On Tue Sep 12, 2023 at 10:51 AM EEST, Michal Suchánek wrote:
> On Tue, Sep 12, 2023 at 12:45:35AM +0300, Jarkko Sakkinen wrote:
> > On Thu Sep 7, 2023 at 7:52 PM EEST, Michal Suchanek wrote:
> > > No other platform needs CA_MACHINE_KEYRING, either.
> > >
> > > This is policy that should be decided by the administrator, not Kconfig
> >
> > s/administrator/distributor/ ?
>
> It depends on the situation. Ideally the administrator would pick the
> distributor that provides a policy that is considered fitting for the
> purpose or roll their own. Unfortunately, they don't always have the
> choice.
>
> For the kerenel's part it should support wide range of policies for
> different use cases, and not force the hand of the administrator or
> distributor.
>
> >
> > > dependencies.
> > >
> > > cc: joeyli <jlee@xxxxxxxx>
> > > Signed-off-by: Michal Suchanek <msuchanek@xxxxxxx>
> > > ---
> > > security/integrity/Kconfig | 2 --
> > > 1 file changed, 2 deletions(-)
> > >
> > > diff --git a/security/integrity/Kconfig b/security/integrity/Kconfig
> > > index 232191ee09e3..b6e074ac0227 100644
> > > --- a/security/integrity/Kconfig
> > > +++ b/security/integrity/Kconfig
> > > @@ -68,8 +68,6 @@ config INTEGRITY_MACHINE_KEYRING
> > > depends on INTEGRITY_ASYMMETRIC_KEYS
> > > depends on SYSTEM_BLACKLIST_KEYRING
> > > depends on LOAD_UEFI_KEYS || LOAD_PPC_KEYS
> > > - select INTEGRITY_CA_MACHINE_KEYRING if LOAD_PPC_KEYS
> > > - select INTEGRITY_CA_MACHINE_KEYRING_MAX if LOAD_PPC_KEYS
> > > help
> > > If set, provide a keyring to which Machine Owner Keys (MOK) may
> > > be added. This keyring shall contain just MOK keys. Unlike keys
> > > --
> > > 2.41.0
> >
> > I'd suggest to add even fixes tag.
>
> Here it is
>
> Fixes: d7d91c4743c4 ("integrity: PowerVM machine keyring enablement")
commit b755dd58d180b796d21bc14d03045e4ab84222b0 (HEAD -> next, origin/next)
Author: Michal Suchanek <msuchanek@xxxxxxx>
Date: Thu Sep 7 18:52:19 2023 +0200
integrity: powerpc: Do not select CA_MACHINE_KEYRING
No other platform needs CA_MACHINE_KEYRING, either.
This is policy that should be decided by the administrator, not Kconfig
dependencies.
Fixes: d7d91c4743c4 ("integrity: PowerVM machine keyring enablement")
Signed-off-by: Michal Suchanek <msuchanek@xxxxxxx>
Signed-off-by: Jarkko Sakkinen <jarkko@xxxxxxxxxx>
diff --git a/security/integrity/Kconfig b/security/integrity/Kconfig
index 232191ee09e3..b6e074ac0227 100644
--- a/security/integrity/Kconfig
+++ b/security/integrity/Kconfig
@@ -68,8 +68,6 @@ config INTEGRITY_MACHINE_KEYRING
depends on INTEGRITY_ASYMMETRIC_KEYS
depends on SYSTEM_BLACKLIST_KEYRING
depends on LOAD_UEFI_KEYS || LOAD_PPC_KEYS
- select INTEGRITY_CA_MACHINE_KEYRING if LOAD_PPC_KEYS
- select INTEGRITY_CA_MACHINE_KEYRING_MAX if LOAD_PPC_KEYS
help
If set, provide a keyring to which Machine Owner Keys (MOK) may
be added. This keyring shall contain just MOK keys. Unlike keys
If this look good to you, I'll put it to the -rc2 pull request.
> Thanks
>
> Michal
BR, Jarkko
