Message-ID: <20230912075134.GM8826@kitsune.suse.cz>
Date:   Tue, 12 Sep 2023 09:51:34 +0200
From:   Michal Suchánek <msuchanek@...e.de>
To:     Jarkko Sakkinen <jarkko@...nel.org>
Cc:     linux-integrity@...r.kernel.org, Mimi Zohar <zohar@...ux.ibm.com>,
        Dmitry Kasatkin <dmitry.kasatkin@...il.com>,
        Paul Moore <paul@...l-moore.com>,
        James Morris <jmorris@...ei.org>,
        "Serge E. Hallyn" <serge@...lyn.com>,
        linux-security-module@...r.kernel.org,
        linux-kernel@...r.kernel.org, joeyli <jlee@...e.com>
Subject: Re: [PATCH] integrity: powerpc: Do not select CA_MACHINE_KEYRING

On Tue, Sep 12, 2023 at 12:45:35AM +0300, Jarkko Sakkinen wrote:
> On Thu Sep 7, 2023 at 7:52 PM EEST, Michal Suchanek wrote:
> > No other platform needs CA_MACHINE_KEYRING, either.
> >
> > This is policy that should be decided by the administrator, not Kconfig
> 
> s/administrator/distributor/ ?

It depends on the situation. Ideally the administrator would pick the
distributor that provides a policy that is considered fitting for the
purpose or roll their own. Unfortunately, they don't always have the
choice.

For the kernel's part it should support a wide range of policies for
different use cases, and not force the hand of the administrator or
distributor.

> 
> > dependencies.
> >
> > cc: joeyli <jlee@...e.com>
> > Signed-off-by: Michal Suchanek <msuchanek@...e.de>
> > ---
> >  security/integrity/Kconfig | 2 --
> >  1 file changed, 2 deletions(-)
> >
> > diff --git a/security/integrity/Kconfig b/security/integrity/Kconfig
> > index 232191ee09e3..b6e074ac0227 100644
> > --- a/security/integrity/Kconfig
> > +++ b/security/integrity/Kconfig
> > @@ -68,8 +68,6 @@ config INTEGRITY_MACHINE_KEYRING
> >  	depends on INTEGRITY_ASYMMETRIC_KEYS
> >  	depends on SYSTEM_BLACKLIST_KEYRING
> >  	depends on LOAD_UEFI_KEYS || LOAD_PPC_KEYS
> > -	select INTEGRITY_CA_MACHINE_KEYRING if LOAD_PPC_KEYS
> > -	select INTEGRITY_CA_MACHINE_KEYRING_MAX if LOAD_PPC_KEYS
> >  	help
> >  	 If set, provide a keyring to which Machine Owner Keys (MOK) may
> >  	 be added. This keyring shall contain just MOK keys.  Unlike keys
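
Review bot: The changelog does not say what changes for existing PowerPC builds once the two `select INTEGRITY_CA_MACHINE_KEYRING... if LOAD_PPC_KEYS` lines under `config INTEGRITY_MACHINE_KEYRING` are dropped. With those selects gone, Kconfig no longer forces either option on when LOAD_PPC_KEYS is set, so a configuration that relied on the select may have to enable them explicitly to keep the same machine keyring behaviour. Suggest stating that consequence in the commit message, and adding a note for PowerPC users on how to retain the previous setting.
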
> > -- 
> > 2.41.0
> 
> I'd even suggest adding a Fixes tag.

Here it is

Fixes: d7d91c4743c4 ("integrity: PowerVM machine keyring enablement")

Thanks

Michal
