[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <YhKP12KEmyqyS8rj@iki.fi>
Date: Sun, 20 Feb 2022 20:00:39 +0100
From: Jarkko Sakkinen <jarkko@...nel.org>
To: Mimi Zohar <zohar@...ux.ibm.com>
Cc: Eric Snowberg <eric.snowberg@...cle.com>, dhowells@...hat.com,
dwmw2@...radead.org, ardb@...nel.org, jmorris@...ei.org,
serge@...lyn.com, nayna@...ux.ibm.com, keescook@...omium.org,
torvalds@...ux-foundation.org, weiyongjun1@...wei.com,
keyrings@...r.kernel.org, linux-kernel@...r.kernel.org,
linux-efi@...r.kernel.org, linux-security-module@...r.kernel.org,
James.Bottomley@...senpartnership.com, pjones@...hat.com,
konrad.wilk@...cle.com
Subject: Re: [PATCH v10 0/8] Enroll kernel keys thru MOK
On Wed, Jan 26, 2022 at 05:06:09PM -0500, Mimi Zohar wrote:
> Hi Jarkko,
>
> > > Thank you. I'll pick these soon. Is there any objections?
>
> No objections.
> >
> > Mimi brought up that we need a MAINTAINERS update for this and also
> > .platform.
> >
> > We have these:
> >
> > - KEYS/KEYRINGS
> > - CERTIFICATE HANDLING
> >
> > I would put them under KEYRINGS for now and would not consider further
> > subdivision for the moment.
>
> IMA has dependencies on the platform_certs/ and now on the new .machine
> keyring. Just adding "F: security/integrity/platform_certs/" to the
> KEYS/KEYRINGS record, ignores that dependency. The discussion wouldn't
> even be on the linux-integrity mailing list.
>
> Existing requirement:
> - The keys on the .platform keyring are limited to verifying the kexec
> image.
>
> New requirements based on Eric Snowbergs' patch set:
> - When IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY is enabled,
> the MOK keys will not be loaded directly onto the .machine keyring or
> indirectly onto the .secondary_trusted_keys keyring.
>
> - Only when a new IMA Kconfig explicitly allows the keys on the
> .machine keyrings, will the CA keys stored in MOK be loaded onto the
> .machine keyring.
>
> Unfortunately I don't think there is any choice, but to define a new
> MAINTAINERS entry. Perhaps something along the lines of:
>
> KEYS/KEYRINGS_INTEGRITY
> M: Jarkko Sakkinen <jarkko@...nel.org>
> M: Mimi Zohar <zohar@...ux.ibm.com>
> L: keyrings@...r.kernel.org
> L: linux-integrity@...r.kernel.org
> F: security/integrity/platform_certs
>
> thanks,
>
> Mimi
This would work for me.
BR, Jarkko
Powered by blists - more mailing lists