[PATCH v10 0/8] Enroll kernel keys thru MOK
Mimi Zohar
zohar at linux.ibm.com
Wed Jan 26 22:06:09 UTC 2022
Hi Jarkko,
> > Thank you. I'll pick these soon. Is there any objections?
No objections.
>
> Mimi brought up that we need a MAINTAINERS update for this and also
> .platform.
>
> We have these:
>
> - KEYS/KEYRINGS
> - CERTIFICATE HANDLING
>
> I would put them under KEYRINGS for now and would not consider further
> subdivision for the moment.
IMA has dependencies on the platform_certs/ and now on the new .machine
keyring. Just adding "F: security/integrity/platform_certs/" to the
KEYS/KEYRINGS record, ignores that dependency. The discussion wouldn't
even be on the linux-integrity mailing list.
Existing requirement:
- The keys on the .platform keyring are limited to verifying the kexec
image.
New requirements based on Eric Snowbergs' patch set:
- When IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY is enabled,
the MOK keys will not be loaded directly onto the .machine keyring or
indirectly onto the .secondary_trusted_keys keyring.
- Only when a new IMA Kconfig explicitly allows the keys on the
.machine keyrings, will the CA keys stored in MOK be loaded onto the
.machine keyring.
Unfortunately I don't think there is any choice, but to define a new
MAINTAINERS entry. Perhaps something along the lines of:
KEYS/KEYRINGS_INTEGRITY
M: Jarkko Sakkinen <jarkko at kernel.org>
M: Mimi Zohar <zohar at linux.ibm.com>
L: keyrings at vger.kernel.org
L: linux-integrity at vger.kernel.org
F: security/integrity/platform_certs
thanks,
Mimi
More information about the Linux-security-module-archive
mailing list