On Sun, 2022-02-20 at 20:00 +0100, Jarkko Sakkinen wrote: > On Wed, Jan 26, 2022 at 05:06:09PM -0500, Mimi Zohar wrote: > > > > > > Mimi brought up that we need a MAINTAINERS update for this and also > > > .platform. > > > > > > We have these: > > > > > > - KEYS/KEYRINGS > > > - CERTIFICATE HANDLING > > > > > > I would put them under KEYRINGS for now and would not consider further > > > subdivision for the moment. > > > > IMA has dependencies on the platform_certs/ and now on the new .machine > > keyring. Just adding "F: security/integrity/platform_certs/" to the > > KEYS/KEYRINGS record, ignores that dependency. The discussion wouldn't > > even be on the linux-integrity mailing list. > > > > Existing requirement: > > - The keys on the .platform keyring are limited to verifying the kexec > > image. > > > > New requirements based on Eric Snowbergs' patch set: > > - When IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY is enabled, > > the MOK keys will not be loaded directly onto the .machine keyring or > > indirectly onto the .secondary_trusted_keys keyring. > > > > - Only when a new IMA Kconfig explicitly allows the keys on the > > .machine keyrings, will the CA keys stored in MOK be loaded onto the > > .machine keyring. > > > > Unfortunately I don't think there is any choice, but to define a new > > MAINTAINERS entry. Perhaps something along the lines of: > > > > KEYS/KEYRINGS_INTEGRITY > > M: Jarkko Sakkinen <jarkko@xxxxxxxxxx> > > M: Mimi Zohar <zohar@xxxxxxxxxxxxx> > > L: keyrings@xxxxxxxxxxxxxxx > > L: linux-integrity@xxxxxxxxxxxxxxx > > F: security/integrity/platform_certs > > > > This would work for me. Thanks, Jarkko. Are you planning on upstreaming this change, as you previously said, or would you prefer I do it? thanks, Mimi
