Re: [PATCH v8 03/17] integrity: Introduce a Linux keyring called machine

[PATCH v8 00/17] Enroll kernel keys thru MOK · Eric Snowberg <eric.snowberg@oracle.com> · 2021-11-24
[PATCH v8 07/17] integrity: restrict INTEGRITY_KEYRING_MACHINE to restrict_link_by_ca · Eric Snowberg <eric.snowberg@oracle.com> · 2021-11-24
Re: [PATCH v8 07/17] integrity: restrict INTEGRITY_KEYRING_MACHINE to restrict_link_by_ca · Darren Kenny <hidden> · 2022-02-14
[PATCH v8 05/17] X.509: Parse Basic Constraints for CA · Eric Snowberg <eric.snowberg@oracle.com> · 2021-11-24
Re: [PATCH v8 05/17] X.509: Parse Basic Constraints for CA · Jarkko Sakkinen <jarkko@kernel.org> · 2021-11-27
[PATCH v8 06/17] KEYS: CA link restriction · Eric Snowberg <eric.snowberg@oracle.com> · 2021-11-24
Re: [PATCH v8 06/17] KEYS: CA link restriction · Jarkko Sakkinen <jarkko@kernel.org> · 2021-11-27
[PATCH v8 03/17] integrity: Introduce a Linux keyring called machine · Eric Snowberg <eric.snowberg@oracle.com> · 2021-11-24
Re: [PATCH v8 03/17] integrity: Introduce a Linux keyring called machine · Mimi Zohar <zohar@linux.ibm.com> · 2021-11-25
Re: [PATCH v8 03/17] integrity: Introduce a Linux keyring called machine · Eric Snowberg <eric.snowberg@oracle.com> · 2021-11-29
Re: [PATCH v8 03/17] integrity: Introduce a Linux keyring called machine · Jarkko Sakkinen <jarkko@kernel.org> · 2021-11-27
[PATCH v8 13/17] integrity: store reference to machine keyring · Eric Snowberg <eric.snowberg@oracle.com> · 2021-11-24
Re: [PATCH v8 13/17] integrity: store reference to machine keyring · Darren Kenny <hidden> · 2022-02-14
[PATCH v8 12/17] KEYS: integrity: change link restriction to trust the machine keyring · Eric Snowberg <eric.snowberg@oracle.com> · 2021-11-24
[PATCH v8 09/17] KEYS: Rename get_builtin_and_secondary_restriction · Eric Snowberg <eric.snowberg@oracle.com> · 2021-11-24
Re: [PATCH v8 09/17] KEYS: Rename get_builtin_and_secondary_restriction · Jarkko Sakkinen <jarkko@kernel.org> · 2021-11-27
Re: [PATCH v8 09/17] KEYS: Rename get_builtin_and_secondary_restriction · Eric Snowberg <eric.snowberg@oracle.com> · 2021-11-30
Re: [PATCH v8 09/17] KEYS: Rename get_builtin_and_secondary_restriction · Jarkko Sakkinen <jarkko@kernel.org> · 2021-12-01
Re: [PATCH v8 09/17] KEYS: Rename get_builtin_and_secondary_restriction · Mimi Zohar <zohar@linux.ibm.com> · 2021-12-01
Re: [PATCH v8 09/17] KEYS: Rename get_builtin_and_secondary_restriction · Jarkko Sakkinen <jarkko@kernel.org> · 2021-12-04
Re: [PATCH v8 09/17] KEYS: Rename get_builtin_and_secondary_restriction · Eric Snowberg <eric.snowberg@oracle.com> · 2021-12-15
Re: [PATCH v8 09/17] KEYS: Rename get_builtin_and_secondary_restriction · Mimi Zohar <zohar@linux.ibm.com> · 2021-12-15
[PATCH v8 11/17] KEYS: Introduce link restriction for machine keys · Eric Snowberg <eric.snowberg@oracle.com> · 2021-11-24
Re: [PATCH v8 11/17] KEYS: Introduce link restriction for machine keys · Darren Kenny <hidden> · 2022-02-14
[PATCH v8 10/17] KEYS: add a reference to machine keyring · Eric Snowberg <eric.snowberg@oracle.com> · 2021-11-24
Re: [PATCH v8 10/17] KEYS: add a reference to machine keyring · Darren Kenny <hidden> · 2022-02-14
[PATCH v8 14/17] KEYS: link machine trusted keys to secondary_trusted_keys · Eric Snowberg <eric.snowberg@oracle.com> · 2021-11-24
Re: [PATCH v8 14/17] KEYS: link machine trusted keys to secondary_trusted_keys · Darren Kenny <hidden> · 2022-02-14
[PATCH v8 02/17] integrity: Fix warning about missing prototypes · Eric Snowberg <eric.snowberg@oracle.com> · 2021-11-24
