Thread (13 messages, 4 authors, 2023-09-12)

Re: [PATCH] integrity: powerpc: Do not select CA_MACHINE_KEYRING

From: "Jarkko Sakkinen" <jarkko@kernel.org>
Date: 2023-09-12 09:50:11
Also in: linux-integrity, linuxppc-dev, lkml

On Tue Sep 12, 2023 at 10:41 AM EEST, Michal Suchánek wrote:
> On Mon, Sep 11, 2023 at 11:39:38PM -0400, Nayna wrote:
> > On 9/7/23 13:32, Michal Suchánek wrote:
> > > Adding more CC's from the original patch, looks like get_maintainers is
> > > not that great for this file.
> > >
> > > On Thu, Sep 07, 2023 at 06:52:19PM +0200, Michal Suchanek wrote:
> > > > No other platform needs CA_MACHINE_KEYRING, either.
> > > >
> > > > This is policy that should be decided by the administrator, not Kconfig
> > > > dependencies.
> >
> > We certainly agree that flexibility is important. However, in this case,
> > this also implies that we are expecting system admins to be security
> > experts. As per our understanding, CA-based infrastructure (PKI) is the
> > standard to be followed and not the policy decision. And we can only speak
> > for Power.
> >
> > INTEGRITY_CA_MACHINE_KEYRING ensures that we always have CA signed leaf
> > certs.
>
> And that's the problem.
>
> From a distribution point of view there are two types of leaf certs:
>
>  - leaf certs signed by the distribution CA which need not be imported
>    because the distribution CA cert is enrolled one way or another
>  - user generated ad-hoc certificates that are not signed in any way,
>    and enrolled by the user
>
> The latter are vouched for by the user by enrolling the certificate, and
> confirming that they really want to trust this certificate. Enrolling
> user certificates is vital for usability of secure boot. Adding an extra
> step of creating a CA certificate stored on the same system only
> complicates things with no added benefit.

This all comes down to the generic fact that the kernel should not
proactively define what it *expects* of sysadmins.

CA-based infrastructure, like anything, is a policy decision, not
a decision to be enforced by the kernel.

BR, Jarkko