Re: [PATCH 4/4] module, KEYS: Make use of platform keyring for signature verification

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi Luis,

On Tue, 2022-03-22 at 10:37 -0700, Luis Chamberlain wrote:
> How's this series going? Did you and Mimi sort things out? Either way,
> just wanted to let you kow you can base your changes on modules-testing
> [0] if you want to resubmit for v5.19 (v5.18 will be too late already).
> Once testing is done what is on modules-testing will go to modules-next
> for testing for v5.19. There are no changes planned for v5.18 other than
> fixes and so far there are none.
> 
> [0] https://git.kernel.org/pub/scm/linux/kernel/git/mcgrof/linux.git/log/?h=modules-testing

The "platform" keyring was upstreamed specifically to verify the kexec
kernel image. Orginally it contained only the UEFI db keys, but the MOK
keys were later added as well.  Any other usage of the "platform" is
not planned.

To allow end users to sign their own kernel modules, executables, or
any other file, Eric Snowberg is working on a patch set to only load
the MOK CA keys onto the ".machine" keyring, which is linked to the
"secondary" keyring[1].  Verifying kernel modules based on certificates
signed by a MOK CA will then be possible.

thanks,

Mimi

[1] 
https://lore.kernel.org/all/20220301173651.3435350-1-eric.snowberg@xxxxxxxxxx/




[Index of Archives]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]     [Big List of Linux Books]

  Powered by Linux