From mboxrd@z Thu Jan 1 00:00:00 1970
From: Jiri Slaby
Date: Tue, 06 Mar 2018 14:05:50 +0000
Subject: Re: [PATCH 0/9] KEYS: Blacklisting & UEFI database load
Message-Id: <6eabbb43-295e-9ba0-c0d9-120f48aa0e1d@suse.cz>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
List-Id:
References: <147931984418.16460.6639993676886095760.stgit@warthog.procyon.org.uk>
In-Reply-To: <147931984418.16460.6639993676886095760.stgit@warthog.procyon.org.uk>
To: David Howells , keyrings@vger.kernel.org
Cc: matthew.garrett@nebula.com, linux-security-module@vger.kernel.org, linux-efi@vger.kernel.org, linux-kernel@vger.kernel.org

On 11/16/2016, 07:10 PM, David Howells wrote:
> Here are two sets of patches. Firstly, the first three patches provide a
> blacklist, making the following changes:
...
> Secondly, the remaining patches allow the UEFI database to be used to load
> the system keyrings:
...
> Dave Howells (2):
>       efi: Add EFI signature data types
>       efi: Add an EFI signature blob parser
>
> David Howells (5):
>       KEYS: Add a system blacklist keyring
>       X.509: Allow X.509 certs to be blacklisted
>       PKCS#7: Handle blacklisted certificates
>       KEYS: Allow unrestricted boot-time addition of keys to secondary keyring
>       efi: Add SHIM and image security database GUID definitions
>
> Josh Boyer (2):
>       MODSIGN: Import certificates from UEFI Secure Boot
>       MODSIGN: Allow the "db" UEFI variable to be suppressed

Hi,

what's the status of this please? Distributors (I checked SUSE, RedHat
and Ubuntu) have to carry these patches and each of them has to
forward-port the patches to new kernels. So are you going to resend the
PR to have this merged?

thanks,
-- 
js
suse labs