Re: [PATCH v8 03/17] integrity: Introduce a Linux keyring called machine

From: Eric Snowberg
Date: Mon Nov 29 2021 - 17:54:39 EST




> On Nov 24, 2021, at 7:49 PM, Mimi Zohar <zohar@xxxxxxxxxxxxx> wrote:
> On Tue, 2021-11-23 at 23:41 -0500, Eric Snowberg wrote:
>> +config INTEGRITY_MACHINE_KEYRING
>> + bool "Provide a keyring to which CA Machine Owner Keys may be added"
>> + depends on SECONDARY_TRUSTED_KEYRING
>> + depends on INTEGRITY_ASYMMETRIC_KEYS
>
> Shouldn't this be "ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y"? With this
> change, is "KEYS: Create static version of
> public_key_verify_signature" trusted needed?

I believe it is still needed. If someone were to use the same config as the build bot,
where ASYMMETRIC_PUBLIC_KEY_SUBTYPE is not defined and
INTEGRITY_MACHINE_KEYRING is not defined, they would still hit the problem that
has now been fixed in "KEYS: Create static version of public_key_verify_signature”.

I wish the first two patches in this series would be accepted, since I’m only carrying
them to get past the build bot.