Message ID | 20220126025834.255493-1-eric.snowberg@oracle.com |
---|---|
Headers | show |
Series | Enroll kernel keys thru MOK | expand |
On Wed, Jan 26, 2022 at 05:06:09PM -0500, Mimi Zohar wrote: > Hi Jarkko, > > > > Thank you. I'll pick these soon. Is there any objections? > > No objections. > > > > Mimi brought up that we need a MAINTAINERS update for this and also > > .platform. > > > > We have these: > > > > - KEYS/KEYRINGS > > - CERTIFICATE HANDLING > > > > I would put them under KEYRINGS for now and would not consider further > > subdivision for the moment. > > IMA has dependencies on the platform_certs/ and now on the new .machine > keyring. Just adding "F: security/integrity/platform_certs/" to the > KEYS/KEYRINGS record, ignores that dependency. The discussion wouldn't > even be on the linux-integrity mailing list. > > Existing requirement: > - The keys on the .platform keyring are limited to verifying the kexec > image. > > New requirements based on Eric Snowbergs' patch set: > - When IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY is enabled, > the MOK keys will not be loaded directly onto the .machine keyring or > indirectly onto the .secondary_trusted_keys keyring. > > - Only when a new IMA Kconfig explicitly allows the keys on the > .machine keyrings, will the CA keys stored in MOK be loaded onto the > .machine keyring. > > Unfortunately I don't think there is any choice, but to define a new > MAINTAINERS entry. Perhaps something along the lines of: > > KEYS/KEYRINGS_INTEGRITY > M: Jarkko Sakkinen <jarkko@kernel.org> > M: Mimi Zohar <zohar@linux.ibm.com> > L: keyrings@vger.kernel.org > L: linux-integrity@vger.kernel.org > F: security/integrity/platform_certs WFM. BTW, the patches are now in my tree: git://git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-tpmdd.git I can add any tags requested. I'll mirror this at some point to linux-next. /Jarkko
(Updated subject line) On Tue, 2022-02-08 at 10:28 +0100, Jarkko Sakkinen wrote: > On Wed, Jan 26, 2022 at 05:06:09PM -0500, Mimi Zohar wrote: > > > Mimi brought up that we need a MAINTAINERS update for this and also > > > .platform. > > > > > > We have these: > > > > > > - KEYS/KEYRINGS > > > - CERTIFICATE HANDLING > > > > > > I would put them under KEYRINGS for now and would not consider further > > > subdivision for the moment. > > > > IMA has dependencies on the platform_certs/ and now on the new .machine > > keyring. Just adding "F: security/integrity/platform_certs/" to the > > KEYS/KEYRINGS record, ignores that dependency. The discussion wouldn't > > even be on the linux-integrity mailing list. > > > > Existing requirement: > > - The keys on the .platform keyring are limited to verifying the kexec > > image. > > > > New requirements based on Eric Snowbergs' patch set: > > - When IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY is enabled, > > the MOK keys will not be loaded directly onto the .machine keyring or > > indirectly onto the .secondary_trusted_keys keyring. > > > > - Only when a new IMA Kconfig explicitly allows the keys on the > > .machine keyrings, will the CA keys stored in MOK be loaded onto the > > .machine keyring. > > > > Unfortunately I don't think there is any choice, but to define a new > > MAINTAINERS entry. Perhaps something along the lines of: > > > > KEYS/KEYRINGS_INTEGRITY > > M: Jarkko Sakkinen <jarkko@kernel.org> > > M: Mimi Zohar <zohar@linux.ibm.com> > > L: keyrings@vger.kernel.org > > L: linux-integrity@vger.kernel.org > > F: security/integrity/platform_certs > > WFM. BTW, the patches are now in my tree: > > git://git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-tpmdd.git > > I can add any tags requested. I'll mirror this at some point to linux-next. Thanks, Jarkko.
