Re: [PATCH v7 00/17] Enroll kernel keys thru MOK

From: Eric Snowberg <eric.snowberg@oracle.com>
To: Konrad Wilk <konrad.wilk@oracle.com>,
	Jarkko Sakkinen <jarkko@kernel.org>
Cc: "keyrings@vger.kernel.org" <keyrings@vger.kernel.org>,
	"linux-integrity@vger.kernel.org"
	<linux-integrity@vger.kernel.org>,
	"zohar@linux.ibm.com" <zohar@linux.ibm.com>,
	"dhowells@redhat.com" <dhowells@redhat.com>,
	"dwmw2@infradead.org" <dwmw2@infradead.org>,
	"herbert@gondor.apana.org.au" <herbert@gondor.apana.org.au>,
	"davem@davemloft.net" <davem@davemloft.net>,
	"jmorris@namei.org" <jmorris@namei.org>,
	"serge@hallyn.com" <serge@hallyn.com>,
	"keescook@chromium.org" <keescook@chromium.org>,
	"torvalds@linux-foundation.org" <torvalds@linux-foundation.org>,
	"weiyongjun1@huawei.com" <weiyongjun1@huawei.com>,
	"nayna@linux.ibm.com" <nayna@linux.ibm.com>,
	"ebiggers@google.com" <ebiggers@google.com>,
	"ardb@kernel.org" <ardb@kernel.org>,
	"nramas@linux.microsoft.com" <nramas@linux.microsoft.com>,
	"lszubowi@redhat.com" <lszubowi@redhat.com>,
	"jason@zx2c4.com" <jason@zx2c4.com>,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
	"linux-crypto@vger.kernel.org" <linux-crypto@vger.kernel.org>,
	"linux-efi@vger.kernel.org" <linux-efi@vger.kernel.org>,
	"linux-security-module@vger.kernel.org" 
	<linux-security-module@vger.kernel.org>,
	"James.Bottomley@hansenpartnership.com" 
	<James.Bottomley@HansenPartnership.com>,
	"pjones@redhat.com" <pjones@redhat.com>
Subject: Re: [PATCH v7 00/17] Enroll kernel keys thru MOK
Date: Wed, 17 Nov 2021 17:20:52 +0000	[thread overview]
Message-ID: <7E672BCB-EEA7-4DB8-AEB1-644B46EBE124@oracle.com> (raw)
In-Reply-To: <YZU1lkBkphf73dF+@0xbeefdead.lan>

> On Nov 17, 2021, at 10:02 AM, Konrad Wilk <konrad.wilk@oracle.com> wrote:
> 
> On Wed, Nov 17, 2021 at 09:51:25AM +0200, Jarkko Sakkinen wrote:
>> On Wed, 2021-11-17 at 09:50 +0200, Jarkko Sakkinen wrote:
>>> On Tue, 2021-11-16 at 11:39 -0500, Konrad Rzeszutek Wilk wrote:
>>>> On Tue, Nov 16, 2021 at 06:24:52PM +0200, Jarkko Sakkinen wrote:
>>>>> On Tue, 2021-11-16 at 11:18 -0500, Konrad Rzeszutek Wilk wrote:
>>>>>>>> I have included  a link to the mokutil [5] changes I have made to support 
>>>>>>>> this new functionality.  The shim changes have now been accepted
>>>>>>>> upstream [6].
>>>>>> 
>>>>>> ..snip..
>>>>>>>> [6] https://github.com/rhboot/shim/commit/4e513405b4f1641710115780d19dcec130c5208f
>>>>>> 
>>>>>> ..snip..
>>>>>>> 
>>>>>>> Does shim have the necessary features in a release?
>>>>>> 
>>>>>> Hi!
>>>>>> 
>>>>>> It has been accepted in the upstream shim. If you are looking
>>>>>> for a distribution having rolled out a shim with this feature (so signed
>>>>>> by MSF) I fear that distributions are not that fast with shim releases.
>>>          ~~~
>>> 
>>> Should that be MS, or what does MSF mean?
> 
> Microsoft :-)

Correct, I’ll fix that in the next round.

>>>>>> 
>>>>>> Also these:
>>>>>> https://github.com/rhboot/shim/pulls
>>>>>> https://github.com/rhboot/shim/issues
>>>>>> 
>>>>>> do mean some extra work would need to go in before an official
>>>>>> release is cut.
>>>>>> 
>>>>>> Hope this helps?
>>>>> 
>>>>> Yes. I'll hold with this up until there is an official release. Thank you.
>>>> 
>>>> Not sure I understand - but what are the concerns you have with shim
>>>> code that has been accepted?
>>> 
>>> Maybe my concern is that none of the patches have a tested-by?
>>> 
>>> Probably would be easier to get a test coverage, e.g. for people like
>>> me who do not even know how to self-compile Shim, how to setup user
>>> space using the product and so forth.
>>        ~~~~~~~~~~~~~~~~~
>> 
>> for the end product
> 
> <nods> That makes total sense. Thanks for the explanation, let me double
> check whether
> 
> https://github.com/rhboot/shim/blob/main/BUILDING
> 
> is still correct.

Those are the steps I use for building.   I then move over mmx64.efi and  
shimx64.efi to the ESP.  I can add the shim build/install instructions to the next
cover letter If you think that would be appropriate.