Re: [PATCH 4/4] module, KEYS: Make use of platform keyring for signature verification

[Mimi Zohar]

Hi Luis,

On Tue, 2022-03-22 at 10:37 -0700, Luis Chamberlain wrote:
> How's this series going? Did you and Mimi sort things out? Either way,
> just wanted to let you kow you can base your changes on modules-testing
> [0] if you want to resubmit for v5.19 (v5.18 will be too late already).
> Once testing is done what is on modules-testing will go to modules-next
> for testing for v5.19. There are no changes planned for v5.18 other than
> fixes and so far there are none.
> 
> [0] https://git.kernel.org/pub/scm/linux/kernel/git/mcgrof/linux.git/log/?h=modules-testing

The "platform" keyring was upstreamed specifically to verify the kexec
kernel image. Orginally it contained only the UEFI db keys, but the MOK
keys were later added as well.  Any other usage of the "platform" is
not planned.

To allow end users to sign their own kernel modules, executables, or
any other file, Eric Snowberg is working on a patch set to only load
the MOK CA keys onto the ".machine" keyring, which is linked to the
"secondary" keyring[1].  Verifying kernel modules based on certificates
signed by a MOK CA will then be possible.

thanks,

Mimi

[1] 
https://lore.kernel.org/all/20220301173651.3435350-1-eric.snowberg@xxxxxxxxxx/