Thread: 49 messages, 7 authors, 2022-11-10

Re: [PATCH v8 03/17] integrity: Introduce a Linux keyring called machine

From: Mimi Zohar <zohar@linux.ibm.com>
Date: 2021-11-25 02:51:58
Also in: keyrings, linux-efi, linux-integrity, linux-security-module, lkml

Hi Eric,

On Tue, 2021-11-23 at 23:41 -0500, Eric Snowberg wrote:
+config INTEGRITY_MACHINE_KEYRING
+       bool "Provide a keyring to which CA Machine Owner Keys may be added"
+       depends on SECONDARY_TRUSTED_KEYRING
+       depends on INTEGRITY_ASYMMETRIC_KEYS
Shouldn't this be "ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y"? With this
change, is "KEYS: Create static version of
public_key_verify_signature" trusted needed?

Mimi
+       depends on SYSTEM_BLACKLIST_KEYRING
+       depends on LOAD_UEFI_KEYS
+       help
+        If set, provide a keyring to which CA Machine Owner Keys (MOK) may
+        be added. This keyring shall contain just CA MOK keys.  Unlike keys
+        in the platform keyring, keys contained in the .machine keyring will
+        be trusted within the kernel.
+
  