2023-09-12 09:27:30

by Michal Suchánek

Subject: Re: [PATCH] integrity: powerpc: Do not select CA_MACHINE_KEYRING

On Tue, Sep 12, 2023 at 12:45:35AM +0300, Jarkko Sakkinen wrote:
> On Thu Sep 7, 2023 at 7:52 PM EEST, Michal Suchanek wrote:
> > No other platform needs CA_MACHINE_KEYRING, either.
> >
> > This is policy that should be decided by the administrator, not Kconfig
>
> s/administrator/distributor/ ?

It depends on the situation. Ideally the administrator would pick the
distributor that provides a policy that is considered fitting for the
purpose or roll their own. Unfortunately, they don't always have the
choice.

For the kernel's part it should support a wide range of policies for
different use cases, and not force the hand of the administrator or
distributor.

>
> > dependencies.
> >
> > cc: joeyli <[email protected]>
> > Signed-off-by: Michal Suchanek <[email protected]>
> > ---
> > security/integrity/Kconfig | 2 --
> > 1 file changed, 2 deletions(-)
> >
> > diff --git a/security/integrity/Kconfig b/security/integrity/Kconfig
> > index 232191ee09e3..b6e074ac0227 100644
> > --- a/security/integrity/Kconfig
> > +++ b/security/integrity/Kconfig
> > @@ -68,8 +68,6 @@ config INTEGRITY_MACHINE_KEYRING
> > depends on INTEGRITY_ASYMMETRIC_KEYS
> > depends on SYSTEM_BLACKLIST_KEYRING
> > depends on LOAD_UEFI_KEYS || LOAD_PPC_KEYS
> > - select INTEGRITY_CA_MACHINE_KEYRING if LOAD_PPC_KEYS
> > - select INTEGRITY_CA_MACHINE_KEYRING_MAX if LOAD_PPC_KEYS
> > help
> > If set, provide a keyring to which Machine Owner Keys (MOK) may
> > be added. This keyring shall contain just MOK keys. Unlike keys
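Review bot: Removing both `select ... if LOAD_PPC_KEYS` lines changes the resulting configuration for existing powerpc builds: INTEGRITY_CA_MACHINE_KEYRING and INTEGRITY_CA_MACHINE_KEYRING_MAX are no longer forced on whenever INTEGRITY_MACHINE_KEYRING is enabled with LOAD_PPC_KEYS, and will instead follow whatever the config file or the symbols' own defaults say. Distributors who want to keep the previous behaviour need to set both options explicitly, and the patch would be easier to pick up if it said so.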
> > --
> > 2.41.0
>
> I'd even suggest adding a Fixes tag.

Here it is

Fixes: d7d91c4743c4 ("integrity: PowerVM machine keyring enablement")

Thanks

Michal


2023-09-12 10:39:28

by Jarkko Sakkinen

Subject: Re: [PATCH] integrity: powerpc: Do not select CA_MACHINE_KEYRING

On Tue Sep 12, 2023 at 10:51 AM EEST, Michal Suchánek wrote:
> On Tue, Sep 12, 2023 at 12:45:35AM +0300, Jarkko Sakkinen wrote:
> > On Thu Sep 7, 2023 at 7:52 PM EEST, Michal Suchanek wrote:
> > > No other platform needs CA_MACHINE_KEYRING, either.
> > >
> > > This is policy that should be decided by the administrator, not Kconfig
> >
> > s/administrator/distributor/ ?
>
> It depends on the situation. Ideally the administrator would pick the
> distributor that provides a policy that is considered fitting for the
> purpose or roll their own. Unfortunately, they don't always have the
> choice.
>
> For the kernel's part it should support a wide range of policies for
> different use cases, and not force the hand of the administrator or
> distributor.
>
> >
> > > dependencies.
> > >
> > > cc: joeyli <[email protected]>
> > > Signed-off-by: Michal Suchanek <[email protected]>
> > > ---
> > > security/integrity/Kconfig | 2 --
> > > 1 file changed, 2 deletions(-)
> > >
> > > diff --git a/security/integrity/Kconfig b/security/integrity/Kconfig
> > > index 232191ee09e3..b6e074ac0227 100644
> > > --- a/security/integrity/Kconfig
> > > +++ b/security/integrity/Kconfig
> > > @@ -68,8 +68,6 @@ config INTEGRITY_MACHINE_KEYRING
> > > depends on INTEGRITY_ASYMMETRIC_KEYS
> > > depends on SYSTEM_BLACKLIST_KEYRING
> > > depends on LOAD_UEFI_KEYS || LOAD_PPC_KEYS
> > > - select INTEGRITY_CA_MACHINE_KEYRING if LOAD_PPC_KEYS
> > > - select INTEGRITY_CA_MACHINE_KEYRING_MAX if LOAD_PPC_KEYS
> > > help
> > > If set, provide a keyring to which Machine Owner Keys (MOK) may
> > > be added. This keyring shall contain just MOK keys. Unlike keys
> > > --
> > > 2.41.0
> >
> > I'd even suggest adding a Fixes tag.
>
> Here it is
>
> Fixes: d7d91c4743c4 ("integrity: PowerVM machine keyring enablement")

commit b755dd58d180b796d21bc14d03045e4ab84222b0 (HEAD -> next, origin/next)
Author: Michal Suchanek <[email protected]>
Date: Thu Sep 7 18:52:19 2023 +0200

integrity: powerpc: Do not select CA_MACHINE_KEYRING

No other platform needs CA_MACHINE_KEYRING, either.

This is policy that should be decided by the administrator, not Kconfig
dependencies.

Fixes: d7d91c4743c4 ("integrity: PowerVM machine keyring enablement")
Signed-off-by: Michal Suchanek <[email protected]>
Signed-off-by: Jarkko Sakkinen <[email protected]>

diff --git a/security/integrity/Kconfig b/security/integrity/Kconfig
index 232191ee09e3..b6e074ac0227 100644
--- a/security/integrity/Kconfig
+++ b/security/integrity/Kconfig
@@ -68,8 +68,6 @@ config INTEGRITY_MACHINE_KEYRING
depends on INTEGRITY_ASYMMETRIC_KEYS
depends on SYSTEM_BLACKLIST_KEYRING
depends on LOAD_UEFI_KEYS || LOAD_PPC_KEYS
- select INTEGRITY_CA_MACHINE_KEYRING if LOAD_PPC_KEYS
- select INTEGRITY_CA_MACHINE_KEYRING_MAX if LOAD_PPC_KEYS
help
If set, provide a keyring to which Machine Owner Keys (MOK) may
be added. This keyring shall contain just MOK keys. Unlike keys
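Review bot: The applied changelog still opens with "No other platform needs CA_MACHINE_KEYRING, either.", which reads as a continuation of the subject line and does not stand on its own in git log. Since the commit now carries a Fixes: tag pointing at d7d91c4743c4, it would help to state what is being fixed, namely that the two removed `select ... if LOAD_PPC_KEYS` lines forced the option on for builds with LOAD_PPC_KEYS. The cc: joeyli line from the submission is also absent from the trailers here; restore it if the drop was unintentional.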

If this looks good to you, I'll put it to the -rc2 pull request.

> Thanks
>
> Michal

BR, Jarkko

2023-09-12 19:29:59

by Michal Suchánek

Subject: Re: [PATCH] integrity: powerpc: Do not select CA_MACHINE_KEYRING

On Tue, Sep 12, 2023 at 12:46:32PM +0300, Jarkko Sakkinen wrote:
> On Tue Sep 12, 2023 at 10:51 AM EEST, Michal Suchánek wrote:
> > On Tue, Sep 12, 2023 at 12:45:35AM +0300, Jarkko Sakkinen wrote:
> > > On Thu Sep 7, 2023 at 7:52 PM EEST, Michal Suchanek wrote:
> > > > No other platform needs CA_MACHINE_KEYRING, either.
> > > >
> > > > This is policy that should be decided by the administrator, not Kconfig
> > >
> > > s/administrator/distributor/ ?
> >
> > It depends on the situation. Ideally the administrator would pick the
> > distributor that provides a policy that is considered fitting for the
> > purpose or roll their own. Unfortunately, they don't always have the
> > choice.
> >
> > For the kernel's part it should support a wide range of policies for
> > different use cases, and not force the hand of the administrator or
> > distributor.
> >
> > >
> > > > dependencies.
> > > >
> > > > cc: joeyli <[email protected]>
> > > > Signed-off-by: Michal Suchanek <[email protected]>
> > > > ---
> > > > security/integrity/Kconfig | 2 --
> > > > 1 file changed, 2 deletions(-)
> > > >
> > > > diff --git a/security/integrity/Kconfig b/security/integrity/Kconfig
> > > > index 232191ee09e3..b6e074ac0227 100644
> > > > --- a/security/integrity/Kconfig
> > > > +++ b/security/integrity/Kconfig
> > > > @@ -68,8 +68,6 @@ config INTEGRITY_MACHINE_KEYRING
> > > > depends on INTEGRITY_ASYMMETRIC_KEYS
> > > > depends on SYSTEM_BLACKLIST_KEYRING
> > > > depends on LOAD_UEFI_KEYS || LOAD_PPC_KEYS
> > > > - select INTEGRITY_CA_MACHINE_KEYRING if LOAD_PPC_KEYS
> > > > - select INTEGRITY_CA_MACHINE_KEYRING_MAX if LOAD_PPC_KEYS
> > > > help
> > > > If set, provide a keyring to which Machine Owner Keys (MOK) may
> > > > be added. This keyring shall contain just MOK keys. Unlike keys
> > > > --
> > > > 2.41.0
> > >
> > > I'd even suggest adding a Fixes tag.
> >
> > Here it is
> >
> > Fixes: d7d91c4743c4 ("integrity: PowerVM machine keyring enablement")
>
> commit b755dd58d180b796d21bc14d03045e4ab84222b0 (HEAD -> next, origin/next)
> Author: Michal Suchanek <[email protected]>
> Date: Thu Sep 7 18:52:19 2023 +0200
>
> integrity: powerpc: Do not select CA_MACHINE_KEYRING
>
> No other platform needs CA_MACHINE_KEYRING, either.
>
> This is policy that should be decided by the administrator, not Kconfig
> dependencies.
>
> Fixes: d7d91c4743c4 ("integrity: PowerVM machine keyring enablement")
> Signed-off-by: Michal Suchanek <[email protected]>
> Signed-off-by: Jarkko Sakkinen <[email protected]>
>
> diff --git a/security/integrity/Kconfig b/security/integrity/Kconfig
> index 232191ee09e3..b6e074ac0227 100644
> --- a/security/integrity/Kconfig
> +++ b/security/integrity/Kconfig
> @@ -68,8 +68,6 @@ config INTEGRITY_MACHINE_KEYRING
> depends on INTEGRITY_ASYMMETRIC_KEYS
> depends on SYSTEM_BLACKLIST_KEYRING
> depends on LOAD_UEFI_KEYS || LOAD_PPC_KEYS
> - select INTEGRITY_CA_MACHINE_KEYRING if LOAD_PPC_KEYS
> - select INTEGRITY_CA_MACHINE_KEYRING_MAX if LOAD_PPC_KEYS
> help
> If set, provide a keyring to which Machine Owner Keys (MOK) may
> be added. This keyring shall contain just MOK keys. Unlike keys
>
> If this looks good to you, I'll put it to the -rc2 pull request.

Looks good

Thanks

Michal