On Tue, Sep 12, 2023 at 12:45:35AM +0300, Jarkko Sakkinen wrote:
> On Thu Sep 7, 2023 at 7:52 PM EEST, Michal Suchanek wrote:
> > No other platform needs CA_MACHINE_KEYRING, either.
> >
> > This is policy that should be decided by the administrator, not Kconfig
>
> s/administrator/distributor/ ?
It depends on the situation. Ideally the administrator would pick the
distributor that provides a policy that is considered fitting for the
purpose or roll their own. Unfortunately, they don't always have the
choice.
For the kerenel's part it should support wide range of policies for
different use cases, and not force the hand of the administrator or
distributor.
>
> > dependencies.
> >
> > cc: joeyli <jlee@xxxxxxxx>
> > Signed-off-by: Michal Suchanek <msuchanek@xxxxxxx>
> > ---
> > security/integrity/Kconfig | 2 --
> > 1 file changed, 2 deletions(-)
> >
> > diff --git a/security/integrity/Kconfig b/security/integrity/Kconfig
> > index 232191ee09e3..b6e074ac0227 100644
> > --- a/security/integrity/Kconfig
> > +++ b/security/integrity/Kconfig
> > @@ -68,8 +68,6 @@ config INTEGRITY_MACHINE_KEYRING
> > depends on INTEGRITY_ASYMMETRIC_KEYS
> > depends on SYSTEM_BLACKLIST_KEYRING
> > depends on LOAD_UEFI_KEYS || LOAD_PPC_KEYS
> > - select INTEGRITY_CA_MACHINE_KEYRING if LOAD_PPC_KEYS
> > - select INTEGRITY_CA_MACHINE_KEYRING_MAX if LOAD_PPC_KEYS
> > help
> > If set, provide a keyring to which Machine Owner Keys (MOK) may
> > be added. This keyring shall contain just MOK keys. Unlike keys
> > --
> > 2.41.0
>
> I'd suggest to add even fixes tag.
Here it is
Fixes: d7d91c4743c4 ("integrity: PowerVM machine keyring enablement")
Thanks
Michal
