On Fri, Mar 31, 2023 at 01:01:43PM -0700, Luis Chamberlain wrote:

On Fri, Mar 31, 2023 at 04:30:21PM +0200, Ahelenia Ziemiańska wrote:

quoted

This allows a cert in DB to be used to sign modules,
in addition to certs in the MoK and built-in keyrings.

This key policy matches what's used for kexec.

Before I nose dive, the commit log should explain why this patch never
was sent upstream, if it was, why it was rejected. 

How would I know that?

Searching around on the list, I found an equivalent 2022-02-15 patch:
  https://lore.kernel.org/linux-kernel/840433bc93a58d6dfc4d96c34c0c3b158a0e669d.1644953683.git.msuchanek@suse.de/t/#u (local)
and there's even a reply from you in there.

The discussion appears to boil down to
".platform is restricted to kexec",
"there are common setups in which it'd make much more sense to allow
 this, and also it's prety equivalent security-policy-wise",
(this repeats).

MoK/shim is also mentioned, for some reason, even though that solves a
different problem.

What makes it good now?

Debian and Fedora are using it, and it's what users expect to work.

Who is using it?

Debian (since 5.3.9-1, #935945) and Fedora (since the time of that bug
 at the very least, as Debian imported from there, so 2019-11-09).

What are other distributions doing about it?

What does that mean, and also how would I know that?

Best,