Re: [PATCH v8 03/17] integrity: Introduce a Linux keyring called machine
From: Mimi Zohar
Date: Wed Nov 24 2021 - 21:52:01 EST
Hi Eric,
On Tue, 2021-11-23 at 23:41 -0500, Eric Snowberg wrote:
> +config INTEGRITY_MACHINE_KEYRING
> + bool "Provide a keyring to which CA Machine Owner Keys may be added"
> + depends on SECONDARY_TRUSTED_KEYRING
> + depends on INTEGRITY_ASYMMETRIC_KEYS
Shouldn't this be "ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y"? With this
change, is "KEYS: Create static version of
public_key_verify_signature" trusted needed?
Mimi
> + depends on SYSTEM_BLACKLIST_KEYRING
> + depends on LOAD_UEFI_KEYS
> + help
> + If set, provide a keyring to which CA Machine Owner Keys (MOK) may
> + be added. This keyring shall contain just CA MOK keys. Unlike keys
> + in the platform keyring, keys contained in the .machine keyring will
> + be trusted within the kernel.
> +