Re: [RFC PATCH 2/2] kexec, KEYS: Make use of platform keyring for signature verify

From: nayna
Date: Tue Jan 15 2019 - 10:11:51 EST


On 2019-01-14 21:42, Dave Young wrote:
On 01/14/19 at 11:10am, Mimi Zohar wrote:
On Sun, 2019-01-13 at 09:39 +0800, Dave Young wrote:
> Hi,
>
> On 01/11/19 at 11:13am, Mimi Zohar wrote:
> > On Fri, 2019-01-11 at 21:43 +0800, Dave Young wrote:
> > [snip]
> >
> > > Personally I would like to see platform key separated from integrity.
> > > But for the kexec_file part I think it is good at least it works with
> > > this fix.
> > >
> > > Acked-by: Dave Young <dyoung@xxxxxxxxxx>
> >
> > The original "platform" keyring patches that Nayna posted multiple
> > times were in the certs directory, but nobody commented/responded. So
> > she reworked the patches, moving them to the integrity directory and
> > posted them (cc'ing the kexec mailing list). It's a bit late to be
> > asking to move it, isn't it?
>
> Hmm, apologize for being late, I did not get a chance to have a look at the
> old series. Since we have the needs now, it should be still fine
>
> Maybe Kairui can check Nayna's old series, see if he can do something
> again?

Whether the platform keyring is defined in certs/ or in integrity/ the
keyring id needs to be accessible to the other, without making the
keyring id global. Moving where the platform keyring is defined is
not the problem.

Agreed, but just feel kexec depends on IMA sounds not good.

The platform keyring is not dependent on IMA, it is dependent on "integrity" - CONFIG_INTEGRITY_ASYMMETRIC_KEYS.
Other CONFIGS which it needs are CONFIG_SYSTEM_BLACKLIST_KEYRING, CONFIG_EFI.

Thanks & Regards,
- Nayna