAISE_MODSIG && MODULES)
> help
> Use an RSA key for module signing.
>
> config MODULE_SIG_KEY_TYPE_ECDSA
> bool "ECDSA"
> select CRYPTO_ECDSA
> - depends on MODULE_SIG || (IMA_APPRAISE_MODSIG && MODULES)
> help
> Use an elliptic curve key (NIST P384) for module signing. Consider
> using a strong hash like sha256 or sha384 for hashing modules.
> --
> 2.30.2
>
--
Best Regards
Masahiro Yamada