Re: MAINTAINERS update suggestion (subject change)

[Mimi Zohar]

(Updated subject line)

On Tue, 2022-02-08 at 10:28 +0100, Jarkko Sakkinen wrote:
> On Wed, Jan 26, 2022 at 05:06:09PM -0500, Mimi Zohar wrote:

> > > Mimi brought up that we need a MAINTAINERS update for this and also
> > > .platform.
> > > 
> > > We have these:
> > > 
> > > - KEYS/KEYRINGS
> > > - CERTIFICATE HANDLING
> > > 
> > > I would put them under KEYRINGS for now and would not consider further
> > > subdivision for the moment.
> > 
> > IMA has dependencies on the platform_certs/ and now on the new .machine
> > keyring.  Just adding "F: security/integrity/platform_certs/" to the
> > KEYS/KEYRINGS record, ignores that dependency.  The discussion wouldn't
> > even be on the linux-integrity mailing list.
> > 
> > Existing requirement:
> > - The keys on the .platform keyring are limited to verifying the kexec
> > image.
> > 
> > New requirements based on Eric Snowbergs' patch set:
> > - When IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY is enabled,
> > the MOK keys will not be loaded directly onto the .machine keyring or
> > indirectly onto the .secondary_trusted_keys keyring.
> > 
> > - Only when a new IMA Kconfig explicitly allows the keys on the
> > .machine keyrings, will the CA keys stored in MOK be loaded onto the
> > .machine keyring.
> > 
> > Unfortunately I don't think there is any choice, but to define a new
> > MAINTAINERS entry.  Perhaps something along the lines of:
> > 
> > KEYS/KEYRINGS_INTEGRITY
> > M:     Jarkko Sakkinen <jarkko@xxxxxxxxxx>
> > M:     Mimi Zohar <zohar@xxxxxxxxxxxxx>
> > L:      keyrings@xxxxxxxxxxxxxxx
> > L:      linux-integrity@xxxxxxxxxxxxxxx
> > F:      security/integrity/platform_certs
> 
> WFM. BTW, the patches are now in my tree:
> 
> git://git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-tpmdd.git
> 
> I can add any tags requested. I'll mirror this at some point to linux-next.

Thanks,  Jarkko.

-- 
Mimi