[PATCH] integrity: powerpc: Do not select CA_MACHINE_KEYRING

Michal Suchánek msuchanek at suse.de
Tue Sep 12 10:20:06 UTC 2023


On Tue, Sep 12, 2023 at 12:46:32PM +0300, Jarkko Sakkinen wrote:
> On Tue Sep 12, 2023 at 10:51 AM EEST, Michal Suchánek wrote:
> > On Tue, Sep 12, 2023 at 12:45:35AM +0300, Jarkko Sakkinen wrote:
> > > On Thu Sep 7, 2023 at 7:52 PM EEST, Michal Suchanek wrote:
> > > > No other platform needs CA_MACHINE_KEYRING, either.
> > > >
> > > > This is policy that should be decided by the administrator, not Kconfig
> > > 
> > > s/administrator/distributor/ ?
> >
> > It depends on the situation. Ideally the administrator would pick the
> > distributor that provides a policy that is considered fitting for the
> > purpose or roll their own. Unfortunately, they don't always have the
> > choice.
> >
> > For the kerenel's part it should support wide range of policies for
> > different use cases, and not force the hand of the administrator or
> > distributor.
> >
> > > 
> > > > dependencies.
> > > >
> > > > cc: joeyli <jlee at suse.com>
> > > > Signed-off-by: Michal Suchanek <msuchanek at suse.de>
> > > > ---
> > > >  security/integrity/Kconfig | 2 --
> > > >  1 file changed, 2 deletions(-)
> > > >
> > > > diff --git a/security/integrity/Kconfig b/security/integrity/Kconfig
> > > > index 232191ee09e3..b6e074ac0227 100644
> > > > --- a/security/integrity/Kconfig
> > > > +++ b/security/integrity/Kconfig
> > > > @@ -68,8 +68,6 @@ config INTEGRITY_MACHINE_KEYRING
> > > >  	depends on INTEGRITY_ASYMMETRIC_KEYS
> > > >  	depends on SYSTEM_BLACKLIST_KEYRING
> > > >  	depends on LOAD_UEFI_KEYS || LOAD_PPC_KEYS
> > > > -	select INTEGRITY_CA_MACHINE_KEYRING if LOAD_PPC_KEYS
> > > > -	select INTEGRITY_CA_MACHINE_KEYRING_MAX if LOAD_PPC_KEYS
> > > >  	help
> > > >  	 If set, provide a keyring to which Machine Owner Keys (MOK) may
> > > >  	 be added. This keyring shall contain just MOK keys.  Unlike keys
> > > > -- 
> > > > 2.41.0
> > > 
> > > I'd suggest to add even fixes tag.
> >
> > Here it is
> >
> > Fixes: d7d91c4743c4 ("integrity: PowerVM machine keyring enablement")
> 
> commit b755dd58d180b796d21bc14d03045e4ab84222b0 (HEAD -> next, origin/next)
> Author: Michal Suchanek <msuchanek at suse.de>
> Date:   Thu Sep 7 18:52:19 2023 +0200
> 
>     integrity: powerpc: Do not select CA_MACHINE_KEYRING
> 
>     No other platform needs CA_MACHINE_KEYRING, either.
> 
>     This is policy that should be decided by the administrator, not Kconfig
>     dependencies.
> 
>     Fixes: d7d91c4743c4 ("integrity: PowerVM machine keyring enablement")
>     Signed-off-by: Michal Suchanek <msuchanek at suse.de>
>     Signed-off-by: Jarkko Sakkinen <jarkko at kernel.org>
> 
> diff --git a/security/integrity/Kconfig b/security/integrity/Kconfig
> index 232191ee09e3..b6e074ac0227 100644
> --- a/security/integrity/Kconfig
> +++ b/security/integrity/Kconfig
> @@ -68,8 +68,6 @@ config INTEGRITY_MACHINE_KEYRING
>         depends on INTEGRITY_ASYMMETRIC_KEYS
>         depends on SYSTEM_BLACKLIST_KEYRING
>         depends on LOAD_UEFI_KEYS || LOAD_PPC_KEYS
> -       select INTEGRITY_CA_MACHINE_KEYRING if LOAD_PPC_KEYS
> -       select INTEGRITY_CA_MACHINE_KEYRING_MAX if LOAD_PPC_KEYS
>         help
>          If set, provide a keyring to which Machine Owner Keys (MOK) may
>          be added. This keyring shall contain just MOK keys.  Unlike keys
> 
> If this look good to you, I'll put it to the -rc2 pull request.

Looks good

Thanks

Michal



More information about the Linux-security-module-archive mailing list