Re: [PATCH v3 09/10] KEYS: CA link restriction
From: Jarkko Sakkinen <jarkko@kernel.org>
Date: 2023-01-04 11:55:54
Also in:
keyrings, linux-crypto, linux-integrity, lkml
On Wed, Jan 04, 2023 at 11:51:52AM +0000, Jarkko Sakkinen wrote:
On Tue, Dec 13, 2022 at 07:34:00PM -0500, Eric Snowberg wrote:
+/** + * restrict_link_by_ca - Restrict additions to a ring of CA keys + * @dest_keyring: Keyring being linked to. + * @type: The type of key being added. + * @payload: The payload of the new key. + * @trust_keyring: Unused. + * + * Check if the new certificate is a CA. If it is a CA, then mark the new + * certificate as being ok to link. + * + * Returns 0 if the new certificate was accepted, -ENOKEY if the + * certificate is not a CA. -ENOPKG if the signature uses unsupported + * crypto, or some other error if there is a matching certificate but + * the signature check cannot be performed. + */ +int restrict_link_by_ca(struct key *dest_keyring, + const struct key_type *type, + const union key_payload *payload, + struct key *trust_keyring)
Why do you want to define trust_keyring, other than matching the parameter list in restrict_link_by_signature()? Also, if it is unused, it should then be just "struct key *)", right?
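Review bot: The "Returns" paragraph of the kernel-doc comment does not match the behaviour the comment describes; the description says the function only checks whether the new certificate is a CA and returns 0 or -ENOKEY, yet the return section goes on to list -ENOPKG "if the signature uses unsupported crypto" and "some other error if there is a matching certificate but the signature check cannot be performed", which reads as carried over from restrict_link_by_signature(). Either trim the return section to the errors this function can actually produce, or extend the description to say that a signature check is also performed. The same paragraph is also split by a stray full stop ("-ENOKEY if the certificate is not a CA. -ENOPKG if ..."), and kernel-doc expects the section to be introduced as "Return:" rather than "Returns". Finally, since @trust_keyring is documented as "Unused." only because the key_restrict_link_func_t callback type fixes the parameter list, it would help a reader to say so in the parameter description.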
Please ignore, I forgot how this worked, i.e. "restriction" is set to the correct function so this looks correct to me :-) So it's good. Sorry for the confusion. BR, Jarkko