Re: [PATCH v5 12/12] integrity: Only use machine keyring when... | linux-crypto

[PATCH v5 00/12] Enroll kernel keys thru MOK · Eric Snowberg <eric.snowberg@oracle.com> · 2021-09-07
[PATCH v5 04/12] integrity: restrict INTEGRITY_KEYRING_MACHINE to restrict_link_by_ca · Eric Snowberg <eric.snowberg@oracle.com> · 2021-09-07
Re: [PATCH v5 04/12] integrity: restrict INTEGRITY_KEYRING_MACHINE to restrict_link_by_ca · Jarkko Sakkinen <jarkko@kernel.org> · 2021-09-09
Re: [PATCH v5 04/12] integrity: restrict INTEGRITY_KEYRING_MACHINE to restrict_link_by_ca · Mimi Zohar <zohar@linux.ibm.com> · 2021-09-09
Re: [PATCH v5 04/12] integrity: restrict INTEGRITY_KEYRING_MACHINE to restrict_link_by_ca · Eric Snowberg <eric.snowberg@oracle.com> · 2021-09-09
Re: [PATCH v5 04/12] integrity: restrict INTEGRITY_KEYRING_MACHINE to restrict_link_by_ca · Mimi Zohar <zohar@linux.ibm.com> · 2021-09-09
[PATCH v5 07/12] KEYS: Introduce link restriction to include builtin, secondary and machine keys · Eric Snowberg <eric.snowberg@oracle.com> · 2021-09-07
Re: [PATCH v5 07/12] KEYS: Introduce link restriction to include builtin, secondary and machine keys · Mimi Zohar <zohar@linux.ibm.com> · 2021-09-09
Re: [PATCH v5 07/12] KEYS: Introduce link restriction to include builtin, secondary and machine keys · Eric Snowberg <eric.snowberg@oracle.com> · 2021-09-09
Re: [PATCH v5 07/12] KEYS: Introduce link restriction to include builtin, secondary and machine keys · Mimi Zohar <zohar@linux.ibm.com> · 2021-09-09
[PATCH v5 03/12] KEYS: CA link restriction · Eric Snowberg <eric.snowberg@oracle.com> · 2021-09-07
[PATCH v5 05/12] integrity: add new keyring handler for mok keys · Eric Snowberg <eric.snowberg@oracle.com> · 2021-09-07
[PATCH v5 10/12] integrity: store reference to machine keyring · Eric Snowberg <eric.snowberg@oracle.com> · 2021-09-07
[PATCH v5 08/12] KEYS: integrity: change link restriction to trust the machine keyring · Eric Snowberg <eric.snowberg@oracle.com> · 2021-09-07
Re: [PATCH v5 08/12] KEYS: integrity: change link restriction to trust the machine keyring · Mimi Zohar <zohar@linux.ibm.com> · 2021-09-09
[PATCH v5 01/12] integrity: Introduce a Linux keyring called machine · Eric Snowberg <eric.snowberg@oracle.com> · 2021-09-07
Re: [PATCH v5 01/12] integrity: Introduce a Linux keyring called machine · Jarkko Sakkinen <jarkko@kernel.org> · 2021-09-09
Re: [PATCH v5 01/12] integrity: Introduce a Linux keyring called machine · Mimi Zohar <zohar@linux.ibm.com> · 2021-09-09
Re: [PATCH v5 01/12] integrity: Introduce a Linux keyring called machine · Eric Snowberg <eric.snowberg@oracle.com> · 2021-09-09
[PATCH v5 11/12] integrity: Trust MOK keys if MokListTrustedRT found · Eric Snowberg <eric.snowberg@oracle.com> · 2021-09-07
[PATCH v5 06/12] KEYS: add a reference to machine keyring · Eric Snowberg <eric.snowberg@oracle.com> · 2021-09-07
[PATCH v5 02/12] integrity: Do not allow machine keyring updates following init · Eric Snowberg <eric.snowberg@oracle.com> · 2021-09-07
Re: [PATCH v5 02/12] integrity: Do not allow machine keyring updates following init · Jarkko Sakkinen <jarkko@kernel.org> · 2021-09-09
[PATCH v5 09/12] KEYS: link secondary_trusted_keys to machine trusted keys · Eric Snowberg <eric.snowberg@oracle.com> · 2021-09-07
[PATCH v5 12/12] integrity: Only use machine keyring when uefi_check_trust_mok_keys is true · Eric Snowberg <eric.snowberg@oracle.com> · 2021-09-07
Re: [PATCH v5 12/12] integrity: Only use machine keyring when uefi_check_trust_mok_keys is true · Jarkko Sakkinen <jarkko@kernel.org> · 2021-09-09
Re: [PATCH v5 00/12] Enroll kernel keys thru MOK · Jarkko Sakkinen <jarkko@kernel.org> · 2021-09-08
Re: [PATCH v5 00/12] Enroll kernel keys thru MOK · Jarkko Sakkinen <jarkko@kernel.org> · 2021-09-08
Re: [PATCH v5 00/12] Enroll kernel keys thru MOK · Eric Snowberg <eric.snowberg@oracle.com> · 2021-09-08
Re: [PATCH v5 00/12] Enroll kernel keys thru MOK · Mimi Zohar <zohar@linux.ibm.com> · 2021-09-09
Re: [PATCH v5 00/12] Enroll kernel keys thru MOK · Eric Snowberg <eric.snowberg@oracle.com> · 2021-09-08

Re: [PATCH v5 12/12] integrity: Only use machine keyring when uefi_check_trust_mok_keys is true

From: Jarkko Sakkinen <jarkko@kernel.org>
Date: 2021-09-09 14:00:49
Also in: keyrings, linux-integrity, linux-security-module, lkml

On Tue, 2021-09-07 at 12:01 -0400, Eric Snowberg wrote:

With the introduction of uefi_check_trust_mok_keys, it signifies the end-
user wants to trust the machine keyring as trusted keys.  If they have
chosen to trust the machine keyring, load the qualifying keys into it
during boot, then link it to the secondary keyring .  If the user has not
chosen to trust the machine keyring, it will be empty and not linked to
the secondary keyring.

Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>

I would not worry too much applying the code changes if the story
part made sense (to *almost anyone*) in the cover letter.

/Jarkko

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help