[PATCH v8 17/17] integrity: Only use machine keyring when uefi_check_trust_mok_keys is true · Eric Snowberg <eric.snowberg@oracle.com> · 2021-11-24
Re: [PATCH v8 17/17] integrity: Only use machine keyring when uefi_check_trust_mok_keys is true · Darren Kenny <hidden> · 2022-02-14
[PATCH v8 15/17] efi/mokvar: move up init order · Eric Snowberg <eric.snowberg@oracle.com> · 2021-11-24
Re: [PATCH v8 15/17] efi/mokvar: move up init order · Darren Kenny <hidden> · 2022-02-14
[PATCH v8 04/17] integrity: Do not allow machine keyring updates following init · Eric Snowberg <eric.snowberg@oracle.com> · 2021-11-24
Re: [PATCH v8 04/17] integrity: Do not allow machine keyring updates following init · Jarkko Sakkinen <jarkko@kernel.org> · 2021-11-27
[PATCH v8 16/17] integrity: Trust MOK keys if MokListTrustedRT found · Eric Snowberg <eric.snowberg@oracle.com> · 2021-11-24
Re: [PATCH v8 16/17] integrity: Trust MOK keys if MokListTrustedRT found · Darren Kenny <hidden> · 2022-02-14
Re: [PATCH v8 16/17] integrity: Trust MOK keys if MokListTrustedRT found · Morten Linderud <hidden> · 2022-11-10
Re: [PATCH v8 16/17] integrity: Trust MOK keys if MokListTrustedRT found · Eric Snowberg <eric.snowberg@oracle.com> · 2022-11-10
Re: [PATCH v8 16/17] integrity: Trust MOK keys if MokListTrustedRT found · Morten Linderud <hidden> · 2022-11-10
Re: [PATCH v8 16/17] integrity: Trust MOK keys if MokListTrustedRT found · James Bottomley <James.Bottomley@HansenPartnership.com> · 2022-11-10
Re: [PATCH v8 16/17] integrity: Trust MOK keys if MokListTrustedRT found · Ard Biesheuvel <ardb@kernel.org> · 2022-11-10
Re: [PATCH v8 16/17] integrity: Trust MOK keys if MokListTrustedRT found · Ard Biesheuvel <ardb@kernel.org> · 2022-11-10
Re: [PATCH v8 16/17] integrity: Trust MOK keys if MokListTrustedRT found · Morten Linderud <hidden> · 2022-11-10
Re: [PATCH v8 16/17] integrity: Trust MOK keys if MokListTrustedRT found · James Bottomley <James.Bottomley@HansenPartnership.com> · 2022-11-10
[PATCH v8 08/17] integrity: add new keyring handler for mok keys · Eric Snowberg <eric.snowberg@oracle.com> · 2021-11-24
Re: [PATCH v8 08/17] integrity: add new keyring handler for mok keys · Jarkko Sakkinen <jarkko@kernel.org> · 2021-11-27
[PATCH v8 01/17] KEYS: Create static version of public_key_verify_signature · Eric Snowberg <eric.snowberg@oracle.com> · 2021-11-24
Re: [PATCH v8 00/17] Enroll kernel keys thru MOK · Jarkko Sakkinen <jarkko@kernel.org> · 2022-02-20

From: Eric Snowberg <eric.snowberg@oracle.com>
Date: 2021-11-29 22:54:38
Also in: keyrings, linux-efi, linux-integrity, linux-security-module, lkml

On Nov 24, 2021, at 7:49 PM, Mimi Zohar [off-list ref] wrote:
On Tue, 2021-11-23 at 23:41 -0500, Eric Snowberg wrote:

quoted

+config INTEGRITY_MACHINE_KEYRING
+       bool "Provide a keyring to which CA Machine Owner Keys may be added"
+       depends on SECONDARY_TRUSTED_KEYRING
+       depends on INTEGRITY_ASYMMETRIC_KEYS

Shouldn't this be "ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y"?   With this
change, is  "KEYS: Create static version of
public_key_verify_signature" trusted needed?

I believe it is still needed. If someone were to use the same config as the build bot, 
where ASYMMETRIC_PUBLIC_KEY_SUBTYPE is not defined and 
INTEGRITY_MACHINE_KEYRING is not defined, they would still hit the problem that 
has now been fixed in  "KEYS: Create static version of public_key_verify_signature”. 

I wish the first two patches in this series would be accepted, since I’m only carrying 
them to get past the build bot.

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help