Eric Snowberg <eric.snowberg@xxxxxxxxxx> wrote:

> > On Feb 3, 2021, at 11:49 AM, Mickaël Salaün <mic@xxxxxxxxxxx> wrote:
> >
> > This looks good to me, and it still works for my use case. Eric's
> > patchset only looks for asymmetric keys in the blacklist keyring, so
> > even if we use the same keyring we don't look for the same key types. My
> > patchset only allows blacklist keys (i.e. hashes, not asymmetric keys)
> > to be added by user space (if authenticated), but because Eric's
> > asymmetric keys are loaded with KEY_ALLOC_BYPASS_RESTRICTION, it should
> > be OK for his use case. There should be no interference between the two
> > new features, but I find it a bit confusing to have such distinct use of
> > keys from the same keyring depending on their type.
>
> I agree, it is a bit confusing. What is the thought of having a dbx
> keyring, similar to how the platform keyring works?
>
> https://www.spinics.net/lists/linux-security-module/msg40262.html

That would be fine by me.

David