Conflict with Mickaël Salaün's blacklist patches [was [PATCH v5 0/4] Add EFI_CERT_X509_GUID support for dbx/mokx entries]
David Howells
dhowells at redhat.com
Thu Feb 4 09:11:35 UTC 2021
Eric Snowberg <eric.snowberg at oracle.com> wrote:
> > On Feb 3, 2021, at 11:49 AM, Mickaël Salaün <mic at digikod.net> wrote:
> >
> > This looks good to me, and it still works for my use case. Eric's
> > patchset only looks for asymmetric keys in the blacklist keyring, so
> > even if we use the same keyring we don't look for the same key types. My
> > patchset only allows blacklist keys (i.e. hashes, not asymmetric keys)
> > to be added by user space (if authenticated), but because Eric's
> > asymmetric keys are loaded with KEY_ALLOC_BYPASS_RESTRICTION, it should
> > be OK for his use case. There should be no interference between the two
> > new features, but I find it a bit confusing to have such distinct use of
> > keys from the same keyring depending on their type.
>
> I agree, it is a bit confusing. What is the thought of having a dbx
> keyring, similar to how the platform keyring works?
>
> https://www.spinics.net/lists/linux-security-module/msg40262.html
That would be fine by me.
David
More information about the Linux-security-module-archive
mailing list