From: Jarkko Sakkinen <jarkko@kernel.org>
To: Mimi Zohar <zohar@linux.ibm.com>
Cc: Eric Snowberg <eric.snowberg@oracle.com>,
dhowells@redhat.com, dwmw2@infradead.org, ardb@kernel.org,
jmorris@namei.org, serge@hallyn.com, nayna@linux.ibm.com,
keescook@chromium.org, torvalds@linux-foundation.org,
weiyongjun1@huawei.com, keyrings@vger.kernel.org,
linux-kernel@vger.kernel.org, linux-efi@vger.kernel.org,
linux-security-module@vger.kernel.org,
James.Bottomley@hansenpartnership.com, pjones@redhat.com,
konrad.wilk@oracle.com
Subject: Re: [PATCH v10 0/8] Enroll kernel keys thru MOK
Date: Sun, 20 Feb 2022 20:00:39 +0100 [thread overview]
Message-ID: <YhKP12KEmyqyS8rj@iki.fi> (raw)
In-Reply-To: <78d2c13ad60b5f845cb841d257d1b41290f575c6.camel@linux.ibm.com>
On Wed, Jan 26, 2022 at 05:06:09PM -0500, Mimi Zohar wrote:
> Hi Jarkko,
>
> > > Thank you. I'll pick these soon. Is there any objections?
>
> No objections.
> >
> > Mimi brought up that we need a MAINTAINERS update for this and also
> > .platform.
> >
> > We have these:
> >
> > - KEYS/KEYRINGS
> > - CERTIFICATE HANDLING
> >
> > I would put them under KEYRINGS for now and would not consider further
> > subdivision for the moment.
>
> IMA has dependencies on the platform_certs/ and now on the new .machine
> keyring. Just adding "F: security/integrity/platform_certs/" to the
> KEYS/KEYRINGS record, ignores that dependency. The discussion wouldn't
> even be on the linux-integrity mailing list.
>
> Existing requirement:
> - The keys on the .platform keyring are limited to verifying the kexec
> image.
>
> New requirements based on Eric Snowbergs' patch set:
> - When IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY is enabled,
> the MOK keys will not be loaded directly onto the .machine keyring or
> indirectly onto the .secondary_trusted_keys keyring.
>
> - Only when a new IMA Kconfig explicitly allows the keys on the
> .machine keyrings, will the CA keys stored in MOK be loaded onto the
> .machine keyring.
>
> Unfortunately I don't think there is any choice, but to define a new
> MAINTAINERS entry. Perhaps something along the lines of:
>
> KEYS/KEYRINGS_INTEGRITY
> M: Jarkko Sakkinen <jarkko@kernel.org>
> M: Mimi Zohar <zohar@linux.ibm.com>
> L: keyrings@vger.kernel.org
> L: linux-integrity@vger.kernel.org
> F: security/integrity/platform_certs
>
> thanks,
>
> Mimi
This would work for me.
BR, Jarkko
next prev parent reply other threads:[~2022-02-20 19:00 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-01-26 2:58 [PATCH v10 0/8] Enroll kernel keys thru MOK Eric Snowberg
2022-01-26 2:58 ` [PATCH v10 1/8] integrity: Fix warning about missing prototypes Eric Snowberg
2022-01-26 2:58 ` [PATCH v10 2/8] integrity: Introduce a Linux keyring called machine Eric Snowberg
2022-01-26 2:58 ` [PATCH v10 3/8] integrity: add new keyring handler for mok keys Eric Snowberg
2022-01-26 2:58 ` [PATCH v10 4/8] KEYS: store reference to machine keyring Eric Snowberg
2022-01-26 2:58 ` [PATCH v10 5/8] KEYS: Introduce link restriction for machine keys Eric Snowberg
2022-01-26 2:58 ` [PATCH v10 6/8] efi/mokvar: move up init order Eric Snowberg
2022-01-26 2:58 ` [PATCH v10 7/8] integrity: Trust MOK keys if MokListTrustedRT found Eric Snowberg
2022-01-26 2:58 ` [PATCH v10 8/8] integrity: Only use machine keyring when uefi_check_trust_mok_keys is true Eric Snowberg
2022-04-11 11:06 ` Michal Suchánek
2022-04-11 16:39 ` Eric Snowberg
2022-04-11 17:24 ` Michal Suchánek
2022-04-11 20:34 ` Eric Snowberg
2022-04-11 21:35 ` Michal Suchánek
2022-01-26 13:43 ` [PATCH v10 0/8] Enroll kernel keys thru MOK Jarkko Sakkinen
2022-01-26 13:58 ` Jarkko Sakkinen
2022-01-26 22:06 ` Mimi Zohar
2022-02-08 9:28 ` Jarkko Sakkinen
2022-02-08 15:26 ` MAINTAINERS update suggestion (subject change) Mimi Zohar
2022-02-20 19:00 ` Jarkko Sakkinen [this message]
2022-02-22 11:59 ` [PATCH v10 0/8] Enroll kernel keys thru MOK Mimi Zohar
2022-02-22 12:26 ` Jarkko Sakkinen
2022-02-22 12:32 ` Mimi Zohar
2022-02-23 15:32 ` Jarkko Sakkinen
2022-02-22 13:43 ` Mimi Zohar
2022-02-23 15:33 ` Jarkko Sakkinen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YhKP12KEmyqyS8rj@iki.fi \
--to=jarkko@kernel.org \
--cc=James.Bottomley@hansenpartnership.com \
--cc=ardb@kernel.org \
--cc=dhowells@redhat.com \
--cc=dwmw2@infradead.org \
--cc=eric.snowberg@oracle.com \
--cc=jmorris@namei.org \
--cc=keescook@chromium.org \
--cc=keyrings@vger.kernel.org \
--cc=konrad.wilk@oracle.com \
--cc=linux-efi@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=nayna@linux.ibm.com \
--cc=pjones@redhat.com \
--cc=serge@hallyn.com \
--cc=torvalds@linux-foundation.org \
--cc=weiyongjun1@huawei.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.