On Tue, Sep 12, 2023 at 12:46:32PM +0300, Jarkko Sakkinen wrote:
> On Tue Sep 12, 2023 at 10:51 AM EEST, Michal Suchánek wrote:
> > On Tue, Sep 12, 2023 at 12:45:35AM +0300, Jarkko Sakkinen wrote:
> > > On Thu Sep 7, 2023 at 7:52 PM EEST, Michal Suchanek wrote:
> > > > No other platform needs CA_MACHINE_KEYRING, either.
> > > >
> > > > This is policy that should be decided by the administrator, not Kconfig
> > >
> > > s/administrator/distributor/ ?
> >
> > It depends on the situation. Ideally the administrator would pick the
> > distributor that provides a policy that is considered fitting for the
> > purpose or roll their own. Unfortunately, they don't always have the
> > choice.
> >
> > For the kerenel's part it should support wide range of policies for
> > different use cases, and not force the hand of the administrator or
> > distributor.
> >
> > >
> > > > dependencies.
> > > >
> > > > cc: joeyli <jlee@xxxxxxxx>
> > > > Signed-off-by: Michal Suchanek <msuchanek@xxxxxxx>
> > > > ---
> > > > security/integrity/Kconfig | 2 --
> > > > 1 file changed, 2 deletions(-)
> > > >
> > > > diff --git a/security/integrity/Kconfig b/security/integrity/Kconfig
> > > > index 232191ee09e3..b6e074ac0227 100644
> > > > --- a/security/integrity/Kconfig
> > > > +++ b/security/integrity/Kconfig
> > > > @@ -68,8 +68,6 @@ config INTEGRITY_MACHINE_KEYRING
> > > > depends on INTEGRITY_ASYMMETRIC_KEYS
> > > > depends on SYSTEM_BLACKLIST_KEYRING
> > > > depends on LOAD_UEFI_KEYS || LOAD_PPC_KEYS
> > > > - select INTEGRITY_CA_MACHINE_KEYRING if LOAD_PPC_KEYS
> > > > - select INTEGRITY_CA_MACHINE_KEYRING_MAX if LOAD_PPC_KEYS
> > > > help
> > > > If set, provide a keyring to which Machine Owner Keys (MOK) may
> > > > be added. This keyring shall contain just MOK keys. Unlike keys
> > > > --
> > > > 2.41.0
> > >
> > > I'd suggest to add even fixes tag.
> >
> > Here it is
> >
> > Fixes: d7d91c4743c4 ("integrity: PowerVM machine keyring enablement")
>
> commit b755dd58d180b796d21bc14d03045e4ab84222b0 (HEAD -> next, origin/next)
> Author: Michal Suchanek <msuchanek@xxxxxxx>
> Date: Thu Sep 7 18:52:19 2023 +0200
>
> integrity: powerpc: Do not select CA_MACHINE_KEYRING
>
> No other platform needs CA_MACHINE_KEYRING, either.
>
> This is policy that should be decided by the administrator, not Kconfig
> dependencies.
>
> Fixes: d7d91c4743c4 ("integrity: PowerVM machine keyring enablement")
> Signed-off-by: Michal Suchanek <msuchanek@xxxxxxx>
> Signed-off-by: Jarkko Sakkinen <jarkko@xxxxxxxxxx>
>
> diff --git a/security/integrity/Kconfig b/security/integrity/Kconfig
> index 232191ee09e3..b6e074ac0227 100644
> --- a/security/integrity/Kconfig
> +++ b/security/integrity/Kconfig
> @@ -68,8 +68,6 @@ config INTEGRITY_MACHINE_KEYRING
> depends on INTEGRITY_ASYMMETRIC_KEYS
> depends on SYSTEM_BLACKLIST_KEYRING
> depends on LOAD_UEFI_KEYS || LOAD_PPC_KEYS
> - select INTEGRITY_CA_MACHINE_KEYRING if LOAD_PPC_KEYS
> - select INTEGRITY_CA_MACHINE_KEYRING_MAX if LOAD_PPC_KEYS
> help
> If set, provide a keyring to which Machine Owner Keys (MOK) may
> be added. This keyring shall contain just MOK keys. Unlike keys
>
> If this look good to you, I'll put it to the -rc2 pull request.
Looks good
Thanks
Michal
