Re: [PATCH v9 5/8] KEYS: Introduce link restriction for machine keys

From: Eric Snowberg
Date: Mon Jan 10 2022 - 18:36:49 EST

Next message: Raghavendra Rao Ananta: "Re: [RFC PATCH v3 03/11] KVM: Introduce KVM_CAP_ARM_HVC_FW_REG_BMAP"
Previous message: Kevin Hilman: "Re: [PATCH v3 1/2] drm/panel: panel-boe-tv101wum-nl6: tune the power sequence to avoid leakage"
In reply to: Mimi Zohar: "Re: [PATCH v9 5/8] KEYS: Introduce link restriction for machine keys"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> On Jan 9, 2022, at 3:42 PM, Mimi Zohar <zohar@xxxxxxxxxxxxx> wrote:
>
> On Wed, 2022-01-05 at 18:50 -0500, Eric Snowberg wrote:
>> Introduce a new link restriction that includes the trusted builtin,
>> secondary and machine keys. The restriction is based on the key to be
>> added being vouched for by a key in any of these three keyrings.
>>
>> With the introduction of the machine keyring, the end-user may choose to
>> trust Machine Owner Keys (MOK) within the kernel. If they have chosen to
>> trust them, the .machine keyring will contain these keys. If not, the
>> machine keyring will always be empty. Update the restriction check to
>> allow the secondary trusted keyring and ima keyring to also trust
>> machine keys.
>
> As suggested the Kconfig in "[PATCH v9 2/8] integrity: Introduce a
> Linux keyring called machine" only loads the platform keys onto the
> .machine keyring, when
> IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY is not enabled. The
> last sentence needs to be updated to reflect v9.

I missed that when I dropped IMA support. I will remove the ima reference in the next
round. Thanks.

Next message: Raghavendra Rao Ananta: "Re: [RFC PATCH v3 03/11] KVM: Introduce KVM_CAP_ARM_HVC_FW_REG_BMAP"
Previous message: Kevin Hilman: "Re: [PATCH v3 1/2] drm/panel: panel-boe-tv101wum-nl6: tune the power sequence to avoid leakage"
In reply to: Mimi Zohar: "Re: [PATCH v9 5/8] KEYS: Introduce link restriction for machine keys"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]