All of lore.kernel.org
 help / color / mirror / Atom feed
From: Mimi Zohar <zohar@linux.ibm.com>
To: Jarkko Sakkinen <jarkko@kernel.org>,
	Eric Snowberg <eric.snowberg@oracle.com>
Cc: dhowells@redhat.com, dwmw2@infradead.org, ardb@kernel.org,
	jmorris@namei.org, serge@hallyn.com, nayna@linux.ibm.com,
	keescook@chromium.org, torvalds@linux-foundation.org,
	weiyongjun1@huawei.com, keyrings@vger.kernel.org,
	linux-kernel@vger.kernel.org, linux-efi@vger.kernel.org,
	linux-security-module@vger.kernel.org,
	James.Bottomley@hansenpartnership.com, pjones@redhat.com,
	konrad.wilk@oracle.com
Subject: Re: [PATCH v9 8/8] integrity: Only use machine keyring when uefi_check_trust_mok_keys is true
Date: Sun, 09 Jan 2022 19:12:44 -0500	[thread overview]
Message-ID: <099cdb4d6d8f74247d57f9d48472968e57c9e5c2.camel@linux.ibm.com> (raw)
In-Reply-To: <2aa9e4b290424c869afe983ed63b5a0c4d12df36.camel@linux.ibm.com>

On Sat, 2022-01-08 at 20:47 -0500, Mimi Zohar wrote:
> On Sun, 2022-01-09 at 00:30 +0200, Jarkko Sakkinen wrote:
> > Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
> > 
> > Mimi, have you tested these patches already?
> 
> Sorry, not yet this version this of the patch set.  Planning to test
> shortly.

I've only tested v9 1/8 - 6/8 patches on top of Takashi Iwai and Joey
Lee's patches, which are queued to be upstreamed.

92ad19559ea9 integrity: Do not load MOK and MOKx when secure boot be
disabled
54bf7fa3efd0 ima: Fix undefined arch_ima_get_secureboot() and co

With secure boot enabled and
IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY disabled,  all of
the MOK keys are loaded onto the .machine keyring.  With secure boot
disabled, none of the MOK keys are loaded onto either the .platform or
.machine keyrings, irrespective of
IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY.

This patch set is working as expected, but the v9 2/8 & 5/8 patch
descriptions haven't been updated, nor have the related comments been
updated.  Please note that the subsequent patch set will limit the MOK
keys being loaded onto the .machine keyring to only the MOK CA keys.

thanks,

Mimi


  reply	other threads:[~2022-01-10  0:13 UTC|newest]

Thread overview: 36+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-01-05 23:50 [PATCH v9 0/8] Enroll kernel keys thru MOK Eric Snowberg
2022-01-05 23:50 ` [PATCH v9 1/8] integrity: Fix warning about missing prototypes Eric Snowberg
2022-01-08 16:25   ` Jarkko Sakkinen
2022-01-05 23:50 ` [PATCH v9 2/8] integrity: Introduce a Linux keyring called machine Eric Snowberg
2022-01-09 21:57   ` Mimi Zohar
2022-01-10 23:25     ` Eric Snowberg
2022-01-11 18:16       ` Mimi Zohar
2022-01-11 21:26         ` Eric Snowberg
2022-01-12  1:14           ` Mimi Zohar
2022-01-12 19:41             ` Mimi Zohar
2022-01-12 23:00               ` Eric Snowberg
2022-01-12 19:41             ` Mimi Zohar
2022-01-15 17:11               ` Jarkko Sakkinen
2022-01-15 19:12                 ` Eric Snowberg
2022-01-15 19:14                   ` Jarkko Sakkinen
2022-01-15 19:15                     ` Jarkko Sakkinen
2022-01-16  2:55                       ` Mimi Zohar
2022-01-16 20:10                         ` Jarkko Sakkinen
2022-01-18 16:32                           ` Eric Snowberg
2022-01-05 23:50 ` [PATCH v9 3/8] integrity: add new keyring handler for mok keys Eric Snowberg
2022-01-08 22:21   ` Jarkko Sakkinen
2022-01-05 23:50 ` [PATCH v9 4/8] KEYS: store reference to machine keyring Eric Snowberg
2022-01-08 22:22   ` Jarkko Sakkinen
2022-01-05 23:50 ` [PATCH v9 5/8] KEYS: Introduce link restriction for machine keys Eric Snowberg
2022-01-08 22:25   ` Jarkko Sakkinen
2022-01-09 22:42   ` Mimi Zohar
2022-01-10 23:36     ` Eric Snowberg
2022-01-05 23:50 ` [PATCH v9 6/8] efi/mokvar: move up init order Eric Snowberg
2022-01-08 22:27   ` Jarkko Sakkinen
2022-01-05 23:50 ` [PATCH v9 7/8] integrity: Trust MOK keys if MokListTrustedRT found Eric Snowberg
2022-01-08 22:28   ` Jarkko Sakkinen
2022-01-05 23:50 ` [PATCH v9 8/8] integrity: Only use machine keyring when uefi_check_trust_mok_keys is true Eric Snowberg
2022-01-08 22:30   ` Jarkko Sakkinen
2022-01-09  1:47     ` Mimi Zohar
2022-01-10  0:12       ` Mimi Zohar [this message]
2022-01-11  2:26       ` Jarkko Sakkinen

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=099cdb4d6d8f74247d57f9d48472968e57c9e5c2.camel@linux.ibm.com \
    --to=zohar@linux.ibm.com \
    --cc=James.Bottomley@hansenpartnership.com \
    --cc=ardb@kernel.org \
    --cc=dhowells@redhat.com \
    --cc=dwmw2@infradead.org \
    --cc=eric.snowberg@oracle.com \
    --cc=jarkko@kernel.org \
    --cc=jmorris@namei.org \
    --cc=keescook@chromium.org \
    --cc=keyrings@vger.kernel.org \
    --cc=konrad.wilk@oracle.com \
    --cc=linux-efi@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=nayna@linux.ibm.com \
    --cc=pjones@redhat.com \
    --cc=serge@hallyn.com \
    --cc=torvalds@linux-foundation.org \
    --cc=weiyongjun1@huawei.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.