linux-efi.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Jarkko Sakkinen <jarkko@kernel.org>
To: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Cc: Eric Snowberg <eric.snowberg@oracle.com>,
	keyrings@vger.kernel.org, linux-integrity@vger.kernel.org,
	zohar@linux.ibm.com, dhowells@redhat.com, dwmw2@infradead.org,
	herbert@gondor.apana.org.au, davem@davemloft.net,
	jmorris@namei.org, serge@hallyn.com, keescook@chromium.org,
	torvalds@linux-foundation.org, weiyongjun1@huawei.com,
	nayna@linux.ibm.com, ebiggers@google.com, ardb@kernel.org,
	nramas@linux.microsoft.com, lszubowi@redhat.com, jason@zx2c4.com,
	linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org,
	linux-efi@vger.kernel.org, linux-security-module@vger.kernel.org,
	James.Bottomley@HansenPartnership.com, pjones@redhat.com
Subject: Re: [PATCH v7 00/17] Enroll kernel keys thru MOK
Date: Wed, 17 Nov 2021 09:50:33 +0200	[thread overview]
Message-ID: <8fcadcf2a5da5118fb7f9caea0a61440525a67b2.camel@kernel.org> (raw)
In-Reply-To: <YZPevFtTucji7gIm@0xbeefdead.lan>

On Tue, 2021-11-16 at 11:39 -0500, Konrad Rzeszutek Wilk wrote:
> On Tue, Nov 16, 2021 at 06:24:52PM +0200, Jarkko Sakkinen wrote:
> > On Tue, 2021-11-16 at 11:18 -0500, Konrad Rzeszutek Wilk wrote:
> > > > > I have included  a link to the mokutil [5] changes I have made to support 
> > > > > this new functionality.  The shim changes have now been accepted
> > > > > upstream [6].
> > > 
> > > ..snip..
> > > > > [6] https://github.com/rhboot/shim/commit/4e513405b4f1641710115780d19dcec130c5208f
> > > 
> > > ..snip..
> > > > 
> > > > Does shim have the necessary features in a release?
> > > 
> > > Hi!
> > > 
> > > It has been accepted in the upstream shim. If you are looking
> > > for a distribution having rolled out a shim with this feature (so signed
> > > by MSF) I fear that distributions are not that fast with shim releases.
         ~~~

Should that be MS, or what does MSF mean?

> > > 
> > > Also these:
> > > https://github.com/rhboot/shim/pulls
> > > https://github.com/rhboot/shim/issues
> > > 
> > > do mean some extra work would need to go in before an official
> > > release is cut.
> > > 
> > > Hope this helps?
> > 
> > Yes. I'll hold with this up until there is an official release. Thank you.
> 
> Not sure I understand - but what are the concerns you have with shim
> code that has been accepted?

Maybe my concern is that none of the patches have a tested-by?

Probably would be easier to get a test coverage, e.g. for people like
me who do not even know how to self-compile Shim, how to setup user
space using the product and so forth.

I don't demand a release, if the changes have been accepted, but 17
patches do need to be tested.

/Jarkko



  reply	other threads:[~2021-11-17  7:50 UTC|newest]

