Re: [PATCH v7 00/17] Enroll kernel keys thru MOK

[PATCH v7 00/17] Enroll kernel keys thru MOK · Eric Snowberg <eric.snowberg@oracle.com> · 2021-11-16
[PATCH v7 05/17] KEYS: CA link restriction · Eric Snowberg <eric.snowberg@oracle.com> · 2021-11-16
[PATCH v7 03/17] KEYS: Create static version of public_key_verify_signature · Eric Snowberg <eric.snowberg@oracle.com> · 2021-11-16
Re: [PATCH v7 03/17] KEYS: Create static version of public_key_verify_signature · Mimi Zohar <zohar@linux.ibm.com> · 2021-11-17
Re: [PATCH v7 03/17] KEYS: Create static version of public_key_verify_signature · Mimi Zohar <zohar@linux.ibm.com> · 2021-11-17
[PATCH v7 04/17] X.509: Parse Basic Constraints for CA · Eric Snowberg <eric.snowberg@oracle.com> · 2021-11-16
Re: [PATCH v7 04/17] X.509: Parse Basic Constraints for CA · Mimi Zohar <zohar@linux.ibm.com> · 2021-11-18
Re: [PATCH v7 04/17] X.509: Parse Basic Constraints for CA · Eric Snowberg <eric.snowberg@oracle.com> · 2021-11-18
[PATCH v7 08/17] integrity: add new keyring handler for mok keys · Eric Snowberg <eric.snowberg@oracle.com> · 2021-11-16
Re: [PATCH v7 08/17] integrity: add new keyring handler for mok keys · Mimi Zohar <zohar@linux.ibm.com> · 2021-11-19
[PATCH v7 09/17] KEYS: Rename get_builtin_and_secondary_restriction · Eric Snowberg <eric.snowberg@oracle.com> · 2021-11-16
Re: [PATCH v7 09/17] KEYS: Rename get_builtin_and_secondary_restriction · Mimi Zohar <zohar@linux.ibm.com> · 2021-11-19
[PATCH v7 10/17] KEYS: add a reference to machine keyring · Eric Snowberg <eric.snowberg@oracle.com> · 2021-11-16
[PATCH v7 11/17] KEYS: Introduce link restriction for machine keys · Eric Snowberg <eric.snowberg@oracle.com> · 2021-11-16
Re: [PATCH v7 11/17] KEYS: Introduce link restriction for machine keys · Mimi Zohar <zohar@linux.ibm.com> · 2021-11-19
Re: [PATCH v7 11/17] KEYS: Introduce link restriction for machine keys · Eric Snowberg <eric.snowberg@oracle.com> · 2021-11-19
[PATCH v7 12/17] KEYS: integrity: change link restriction to trust the machine keyring · Eric Snowberg <eric.snowberg@oracle.com> · 2021-11-16
Re: [PATCH v7 12/17] KEYS: integrity: change link restriction to trust the machine keyring · Mimi Zohar <zohar@linux.ibm.com> · 2021-11-19
[PATCH v7 02/17] integrity: Do not allow machine keyring updates following init · Eric Snowberg <eric.snowberg@oracle.com> · 2021-11-16
Re: [PATCH v7 02/17] integrity: Do not allow machine keyring updates following init · Mimi Zohar <zohar@linux.ibm.com> · 2021-11-17
[PATCH v7 13/17] KEYS: link secondary_trusted_keys to machine trusted keys · Eric Snowberg <eric.snowberg@oracle.com> · 2021-11-16
Re: [PATCH v7 13/17] KEYS: link secondary_trusted_keys to machine trusted keys · Mimi Zohar <zohar@linux.ibm.com> · 2021-11-18
Re: [PATCH v7 13/17] KEYS: link secondary_trusted_keys to machine trusted keys · Eric Snowberg <eric.snowberg@oracle.com> · 2021-11-18
[PATCH v7 16/17] integrity: Trust MOK keys if MokListTrustedRT found · Eric Snowberg <eric.snowberg@oracle.com> · 2021-11-16
[PATCH v7 17/17] integrity: Only use machine keyring when uefi_check_trust_mok_keys is true · Eric Snowberg <eric.snowberg@oracle.com> · 2021-11-16
[PATCH v7 01/17] integrity: Introduce a Linux keyring called machine · Eric Snowberg <eric.snowberg@oracle.com> · 2021-11-16
Re: [PATCH v7 01/17] integrity: Introduce a Linux keyring called machine · Mimi Zohar <zohar@linux.ibm.com> · 2021-11-17
[PATCH v7 07/17] integrity: Fix warning about missing prototypes · Eric Snowberg <eric.snowberg@oracle.com> · 2021-11-16
Re: [PATCH v7 07/17] integrity: Fix warning about missing prototypes · Mimi Zohar <zohar@linux.ibm.com> · 2021-11-17
[PATCH v7 06/17] integrity: restrict INTEGRITY_KEYRING_MACHINE to restrict_link_by_ca · Eric Snowberg <eric.snowberg@oracle.com> · 2021-11-16
[PATCH v7 15/17] efi/mokvar: move up init order · Eric Snowberg <eric.snowberg@oracle.com> · 2021-11-16
[PATCH v7 14/17] integrity: store reference to machine keyring · Eric Snowberg <eric.snowberg@oracle.com> · 2021-11-16
Re: [PATCH v7 00/17] Enroll kernel keys thru MOK · Jarkko Sakkinen <jarkko@kernel.org> · 2021-11-16
Re: [PATCH v7 00/17] Enroll kernel keys thru MOK · Konrad Rzeszutek Wilk <hidden> · 2021-11-16
Re: [PATCH v7 00/17] Enroll kernel keys thru MOK · Jarkko Sakkinen <jarkko@kernel.org> · 2021-11-16
Re: [PATCH v7 00/17] Enroll kernel keys thru MOK · Konrad Rzeszutek Wilk <hidden> · 2021-11-16
Re: [PATCH v7 00/17] Enroll kernel keys thru MOK · Jarkko Sakkinen <jarkko@kernel.org> · 2021-11-17
Re: [PATCH v7 00/17] Enroll kernel keys thru MOK · Jarkko Sakkinen <jarkko@kernel.org> · 2021-11-17
Re: [PATCH v7 00/17] Enroll kernel keys thru MOK · Konrad Rzeszutek Wilk <hidden> · 2021-11-17
Re: [PATCH v7 00/17] Enroll kernel keys thru MOK · Eric Snowberg <eric.snowberg@oracle.com> · 2021-11-17
Re: [PATCH v7 00/17] Enroll kernel keys thru MOK · Jarkko Sakkinen <jarkko@kernel.org> · 2021-11-18

