Conflict with Mickaël Salaün's blacklist patches [was [PATCH v5 0/4] Add EFI_CERT_X509_GUID support for dbx/mokx entries]

David Howells dhowells at
Thu Feb 4 09:11:35 UTC 2021

Eric Snowberg <eric.snowberg at> wrote:

> > On Feb 3, 2021, at 11:49 AM, Mickaël Salaün <mic at> wrote:
> > 
> > This looks good to me, and it still works for my use case. Eric's
> > patchset only looks for asymmetric keys in the blacklist keyring, so
> > even if we use the same keyring we don't look for the same key types. My
> > patchset only allows blacklist keys (i.e. hashes, not asymmetric keys)
> > to be added by user space (if authenticated), but because Eric's
> > asymmetric keys are loaded with KEY_ALLOC_BYPASS_RESTRICTION, it should
> > be OK for his use case.  There should be no interference between the two
> > new features, but I find it a bit confusing to have such distinct use of
> > keys from the same keyring depending on their type.
> I agree, it is a bit confusing.  What is the thought of having a dbx 
> keyring, similar to how the platform keyring works?

That would be fine by me.


More information about the Linux-security-module-archive mailing list