Re: [PATCH 4/9] KEYS: Allow unrestricted boot-time addition of keys to secondary keyring

From: David Howells
Date: Mon Nov 21 2016 - 10:17:19 EST

Next message: Walt Feasel: "[PATCH v2 0/2] staging: speakup: speakup_spkout.c checkpatch modifications"
Previous message: John Garry: "Re: [RFC PATCH] scsi: libsas: fix WARN on device removal"
In reply to: Mimi Zohar: "Re: [PATCH 4/9] KEYS: Allow unrestricted boot-time addition of keys to secondary keyring"
Next in thread: Mimi Zohar: "Re: [PATCH 4/9] KEYS: Allow unrestricted boot-time addition of keys to secondary keyring"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx> wrote:

> > > > This allows keys in the UEFI database to be added in secure boot mode
> > > > for the purposes of module signing.
> > >
> > > The key import should not be automatic, it should be optional.
> >
> > You can argue this either way. There's a config option to allow you to
> > turn this on or off. Arguably, this should be split in two: one for the
> > whitelist (db, MokListRT) and one for the blacklist (dbx).
>
> By "config", you're not referring to a Kconfig option, but a UEFI db
> option, making it hidden/unknown to someone building a kernel. If you
> really want to add this support, make it clear and easily seen by
> defining a "restrict_link_by_builtin_or_uefi" function.

No: by "config" I *am* referring to Kconfig.

David

Next message: Walt Feasel: "[PATCH v2 0/2] staging: speakup: speakup_spkout.c checkpatch modifications"
Previous message: John Garry: "Re: [RFC PATCH] scsi: libsas: fix WARN on device removal"
In reply to: Mimi Zohar: "Re: [PATCH 4/9] KEYS: Allow unrestricted boot-time addition of keys to secondary keyring"
Next in thread: Mimi Zohar: "Re: [PATCH 4/9] KEYS: Allow unrestricted boot-time addition of keys to secondary keyring"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]