| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <4038761f32f97ab60802fc0bc9cfa65fa0ed4bca.camel@linux.ibm.com>
Date: Sun, 09 Jan 2022 17:42:09 -0500
From: Mimi Zohar <zohar@...ux.ibm.com>
To: Eric Snowberg <eric.snowberg@...cle.com>, dhowells@...hat.com,
dwmw2@...radead.org, ardb@...nel.org, jarkko@...nel.org
Cc: jmorris@...ei.org, serge@...lyn.com, nayna@...ux.ibm.com,
keescook@...omium.org, torvalds@...ux-foundation.org,
weiyongjun1@...wei.com, keyrings@...r.kernel.org,
linux-kernel@...r.kernel.org, linux-efi@...r.kernel.org,
linux-security-module@...r.kernel.org,
James.Bottomley@...senPartnership.com, pjones@...hat.com,
konrad.wilk@...cle.com
Subject: Re: [PATCH v9 5/8] KEYS: Introduce link restriction for machine keys
On Wed, 2022-01-05 at 18:50 -0500, Eric Snowberg wrote:
> Introduce a new link restriction that includes the trusted builtin,
> secondary and machine keys. The restriction is based on the key to be
> added being vouched for by a key in any of these three keyrings.
>
> With the introduction of the machine keyring, the end-user may choose to
> trust Machine Owner Keys (MOK) within the kernel. If they have chosen to
> trust them, the .machine keyring will contain these keys. If not, the
> machine keyring will always be empty. Update the restriction check to
> allow the secondary trusted keyring and ima keyring to also trust
> machine keys.
As suggested the Kconfig in "[PATCH v9 2/8] integrity: Introduce a
Linux keyring called machine" only loads the platform keys onto the
.machine keyring, when
IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY is not enabled. The
last sentence needs to be updated to reflect v9.
thanks,
Mimi
Powered by blists - more mailing lists