Message-ID: <78d2c13ad60b5f845cb841d257d1b41290f575c6.camel@linux.ibm.com>
Date: Wed, 26 Jan 2022 17:06:09 -0500
From: Mimi Zohar <zohar@...ux.ibm.com>
To: Jarkko Sakkinen <jarkko@...nel.org>, Eric Snowberg <eric.snowberg@...cle.com>
Cc: dhowells@...hat.com, dwmw2@...radead.org, ardb@...nel.org, jmorris@...ei.org, serge@...lyn.com, nayna@...ux.ibm.com, keescook@...omium.org, torvalds@...ux-foundation.org, weiyongjun1@...wei.com, keyrings@...r.kernel.org, linux-kernel@...r.kernel.org, linux-efi@...r.kernel.org, linux-security-module@...r.kernel.org, James.Bottomley@...senpartnership.com, pjones@...hat.com, konrad.wilk@...cle.com
Subject: Re: [PATCH v10 0/8] Enroll kernel keys thru MOK

Hi Jarkko,

> Thank you. I'll pick these soon. Are there any objections?

No objections.

> Mimi brought up that we need a MAINTAINERS update for this and also
> .platform.
>
> We have these:
>
> - KEYS/KEYRINGS
> - CERTIFICATE HANDLING
>
> I would put them under KEYRINGS for now and would not consider further
> subdivision for the moment.

IMA has dependencies on the platform_certs/ and now on the new .machine
keyring. Just adding "F: security/integrity/platform_certs/" to the
KEYS/KEYRINGS record ignores that dependency. The discussion wouldn't
even be on the linux-integrity mailing list.

Existing requirement:
- The keys on the .platform keyring are limited to verifying the kexec
  image.

New requirements based on Eric Snowberg's patch set:
- When IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY is enabled, the
  MOK keys will not be loaded directly onto the .machine keyring or
  indirectly onto the .secondary_trusted_keys keyring.
- Only when a new IMA Kconfig explicitly allows the keys on the .machine
  keyring will the CA keys stored in MOK be loaded onto the .machine
  keyring.

Unfortunately I don't think there is any choice but to define a new
MAINTAINERS entry.
Perhaps something along the lines of:

KEYS/KEYRINGS_INTEGRITY
M:	Jarkko Sakkinen <jarkko@...nel.org>
M:	Mimi Zohar <zohar@...ux.ibm.com>
L:	keyrings@...r.kernel.org
L:	linux-integrity@...r.kernel.org
F:	security/integrity/platform_certs

thanks,

Mimi