[PATCH v10 0/8] Enroll kernel keys thru MOK

Jarkko Sakkinen jarkko at kernel.org
Tue Feb 8 09:28:56 UTC 2022


On Wed, Jan 26, 2022 at 05:06:09PM -0500, Mimi Zohar wrote:
> Hi Jarkko,
> 
> > > Thank you. I'll pick these soon. Is there any objections?
> 
> No objections.
> > 
> > Mimi brought up that we need a MAINTAINERS update for this and also
> > .platform.
> > 
> > We have these:
> > 
> > - KEYS/KEYRINGS
> > - CERTIFICATE HANDLING
> > 
> > I would put them under KEYRINGS for now and would not consider further
> > subdivision for the moment.
> 
> IMA has dependencies on the platform_certs/ and now on the new .machine
> keyring.  Just adding "F: security/integrity/platform_certs/" to the
> KEYS/KEYRINGS record, ignores that dependency.  The discussion wouldn't
> even be on the linux-integrity mailing list.
> 
> Existing requirement:
> - The keys on the .platform keyring are limited to verifying the kexec
> image.
> 
> New requirements based on Eric Snowbergs' patch set:
> - When IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY is enabled,
> the MOK keys will not be loaded directly onto the .machine keyring or
> indirectly onto the .secondary_trusted_keys keyring.
> 
> - Only when a new IMA Kconfig explicitly allows the keys on the
> .machine keyrings, will the CA keys stored in MOK be loaded onto the
> .machine keyring.
> 
> Unfortunately I don't think there is any choice, but to define a new
> MAINTAINERS entry.  Perhaps something along the lines of:
> 
> KEYS/KEYRINGS_INTEGRITY
> M:     Jarkko Sakkinen <jarkko at kernel.org>
> M:     Mimi Zohar <zohar at linux.ibm.com>
> L:      keyrings at vger.kernel.org
> L:      linux-integrity at vger.kernel.org
> F:      security/integrity/platform_certs

WFM. BTW, the patches are now in my tree:

git://git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-tpmdd.git

I can add any tags requested. I'll mirror this at some point to linux-next.

/Jarkko



More information about the Linux-security-module-archive mailing list