Re: Re: Conflict with Mickaël Salaün's blacklist patches [was [PATCH v5 0/4] Add EFI_CERT_X509_GUID support for dbx/mokx entries]

From: David Howells
Date: Thu Feb 04 2021 - 04:14:05 EST

Next message: Max Gurtovoy: "Re: [PATCH 8/9] vfio/pci: use x86 naming instead of igd"
Previous message: Guillaume Tucker: "Re: next/master bisection: baseline.login on sun50i-h5-libretech-all-h3-cc"
In reply to: Mickaël Salaün: "Re: Conflict with Mickaël Salaün's blacklist patches [was [PATCH v5 0/4] Add EFI_CERT_X509_GUID support for dbx/mokx entries]"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Eric Snowberg <eric.snowberg@xxxxxxxxxx> wrote:

> > On Feb 3, 2021, at 11:49 AM, Mickaël Salaün <mic@xxxxxxxxxxx> wrote:
> >
> > This looks good to me, and it still works for my use case. Eric's
> > patchset only looks for asymmetric keys in the blacklist keyring, so
> > even if we use the same keyring we don't look for the same key types. My
> > patchset only allows blacklist keys (i.e. hashes, not asymmetric keys)
> > to be added by user space (if authenticated), but because Eric's
> > asymmetric keys are loaded with KEY_ALLOC_BYPASS_RESTRICTION, it should
> > be OK for his use case. There should be no interference between the two
> > new features, but I find it a bit confusing to have such distinct use of
> > keys from the same keyring depending on their type.
>
> I agree, it is a bit confusing. What is the thought of having a dbx
> keyring, similar to how the platform keyring works?
>
> https://www.spinics.net/lists/linux-security-module/msg40262.html

That would be fine by me.

David

Next message: Max Gurtovoy: "Re: [PATCH 8/9] vfio/pci: use x86 naming instead of igd"
Previous message: Guillaume Tucker: "Re: next/master bisection: baseline.login on sun50i-h5-libretech-all-h3-cc"
In reply to: Mickaël Salaün: "Re: Conflict with Mickaël Salaün's blacklist patches [was [PATCH v5 0/4] Add EFI_CERT_X509_GUID support for dbx/mokx entries]"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]