From: Eric Snowberg <eric.snowberg@oracle.com>
Date: 2021-11-17 17:21:41
Also in: keyrings, linux-crypto, linux-efi, linux-integrity, lkml

On Nov 17, 2021, at 10:02 AM, Konrad Wilk [off-list ref] wrote:

On Wed, Nov 17, 2021 at 09:51:25AM +0200, Jarkko Sakkinen wrote:

quoted

On Wed, 2021-11-17 at 09:50 +0200, Jarkko Sakkinen wrote:

quoted

On Tue, 2021-11-16 at 11:39 -0500, Konrad Rzeszutek Wilk wrote:

quoted

On Tue, Nov 16, 2021 at 06:24:52PM +0200, Jarkko Sakkinen wrote:

quoted

On Tue, 2021-11-16 at 11:18 -0500, Konrad Rzeszutek Wilk wrote:

quoted

I have included  a link to the mokutil [5] changes I have made to support 
this new functionality.  The shim changes have now been accepted
upstream [6].

..snip..

quoted

[6] https://github.com/rhboot/shim/commit/4e513405b4f1641710115780d19dcec130c5208f

..snip..

quoted

Does shim have the necessary features in a release?

Hi!

It has been accepted in the upstream shim. If you are looking
for a distribution having rolled out a shim with this feature (so signed
by MSF) I fear that distributions are not that fast with shim releases.

         ~~~

Should that be MS, or what does MSF mean?

Microsoft :-)

Correct, I’ll fix that in the next round.

quoted

Also these:
https://github.com/rhboot/shim/pulls
https://github.com/rhboot/shim/issues

do mean some extra work would need to go in before an official
release is cut.

Hope this helps?

Yes. I'll hold with this up until there is an official release. Thank you.

Not sure I understand - but what are the concerns you have with shim
code that has been accepted?

Maybe my concern is that none of the patches have a tested-by?

Probably would be easier to get a test coverage, e.g. for people like
me who do not even know how to self-compile Shim, how to setup user
space using the product and so forth.

       ~~~~~~~~~~~~~~~~~

for the end product

<nods> That makes total sense. Thanks for the explanation, let me double
check whether

https://github.com/rhboot/shim/blob/main/BUILDING

is still correct.

Those are the steps I use for building.   I then move over mmx64.efi and  
shimx64.efi to the ESP.  I can add the shim build/install instructions to the next
cover letter If you think that would be appropriate.

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help