> On Sep 9, 2021, at 11:26 AM, Mimi Zohar <zohar@xxxxxxxxxxxxx> wrote: > > Hi Eric, > > The subject line above is too long. According to > Documentation/process/submitting-patches.rst the "the ``summary`` must > be no more than 70-75 characters". > > On Tue, 2021-09-07 at 12:01 -0400, Eric Snowberg wrote: >> Introduce a new link restriction that includes the trusted builtin, >> secondary and machine keys. The restriction is based on the key to be added >> being vouched for by a key in any of these three keyrings. >> >> Suggested-by: Mimi Zohar <zohar@xxxxxxxxxxxxx> >> Signed-off-by: Eric Snowberg <eric.snowberg@xxxxxxxxxx> >> --- >> v3: Initial version >> v4: moved code under CONFIG_INTEGRITY_MOK_KEYRING >> v5: Rename to machine keyring >> --- >> certs/system_keyring.c | 23 +++++++++++++++++++++++ >> include/keys/system_keyring.h | 6 ++++++ >> 2 files changed, 29 insertions(+) >> >> diff --git a/certs/system_keyring.c b/certs/system_keyring.c >> index 08ea542c8096..955bd57815f4 100644 >> --- a/certs/system_keyring.c >> +++ b/certs/system_keyring.c >> @@ -99,6 +99,29 @@ void __init set_machine_trusted_keys(struct key *keyring) >> { >> machine_trusted_keys = keyring; >> } >> + >> +/** >> + * restrict_link_by_builtin_secondary_and_ca_trusted > > Sorry for the patch churn. With the keyring name change to ".machine", > the restriction name should also reflect this change. Yes, I can change that. Should it be renamed to restrict_link_by_builtin_secondary_and_machine_trusted? That seems a little long though. Thanks.