linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Mimi Zohar <zohar@linux.ibm.com>
To: "Luis Chamberlain" <mcgrof@kernel.org>,
	"Michal Suchánek" <msuchanek@suse.de>
Cc: Catalin Marinas <catalin.marinas@arm.com>,
	Will Deacon <will@kernel.org>, Heiko Carstens <hca@linux.ibm.com>,
	Vasily Gorbik <gor@linux.ibm.com>,
	Alexander Gordeev <agordeev@linux.ibm.com>,
	Christian Borntraeger <borntraeger@linux.ibm.com>,
	Sven Schnelle <svens@linux.ibm.com>,
	Philipp Rudo <prudo@redhat.com>, Baoquan He <bhe@redhat.com>,
	Alexander Egorenkov <egorenar@linux.ibm.com>,
	AKASHI Takahiro <takahiro.akashi@linaro.org>,
	James Morse <james.morse@arm.com>, Dave Young <dyoung@redhat.com>,
	Kairui Song <kasong@redhat.com>,
	Martin Schwidefsky <schwidefsky@de.ibm.com>,
	linux-arm-kernel@lists.infradead.org,
	linux-kernel@vger.kernel.org, linux-s390@vger.kernel.org,
	linux-modules@vger.kernel.org, keyrings@vger.kernel.org,
	linux-security-module@vger.kernel.org, stable@kernel.org,
	Eric Snowberg <eric.snowberg@oracle.com>
Subject: Re: [PATCH 4/4] module, KEYS: Make use of platform keyring for signature verification
Date: Tue, 22 Mar 2022 14:55:07 -0400	[thread overview]
Message-ID: <c312556db3fa746c9c4004ffb6e77f23b2a4a609.camel@linux.ibm.com> (raw)
In-Reply-To: <YjoJVnTuaw/3l7Xp@bombadil.infradead.org>

Hi Luis,

On Tue, 2022-03-22 at 10:37 -0700, Luis Chamberlain wrote:
> How's this series going? Did you and Mimi sort things out? Either way,
> just wanted to let you kow you can base your changes on modules-testing
> [0] if you want to resubmit for v5.19 (v5.18 will be too late already).
> Once testing is done what is on modules-testing will go to modules-next
> for testing for v5.19. There are no changes planned for v5.18 other than
> fixes and so far there are none.
> 
> [0] https://git.kernel.org/pub/scm/linux/kernel/git/mcgrof/linux.git/log/?h=modules-testing

The "platform" keyring was upstreamed specifically to verify the kexec
kernel image. Orginally it contained only the UEFI db keys, but the MOK
keys were later added as well.  Any other usage of the "platform" is
not planned.

To allow end users to sign their own kernel modules, executables, or
any other file, Eric Snowberg is working on a patch set to only load
the MOK CA keys onto the ".machine" keyring, which is linked to the
"secondary" keyring[1].  Verifying kernel modules based on certificates
signed by a MOK CA will then be possible.

thanks,

Mimi

[1] 
https://lore.kernel.org/all/20220301173651.3435350-1-eric.snowberg@oracle.com/


  reply	other threads:[~2022-03-22 18:55 UTC|newest]

Thread overview: 25+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-02-15 19:39 [PATCH 0/4] Unifrom keyring support across architectures and functions Michal Suchanek
2022-02-15 19:39 ` [PATCH 1/4] Fix arm64 kexec forbidding kernels signed with keys in the secondary keyring to boot Michal Suchanek
2022-04-06 15:41   ` joeyli
2022-04-08  7:11   ` Baoquan He
2022-02-15 19:39 ` [PATCH 2/4] kexec, KEYS, arm64: Make use of platform keyring for signature verification Michal Suchanek
2022-04-06 15:45   ` joeyli
2022-02-15 19:39 ` [PATCH 3/4] kexec, KEYS, s390: Make use of built-in and secondary " Michal Suchanek
2022-04-06 15:46   ` joeyli
2022-02-15 19:39 ` [PATCH 4/4] module, KEYS: Make use of platform " Michal Suchanek
2022-02-15 20:08   ` Mimi Zohar
2022-02-15 20:47     ` Michal Suchánek
2022-02-15 22:12       ` Mimi Zohar
2022-02-16 10:56         ` Michal Suchánek
2022-02-16 11:04           ` Michal Suchánek
2022-02-16 11:58           ` Mimi Zohar
2022-02-16 12:09             ` Michal Suchánek
2022-03-22 17:37               ` Luis Chamberlain
2022-03-22 18:55                 ` Mimi Zohar [this message]
2022-03-28 10:15       ` joeyli
2022-03-28 13:28         ` Mimi Zohar
2022-03-28 14:03           ` Michal Suchánek
2022-03-28 14:44         ` Eric Snowberg
2022-03-28 16:29           ` Michal Suchánek
2022-04-08  7:47 ` [PATCH 0/4] Unifrom keyring support across architectures and functions Coiby Xu
2022-04-08  8:51   ` Michal Suchánek

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=c312556db3fa746c9c4004ffb6e77f23b2a4a609.camel@linux.ibm.com \
    --to=zohar@linux.ibm.com \
    --cc=agordeev@linux.ibm.com \
    --cc=bhe@redhat.com \
    --cc=borntraeger@linux.ibm.com \
    --cc=catalin.marinas@arm.com \
    --cc=dyoung@redhat.com \
    --cc=egorenar@linux.ibm.com \
    --cc=eric.snowberg@oracle.com \
    --cc=gor@linux.ibm.com \
    --cc=hca@linux.ibm.com \
    --cc=james.morse@arm.com \
    --cc=kasong@redhat.com \
    --cc=keyrings@vger.kernel.org \
    --cc=linux-arm-kernel@lists.infradead.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-modules@vger.kernel.org \
    --cc=linux-s390@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=mcgrof@kernel.org \
    --cc=msuchanek@suse.de \
    --cc=prudo@redhat.com \
    --cc=schwidefsky@de.ibm.com \
    --cc=stable@kernel.org \
    --cc=svens@linux.ibm.com \
    --cc=takahiro.akashi@linaro.org \
    --cc=will@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).