lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <YgI32LAFgGSW6ugh@iki.fi> Date: Tue, 8 Feb 2022 10:28:56 +0100 From: Jarkko Sakkinen <jarkko@...nel.org> To: Mimi Zohar <zohar@...ux.ibm.com> Cc: Eric Snowberg <eric.snowberg@...cle.com>, dhowells@...hat.com, dwmw2@...radead.org, ardb@...nel.org, jmorris@...ei.org, serge@...lyn.com, nayna@...ux.ibm.com, keescook@...omium.org, torvalds@...ux-foundation.org, weiyongjun1@...wei.com, keyrings@...r.kernel.org, linux-kernel@...r.kernel.org, linux-efi@...r.kernel.org, linux-security-module@...r.kernel.org, James.Bottomley@...senpartnership.com, pjones@...hat.com, konrad.wilk@...cle.com Subject: Re: [PATCH v10 0/8] Enroll kernel keys thru MOK On Wed, Jan 26, 2022 at 05:06:09PM -0500, Mimi Zohar wrote: > Hi Jarkko, > > > > Thank you. I'll pick these soon. Is there any objections? > > No objections. > > > > Mimi brought up that we need a MAINTAINERS update for this and also > > .platform. > > > > We have these: > > > > - KEYS/KEYRINGS > > - CERTIFICATE HANDLING > > > > I would put them under KEYRINGS for now and would not consider further > > subdivision for the moment. > > IMA has dependencies on the platform_certs/ and now on the new .machine > keyring. Just adding "F: security/integrity/platform_certs/" to the > KEYS/KEYRINGS record, ignores that dependency. The discussion wouldn't > even be on the linux-integrity mailing list. > > Existing requirement: > - The keys on the .platform keyring are limited to verifying the kexec > image. > > New requirements based on Eric Snowbergs' patch set: > - When IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY is enabled, > the MOK keys will not be loaded directly onto the .machine keyring or > indirectly onto the .secondary_trusted_keys keyring. > > - Only when a new IMA Kconfig explicitly allows the keys on the > .machine keyrings, will the CA keys stored in MOK be loaded onto the > .machine keyring. > > Unfortunately I don't think there is any choice, but to define a new > MAINTAINERS entry. Perhaps something along the lines of: > > KEYS/KEYRINGS_INTEGRITY > M: Jarkko Sakkinen <jarkko@...nel.org> > M: Mimi Zohar <zohar@...ux.ibm.com> > L: keyrings@...r.kernel.org > L: linux-integrity@...r.kernel.org > F: security/integrity/platform_certs WFM. BTW, the patches are now in my tree: git://git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-tpmdd.git I can add any tags requested. I'll mirror this at some point to linux-next. /Jarkko
Powered by blists - more mailing lists