On Wed, Jan 26, 2022 at 05:06:09PM -0500, Mimi Zohar wrote: > Hi Jarkko, > > > > Thank you. I'll pick these soon. Is there any objections? > > No objections. > > > > Mimi brought up that we need a MAINTAINERS update for this and also > > .platform. > > > > We have these: > > > > - KEYS/KEYRINGS > > - CERTIFICATE HANDLING > > > > I would put them under KEYRINGS for now and would not consider further > > subdivision for the moment. > > IMA has dependencies on the platform_certs/ and now on the new .machine > keyring. Just adding "F: security/integrity/platform_certs/" to the > KEYS/KEYRINGS record, ignores that dependency. The discussion wouldn't > even be on the linux-integrity mailing list. > > Existing requirement: > - The keys on the .platform keyring are limited to verifying the kexec > image. > > New requirements based on Eric Snowbergs' patch set: > - When IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY is enabled, > the MOK keys will not be loaded directly onto the .machine keyring or > indirectly onto the .secondary_trusted_keys keyring. > > - Only when a new IMA Kconfig explicitly allows the keys on the > .machine keyrings, will the CA keys stored in MOK be loaded onto the > .machine keyring. > > Unfortunately I don't think there is any choice, but to define a new > MAINTAINERS entry. Perhaps something along the lines of: > > KEYS/KEYRINGS_INTEGRITY > M: Jarkko Sakkinen <jarkko@kernel.org> > M: Mimi Zohar <zohar@linux.ibm.com> > L: keyrings@vger.kernel.org > L: linux-integrity@vger.kernel.org > F: security/integrity/platform_certs > > thanks, > > Mimi This would work for me. BR, Jarkko
On Sun, 2022-02-20 at 20:00 +0100, Jarkko Sakkinen wrote: > On Wed, Jan 26, 2022 at 05:06:09PM -0500, Mimi Zohar wrote: > > > > > > Mimi brought up that we need a MAINTAINERS update for this and also > > > .platform. > > > > > > We have these: > > > > > > - KEYS/KEYRINGS > > > - CERTIFICATE HANDLING > > > > > > I would put them under KEYRINGS for now and would not consider further > > > subdivision for the moment. > > > > IMA has dependencies on the platform_certs/ and now on the new .machine > > keyring. Just adding "F: security/integrity/platform_certs/" to the > > KEYS/KEYRINGS record, ignores that dependency. The discussion wouldn't > > even be on the linux-integrity mailing list. > > > > Existing requirement: > > - The keys on the .platform keyring are limited to verifying the kexec > > image. > > > > New requirements based on Eric Snowbergs' patch set: > > - When IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY is enabled, > > the MOK keys will not be loaded directly onto the .machine keyring or > > indirectly onto the .secondary_trusted_keys keyring. > > > > - Only when a new IMA Kconfig explicitly allows the keys on the > > .machine keyrings, will the CA keys stored in MOK be loaded onto the > > .machine keyring. > > > > Unfortunately I don't think there is any choice, but to define a new > > MAINTAINERS entry. Perhaps something along the lines of: > > > > KEYS/KEYRINGS_INTEGRITY > > M: Jarkko Sakkinen <jarkko@kernel.org> > > M: Mimi Zohar <zohar@linux.ibm.com> > > L: keyrings@vger.kernel.org > > L: linux-integrity@vger.kernel.org > > F: security/integrity/platform_certs > > > > This would work for me. Thanks, Jarkko. Are you planning on upstreaming this change, as you previously said, or would you prefer I do it? thanks, Mimi
