On Thu, 2025-07-24 at 10:34 -0400, James Bottomley wrote:
> This patch series reduces the size of the implementing code and
> eliminates allocations on the bpf_key_lookup paths. There is no
> externally visible change to the BPF API.

This last bit turns out to be slightly untrue because I've changed the
bpf_lookup_system_key API to overload the NULL pointer: the
builtin_trusted keyring is identified by a key id of 0 which is also a
NULL pointer.

I could fix this by giving a special return (like -1) to the
builtin_trusted keyring and swizzling it back in
bpf_verify_pkcs7_signature(), or I could alter bpf_lookup_system_key to
return ERR_PTR, which would be an API change. The former is easier and
maintains the API compatibility, it's just a bit icky.

Regards,

James
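The ambiguity described in the message above and the first of the two proposed fixes, as an added user-space model that is not part of the original mail or the patch series. The function names, `MAX_SYSTEM_ID` and `BUILTIN_SENTINEL` are constructed for illustration; only "key id 0 equals NULL" and "a special return like -1, swizzled back before verification" come from the mail.

```c
#include <stdint.h>
#include <stdio.h>

struct key;                      /* opaque stand-in for the kernel's struct key */

#define MAX_SYSTEM_ID 2u         /* constructed: highest valid system keyring id in this model */
#define BUILTIN_SENTINEL ((struct key *)(uintptr_t)-1)  /* constructed, per "like -1" */

/* Overloaded form: the id is returned as the pointer, so id 0 and failure are both NULL. */
static struct key *lookup_overloaded(uint64_t id)
{
    return id <= MAX_SYSTEM_ID ? (struct key *)(uintptr_t)id : NULL;
}

/* First option: NULL stays the only failure value; id 0 becomes a sentinel. */
static struct key *lookup_sentinel(uint64_t id)
{
    if (id > MAX_SYSTEM_ID)
        return NULL;
    return id == 0 ? BUILTIN_SENTINEL : (struct key *)(uintptr_t)id;
}

/* Swizzle back before verification: the sentinel becomes NULL, i.e. builtin_trusted. */
static struct key *swizzle_for_verify(struct key *k)
{
    return k == BUILTIN_SENTINEL ? NULL : k;
}

/* A caller that treats NULL as "lookup failed": 1 = go on to verify, 0 = reject. */
static int caller_accepts(struct key *k)
{
    return k != NULL;
}

int main(void)
{
    printf("overloaded: id 0 accepted=%d, id 99 accepted=%d\n",
           caller_accepts(lookup_overloaded(0)), caller_accepts(lookup_overloaded(99)));
    printf("sentinel:   id 0 accepted=%d, id 99 accepted=%d\n",
           caller_accepts(lookup_sentinel(0)), caller_accepts(lookup_sentinel(99)));
    return 0;
}
```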