Thread overview: 41+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-11-16  0:15 [PATCH v7 00/17] Enroll kernel keys thru MOK Eric Snowberg
2021-11-16  0:15 ` [PATCH v7 01/17] integrity: Introduce a Linux keyring called machine Eric Snowberg
2021-11-17 13:01   ` Mimi Zohar
2021-11-16  0:15 ` [PATCH v7 02/17] integrity: Do not allow machine keyring updates following init Eric Snowberg
2021-11-17 13:18   ` Mimi Zohar
2021-11-16  0:15 ` [PATCH v7 03/17] KEYS: Create static version of public_key_verify_signature Eric Snowberg
2021-11-17 13:32   ` Mimi Zohar
2021-11-17 13:53     ` Mimi Zohar
2021-11-16  0:15 ` [PATCH v7 04/17] X.509: Parse Basic Constraints for CA Eric Snowberg
2021-11-18 22:59   ` Mimi Zohar
2021-11-18 23:29     ` Eric Snowberg
2021-11-16  0:15 ` [PATCH v7 05/17] KEYS: CA link restriction Eric Snowberg
2021-11-16  0:15 ` [PATCH v7 06/17] integrity: restrict INTEGRITY_KEYRING_MACHINE to restrict_link_by_ca Eric Snowberg
2021-11-16  0:15 ` [PATCH v7 07/17] integrity: Fix warning about missing prototypes Eric Snowberg
2021-11-17 15:16   ` Mimi Zohar
2021-11-16  0:15 ` [PATCH v7 08/17] integrity: add new keyring handler for mok keys Eric Snowberg
2021-11-19  0:05   ` Mimi Zohar
2021-11-16  0:15 ` [PATCH v7 09/17] KEYS: Rename get_builtin_and_secondary_restriction Eric Snowberg
2021-11-19  0:05   ` Mimi Zohar
2021-11-16  0:15 ` [PATCH v7 10/17] KEYS: add a reference to machine keyring Eric Snowberg
2021-11-16  0:15 ` [PATCH v7 11/17] KEYS: Introduce link restriction for machine keys Eric Snowberg
2021-11-19  0:20   ` Mimi Zohar
2021-11-19  2:50     ` Eric Snowberg
2021-11-16  0:15 ` [PATCH v7 12/17] KEYS: integrity: change link restriction to trust the machine keyring Eric Snowberg
2021-11-19  0:23   ` Mimi Zohar
2021-11-16  0:15 ` [PATCH v7 13/17] KEYS: link secondary_trusted_keys to machine trusted keys Eric Snowberg
2021-11-18 12:32   ` Mimi Zohar
2021-11-18 21:37     ` Eric Snowberg
2021-11-16  0:15 ` [PATCH v7 14/17] integrity: store reference to machine keyring Eric Snowberg
2021-11-16  0:15 ` [PATCH v7 15/17] efi/mokvar: move up init order Eric Snowberg
2021-11-16  0:15 ` [PATCH v7 16/17] integrity: Trust MOK keys if MokListTrustedRT found Eric Snowberg
2021-11-16  0:15 ` [PATCH v7 17/17] integrity: Only use machine keyring when uefi_check_trust_mok_keys is true Eric Snowberg
2021-11-16 16:00 ` [PATCH v7 00/17] Enroll kernel keys thru MOK Jarkko Sakkinen
2021-11-16 16:18   ` Konrad Rzeszutek Wilk
2021-11-16 16:24     ` Jarkko Sakkinen
2021-11-16 16:39       ` Konrad Rzeszutek Wilk
2021-11-17  7:50         ` Jarkko Sakkinen [this message]
2021-11-17  7:51           ` Jarkko Sakkinen
2021-11-17 17:02             ` Konrad Rzeszutek Wilk
2021-11-17 17:20               ` Eric Snowberg
2021-11-18  3:14                 ` Jarkko Sakkinen

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=8fcadcf2a5da5118fb7f9caea0a61440525a67b2.camel@kernel.org \
    --to=jarkko@kernel.org \
    --cc=James.Bottomley@HansenPartnership.com \
    --cc=ardb@kernel.org \
    --cc=davem@davemloft.net \
    --cc=dhowells@redhat.com \
    --cc=dwmw2@infradead.org \
    --cc=ebiggers@google.com \
    --cc=eric.snowberg@oracle.com \
    --cc=herbert@gondor.apana.org.au \
    --cc=jason@zx2c4.com \
    --cc=jmorris@namei.org \
    --cc=keescook@chromium.org \
    --cc=keyrings@vger.kernel.org \
    --cc=konrad.wilk@oracle.com \
    --cc=linux-crypto@vger.kernel.org \
    --cc=linux-efi@vger.kernel.org \
    --cc=linux-integrity@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=lszubowi@redhat.com \
    --cc=nayna@linux.ibm.com \
    --cc=nramas@linux.microsoft.com \
    --cc=pjones@redhat.com \
    --cc=serge@hallyn.com \
    --cc=torvalds@linux-foundation.org \
    --cc=weiyongjun1@huawei.com \
    --cc=zohar@linux.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).