On Tue, Feb 22, 2022 at 06:59:25AM -0500, Mimi Zohar wrote: > On Sun, 2022-02-20 at 20:00 +0100, Jarkko Sakkinen wrote: > > On Wed, Jan 26, 2022 at 05:06:09PM -0500, Mimi Zohar wrote: > > > > > > > > > Mimi brought up that we need a MAINTAINERS update for this and also > > > > .platform. > > > > > > > > We have these: > > > > > > > > - KEYS/KEYRINGS > > > > - CERTIFICATE HANDLING > > > > > > > > I would put them under KEYRINGS for now and would not consider further > > > > subdivision for the moment. > > > > > > IMA has dependencies on the platform_certs/ and now on the new .machine > > > keyring. Just adding "F: security/integrity/platform_certs/" to the > > > KEYS/KEYRINGS record, ignores that dependency. The discussion wouldn't > > > even be on the linux-integrity mailing list. > > > > > > Existing requirement: > > > - The keys on the .platform keyring are limited to verifying the kexec > > > image. > > > > > > New requirements based on Eric Snowbergs' patch set: > > > - When IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY is enabled, > > > the MOK keys will not be loaded directly onto the .machine keyring or > > > indirectly onto the .secondary_trusted_keys keyring. > > > > > > - Only when a new IMA Kconfig explicitly allows the keys on the > > > .machine keyrings, will the CA keys stored in MOK be loaded onto the > > > .machine keyring. > > > > > > Unfortunately I don't think there is any choice, but to define a new > > > MAINTAINERS entry. Perhaps something along the lines of: > > > > > > KEYS/KEYRINGS_INTEGRITY > > > M: Jarkko Sakkinen <jarkko@kernel.org> > > > M: Mimi Zohar <zohar@linux.ibm.com> > > > L: keyrings@vger.kernel.org > > > L: linux-integrity@vger.kernel.org > > > F: security/integrity/platform_certs > > > > > > > This would work for me. > > Thanks, Jarkko. Are you planning on upstreaming this change, as you > previously said, or would you prefer I do it? > > thanks, > > Mimi This is the problem I'm encountering: https://lore.kernel.org/keyrings/YhLNYxBTbKW62vtC@iki.fi/ BR, Jarkko
On Tue, 2022-02-22 at 13:26 +0100, Jarkko Sakkinen wrote: > On Tue, Feb 22, 2022 at 06:59:25AM -0500, Mimi Zohar wrote: > > On Sun, 2022-02-20 at 20:00 +0100, Jarkko Sakkinen wrote: > > > On Wed, Jan 26, 2022 at 05:06:09PM -0500, Mimi Zohar wrote: > > > > > > > > > > > > Mimi brought up that we need a MAINTAINERS update for this and also > > > > > .platform. > > > > > > > > > > We have these: > > > > > > > > > > - KEYS/KEYRINGS > > > > > - CERTIFICATE HANDLING > > > > > > > > > > I would put them under KEYRINGS for now and would not consider further > > > > > subdivision for the moment. > > > > > > > > IMA has dependencies on the platform_certs/ and now on the new .machine > > > > keyring. Just adding "F: security/integrity/platform_certs/" to the > > > > KEYS/KEYRINGS record, ignores that dependency. The discussion wouldn't > > > > even be on the linux-integrity mailing list. > > > > > > > > Existing requirement: > > > > - The keys on the .platform keyring are limited to verifying the kexec > > > > image. > > > > > > > > New requirements based on Eric Snowbergs' patch set: > > > > - When IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY is enabled, > > > > the MOK keys will not be loaded directly onto the .machine keyring or > > > > indirectly onto the .secondary_trusted_keys keyring. > > > > > > > > - Only when a new IMA Kconfig explicitly allows the keys on the > > > > .machine keyrings, will the CA keys stored in MOK be loaded onto the > > > > .machine keyring. > > > > > > > > Unfortunately I don't think there is any choice, but to define a new > > > > MAINTAINERS entry. Perhaps something along the lines of: > > > > > > > > KEYS/KEYRINGS_INTEGRITY > > > > M: Jarkko Sakkinen <jarkko@kernel.org> > > > > M: Mimi Zohar <zohar@linux.ibm.com> > > > > L: keyrings@vger.kernel.org > > > > L: linux-integrity@vger.kernel.org > > > > F: security/integrity/platform_certs > > > > > > > > > > This would work for me. > > > > Thanks, Jarkko. Are you planning on upstreaming this change, as you > > previously said, or would you prefer I do it? > > > This is the problem I'm encountering: > > https://lore.kernel.org/keyrings/YhLNYxBTbKW62vtC@iki.fi/ That's the answer to a different question. :) I was asking about the MAINTAINERS record.
