All of lore.kernel.org
 help / color / mirror / Atom feed
From: Jarkko Sakkinen <jarkko@kernel.org>
To: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Cc: Eric Snowberg <eric.snowberg@oracle.com>,
	keyrings@vger.kernel.org, linux-integrity@vger.kernel.org,
	zohar@linux.ibm.com, dhowells@redhat.com, dwmw2@infradead.org,
	herbert@gondor.apana.org.au, davem@davemloft.net,
	jmorris@namei.org, serge@hallyn.com, keescook@chromium.org,
	torvalds@linux-foundation.org, weiyongjun1@huawei.com,
	nayna@linux.ibm.com, ebiggers@google.com, ardb@kernel.org,
	nramas@linux.microsoft.com, lszubowi@redhat.com, jason@zx2c4.com,
	linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org,
	linux-efi@vger.kernel.org, linux-security-module@vger.kernel.org,
	James.Bottomley@HansenPartnership.com, pjones@redhat.com
Subject: Re: [PATCH v7 00/17] Enroll kernel keys thru MOK
Date: Wed, 17 Nov 2021 09:51:25 +0200	[thread overview]
Message-ID: <3939a2fac50d2e836c48855b1b00c7b36659f23f.camel@kernel.org> (raw)
In-Reply-To: <8fcadcf2a5da5118fb7f9caea0a61440525a67b2.camel@kernel.org>

On Wed, 2021-11-17 at 09:50 +0200, Jarkko Sakkinen wrote:
> On Tue, 2021-11-16 at 11:39 -0500, Konrad Rzeszutek Wilk wrote:
> > On Tue, Nov 16, 2021 at 06:24:52PM +0200, Jarkko Sakkinen wrote:
> > > On Tue, 2021-11-16 at 11:18 -0500, Konrad Rzeszutek Wilk wrote:
> > > > > > I have included  a link to the mokutil [5] changes I have made to support 
> > > > > > this new functionality.  The shim changes have now been accepted
> > > > > > upstream [6].
> > > > 
> > > > ..snip..
> > > > > > [6] https://github.com/rhboot/shim/commit/4e513405b4f1641710115780d19dcec130c5208f
> > > > 
> > > > ..snip..
> > > > > 
> > > > > Does shim have the necessary features in a release?
> > > > 
> > > > Hi!
> > > > 
> > > > It has been accepted in the upstream shim. If you are looking
> > > > for a distribution having rolled out a shim with this feature (so signed
> > > > by MSF) I fear that distributions are not that fast with shim releases.
>          ~~~
> 
> Should that be MS, or what does MSF mean?
> 
> > > > 
> > > > Also these:
> > > > https://github.com/rhboot/shim/pulls
> > > > https://github.com/rhboot/shim/issues
> > > > 
> > > > do mean some extra work would need to go in before an official
> > > > release is cut.
> > > > 
> > > > Hope this helps?
> > > 
> > > Yes. I'll hold with this up until there is an official release. Thank you.
> > 
> > Not sure I understand - but what are the concerns you have with shim
> > code that has been accepted?
> 
> Maybe my concern is that none of the patches have a tested-by?
> 
> Probably would be easier to get a test coverage, e.g. for people like
> me who do not even know how to self-compile Shim, how to setup user
> space using the product and so forth.
        ~~~~~~~~~~~~~~~~~

for the end product

/Jarkko




  reply	other threads:[~2021-11-17  7:51 UTC|newest]

