Re: [PATCH 4/9] KEYS: Allow unrestricted boot-time addition of keys to secondary keyring

From: David Howells
Date: Mon Nov 21 2016 - 10:17:19 EST

Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx> wrote:

> > > > This allows keys in the UEFI database to be added in secure boot mode
> > > > for the purposes of module signing.
> > >
> > > The key import should not be automatic, it should be optional.
> >
> > You can argue this either way. There's a config option to allow you to
> > turn this on or off. Arguably, this should be split in two: one for the
> > whitelist (db, MokListRT) and one for the blacklist (dbx).
> By "config", you're not referring to a Kconfig option, but a UEFI db
> option, making it hidden/unknown to someone building a kernel. If you
> really want to add this support, make it clear and easily seen by
> defining a "restrict_link_by_builtin_or_uefi" function.

No: by "config" I *am* referring to Kconfig.