Hi Jarkko,

> > Thank you. I'll pick these soon. Are there any objections?

No objections.

> > Mimi brought up that we need a MAINTAINERS update for this and also
> > .platform.
> >
> > We have these:
> >
> > - KEYS/KEYRINGS
> > - CERTIFICATE HANDLING
> >
> > I would put them under KEYRINGS for now and would not consider further
> > subdivision for the moment.

IMA has dependencies on the platform_certs/ and now on the new .machine
keyring. Just adding "F: security/integrity/platform_certs/" to the
KEYS/KEYRINGS record ignores that dependency. The discussion wouldn't even
be on the linux-integrity mailing list.

Existing requirement:

- The keys on the .platform keyring are limited to verifying the kexec
  image.

New requirements based on Eric Snowberg's patch set:

- When IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY is enabled, the
  MOK keys will not be loaded directly onto the .machine keyring or
  indirectly onto the .secondary_trusted_keys keyring.

- Only when a new IMA Kconfig explicitly allows the keys on the .machine
  keyring will the CA keys stored in MOK be loaded onto the .machine
  keyring.

Unfortunately I don't think there is any choice but to define a new
MAINTAINERS entry. Perhaps something along the lines of:

KEYS/KEYRINGS_INTEGRITY
M:	Jarkko Sakkinen <jarkko@xxxxxxxxxx>
M:	Mimi Zohar <zohar@xxxxxxxxxxxxx>
L:	keyrings@xxxxxxxxxxxxxxx
L:	linux-integrity@xxxxxxxxxxxxxxx
F:	security/integrity/platform_certs

thanks,

Mimi