Thread overview: 43+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-11-16  0:15 [PATCH v7 00/17] Enroll kernel keys thru MOK Eric Snowberg
2021-11-16  0:15 ` [PATCH v7 01/17] integrity: Introduce a Linux keyring called machine Eric Snowberg
2021-11-17 13:01   ` Mimi Zohar
2021-11-16  0:15 ` [PATCH v7 02/17] integrity: Do not allow machine keyring updates following init Eric Snowberg
2021-11-17 13:18   ` Mimi Zohar
2021-11-16  0:15 ` [PATCH v7 03/17] KEYS: Create static version of public_key_verify_signature Eric Snowberg
2021-11-17 13:32   ` Mimi Zohar
2021-11-17 13:53     ` Mimi Zohar
2021-11-16  0:15 ` [PATCH v7 04/17] X.509: Parse Basic Constraints for CA Eric Snowberg
2021-11-18 22:59   ` Mimi Zohar
2021-11-18 23:29     ` Eric Snowberg
2021-11-16  0:15 ` [PATCH v7 05/17] KEYS: CA link restriction Eric Snowberg
2021-11-16  0:15 ` [PATCH v7 06/17] integrity: restrict INTEGRITY_KEYRING_MACHINE to restrict_link_by_ca Eric Snowberg
2021-11-23  2:09   ` kernel test robot
2021-11-23  2:09     ` kernel test robot
2021-11-16  0:15 ` [PATCH v7 07/17] integrity: Fix warning about missing prototypes Eric Snowberg
2021-11-17 15:16   ` Mimi Zohar
2021-11-16  0:15 ` [PATCH v7 08/17] integrity: add new keyring handler for mok keys Eric Snowberg
2021-11-19  0:05   ` Mimi Zohar
2021-11-16  0:15 ` [PATCH v7 09/17] KEYS: Rename get_builtin_and_secondary_restriction Eric Snowberg
2021-11-19  0:05   ` Mimi Zohar
2021-11-16  0:15 ` [PATCH v7 10/17] KEYS: add a reference to machine keyring Eric Snowberg
2021-11-16  0:15 ` [PATCH v7 11/17] KEYS: Introduce link restriction for machine keys Eric Snowberg
2021-11-19  0:20   ` Mimi Zohar
2021-11-19  2:50     ` Eric Snowberg
2021-11-16  0:15 ` [PATCH v7 12/17] KEYS: integrity: change link restriction to trust the machine keyring Eric Snowberg
2021-11-19  0:23   ` Mimi Zohar
2021-11-16  0:15 ` [PATCH v7 13/17] KEYS: link secondary_trusted_keys to machine trusted keys Eric Snowberg
2021-11-18 12:32   ` Mimi Zohar
2021-11-18 21:37     ` Eric Snowberg
2021-11-16  0:15 ` [PATCH v7 14/17] integrity: store reference to machine keyring Eric Snowberg
2021-11-16  0:15 ` [PATCH v7 15/17] efi/mokvar: move up init order Eric Snowberg
2021-11-16  0:15 ` [PATCH v7 16/17] integrity: Trust MOK keys if MokListTrustedRT found Eric Snowberg
2021-11-16  0:15 ` [PATCH v7 17/17] integrity: Only use machine keyring when uefi_check_trust_mok_keys is true Eric Snowberg
2021-11-16 16:00 ` [PATCH v7 00/17] Enroll kernel keys thru MOK Jarkko Sakkinen
2021-11-16 16:18   ` Konrad Rzeszutek Wilk
2021-11-16 16:24     ` Jarkko Sakkinen
2021-11-16 16:39       ` Konrad Rzeszutek Wilk
2021-11-17  7:50         ` Jarkko Sakkinen
2021-11-17  7:51           ` Jarkko Sakkinen [this message]
2021-11-17 17:02             ` Konrad Rzeszutek Wilk
2021-11-17 17:20               ` Eric Snowberg
2021-11-18  3:14                 ` Jarkko Sakkinen

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=3939a2fac50d2e836c48855b1b00c7b36659f23f.camel@kernel.org \
    --to=jarkko@kernel.org \
    --cc=James.Bottomley@HansenPartnership.com \
    --cc=ardb@kernel.org \
    --cc=davem@davemloft.net \
    --cc=dhowells@redhat.com \
    --cc=dwmw2@infradead.org \
    --cc=ebiggers@google.com \
    --cc=eric.snowberg@oracle.com \
    --cc=herbert@gondor.apana.org.au \
    --cc=jason@zx2c4.com \
    --cc=jmorris@namei.org \
    --cc=keescook@chromium.org \
    --cc=keyrings@vger.kernel.org \
    --cc=konrad.wilk@oracle.com \
    --cc=linux-crypto@vger.kernel.org \
    --cc=linux-efi@vger.kernel.org \
    --cc=linux-integrity@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=lszubowi@redhat.com \
    --cc=nayna@linux.ibm.com \
    --cc=nramas@linux.microsoft.com \
    --cc=pjones@redhat.com \
    --cc=serge@hallyn.com \
    --cc=torvalds@linux-foundation.org \
    --cc=weiyongjun1@huawei.com \
    --cc=zohar@linux.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.