Eric Snowberg [off-list ref] wrote:

quoted

On Feb 3, 2021, at 11:49 AM, Mickaël Salaün [off-list ref] wrote:

This looks good to me, and it still works for my use case. Eric's
patchset only looks for asymmetric keys in the blacklist keyring, so
even if we use the same keyring we don't look for the same key types. My
patchset only allows blacklist keys (i.e. hashes, not asymmetric keys)
to be added by user space (if authenticated), but because Eric's
asymmetric keys are loaded with KEY_ALLOC_BYPASS_RESTRICTION, it should
be OK for his use case.  There should be no interference between the two
new features, but I find it a bit confusing to have such distinct use of
keys from the same keyring depending on their type.

I agree, it is a bit confusing.  What is the thought of having a dbx 
keyring, similar to how the platform keyring works?

https://www.spinics.net/lists/linux-security-module/msg40262.html

That would be fine by me.

David