[PATCH v8 03/17] integrity: Introduce a Linux keyring called machine
Eric Snowberg
eric.snowberg at oracle.com
Mon Nov 29 22:50:55 UTC 2021
> On Nov 24, 2021, at 7:49 PM, Mimi Zohar <zohar at linux.ibm.com> wrote:
> On Tue, 2021-11-23 at 23:41 -0500, Eric Snowberg wrote:
>> +config INTEGRITY_MACHINE_KEYRING
>> + bool "Provide a keyring to which CA Machine Owner Keys may be added"
>> + depends on SECONDARY_TRUSTED_KEYRING
>> + depends on INTEGRITY_ASYMMETRIC_KEYS
>
> Shouldn't this be "ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y"? With this
> change, is "KEYS: Create static version of
> public_key_verify_signature" trusted needed?
I believe it is still needed. If someone were to use the same config as the build bot,
where ASYMMETRIC_PUBLIC_KEY_SUBTYPE is not defined and
INTEGRITY_MACHINE_KEYRING is not defined, they would still hit the problem that
has now been fixed in "KEYS: Create static version of public_key_verify_signature”.
I wish the first two patches in this series would be accepted, since I’m only carrying
them to get past the build bot.
More information about the Linux-security-module-archive
mailing list