[PATCH 4/4] module, KEYS: Make use of platform keyring for signature verification

Mimi Zohar zohar at linux.ibm.com
Tue Feb 15 20:08:18 UTC 2022


[Cc'ing Eric Snowberg]

Hi Michal,

On Tue, 2022-02-15 at 20:39 +0100, Michal Suchanek wrote:
> Commit 278311e417be ("kexec, KEYS: Make use of platform keyring for signature verify")
> adds support for use of platform keyring in kexec verification but
> support for modules is missing.
> 
> Add support for verification of modules with keys from platform keyring
> as well.

Permission for loading the pre-OS keys onto the "platform" keyring and
using them is limited to verifying the kexec kernel image, nothing
else.

FYI, Eric Snowberg's initial patch set titled "[PATCH v10 0/8] Enroll
kernel keys thru MOK" is queued in Jarkko's git repo to be usptreamed. 
A subsequent patch set is expected.

-- 
thanks,

Mimi

[1] Message-Id: <20211124044124.998170-11-eric.snowberg at oracle.com>



More information about the Linux-security-module-archive mailing list