From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1754764AbcKUPRQ (ORCPT <rfc822;w@1wt.eu>);
        Mon, 21 Nov 2016 10:17:16 -0500
Received: from mx1.redhat.com ([209.132.183.28]:57498 "EHLO mx1.redhat.com"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1753227AbcKUPRN (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 21 Nov 2016 10:17:13 -0500
Organization: Red Hat UK Ltd. Registered Address: Red Hat UK Ltd, Amberley
        Place, 107-111 Peascod Street, Windsor, Berkshire, SI4 1TE, United
        Kingdom.
        Registered in England and Wales under Company Registration No. 3798903
From: David Howells <dhowells@redhat.com>
In-Reply-To: <1479737095.2487.34.camel@linux.vnet.ibm.com>
References: <1479737095.2487.34.camel@linux.vnet.ibm.com> <20161117064100.hmjmfw42ytm526yh@p310> <147931984418.16460.6639993676886095760.stgit@warthog.procyon.org.uk> <147931987366.16460.12891767069975068260.stgit@warthog.procyon.org.uk> <26349.1479376560@warthog.procyon.org.uk>
To: Mimi Zohar <zohar@linux.vnet.ibm.com>
Cc: dhowells@redhat.com, Petko Manolov <petkan@mip-labs.com>,
        keyrings@vger.kernel.org, matthew.garrett@nebula.com,
        linux-security-module@vger.kernel.org, linux-efi@vger.kernel.org,
        linux-kernel@vger.kernel.org,
        linux-ima-devel <linux-ima-devel@lists.sourceforge.net>
Subject: Re: [PATCH 4/9] KEYS: Allow unrestricted boot-time addition of keys to secondary keyring
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-ID: <18863.1479741430.1@warthog.procyon.org.uk>
Date: Mon, 21 Nov 2016 15:17:10 +0000
Message-ID: <18864.1479741430@warthog.procyon.org.uk>
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.28]); Mon, 21 Nov 2016 15:17:13 +0000 (UTC)
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Mimi Zohar <zohar@linux.vnet.ibm.com> wrote:

> > > > This allows keys in the UEFI database to be added in secure boot mode
> > > > for the purposes of module signing.
> > > 
> > > The key import should not be automatic, it should be optional.
> > 
> > You can argue this either way.  There's a config option to allow you to
> > turn this on or off.  Arguably, this should be split in two: one for the
> > whitelist (db, MokListRT) and one for the blacklist (dbx).
> 
> By "config", you're not referring to a Kconfig option, but a UEFI db
> option, making it hidden/unknown to someone building a kernel.  If you
> really want to add this support, make it clear and easily seen by
> defining a "restrict_link_by_builtin_or_uefi" function.

No: by "config" I *am* referring to Kconfig.

David