On Tue, 2022-02-22 at 13:26 +0100, Jarkko Sakkinen wrote: > This is the problem I'm encountering: > > https://lore.kernel.org/keyrings/YhLNYxBTbKW62vtC@iki.fi/ Try using the Message-Id: < 20220126025834.255493-1-eric.snowberg@oracle.com>
On Tue, Feb 22, 2022 at 07:32:20AM -0500, Mimi Zohar wrote: > On Tue, 2022-02-22 at 13:26 +0100, Jarkko Sakkinen wrote: > > On Tue, Feb 22, 2022 at 06:59:25AM -0500, Mimi Zohar wrote: > > > On Sun, 2022-02-20 at 20:00 +0100, Jarkko Sakkinen wrote: > > > > On Wed, Jan 26, 2022 at 05:06:09PM -0500, Mimi Zohar wrote: > > > > > > > > > > > > > > > Mimi brought up that we need a MAINTAINERS update for this and also > > > > > > .platform. > > > > > > > > > > > > We have these: > > > > > > > > > > > > - KEYS/KEYRINGS > > > > > > - CERTIFICATE HANDLING > > > > > > > > > > > > I would put them under KEYRINGS for now and would not consider further > > > > > > subdivision for the moment. > > > > > > > > > > IMA has dependencies on the platform_certs/ and now on the new .machine > > > > > keyring. Just adding "F: security/integrity/platform_certs/" to the > > > > > KEYS/KEYRINGS record, ignores that dependency. The discussion wouldn't > > > > > even be on the linux-integrity mailing list. > > > > > > > > > > Existing requirement: > > > > > - The keys on the .platform keyring are limited to verifying the kexec > > > > > image. > > > > > > > > > > New requirements based on Eric Snowbergs' patch set: > > > > > - When IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY is enabled, > > > > > the MOK keys will not be loaded directly onto the .machine keyring or > > > > > indirectly onto the .secondary_trusted_keys keyring. > > > > > > > > > > - Only when a new IMA Kconfig explicitly allows the keys on the > > > > > .machine keyrings, will the CA keys stored in MOK be loaded onto the > > > > > .machine keyring. > > > > > > > > > > Unfortunately I don't think there is any choice, but to define a new > > > > > MAINTAINERS entry. Perhaps something along the lines of: > > > > > > > > > > KEYS/KEYRINGS_INTEGRITY > > > > > M: Jarkko Sakkinen <jarkko@kernel.org> > > > > > M: Mimi Zohar <zohar@linux.ibm.com> > > > > > L: keyrings@vger.kernel.org > > > > > L: linux-integrity@vger.kernel.org > > > > > F: security/integrity/platform_certs > > > > > > > > > > > > > This would work for me. > > > > > > Thanks, Jarkko. Are you planning on upstreaming this change, as you > > > previously said, or would you prefer I do it? > > > > > This is the problem I'm encountering: > > > > https://lore.kernel.org/keyrings/YhLNYxBTbKW62vtC@iki.fi/ > > That's the answer to a different question. :) I was asking about the > MAINTAINERS record. Aaaaa... sorry! Yeah, please do it :-) BR, Jarkko
On Tue, Feb 22, 2022 at 08:43:18AM -0500, Mimi Zohar wrote: > On Tue, 2022-02-22 at 13:26 +0100, Jarkko Sakkinen wrote: > > This is the problem I'm encountering: > > > > https://lore.kernel.org/keyrings/YhLNYxBTbKW62vtC@iki.fi/ > > Try using the Message-Id: < > 20220126025834.255493-1-eric.snowberg@oracle.com> > > -- > thanks, > > Mimi OK, now the patch set is fully applied. Thank you Mimi, and Eric, apologies for the confusion. BR, Jarkko