On 16:33 27.09.21, Mimi Zohar wrote: > On Mon, 2021-09-27 at 22:08 +0200, Andreas Rammhold wrote: > > On 07:27 27.09.21, Mimi Zohar wrote: > > > On Mon, 2021-09-27 at 10:51 +0200, Andreas Rammhold wrote: > > > > On 09:47 13.09.21, Ahmad Fatoum wrote: > > > > > Dear trusted key maintainers, > > > > > > > > > > On 30.07.21 03:28, Andreas Rammhold wrote: > > > > > > Before this commit the kernel could end up with no trusted key sources > > > > > > even though both of the currently supported backends (TPM and TEE) were > > > > > > compiled as modules. This manifested in the trusted key type not being > > > > > > registered at all. > > > > > > > > > > > > When checking if a CONFIG_… preprocessor variable is defined we only > > > > > > test for the builtin (=y) case and not the module (=m) case. By using > > > > > > the IS_REACHABLE() macro we do test for both cases. > > > > > > > > > > > > Fixes: 5d0682be3189 ("KEYS: trusted: Add generic trusted keys framework") > > > > > > Signed-off-by: Andreas Rammhold <andreas@xxxxxxxxxxx> > > > > > > Reviewed-by: Jarkko Sakkinen <jarkko@xxxxxxxxxx> > > > > > Does anyone intend to pick this up? > > > > > > > > Did this end up in any tree by now? I am wondering if I should resend > > > > the patch instead. Perhaps it was just overlooked? > > > > > > For EVM environments only using trusted and encrypted keys, not file > > > signatures, the trusted key is needed to decrypt the "master" key in > > > order to verify kernel modules. > > > > So what you are saying is that right now (before this patch & after this > > patch) you could compile a kernel that wouldn't be able to load any > > modules when the trusted keychain part is built as module? > > Before this patch, trusted and encrypted keys are builtin, so verifying > kernel modules with security.evm containing an EVM hmac would succeed. > Afterwards it would fail, as there's a dependency on the trusted key to > verify the integrity of the trusted key module. But building with =m was a valid configuration which is the original reason for me submitting the patch. So perhaps this should not be allowed to be a module then?