[PATCH v4 00/12] Enroll kernel keys thru MOK
    Mimi Zohar 
    zohar at linux.ibm.com
       
    Tue Aug 24 14:34:09 UTC 2021
    
    
  
> >> Jarkko, I think the emphasis should not be on "machine" from Machine
> >> Owner Key (MOK), but on "owner".  Whereas Nayna is focusing more on the
> >> "_ca" aspect of the name.   Perhaps consider naming it
> >> "system_owner_ca" or something along those lines.
> > What do you gain from such an overly long identifier? Makes no sense. What
> > is "ca aspect of the name" anyway?
> 
> As I mentioned previously, the main usage of this new keyring is that it 
> should contain only CA keys which can be later used to vouch for user 
> keys loaded onto secondary or IMA keyring at runtime. Having ca in the 
> name like .xxxx_ca, would make the keyring name self-describing. Since 
> you preferred .system, we can call it .system_ca.

Sounds good to me.  Jarkko?

thanks,

Mimi
    
    